Attackers Targeting MFT Tools Are On The Rise
There is a constant war of convenience vs. security being waged, and moving files across networks is one of the battles being fought right now.
While many of these tools are designed to be accessed only from behind a firewall, they are often incorrectly configured to be accessible via the internet. These types of misconfigurations make them a high-value target for attacks.
The risk is exacerbated by how easy it is to implement an MFT application with little oversight from the security teams responsible for protecting sensitive data.
Recently, we posted on our blog about the zero-day CVE-2023-34262 for MOVEit and how the Clop ransomware group had been weaponizing it. Earlier this year, we also posted about CVE-2023-0669 for GoAnywhere MFT and how you only needed access to the web-based admin console to perform the exploit. However, MOVEit and GoAnywhere likely aren’t the only MFT applications being targeted out there.
Ways Censys Search Can Detect MFT Applications
Luckily, it’s fairly easy to fingerprint these applications as they become exposed to the internet. Whether we are looking for tags in a response header, a common port, or even a hash of the favicon presented on the login portal, Censys can identify these exposures quickly.
The Censys Search label for Managed-File-Transfer applications is automatically applied to hosts running the most common MFT applications. The applications we detect include, but are not limited to, the following:
- MyWorkDrive
- Sharetru
- Axway SecureTransport
- Fortra GoAnywhere
- SmartFile
- JScape
- Global Enhanced File Transfer
- MOVEit
- IBM Aspera Faspex
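The three signals named above (response header, port, favicon hash) can be combined in a small matcher run over scan records of your own hosts. This is an added example, not Censys code: the product name, signature values, the SHA-256 favicon hash, the record layout and the internal address ranges are all assumptions constructed for illustration.

```python
import hashlib
import ipaddress

# Constructed favicon and signature for a fictional product; real values must come from verified installs.
EXAMPLE_FAVICON = b"\x00\x00\x01\x00constructed-icon-bytes"
SIGNATURES = [{
    "product": "ExampleMFT (hypothetical)",
    "header": ("server", "examplemft"),  # header name, lowercase substring
    "ports": {8443},
    "favicon_sha256": hashlib.sha256(EXAMPLE_FAVICON).hexdigest(),
}]
# Ranges treated as "behind the firewall" (assumption: RFC 1918 only).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def fingerprint(record, signatures=SIGNATURES):
    """Return (product, matched_signals) for the strongest match, or None."""
    headers = {k.lower(): v.lower() for k, v in record.get("headers", {}).items()}
    icon_hash = hashlib.sha256(record["favicon"]).hexdigest() if record.get("favicon") else None
    best = None
    for sig in signatures:
        name, needle = sig["header"]
        matched = []
        if needle in headers.get(name, ""):
            matched.append("header")
        if icon_hash == sig["favicon_sha256"]:
            matched.append("favicon")
        # A port alone is weak evidence: count it only beside a stronger signal.
        if matched and record.get("port") in sig["ports"]:
            matched.append("port")
        if matched and (best is None or len(matched) > len(best[1])):
            best = (sig["product"], matched)
    return best

def exposed_mft(records):
    """Records that fingerprint as MFT and are served from a non-internal address."""
    findings = []
    for rec in records:
        hit = fingerprint(rec)
        addr = ipaddress.ip_address(rec["ip"])
        if hit and not any(addr in net for net in INTERNAL):
            findings.append((rec["ip"], rec["port"], hit[0], hit[1]))
    return findings

# Constructed scan records; 203.0.113.0/24 is a documentation range standing in for public addresses.
SAMPLE = [
    {"ip": "10.0.5.20", "port": 8443, "headers": {"Server": "ExampleMFT/7.1"}, "favicon": EXAMPLE_FAVICON},
    {"ip": "203.0.113.10", "port": 443, "headers": {"Server": "nginx"}, "favicon": EXAMPLE_FAVICON},
    {"ip": "203.0.113.11", "port": 8443, "headers": {"Server": "nginx"}, "favicon": None},
]
```

The second sample record shows why the favicon matters: a reverse proxy hides the product's `Server` header and moves the port, yet the login portal's icon still identifies it.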
Can You Tell Me If My Organization Is Currently Exposed?
The Censys Search label used above helps in finding any asset on the internet running these applications. You can continue to refine the Censys query to look for your own assets. However, there is a much easier way.
Censys Exposure Management is highly effective at reducing the scope of our data set to show only the internet assets that belong to your organization. Our attribution process automates this daily and then helps you prioritize risk derived from unknown exposures.
Our discovery process tracks, on a daily basis, whether these applications are being used by your organization and alerts you if and when MFT apps become exposed to the outside world. Furthermore, Censys provides the visibility necessary to react as quickly as possible to a zero-day exploit the next time one of these applications is compromised.