The zero-day exploitation of Progress Software’s MOVEit Transfer solution has dominated news headlines since May 2023, with the vulnerability affecting organizations around the globe.
Major UK organizations, including the BBC, British Airways, and Boots, disclosed MOVEit-related breaches, and when the zero-day vulnerability came to light, there were thousands of MOVEit Transfer instances exposed to the internet.
In the past year, however, Progress Software wasn’t the only file transfer vendor to have disclosed major zero-day vulnerabilities. Despite the demonstrable impact of vulnerabilities such as those found in MOVEit Transfer and other file transfer solutions, there were a lot of things that file transfer vendors did right in the aftermath of 2023’s attack campaigns.
In fact, organizations more broadly could learn a thing or two from how file transfer vendors responded when high-severity vulnerabilities came to light.
Developing a Proactive Response to Vulnerabilities
While file transfer technologies have been under siege, Rapid7 researchers observed a strong degree of responsiveness and concern from a number of these software producers when we disclosed vulnerabilities to them.
In several cases, file transfer vendors remediated security issues in less than half the time most firms take. Some also actively sought to enhance their vulnerability disclosure programs by standardizing methods of contact and making their product security policies more visible and accessible to the public.
Numerous file transfer organizations instituted more robust and visible patch cycles and more mature vulnerability disclosure protocols, alongside enhanced security programs that entail more regular product reviews.
These proactive measures are expected to lead to more mature and effective software development practices – at least for these providers and those who have learned from them.
It showed that while new vulnerabilities can be alarming or challenging, companies can put themselves in a better position by recognizing the potential impact of new flaws, collaborating closely with security researchers, and standardizing vulnerability response protocols so future issues can be addressed quickly and transparently.
Why File Transfer Vendors’ Vulnerability Responses Are Effective
While zero-day vulnerabilities often capture the spotlight, attackers also continue to rely on older, known vulnerabilities and established techniques to breach organizations globally, jeopardizing both business and consumer data.
This trend was evident when the US Cybersecurity and Infrastructure Security Agency (CISA) released its most recent Top Routinely Exploited Vulnerabilities list, where the majority of the CVEs listed were flaws that had been public for over a year; several had even been widely exploited for four years or more.
This isn’t a new phenomenon, but it’s exacerbated by today's heightened threat landscape, presenting additional hurdles for security teams in addressing critical risks to their business. In 2023, Rapid7 revealed a concerning trend – 56% of high-profile vulnerabilities were exploited within a week of discovery, and over 40% of widespread attacks commenced with a zero-day exploit.
"In several cases, file transfer vendors remediated security issues in less than half the time most firms take"
Consequently, security teams face a diminishing window for patching new vulnerabilities and preventing attacks, intensifying pressure on already limited security resources. This scenario often leads to older, known vulnerabilities being deprioritized, despite their continued exploitation in attacks.
The key to managing vulnerabilities, and ultimately what some of the file transfer vendors Rapid7 worked with got right after learning of new vulnerabilities in their products, is having more established patch cycles and effective vulnerability disclosure mechanisms in place. It’s all about turning organizations’ reactive vulnerability response practices into proactive ones.
Key Takeaways for Effective Vulnerability Response
So, what lessons can organizations learn from how some file transfer vendors responded to high-impact issues? Proactive vulnerability response and asset management practices are still the best form of defense against threat actors.
A good vulnerability and patch management program should be built on a clearly defined and regular patch cycle, which prioritizes actively and widely exploited CVEs. It’s also essential that cycles have specific deadlines and objectives. Without these procedures in place, security teams struggle to quickly respond to zero-day exploitation.
It is also essential that organizations limit the exposure of internet facing devices. By exploiting vulnerabilities in connected technologies, adversaries can gain access to corporate networks and potentially move deeper into the system.
Therefore, network edge devices should be prioritized for frequent and urgent patch updates; whilst particular attention should be paid to security gateway products such as VPNs and firewalls. Security teams must ensure that management and administrative interfaces are never exposed to the public internet.
Implementing robust multi-factor authentication (MFA) is another key action. The additional authentication will make it more difficult for threat actors to successfully gain access to corporate networks. This provides an extra layer of protection for managing vulnerabilities that have not yet been discovered or patched.
Companies should also implement other safety procedures such as monitoring for unusual file upload sizes, excessive traffic to a single IP or domain, and irregular access to cloud storage. Adding firewall rules to block known file-sharing services, monitoring the presence and usage of data transfer and archiving utilities, and restricting local admin privileges on host devices are other measures organizations can take to mitigate the risk of data breaches and enhance overall network security.
With the ongoing surge in cyber threats, organizations should be looking at file transfer vendors to understand what they did right and where we can benefit from following their example. The strategies outlined above are critical for navigating the complex and evolving cybersecurity landscape, ensuring robust protection against today's diverse range of cyber threats.