Threat actors of varying types continue to target managed file transfer (MFT) applications for exploitation. The latest concerning MFT vulnerability was identified by Converge Technology Solutions, originally in August 2023 impacting CrushFTP. Following responsible disclosure to the vendor, the vulnerability was publicly disclosed on November 16, 2023 as CVE-2023-43117.
What follows is the Huntress team's analysis of the threat posed by CVE-2023-43117 in CrushFTP, as well as a broader exploration of the ongoing challenges in managing the security of MFT applications.
Background & Context
CrushFTP exploitation allows for access to all hosted files on the victim system, as well as arbitrary file execution. As such, exploitation enables possible complete takeover of the compromised system along with enabling exfiltration of files hosted on the victim machine.
CrushFTP is a multi-platform file transfer application built in Java. As such, the vulnerability, which impacts all versions of CrushFTP prior to 10.5.2, can impact Windows, MacOS, and Linux devices running the software.
Notably, the necessary patch for CrushFTP was released in August 2023 following notification, giving victims a significant amount of time to patch and update systems prior to the public notification from Converge. Based on public reporting, over ten thousand CrushFTP applications are internet-facing as of early November 2023, although the specific version number is not available. Unfortunately, given that file transfer applications are typically “high availability” services for organizations, it is likely that a non-trivial number of these instances remain unpatched.
The vulnerability in CrushFTP is merely the latest in a series of attack vectors targeting MFT services and applications in 2023. Examples of adversaries leveraging file transfer software for exploitation include:
Activity in 2023 continues an observed trend of adversary interest in MFT applications. These applications are valuable both as initial access vectors for adversaries given that these are often external-facing services, as well as targets in their own right for data exfiltration for extortion. The latter was directly observed with MoveIT exploitation, where the cl0p criminal group rapidly exploited thousands of exposed MoveIT instances to exfiltrate sensitive data for follow-on extortion.
MFT applications are critical for business operations, but unfortunately, patch cycles are often not as rapid as needed. This is especially true in environments where adversaries have either identified and exploited these vulnerabilities as true zero days or rapidly reverse engineered patches to develop exploits. Even significantly after a patch release, threat actors continue to opportunistically exploit such items as “n-day” vulnerabilities, as seen in the long-tail of items in CISA’s Known Exploited Vulnerability catalog.
CrushFTP Specific Observations
While Converge researchers did not release a public POC for CrushFTP with their November 16 blog, sufficient details are available in the post, along with the long lead-time from the patch release in August 2023, to enable threat actors to develop a capability for this vulnerability. Theoretically, adversaries could have exploited this software as far back as August (or even earlier), but no evidence exists at this time indicating this has taken place.
From a defensive perspective, patching is certainly critical. However, as noted in Converge’s research, automatic updating for CrushFTP is not enabled by default. Thus any patching or updating will need to be manual—if not directly applied by administrators previously, asset owners should consider themselves vulnerable and take action accordingly.
Patching and updating details do not stop at this key point. Additional recommendations beyond patching include:
- Changing the default CrushFTP application password algorithm to the “Argon” setting.
- Running the CrushFTP application in a hardened, “Limited Server” mode to reduce attack surface and make future exploitation or compromise significantly more difficult.
Furthermore, some aspects of patching may not be straightforward. As documented in CrushFTP’s wiki, critical changes to address the vulnerability identified by Converge change some functional aspects of the application that may require manual configuration changes:
IMPORTANT: due to the security updates since CrushFTP version 10.5.2+ any JDBC driver jar file needs to be placed into the CrushFTP10/plugins/lib/ directory, or it won't load. In case of a server previously configured using an external SQL user DB, this new feature prevents access on next launch, will need to move the jar file, then edit prefs.XML, update the <db_driver> key value…
While failure to apply the above will not impact the security of the application post-patch, not following this guidance if these customizations or add-ons are present will result in impacts to application functionality. As a result, administrators are advised to fully review configuration and operational details before applying patches to ensure no interruption of service availability and functionality.
General Lessons & MFT Defense
MFT exploitation will remain popular with threat actors as long as they present both a valuable target to access victim networks and in themselves to harvest sensitive information. As a result, network defenders and system administrators must be vigilant, monitoring available news sources and vendor notifications to identify critical software updates and action them as appropriate.
Unfortunately, as seen in the MoveIT example, “just patch” is an unsatisfactory solution when threat actors are able to identify and exploit true zero-day vulnerabilities. As a result, while rapid vulnerability identification and agile patch management are necessary steps to securing MFT applications, they remain insufficient on their own to mitigate the potential attack vectors available to adversaries.
Network defenders and system administrators must therefore adopt a tiered, defense-in-depth approach to not just MFT applications, but to any exposed system, to manage attack surface and rapidly identify compromise should it take place. Such strategies include high-level business and use-case decision making, determining whether such applications need to be externally accessible in the first place for core functionality. If such access is necessary, controlling that access through security mechanisms such as requiring a VPN or allow-listing known partners and entities can reduce the associated risk.
In the event of compromise, investment in visibility is necessary. This includes both visibility on devices running applications such as MFT software to determine exploitation and post-exploit activity (e.g., large-scale exfiltration of data), as well as internal network visibility in those cases where the exploited host serves as a “beachhead” for further compromise. A combination of network visibility and monitoring (for exfiltration as well as post-exploitation command and control behaviors), as well as endpoint visibility and monitoring (for signs of exploitation as well as lateral movement within the victim network), are now minimally necessary items for most organizations to detect and defeat threat actors taking advantage of vulnerable applications.
MFT application exploitation remains a popular and concerning tactic used by multiple adversaries, either as a mechanism to deliver disruptive attacks such as ransomware or as an immediate method to exfiltrate data for extortion purposes. Asset owners and operators must remain aware of updates in such software and prioritize patching of such applications, particularly if they are external-facing, given the rapid weaponization of vulnerabilities by multiple threat actors.
Where patching remains difficult or to further harden environments, defenders and network operators are urged to reduce their attack surface by restricting access to such applications via security tools or products, and applying hardened configurations where possible. Through such techniques, along with visibility and monitoring of such applications, asset owners can either prevent future exploitation entirely or identify potentially malicious activity quickly, even when vulnerability information remains scarce or incomplete.