Managed file transfer (MFT) software is a product category that emerged to supplement or replace file transfer protocol (FTP), which served its purpose but did not address growing security and compliance requirements. However, the ubiquity of MFT software among enterprises has not gone unnoticed by threat actors, who have repeatedly targeted it for financial gain.
The exploitation of MFT software is at the core of one of the most significant cyber extortion events on record. In May 2023, a cybercriminal group called CLOP (also known as TA505 and FIN11) executed an enormous supply chain attack. It exploited a previously unknown structured query language injection (SQLi) vulnerability (CVE-2023-34362) in MFT software called MOVEit, which is made by Progress Software. The flaw allowed remote attackers to gain unauthorized access to the MOVEit Transfer database. More than 2,100 organizations have been affected either directly or indirectly. The breached data has included protected health information, driver’s licenses, education-related data and other personal data affecting more than 62 million people. CLOP extorted its victims, demanding payment in exchange for deleting the stolen data rather than publishing it on its data leak site or on clear web sites, or distributing it using torrents over peer-to-peer file sharing.
Intel 471 has observed an increase in vulnerabilities in MFT products as well as robust interest from threat actors in acquiring related information or exploits via underground forums or marketplaces. There are two reasons for this. First, threat actors may exploit MFT software in order to use it as an initial access vector. The products are often deployed facing the internet, allowing for direct exploitation, which may be an easier path than compromising an endpoint and escalating privileges. Second, the data that these applications hold may be sensitive enough that an organization would pay a ransom to not have it publicly released.
These trends pose an ongoing threat that organizations should not ignore; it may be possible to undertake mitigations that dial down the risk while such software remains in the sights of cybercriminals. This blog post will analyze why cybercriminals are targeting MFT software and the types and frequency of vulnerabilities found within it.
MFT Vulnerabilities: A Review
Since 2014, the National Vulnerability Database (NVD) has documented about 136 vulnerabilities impacting MFT products or similar software. From these, 51 vulnerabilities have been classified as high risk, 72 as medium and 13 as low.
From 2019 onward, there has been a noticeable uptick in vulnerabilities impacting MFT products. This trend suggests these products continue to be tested by both cybersecurity researchers and malicious individuals, yielding the discovery of more vulnerabilities. Furthermore, the upward trend indicates MFT software is likely becoming more prevalent, thereby increasing the number of products that can possess vulnerabilities.
Cybercriminal Interest in MFT Software
An understanding of which MFT software may be the target for exploitation can be derived by looking at adversary interest. By monitoring the discussion of vulnerabilities on underground forums, we can preemptively identify emerging cyber threats. Intel 471’s Vulnerability Intelligence team conducts analysis and underground monitoring to assess vulnerabilities. Vulnerabilities are triaged according to threat actor interest and their Common Vulnerability Scoring System (CVSS) scores. This approach helps reduce unnecessary distractions and enables the identification of the most critical issues.
Over the last five years, we documented about 17 vulnerabilities in MFT products that were of significant interest to threat actors. The most common vulnerabilities impacting MFT programs are SQLi and operating system (OS) command injection flaws. Among these, about 70% were rated as high risk, 18% medium and 12% low. Of the reported vulnerabilities, 6% were productized, 47% were weaponized and 23% had code available.
“Productized” means that an exploit is available for mass use by unsophisticated actors, such as through incorporation into attack tools and exploit frameworks such as Armitage, Metasploit, Core Impact, Cobalt Strike, Nexpose and others. “Weaponized” indicates sophisticated actors have integrated malicious code for use via exploit kits, malicious advertising (malvertising), etc. “Code available” indicates proof-of-concept (PoC) code has been published and, more importantly, that it has been shared in the underground.
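The triage approach described above, combining CVSS with adversary interest and exploit maturity, as an added example that is not Intel 471's code. The weights, the CVSS values and the interest flags are illustrative assumptions; only the CVE identifiers come from this post.

```python
# Added example (not Intel 471 code): rank MFT vulnerabilities for triage by
# combining CVSS severity with the exploit-maturity states the post defines
# ("productized", "weaponized", "code available"), observed underground
# interest, CISA KEV listing and whether our own deployment is internet-facing.
from dataclasses import dataclass

# Illustrative weights; ordering follows the post's definitions
# (productized = usable at scale by unsophisticated actors).
MATURITY_WEIGHT = {"productized": 3.0, "weaponized": 2.5,
                   "code_available": 1.5, "none": 0.0}

@dataclass
class Vuln:
    cve: str
    product: str
    cvss: float                         # base score 0-10 (placeholder values below)
    maturity: str = "none"
    underground_interest: bool = False  # actors seeking/offering exploits
    in_kev: bool = False                # listed in CISA Known Exploited Vulnerabilities
    internet_facing: bool = False       # our deployment context, not a bug property

def triage_score(v: Vuln) -> float:
    """Priority score: CVSS plus adversary-driven terms.

    CVSS alone describes the bug; the other terms approximate likelihood of
    exploitation, which the post argues should drive triage order.
    """
    if v.maturity not in MATURITY_WEIGHT:
        raise ValueError(f"unknown maturity state: {v.maturity}")
    score = v.cvss + MATURITY_WEIGHT[v.maturity]
    if v.underground_interest:
        score += 2.0
    if v.in_kev:
        score += 3.0
    if v.internet_facing:
        score *= 1.25   # exposed instances get the hypothetical exposure multiplier
    return round(min(score, 25.0), 2)

def prioritize(vulns):
    """Return vulnerabilities ordered from most to least urgent."""
    return sorted(vulns, key=triage_score, reverse=True)

# Constructed sample: CVE ids are those named in the post; CVSS numbers and
# flags are placeholders for illustration, not official scores or findings.
SAMPLE = [
    Vuln("CVE-2023-34362", "MOVEit Transfer", 9.8, "productized", True, True, True),
    Vuln("CVE-2023-24489", "Citrix ShareFile", 9.1, "code_available", True, True, True),
    Vuln("CVE-2023-0669", "GoAnywhere MFT", 7.2, "weaponized", True, True, False),
    Vuln("CVE-2021-35211", "Serv-U", 9.8, "none", False, False, False),
]
```

Note that the Serv-U entry carries the same placeholder CVSS as MOVEit yet lands last, which is the point: severity alone does not rank it.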
Collecting adversary-based threat intelligence can provide guidance and potentially early warning of exploitation attempts in the near future. A recent example of this involved a Citrix vulnerability. On June 13, 2023, Citrix publicly disclosed CVE-2023-24489, which was a critical vulnerability in its ShareFile file transfer product.
We soon detected underground threat actors seeking exploits for CVE-2023-24489 and reported this behavior June 17, 2023. An individual searching for this exploit not only offered a monetary incentive, but also expressed willingness to conduct transactions through an escrow service, which is a sign of credible interest. Interest continued to grow such that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-24489 to its list of Known Exploited Vulnerabilities (KEV) Aug. 16, 2023.
We assess with high confidence that the CLOP threat group is actively targeting MFTs. In late 2020 and 2021, CLOP exploited vulnerabilities in Accellion's File Transfer Appliance (FTA) to steal data from about 100 companies. The group also exploited the CVE-2021-35211 remote code execution (RCE) vulnerability in Serv-U MFT and Serv-U Secure FTP software. Following a relatively quiet 2022, CLOP's activity surged in 2023. In February 2023, the group exploited the CVE-2023-0669 vulnerability in Fortra’s GoAnywhere MFT platform and impacted up to 130 victims. The MOVEit campaign is CLOP's second major operation targeting file transfer software in 2023. Furthermore, the success enjoyed by CLOP likely will inspire similar attacks from other cybercriminals, and it is highly likely they will leverage future vulnerabilities affecting MFT products. We have limited evidence to suggest other actors and groups currently are targeting MFT products in the same way as CLOP; however, the discovery of vulnerabilities impacting MFT products likely will be seized upon by opportunistic actors seeking similar success.
Looking Ahead: Preparation and Mitigation
The increase in the number of vulnerabilities observed in MFT software underlines the urgency for comprehensive vulnerability assessment and management strategies. Furthermore, the targeted activities orchestrated by threat groups such as CLOP in exploiting vulnerabilities in Accellion FTA, Fortra GoAnywhere MFT and Progress Software MOVEit Transfer to carry out highly impactful attacks highlight the necessity for organizations to adopt proactive cybersecurity measures. It is imperative to strengthen vulnerability management and red teaming activities to effectively counter this evolving threat landscape. Adversary threat intelligence can also give early warning of potential exploitation.
Organizations that use MFT software also should understand the supply chain risk it poses. The compromise of another organization’s MFT can mean a data breach for your organization. An important aspect of dealing with this is visibility. What type of data is stored in the MFT database? How long does that data need to be stored? Is it possible the data can be deleted after it is transferred, thus lowering the risk if the software is compromised? Addressing these questions alongside frequent vulnerability assessment can help reduce the attack surface as this threat persists.
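The data-minimization question raised above, deleting data once it has been transferred, as an added example that is not from this post or any MFT vendor. It assumes a hypothetical convention in which the transfer job writes a "<name>.done" marker on success; the staging directory and files are constructed inside the block.

```python
# Added example (not from the post or any MFT product): sweep an MFT staging
# directory so transferred data does not linger where a compromise of the
# MFT host would expose it. Only files with a confirmed transfer are removed.
import os
import tempfile
import time
from pathlib import Path

DAY = 86400

def purge_transferred(staging: Path, max_age_days: int, now: float,
                      dry_run: bool = False):
    """Delete files older than max_age_days whose transfer is confirmed.

    Confirmation is a hypothetical sidecar marker '<name>.done' written by the
    transfer job on success. Files without it are never touched, so a stalled
    transfer is not destroyed by the retention sweep. Returns (removed, kept)
    name lists for audit logging.
    """
    cutoff = now - max_age_days * DAY
    removed, kept = [], []
    for f in sorted(staging.iterdir()):
        if not f.is_file() or f.suffix == ".done":
            continue                      # markers are handled with their file
        marker = f.with_name(f.name + ".done")
        if not marker.exists() or f.stat().st_mtime > cutoff:
            kept.append(f.name)           # unconfirmed or still inside the window
            continue
        if not dry_run:
            f.unlink()
            marker.unlink()
        removed.append(f.name)
    return removed, kept

def run_demo(max_age_days: int = 7):
    """Build a constructed staging directory and run the sweep on it."""
    now = time.time()
    tmp = Path(tempfile.mkdtemp())
    # name -> (age in days, transfer confirmed?)  constructed sample data
    sample = {"payroll.csv": (30, True), "claims.xml": (2, True),
              "stuck.bin": (30, False)}
    for name, (age, done) in sample.items():
        p = tmp / name
        p.write_text("constructed content")
        mtime = now - age * DAY
        os.utime(p, (mtime, mtime))       # back-date to simulate age
        if done:
            (tmp / (name + ".done")).write_text("ok")
    return purge_transferred(tmp, max_age_days, now)
```

Running `run_demo()` removes only payroll.csv: claims.xml is inside the window and stuck.bin has no completion marker.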