Dive Brief:
- CrushFTP disclosed and patched an actively exploited zero-day vulnerability impacting the widely used file-transfer service on Friday.
- “We aren’t aware of any actual theft of data yet, but we have seen hackers download user config files and secure shell private keys and show passwd files,” CrushFTP CEO Ben Spink said Tuesday via email. Attackers appear to be scanning broadly, targeting CrushFTP customers at random, Spink said. “We have no knowledge of anything more directed.”
- While CrushFTP said the server-side template injection vulnerability CVE-2024-4040 requires some level of authentication, researchers at Rapid7 determined attackers can exploit and completely compromise CrushFTP servers without privileges. The critical vulnerability has a CVSS score of 9.8.
Dive Insight:
Recurring zero-day exploits targeting file-transfer services, which house sensitive data, underpin concerns for CrushFTP customers.
Researchers expect exploitation to increase quickly and are sounding the alarm about the potential impacts on unsuspecting CrushFTP customers.
“This latest zero-day vulnerability, just like MOVEit Transfer or GoAnywhere MFT before it, offers adversaries a smash-and-grab attack vector that enables complete takeover of the CrushFTP server and allows exfiltration of sensitive data,” Caitlin Condon, director of vulnerability research at Rapid7, said Tuesday via email.
Attackers have exploited critical zero-day vulnerabilities in multiple file-transfer services to steal data and extort victim organizations for ransoms.
“The vulnerability is simple to exploit by performing unauthenticated HTTPS requests to the CrushFTP web interface, resulting in arbitrary file read as root, authentication bypass for administrator account access, and potential theft of all files stored on the instance,” Condon said.
CrowdStrike, in a Friday post on Reddit, said it “observed this exploit being used in the wild in a targeted fashion.” The company declined to comment further.
Shodan analysis shows nearly 7,300 CrushFTP servers are publicly exposed and potentially vulnerable.
Spink said CrushFTP doesn’t know how many customers are still using unpatched versions, but noted the company has “many thousands of customers worldwide in every market segment.”
CrushFTP was first made aware of the vulnerability on Friday, and credited Simon Garrelou, security engineer at Airbus CERT, with discovering and reporting the vulnerability, which is patched in versions 10.7.1 and 11.1.0.
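To triage an internal inventory against the fixed versions named above, the branch-aware check below is an added example, not code from CrushFTP or from this article. It assumes version strings of the form `major.minor[.patch]` and covers only the two release branches the article names (10.x fixed in 10.7.1, 11.x fixed in 11.1.0); because a naive numeric comparison would wrongly rate 11.0.x as "newer than 10.7.1" and therefore safe, the comparison is done per branch, and branches the article does not mention are reported as unknown rather than guessed.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions as reported above: patched in 10.7.1 and 11.1.0.
# Keyed by major version so that 11.0.x is not treated as "newer than 10.7.1, hence fixed".
FIXED_BY_BRANCH: Dict[int, Tuple[int, int, int]] = {10: (10, 7, 1), 11: (11, 1, 0)}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' (trailing build suffixes ignored); ValueError if unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one CrushFTP version string."""
    try:
        ver = parse_version(version_text)
    except ValueError:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(ver[0])
    if fixed is None:
        # Branch not covered by the advisory text quoted above; do not guess either way.
        return "unknown"
    return "patched" if ver >= fixed else "vulnerable"

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group host names by assessment so the 'vulnerable' list can go straight to patch owners."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory.items():
        groups[assess(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

if __name__ == "__main__":
    # Constructed sample inventory: host names and versions are made up for illustration.
    sample = {
        "mft-01.example.test": "10.7.1",
        "mft-02.example.test": "11.0.5",
        "mft-03.example.test": "10.6.2",
        "mft-04.example.test": "9.4.0",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```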
Of the five company-operated servers CrushFTP inspected on Monday, three bore evidence of attempted exploits but the company had already patched and was unimpacted, Spink said.