The spree of attacks against MOVEit environments in May, which are still cascading to downstream victims five months later, capped a concentrated period of damaging attacks against file-transfer services.
Progress Software’s MOVEit, Fortra’s GoAnywhere and IBM Aspera Faspex were hit by supply-chain attacks over a three-month span starting in March this year. Clop, the ransomware group responsible for exploiting a zero-day vulnerability in MOVEit and GoAnywhere, was also responsible for zero-day exploits against Accellion file-transfer devices in 2020 and 2021.
These managed file-transfer services are an opportunistic attack vector because of the data moving across them, said Jess Burn, principal analyst at Forrester. They contain a “treasure trove” that goes beyond phishing for someone’s credentials — high-value data that threat actors can use for extortion or potential corporate espionage, according to Burn.
“I don’t know if you can put all the blame on [file-transfer services], but there’s something about the design process that’s leaving what should be secure quite vulnerable,” Burn said.
The direct and indirect victims of these attacks include major financial institutions, education service providers, government agencies, healthcare providers, insurance companies and law firms.
File-transfer services play an integral part in business operations and have trusted access to organizations’ sensitive data, including personally identifiable information, financial, proprietary and intellectual data, Amy Chang, senior fellow of cybersecurity and emerging threats at R Street Institute, said via email.
As these services become more prevalent, so too does the number of vulnerabilities threat actors can target for potential exploits.
Intel 471 has documented 17 vulnerabilities in managed file-transfer products of significant interest to threat actors since 2018. Of the 136 vulnerabilities impacting managed file-transfer software since 2014, 51 are classified by the National Vulnerability Database as high risk, according to Intel 471.
These tools are ubiquitous and the consequences from exposure are significant because of the period of time corporate data is handled by a third party in moving sensitive information from one location to another, said Mauricio Sanchez, senior director of enterprise networking and security at Dell’Oro Group.
“There’s a lot of implicit trust put into these firms that unfortunately has led to a false sense of security,” Sanchez said.
Compliance begets one-to-many targets
Managed file-transfer services advance the capabilities of file-transfer protocol with monitoring, automation and enhanced security, features that are critical for meeting compliance requirements for government and heavily regulated industry use.
Government contractor Maximus reported the largest breach linked to the MOVEit attacks thus far. Files containing personal information, including Social Security numbers, protected health information and other sensitive data on up to 11 million people were compromised.
“Compliance drove this and compliance is often a checkbox in many organizations,” Burn said. “High regulation is equaling super high impact at this point, and this is what these ransomware actors know. They know that these systems are being used for compliance to send sensitive data.”
MOVEit is one of multiple managed file-transfer services that meet regulatory compliance requirements. These auditor- and government-backed accreditations make such tools widely used for high-volume sharing of sensitive files.
Clop’s attacks against MOVEit environments have exposed private health information, school records, data held by the largest pension system in the U.S., and data held by government contractors and three of the big four accounting firms.
“Government accreditation carries a lot of weight,” Sanchez said. “As a society, we place faith in our government institutions and the agencies that enforce certain standards across diverse technologies and industries.”
“Any accreditation is only playing catch-up to a world that seems to only move faster and more complex. If there is a problem, it’s that no accreditation will ever be perfect,” Sanchez said.
Sensitive data sprawl
The widespread use of managed file-transfer services has also exposed a much larger pool of downstream victim organizations and their respective customers. Exposure can occur if any vendor somewhere in an organization’s supply chain transfers sensitive data that was ultimately compromised by an upstream attack.
“Third parties are just passing this stuff on to fourth and fifth parties. This data is not even staying with something that you can manage or monitor. It becomes out of your control,” Burn said.
“It’s gotten away from us at this point,” Burn said.
One obvious alternative, though an unrealistic one for many organizations, is to limit or stop using file-transfer services altogether. Other tactics to bolster the security of sensitive file sharing are procedural.
Organizations should consistently monitor their supply chain for potential exploitation vectors, and keep data in an encrypted state, according to experts.
“Basically,” Sanchez said, “assume that any data will be made public, so at the very least ensure that there’s an extra layer of protection.”
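The advice to keep data encrypted independently of the transfer service is the one control in this piece that a practitioner can implement directly: encrypt the file before it is handed to the managed file-transfer platform, so that a copy exfiltrated from a compromised server, or forwarded on to the fourth and fifth parties Burn describes, carries no readable fields. The following Go program is an added illustration, not code from the article or from any vendor named in it. It assumes AES-256-GCM with a key that both sender and recipient already hold through some out-of-band key management (a choice made for this example), binds the logical file name into the authentication tag so a blob cannot be quietly substituted under another name, and uses a constructed payroll-style record as sample input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In a real deployment the key is
// provisioned to both ends by a key manager and never travels with the file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM instance and rejects keys of the wrong size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile encrypts plaintext and returns nonce || ciphertext || tag.
// The file name is bound as associated data: a blob presented under a
// different name fails authentication even though the key is correct.
func SealFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to the nonce slice, yielding nonce||ct||tag in one buffer.
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// OpenFile reverses SealFile and fails closed on any modification of the blob,
// a wrong key, or a mismatch of the bound file name.
func OpenFile(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

func main() {
	// Constructed sample record of the kind an MFT job moves between parties.
	record := []byte("employee_id,ssn,salary\n1001,000-00-0000,85000\n")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}

	blob, err := SealFile(key, "payroll-2023-10.csv", record)
	if err != nil {
		panic(err)
	}
	// This blob is all the transfer service ever stores or forwards.
	fmt.Printf("stored by MFT: %d bytes, plaintext visible: %v\n",
		len(blob), bytes.Contains(blob, []byte("000-00-0000")))

	// The recipient, holding the same key, recovers the record.
	got, err := OpenFile(key, "payroll-2023-10.csv", blob)
	fmt.Printf("recipient decrypt ok: %v, match: %v\n", err == nil, bytes.Equal(got, record))

	// A single flipped byte, or the blob under another name, is rejected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenFile(key, "payroll-2023-10.csv", tampered)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
	_, err = OpenFile(key, "other.csv", blob)
	fmt.Printf("renamed blob rejected: %v\n", err != nil)
}
```

The point of binding the file name is that the transfer service, and anyone who copies its storage, sees only opaque blobs and cannot reorder or relabel them without the recipient noticing; the point of a per-file random nonce is that two uploads of the same record do not produce the same ciphertext. Neither property depends on the platform's own accreditation or security claims, which is exactly the extra layer Sanchez is asking for.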