By now, the facts of the recent MOVEit breach are well known (although the victim total keeps climbing), but it never hurts to be reminded that these attacks do not take place in a vacuum and threat actors are more than happy to repeatedly use the same tactics if their targets remain vulnerable.
Trustwave SpiderLabs, has tracked and documented these events explaining how threat actors were found to be exploiting three vulnerabilities, including a zero-day, (CVE-2023-34362, CVE-2023-35036. and CVE-2023-35708) in the popular Progress Software managed file transfer (MFT) tool, resulting in adversaries gaining escalated privileges and unauthorized data access.
The vulnerability, an SQL injection, was soon patched—but not before more than 500 organizations (including US federal agencies) and millions of users were affected.
The MOVEit breach is merely the most highly publicized example of a trend in which threat actors target MFT software. Why the interest in MFT? Well, stealing data within the virtual walls of a well-defended organization, while by no means impossible, is hardly an easy task; to do so, actors must gain access, navigate the targeted network, and exfiltrate the data while remaining undetected.
MFT programs, by contrast, typically face the open Internet. Thus, compromising these file-transfer points is far less involved. This situation plays into the hands of threat actors as it gives them the ability to access and exfiltrate data at scale, which is now the norm for ransomware attacks. Unlike traditional ransomware attacks that require threat actors to encrypt data and offer a decryption key in exchange for payment, many criminals now simply steal data and demand payment.
A holistic approach
As with most cybersecurity situations. There’s no silver bullet when it comes to preventing MFT attacks. Instead, what’s required is a proactive attitude and a holistic approach to risk reduction:
- Comprehensive security assessments: Regularly conduct thorough security assessments of the MFT infrastructure to identify vulnerabilities and potential weaknesses. Perform penetration testing to simulate real-world attack scenarios and validate the effectiveness of existing security measures.
- Patch management and updates: Implement a robust patch management process to promptly address any known vulnerabilities in MFT software and associated systems. Keep all software components up to date, including operating systems, libraries, and third-party applications.
- Access controls and authentication: Enforce strict access controls and role-based permissions to limit data exposure and prevent unauthorized access. Implement multi-factor authentication to strengthen the authentication process.
- Encryption and security protocols: Encrypt data both in transit and at rest using strong encryption algorithms to safeguard against interception and unauthorized access. Utilize secure file-transfer protocols such as SFTP or FTPS instead of plain FTP.
- Threat hunting: Proactive threat hunting is crucial in today’s world to find and halt hidden threats before damage is done—being reactive is not good enough. That means looking for Indicators of Behaviour or Compromise (IoB/IoC), or having professionals do it for you, such as with Trustwave’s Advanced Continual Threat Hunting
- Continuous monitoring and log analysis: Deploy a robust monitoring system to track MFT activities and detect anomalies or suspicious behaviour in real-time. Analyze logs regularly to identify potential security incidents and respond proactively.
- Employee awareness and training: Conduct regular security awareness training sessions for employees to educate them about threats and safe practices. And this advice, while old, remains as valid as ever: Promote a culture of cybersecurity awareness within the organization.
- Backup and disaster recovery: Regularly back up critical data, and maintain an effective disaster recovery plan to ensure business continuity in case of attack.
- Managed Detection and Response Service: Implement an MDR service, such as Trustwave MDR, as an additional layer to detect, investigate, and respond to abnormal activity and attempts at lateral movement. MDR solutions can provide real-time threat detection and response capabilities, helping to identify and mitigate attacks promptly.
It would be comforting to learn there’s a one-size-fits-all solution to the vulnerabilities inherent in MFT software—but that’s not the case. As always, security leaders must remain vigilant and adapt to evolving threats.
