Hackers Hit Secure File Transfer Software Again and AgainResearchers Race to Eliminate Flaws Before Attackers Can Launch Zero-Day Attacks
You don’t need an active imagination to hack, since most often just sticking with what works yields plenty of results. Time and again, hackers repeat and refine once they've found a pattern of vulnerabilities.
Exhibit A is file transfer software, the object of multiple, spectacularly bad hacking incidents in recent years. The Clop ransomware operation remains one of its fiercest practitioners. While Clop, also known as Cl0p, continues to develop its ransomware - it adds
.ClOP to encrypted files - the group has also unleashed multiple pure data leakage shakedowns tied to its mass exploitation of secure managed file transfer software.
The most recent such campaign, which Clop launched in late May against users of Progress Software's MOVEit secure file transfer software, resulted in the exposure of 66 million individuals' personal details, directly or indirectly affecting more than 2,550 organizations, according to security firm Emsisoft's latest tally.
Vulnerabilities continue to surface in file transfer tools. In May, Australian cybersecurity firm Assetnote alerted Citrix to a critical vulnerability in the ShareFile storage zones controller, or SZC, in its cloud-based secure file-sharing and storage service known as Citrix Content Collaboration. Citrix patched the flaw on May 11, notified customers directly about the vulnerability and helped them lock it down. Citrix also blocked unpatched hosts from connecting to its cloud component, thus limiting any hacking impact to a customer's own environment.
The U.S. Cybersecurity and Infrastructure Security Agency warned in August that the Citrix ShareFile vulnerability was being actively exploited by attackers.
Another file transfer software being targeted is Progress Software's WS_FTP Server software. Assetnote also found a flaw in that product and reported it to Progress Software. The Massachusetts company updated the software on Sept. 27 to fix multiple flaws, one of which can be exploited for remote control. Earlier this month, attackers began gunning for unpatched versions of the software (see: Ransomware-Wielding Attackers Target Unfixed WS_FTP Servers).
Trying to Outpace Attackers
Assetnote hasn't been the only security firm helping to root out vulnerabilities in secure file transfer products. In April, Rapid7 launched a research effort to find and report such flaws before attackers can do the same. The effort is led by its lead security researcher, Ron Bowes. His self-described "project to shake every file transfer tree to see what falls out" has so far led to three vendors patching critical flaws he found in their products:
- Fortra Globalscape EFT Server: Bowes found and reported to Fortra in May four vulnerabilities in the software. One of them allowed for remote code execution, although it appears to be difficult to exploit. Fortra patched the flaws in June.
- JSCAPE MFT: Bowes in August found and alerted Redwood Software to a JSCAPE Java deserialization vulnerability, now designated CVE-2023-4528. The flaw would allow an attacker to take full control of the secure file transfer software, including stealing stored data. Redwood Software patched the flaw on Sept. 7 via the release of JSCAPE version 2023.1.9.*
- South River Technologies Titan MFT and Titan SFTP: Last month, Bowes found and reported multiple flaws in Titan MFT and SFTP to the developer. On Monday, South River Technologies publicly detailed the vulnerabilities and released version 2.0.18 of the software to fix the flaws, recommending users update immediately. The good news about the vulnerabilities is that they all require a user to first authenticate and also only work if the software is being used in a non-default configuration, which Bowes said means they "are therefore unlikely to see widescale exploitation."
The efforts to find and eliminate flaws in secure managed file transfer tools come after Clop has run four mass campaigns:
- Accellion: On Dec. 23, 2020, Clop began stealing data from Accellion File Transfer Appliance users and holding it to ransom.
- Serv-U: In November 2021, Clop exploited a vulnerability in SolarWinds Serv-U Managed File Transfer and Secure FTP software.
- GoAnywhere: Clop exploited Fortra's GoAnywhere managed file transfer software starting on Jan. 25, stealing data from at least 130 victim organizations before Fortra patched the flaw on Feb. 7.
- MOVEit: In late May: Clop exploited a zero-day vulnerability in Progress Software's MOVEit file transfer software to steal data users were sharing via the software.
Multiple regulators are now probing the attacks (see: US Securities and Exchange Commission Probes MOVEit Hack).
Cyber risk firm Kroll said Clop may have started experimenting with the MOVEit vulnerability, designated as CVE-2023-34362, as early as 2021, which suggests how much planning may underlie this campaign. Progress Software patched the flaw on May 31, just days after Clop unleashed what appears to have been a highly lucrative campaign. Ransomware incident response firm Coveware estimated Clop earned $75 million to $100 million from large MOVEit-using victims who quickly paid up in exchange for a promise to not make the theft of their data public.
Security experts have warned users of secure file transfer software to safeguard themselves, given the risk of more such attacks perpetrated by Clop or copycats. One challenge with Clop's attacks is that the group has somehow continued to obtain access to zero-day vulnerabilities in the products, meaning even fully patched software could be - and was - exploited.
Even so, there are multiple "good cyber hygiene practices" users of secure file transfer products can employ to defend themselves, even against zero-day attacks, said Teresa Walsh, chief intelligence officer and managing director for EMEA at FS-ISAC, which is the financial services industry's information sharing and analysis center (see: Lessons to Learn From Clop's MOVEit Supply Chain Attacks).
Strategies Walsh recommends include minimizing the amount of data that gets stored on file transfer servers, which means: Remove it quickly and don't leave it laying around. She also recommends encrypting stored data, always reading the manual to understand how best to configure any given piece of software, and never being afraid to ask others for help to get the software better locked down.
*Correction Oct. 24, 2023, 15:15 UTC: Corrected to report that Redwood Software, developer of JSCAPE software, issued a patch on Sept. 7. Redwood Software, not Fortra, owns JSCAPE.