In May, a series of attacks against MOVEit environments began a chain reaction of damage that is still affecting downstream victims five months later. This concentrated period of attacks targeted file-transfer services, including Progress Software’s MOVEit, Fortra’s GoAnywhere, and IBM Aspera Faspex, with supply-chain attacks occurring between March and May of this year.
The ransomware group Clop exploited zero-day vulnerabilities in MOVEit and GoAnywhere, as well as in Accellion file-transfer devices in 2020 and 2021. According to Jess Burn, principal analyst at Forrester, managed file-transfer services are an opportunistic attack vector because of the valuable data they handle. These services contain high-value data that threat actors can use for extortion or corporate espionage beyond just phishing for credentials.
The victims of these attacks span sectors including financial institutions, education service providers, government agencies, healthcare providers, insurance companies, and law firms. Managed file-transfer services have trusted access to organizations’ sensitive data, including personally identifiable information and financial, proprietary, and intellectual data.
Intel 471 has documented 17 vulnerabilities in managed file-transfer products since 2018, with 51 high-risk vulnerabilities impacting managed file-transfer software since 2014. Intel 471 has classified them as being of significant interest to threat actors. According to Mauricio Sanchez, senior director of enterprise networking and security at Dell’Oro Group, the consequences of exposure are significant because of the time corporate data is handled by a third party when moving sensitive information from one location to another.
These managed file-transfer services provide critical features such as monitoring, automation, and enhanced security, making them important for compliance requirements for government and heavily regulated industries. The largest breach connected to the MOVEit attacks so far was reported by government contractor Maximus, with files containing personal information on up to 11 million people being compromised.
The attacks on managed file-transfer services have exposed private health information, school records, and data held by government contractors and big accounting firms. According to Sanchez, any accreditation can only play catch-up to a world that moves faster and is more complex.
The widespread use of managed file-transfer services has also exposed downstream victim organizations and their customers. Exposure can occur if any vendor transfers sensitive data that was ultimately compromised by an upstream attack. Burn suggested organizations consistently monitor their supply chain for potential exploitation vectors and keep data in an encrypted state. Sanchez recommended assuming that any data will be made public and ensuring there’s an extra layer of protection.