CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

9 Steps to Protect Against the Next MOVEit/MFT Attack

By now, the facts of the recent MOVEit breach are well known (although the victim total keeps climbing), but it never hurts to be reminded that these attacks do not take place in a vacuum and threat actors are more than happy to repeatedly use the same tactics if their targets remain vulnerable.

 

Trustwave SpiderLabs, has tracked and documented these events explaining how threat actors were found to be exploiting three vulnerabilities, including a zero-day, (CVE-2023-34362, CVE-2023-35036. and CVE-2023-35708) in the popular Progress Software managed file transfer (MFT) tool, resulting in adversaries gaining escalated privileges and unauthorized data access.

 

The vulnerability, an SQL injection, was soon patched—but not before more than 500 organizations (including US federal agencies) and millions of users were affected.

 

The MOVEit breach is merely the most highly publicized example of a trend in which threat actors target MFT software. Why the interest in MFT? Well, stealing data within the virtual walls of a well-defended organization, while by no means impossible, is hardly an easy task; to do so, actors must gain access, navigate the targeted network, and exfiltrate the data while remaining undetected.

 

MFT programs, by contrast, typically face the open Internet. Thus, compromising these file-transfer points is far less involved. This situation plays into the hands of threat actors as it gives them the ability to access and exfiltrate data at scale, which is now the norm for ransomware attacks. Unlike traditional ransomware attacks that require threat actors to encrypt data and offer a decryption key in exchange for payment, many criminals now simply steal data and demand payment.

 

A holistic approach

 

As with most cybersecurity situations. There’s no silver bullet when it comes to preventing MFT attacks. Instead, what’s required is a proactive attitude and a holistic approach to risk reduction:

 

  • Comprehensive security assessments: Regularly conduct thorough security assessments of the MFT infrastructure to identify vulnerabilities and potential weaknesses. Perform penetration testing to simulate real-world attack scenarios and validate the effectiveness of existing security measures.

 

  • Patch management and updates: Implement a robust patch management process to promptly address any known vulnerabilities in MFT software and associated systems. Keep all software components up to date, including operating systems, libraries, and third-party applications.

 

  • Access controls and authentication: Enforce strict access controls and role-based permissions to limit data exposure and prevent unauthorized access. Implement multi-factor authentication to strengthen the authentication process.

 

  • Encryption and security protocols: Encrypt data both in transit and at rest using strong encryption algorithms to safeguard against interception and unauthorized access. Utilize secure file-transfer protocols such as SFTP or FTPS instead of plain FTP.

 

  • Threat hunting: Proactive threat hunting is crucial in today’s world to find and halt hidden threats before damage is done—being reactive is not good enough. That means looking for Indicators of Behavior or Compromise (IoB/IoC), or having professionals do it for you, such as with Trustwave’s Advanced Continual Threat Hunting

 

  • Continuous monitoring and log analysis: Deploy a robust monitoring system to track MFT activities and detect anomalies or suspicious behaviour in real-time. Analyze logs regularly to identify potential security incidents and respond proactively.

 

  • Employee awareness and training: Conduct regular security awareness training sessions for employees to educate them about threats and safe practices. And this advice, while old, remains as valid as ever: Promote a culture of cybersecurity awareness within the organization.

 

  • Backup and disaster recovery: Regularly back up critical data, and maintain an effective disaster recovery plan to ensure business continuity in case of attack.

 

  • Managed Detection and Response Service: Implement an MDR service, such as Trustwave MDR, as an additional layer to detect, investigate, and respond to abnormal activity and attempts at lateral movement. MDR solutions can provide real-time threat detection and response capabilities, helping to identify and mitigate attacks promptly.

 

It would be comforting to learn there’s a one-size-fits-all solution to the vulnerabilities inherent in MFT software—but that’s not the case. As always, security leaders must remain vigilant and adapt to evolving threats.

Latest Trustwave Blogs

The Power of Red and Purple Team Drills in Enhancing Offensive Security Programs

Despite investing in costly security solutions, keeping up with patches, and educating employees about suspicious emails, breaches still occur, leaving many organizations to wonder why they are...

Read More

Balancing Innovation and Security: How Offensive Security Can Help Navigate the Tech Industry’s Dual Challenges

Two of the greatest threats facing technology-focused organizations are their often-quick adoption of new technologies, such as artificial intelligence (AI), without taking security measures into...

Read More

Trustwave Government Solutions (TGS) Salutes New Mexico’s New Cybersecurity Executive Order

New Mexico Governor Michelle Lujan Grisham issued an Executive Order to shore up the state’s cybersecurity readiness and better safeguard sensitive data by conducting a state-wide security assessment...

Read More