The internet can be a frightening place, where the spectre of cyberattack is never far away.
This is why today’s businesses place a premium on security, especially when it comes to file-sharing.
There are lots of options for organisations who need to share data: Dropbox, Google, and Box, to name a few.
But these platforms are less popular with companies than enterprise tools, like Citrix ShareFile, which have the capability to securely share files and data between clients and customers.
Enterprise tools are more functional for businesses because they are designed specifically for office use.
But big businesses also use them because they are felt to be highly secure.
And this reputation is rightly deserved.
We recently investigated a global attack on a number of companies which leveraged enterprise level access as a vantage point, only to find the enterprise platform itself was not at fault.
In fact, it’s to be celebrated that our investigation focusing on Citrix ShareFile found no backdoors or issues inherent in the tool.
The enterprise-level attack was the result of poor administration on the part of those who were using ShareFile.
Incorrect use of ShareFile can transform the platform from security asset into security nightmare.
It allows malicious individuals to turn it against you in two key ways:
- First, when you fail to utilise ShareFile correctly, you can allow it to become a host for malware.
- Second, if you’re not careful what you release on ShareFile, you can make it into a channel for data leakage.
Our investigation was focused on these two avenues of an enterprise level attack:
1. Data leak
We found the first signs of an enterprise-level attack using our threat intelligence platform Recorded Future.
Recorded Future helps us to monitor conversations that people are having about our clients on the internet.
Anyone that discusses our clients’ domains – in a negative or positive sense – will be identified.
If your company is mentioned on a forum alongside the term ‘hacking’, for example, natural language processing lets us apply context and determine whether there is a genuine threat of attack.
The more conversation we find revolving around a particular client, the more indication we have that there has been a breach, as the graph below demonstrates.
Most of the searches we carry out are simply routine, however.
It was on one such routine search that we uncovered a substantial amount of data that was accessible without authentication, exposed through misuse of ShareFile, including:
- Purchase agreements between companies marked as confidential
- Family Trust documentation from an accountancy agency
- The share price agreement of a global certificate authority brokered by one of the ‘big four’ organisations
Accountancy data that we found leaked on ShareFile, including over 60 pages of expenditure for 2016 (redacted).
Payment history of a number of homeowners over a 200 page PDF to a loan company (redacted).
Obviously, this data was hugely sensitive and therefore incredibly dangerous in the wrong hands.
We had been able to identify the signatures of executives involved in the sale of shares, together with their global locations, email addresses, telephone numbers, banking details, credit loan agreements, preferred lending criteria and share option prices.
If we could find it, then a hacker could too. And this kind of collateral would enable them, with very little effort, to cause devastation to a business.
The high profile of the organisations involved only made the leaked data more valuable, but it also reflects how difficult it can be to prevent the problem of misuse.
Companies in the big four are sure to have robust security systems, and yet they still suffered a ShareFile leak due to a staff member making an error on the platform.
We got in contact with all of the organisations concerned to alert them to the fact that their data had been leaked.
After all, responsible use of the internet extends to being responsible for other people too, and hopefully this will be a useful learning opportunity for the parties involved.
From now on they will be hyper aware of their use of ShareFile, and with any luck you will be too.
2. Malware
The second avenue in an enterprise level attack involves malware.
We found examples of malware that had been hidden on ShareFile so that it looked like legitimate data.
Hackers have targeted ShareFile in particular because it is a ‘trusted’ source to share business data, and it offers an initial trial period, which means it has a huge and relatively open audience.
So how did we work this out?
We noticed that the sharefile.com subdomains sit in a /14 hosted by Amazon (220.127.116.11), which currently hosts over 3,000 domains.
What interested us was that eight file hashes were associated with the ShareFile domain. Why?
ShareFile can be forced into becoming a host for malware.
We now know that both of the .exe files shown here are Trojans: malicious programs which grant remote access to an attacker.
And again, this is not caused by the ShareFile platform malfunctioning; it is a product of misuse, on this occasion by malicious actors.
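One way a defender can pick up the malware avenue described above is to treat downloads from a trusted file-sharing domain with the same suspicion as any other: flag executable downloads from sharefile.com subdomains and match file hashes against a blocklist. The following is an added example, not code from the original post or from Citrix; the proxy log lines, the log format and the blocklisted hash are all constructed for illustration (the post mentions eight hashes but does not publish them).

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed proxy log lines: timestamp, user, URL, sha256 of the downloaded file.
SAMPLE_LOG = """\
2017-10-30T09:12:01Z alice https://acme.sharefile.com/d/s1a2b3/report-q3.pdf 1111aaaa
2017-10-30T09:15:44Z bob https://acme.sharefile.com/d/s9z8y7/invoice.exe deadbeef00
2017-10-30T09:20:10Z carol https://acme.sharefile.com/d/s4c4c4/setup.EXE cafebabe11
2017-10-30T09:25:33Z dave https://example.org/files/tool.exe 2222bbbb
"""

# Constructed placeholder standing in for hashes of known-malicious samples.
KNOWN_BAD_SHA256 = {"deadbeef00"}

# Domains that staff and proxy allowlists tend to trust implicitly.
TRUSTED_SHARE_DOMAINS = ("sharefile.com",)
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|msi|bat|js|vbs)$", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

@dataclass
class Alert:
    user: str
    url: str
    sha256: str
    reason: str

def host_of(url: str) -> str:
    return url.split("://", 1)[-1].split("/", 1)[0].lower()

def is_trusted_share(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SHARE_DOMAINS)

def scan(log_text: str, blocklist: Set[str] = KNOWN_BAD_SHA256) -> List[Alert]:
    """Return alerts for risky downloads served from a trusted share domain."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _, user, url, sha = m.groups()
        if not is_trusted_share(host_of(url)):
            continue  # other domains are left to the usual proxy controls
        path = url.split("?", 1)[0]
        if sha.lower() in blocklist:
            alerts.append(Alert(user, url, sha, "known-bad hash from trusted share domain"))
        elif EXECUTABLE_EXT.search(path):
            alerts.append(Alert(user, url, sha, "executable download from trusted share domain"))
    return alerts
```

Running `scan(SAMPLE_LOG)` raises two alerts: bob's download matches the blocklist, and carol's is an executable from the trusted domain even though its hash is not yet known; the PDF is not flagged.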
A proactive approach will eliminate misuse
The only way to combat these enterprise level attacks is to cut them off at the root. This means tackling misuse of the platform by employees and by hackers.
Watching out for hackers attempting to fool you with malware that they have hidden on ShareFile is simple with threat intelligence.
By deploying threat intelligence to harvest and alert yourself to potential risks you will give yourself time to react appropriately to incidents, or even just the threat of an incident.
But your primary concern should be addressing misuse of ShareFile among your own personnel.
This is the key to a proactive approach, as it ensures that you won’t be causing damage to your own business through careless leaking of sensitive data.
Education is also an important part of this.
It’s important that all of your employees, from the C-suite to the most junior members, understand the importance of using ShareFile properly and safely.
You can ensure this by providing the right training and disseminating information on best practice.
And it even goes further than this: it’s also about educating each other on the dangers of misuse when we see it, as part of a community of responsible internet users.
This article itself is an example of the kind of education that we need to eliminate dangerous user misuse.
ScareFile no more
It’s important to stress again that ShareFile as a platform is not at fault in these enterprise level attacks.
The system will only work if it’s used properly – what good is a lock on a door if the door is left ajar by the person who lives there?
This is why misuse is the real thing you should fear this Halloween.
But it also means that it’s well within your power to prevent an enterprise level attack happening to you.
If your employees stay aware of their own actions, and if you keep an eye on the malicious actions of others, you’ll find enterprise file-sharing is totally safe.
As this time of year demonstrates so perfectly, the only thing we have to fear is ourselves.
For more information on how your business can avoid enterprise file sharing misuse, take a look at this white paper from Citrix. You can also learn more about how ShareFile can help your business on their website.
Or get in touch with us at http://www.fujitsu.com/uk/
He has developed his design, technical, project and security skills within some of the UK’s top employers and institutions.
Latest posts by Bryan Campbell (see all)
- Why misuse of enterprise platforms could be your worst nightmare - October 31, 2017