Vulnerabilities in third-party managed file transfer services and software have led to hundreds of companies worldwide having their data stolen, followed by extortion demands for payment to keep the data private.
Businesses operate in vastly distributed ecosystems, with partners providing components and parts to build products as well as sales, distribution and support services. Together they form distributed enterprise or organizational groups. Specialized products such as MOVEit and Fortra offer file transfer services between such distributed entities. Attackers have hidden malware in the file transfers between MOVEit and Fortra and their customers in order to penetrate customers' IT systems and exfiltrate data.
The secure file transfer services have become, in a sense, malware delivery systems.
Fortra
Back in March data protector Rubrik was hit by malware introduced to its systems via the Fortra cloud-based GoAnywhere MFTaaS (Managed File Transfer-as-a-service) offering. The attackers used a zero day vulnerability to gain access to Rubrik systems and copy confidential data.
Rubrik used Fortra to move files between its partners because Fortra offered an audited and secure file transfer facility. More than 120 other Fortra customers were similarly affected.
What is apparent is that if the transferred files and metadata arriving at Rubrik’s systems were scanned for malware, the scan did not detect the malware payloads.
According to Bleeping Computer, the attackers behind the Fortra vulnerability used MFTaaS “to create user accounts in some customer environments.” Those accounts then downloaded files, exfiltrating them from the MFTaaS facility. Other malware tools, Netcat and Errors.jsp, were reportedly loaded into some Fortra customers’ systems to facilitate file downloads and backdoor activity.
This can be seen as a data loss prevention issue. It is apparent, with hindsight, that file access permissions should not have allowed transfer outside Rubrik’s systems. In April Rubrik said it was automating sensitive data file detection and classification and working with Zscaler to stop such files being exported outside an organization’s IT boundaries.
Zscaler is a cloud security company with tools to detect known file exfiltration such as Exact Data Match (EDM) for specific data items and Indexed Document Matching (IDM) file fingerprinting. Rubrik tells its software what files to look for, using its Sensitive Data Monitoring & Management facility.
MOVEit
Progress Software’s MOVEit file transfer service is intended to provide a secure file transfer facility. Customers deploy software in a server. Client applications and web browsers can connect to it in order to upload and download documents. Customers included businesses and organizations in healthcare, finance and the public sector.
The Clop ransom gang exploited MOVEit vulnerabilities to exfiltrate data from the MOVEit servers at hundreds of customers' locations, such as the Minnesota Department of Education in the US, UK telco regulator Ofcom, Shell, hotel chain Radisson, 1st Source Bank, real estate giant Jones Lang LaSalle and Dutch GPS company TomTom. These could be direct MOVEit customers or ones that use an MSP with an included MOVEit facility, such as Majorel.
Comment
If an organization sends its data to a third party for onward transfer it is then utterly dependent on that third party to safeguard the data. As soon as the file or document is passed to the third party’s software agents on an organization’s own servers, it has passed beyond its own control.
By allowing any third party’s file transfer software to have agents on its own servers, the organization has introduced a latent vulnerability into its IT systems and enlarged its attack surface.
We perhaps need a kind of flight control software for data. Any file or document that some entity wants to send outside your immediate network has to have an authorized flight plan for any movement to take place. This would be similar to an airplane not being allowed to take off from an airport until its destination and flight plan have been approved by air traffic control.
We need network air traffic control for files.
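To make the "flight plan" idea concrete, here is an added example (not code from the article, Rubrik, Zscaler or any of the vendors named) of an outbound transfer gate: every file needs an approved FlightPlan for its destination, and a file that trips an EDM-style exact-match check or an IDM-style fingerprint match needs a plan naming that exact document. The sensitive values, classified document and partner hostnames are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data, not from the article. EDM-style: exact values that
# must not leave the network, held only as hashes so the gate never stores them.
SENSITIVE_ITEMS = {_h(v.encode()) for v in ("4111-1111-1111-1111", "AC-88213-77")}

def fingerprint(content: bytes) -> str:
    """IDM-style fingerprint: hash of whitespace-normalised content."""
    return _h(b" ".join(content.split()))

# IDM-style: fingerprints of documents already classified as sensitive (constructed).
CLASSIFIED_DOCS = {fingerprint(b"Q3 board pack\nacquisition target: Example Corp")}

def is_sensitive(content: bytes) -> bool:
    """Sensitive if the whole document is classified or any token is an EDM hit."""
    if fingerprint(content) in CLASSIFIED_DOCS:
        return True
    tokens = re.findall(r"[A-Za-z0-9-]+", content.decode("utf-8", "replace"))
    return any(_h(t.encode()) in SENSITIVE_ITEMS for t in tokens)

@dataclass(frozen=True)
class FlightPlan:
    destination: str                   # approved recipient (e.g. partner host)
    fingerprint: Optional[str] = None  # None = blanket plan, non-sensitive files only
    approved_by: str = "unknown"

def authorize_transfer(content: bytes, destination: str, plans) -> tuple[bool, str]:
    """Default deny: a file leaves only under a plan for this destination.
    Sensitive files additionally need a plan naming their exact fingerprint."""
    fp = fingerprint(content)
    for_dest = [p for p in plans if p.destination == destination]
    if not for_dest:
        return False, "no flight plan for destination"
    if any(p.fingerprint == fp for p in for_dest):
        return True, "per-document flight plan"
    if is_sensitive(content):
        return False, "sensitive content requires a per-document flight plan"
    if any(p.fingerprint is None for p in for_dest):
        return True, "blanket flight plan, non-sensitive content"
    return False, "destination plan does not cover this document"
```

Because the gate compares hashes rather than the raw values, the sensitive items themselves are never exposed to the transfer software, which is the point of keeping the decision on your side of the boundary.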