The Anatomy of MFT Data Breaches: Key Takeaways and Recommendations
Without the right security controls in place, MFT tools can pose a serious risk—exposing millions of data records for hundreds of organizations.

Recent major breaches of managed file transfer (MFT) solutions demonstrate the immense risks organizations face when transferring sensitive files. By examining case studies of breaches by the Clop cybercriminal group, we can learn critical lessons on how to protect MFT systems. Three MFT breaches—Accellion FTA, GoAnywhere MFT, and MOVEit MFT—were examined in a recent Kiteworks webinar featuring Mandiant’s Charles Carmakal (Chief Technology Officer) and Kiteworks’ Yaron Galant (Chief Product Officer). The hour-long moderated discussion touched on numerous aspects related to the MFT data breaches and included invaluable insights and recommendations.

This webinar panel discussion explores the software supply chain risks of MFT data breaches and walks through a forensic analysis of the Accellion FTA, GoAnywhere, and MOVEit breaches.

Potential Attack Vectors for MFT Breaches

As a starting point, Charles and Yaron examined the different attack vectors nation-state criminal entities like Clop can use when targeting MFT tools. These include:

Code Exploits: Malicious code injection through SQL injection, command injection, cross-site scripting, etc., can allow takeover of the application.

Access Exploits: Stealing admin credentials through phishing or brute-force attacks provides entry. Backdoors in software code can also provide access.

Transfer Exploits: Intercepting traffic to steal files while they are in transit, disrupting transfer servers with DDoS attacks, and abusing flaws in the underlying transfer protocols.

Takeaways From the MFT Breaches

After assessing each of the three MFT breaches, Charles and Yaron outlined takeaways based on this assessment. At a high level, all three MFT breaches employed highly sophisticated attack methods that targeted zero-day vulnerabilities.

Massive Supply Chain Impact: By hacking a single MFT provider, Clop gained access to hundreds of customer organizations and millions of data records. MFT breaches enable massive-scale data theft through the software supply chain.

Scale of Impact: The latest MOVEit MFT data breach exceeded even Clop's own capacity to manage; the hack succeeded beyond what the group could handle. For example, rather than emailing each hacked organization, Clop directed organizations to a site where they could find out whether they had been hacked and what the next steps were for retrieving their stolen data.

No Ransomware: In all three MFT breaches, Clop did not deploy ransomware but rather exfiltrated the data through other means. Extortion comes later through direct communications.

Long-tail Impact: MFT breaches play out slowly over months and years due to data privacy violations, lawsuits, and remediation costs. MFT vendors and the victims should expect a long-tail impact.

Patching Isn’t Protection: Clop exploited vulnerabilities before patches were released. Quick patching helps but does not mean an organization avoided compromise.

Recommendations for Securing MFT

Based on this assessment, Charles and Yaron had some recommendations for the webinar audience:

Assume Compromise: Forensically analyze systems, watch for extortion communications, and continually monitor for threats.

Select a Secure MFT Platform: Require robust layered security, not just endpoint protection. Prioritize anomaly detection, hardening, and penetration testing.

Encrypt Data: Implement strong encryption for data at rest and in transit to mitigate exfiltration impact.

Segment Access: Limit MFT access to only users that require it. Monitor third-party connections closely.

Continually Patch: Aggressively apply patches to close vulnerabilities as threats rapidly evolve. Plan for multi-wave attacks.

Kiteworks is proud of its MFT capabilities, which use a hardened virtual appliance that includes security layering, end-to-end encryption, and least-privilege access. It also employs AI-enabled anomaly detection while the engineering team follows software development life cycle best practices—including a bug bounty program and regular penetration testing.
