Risk Advisory: Managed File Transfer Software

Wednesday, 28 June, 2023

Decorative: image of postboxes to illustrate moving files

Cydea’s risk advisories are intended for senior management to aid their understanding of current events and the cyber risk posed to their organisations.

What is the context?

Managed file transfer software is used when documents need to be shared between different organisations. They are internet connected corporate solutions which are often used for sharing documents that cannot be shared by email. This internet connectivity and sensitive data makes these solutions a tempting, and rewarding, target for cyber criminals and state sponsored threat actors.

Two of the most popular managed file transfer solutions on the market have been attacked this year, impacting hundreds of organisations and resulting in the data of millions of people being compromised.

May 2023: Progress’ MoveIt Transfer application was targeted to be the starting point for a cyber supply chain attack. Primary impact organisations include healthcare providers, large consultancy firms and payroll service providers. Secondary impact organisations, across many industries, have been targeted through their payroll provider.

February 2023: A previously unknown vulnerability was discovered in Fortra’s GoAnywhere application and exploited. The number of impacted organisations continues to increase as more learn through their supply chains that their data was impacted by the breach.

The two recent exploits have highlighted the speed at which a supply chain compromise can lead to security incidents for multiple organisations, and the scale of data losses that can be incurred when the compromised supplier is a managed file transfer provider.

Initially the direct customers of the file sharing solution are impacted, then the organisations/people that they use the appliance to share files with. This leads to an increasing number of potentially impacted organisations.

These newer exploits aren’t the only ones that are being actively used to attack companies. In December 2020, vulnerabilities discovered by a ransomware group in Accellion’s legacy File Transfer Appliance were exploited. Despite a patch being released by the vendor within days of the vulnerabilities becoming known, additional organisations fell victim to this attack due to poor communications across the supply chain and slow patching.

What is the risk?

When the managed file transfer solution is compromised, ransom demands shortly follow from the threat actors in exchange for not releasing the exfiltrated data. In more recent attacks it is becoming less common for the threat actors to encrypt the data, however business disruption can occur as a result of the supplier temporarily halting the service they provide until it is secure again.

Source:

  • Supplier Compromise

Risk events:

  • Service Unavailability (MFT Suppliers shut down service to known impacted clients)
  • Information Breach (Unauthorised access to information; Unauthorised sharing of information)
  • Malware (Ransomware; Rootkit)

Consequences:

  • Compliance (Regulatory fines, Legal challenge)
  • Operations (Business Disruption)

What factors drive the consequences?

As with any data breach risk, the sensitivity and volume of the data are going to be driving factors in calculating the consequences of that data being released. The impact here can be mitigated through the application of additional confidentiality protections on the data shared, including using encryption with decryption keys shared by an alternative communication method.

To avoid the business disruption caused by the managed file transfer solution being unavailable, consider whether a failover solution with an alternative provider would be appropriate.

What factors drive the frequency?

While there is little that can be done to reduce the likelihood of an incident involving a zero day attack (an attack utilising a previously unknown vulnerability), a key control for reducing the likelihood of being repeatedly attacked is the ability to rapidly apply critical patches.

As with all third party provided software, it is also critical that default, or vendor created, passwords are not in use on any accounts, especially administrative accounts.

What action is required?

Identify whether similar file transfer solutions exist in your environment, or whether your suppliers/customers use them to communicate with you. If any do, then we recommend taking the following actions:

  1. Evaluate what data is held in the solution
  2. Evaluate what additional protection, if any, is applied to the data
  3. Evaluate if data held in the solution is still needed or can be deleted/archived (to minimise exposure)
  4. Evaluate what account management processes exist (account creation, credential validity periods, etc.)
  5. Regularly review accounts and their access rights
  6. Evaluate how the devices are patched and monitored

Vendor guidance specific to the MoveIt vulnerability

Vendor guidance specific to the GoAnywhere vulnerability

For further information or assistance in understanding or measuring this risk to your organisation please contact us for a session with one of our cyber risk consultants.

Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.

Photo by bady abbas on Unsplash