- VulnCheck found a bug being actively exploited in ProjectSend
- Crooks are using it to create rogue accounts and deploy malware
- Thousands of instances are at risk, experts warn
Researchers have warned hackers are taking advantage of a critical vulnerability in ProjectSend giving them access to servers and the ability to run arbitrary commands remotely.
ProjectSend is a free, open source file-sharing software businesses can use to securely upload, manage, and share files with clients, team members, or other designated users. It’s commonly used by businesses, freelancers, and nonprofits that don’t want to rely on third-party services such as Dropbox.
Apparently, an older version, that predates May 16, 2023, carried a critical authentication bypass vulnerability – and since the bug was never assigned a CVE, and thus was never publicly disclosed, most users were unaware of its existence.
Multiple attackers
As a result, the vast majority of ProjectSend users – 99% of them – were operating an older, unpatched and vulnerable version. In total, there are apparently 4,000 public-facing instances, and just 1% are using a patched version.
Once VulnCheck, a cybersecurity platform that focuses on identifying and analyzing vulnerabilities, observed the bug being actively exploited in the wild, it was given a designation CVE-2024-11680. Crooks were using it to create new accounts under their control, plant webshells, and embed JavaScript code.
VulnCheck added the exploitation picked up pace in September 2024, when Metasploit and Nuclei both released public exploits for the flaw.
“VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings,” the platform said. “These long and random-ish names are in line with how both Nuclei and Metasploit implement their vulnerability testing logic.”
“Both exploit tools modify the victim’s configuration file to alter the sitename (and therefore HTTP title) with a random value.”
At this time, there is no information about the identity of the attackers, or their motives, however it was said that the attempts came from at least 100 different IP addresses, meaning that numerous groups and individual hackers were taking advantage of the bug.
Via BleepingComputer
Leave a comment