GoAnywhere, Aspera, and The Problem with Self-Hosted File Transfer

Last updated June 6, 2023

A trio of far-reaching data breaches of major file transfer platforms GoAnywhere, IBM Aspera, and MOVEit have laid bare the significant risk of pairing your own servers with large file transfer services.

Below, we break down the nature of these incidents, who was affected, and how pairing your own servers with large file transfer services can easily lead to increased vulnerability to a data breach — and possibly much worse.


Secure Cloud File Transfer

MASV is an ISO 27001, SOC 2, and TPN-compliant (Gold Shield status) secure file transfer service.

What Are These Data Breaches? And How Do They Relate to Self-Hosted File Transfer?

Critical vulnerabilities were discovered in all three of IBM Aspera, GoAnywhere, and MOVEit this year.

The Aspera Vulnerability

The IBM Aspera vulnerability, tracked as CVE-2022-47986, is a pre-authentication flaw in IBM Aspera Faspex that allows unauthenticated attackers to remotely execute arbitrary code on servers running the software. It was assigned a CVSS severity score of 9.8 out of 10 – or “as bad a security hole as you can get,” according to The New Stack.

Security researchers at SentinelOne reported that CVE-2022-47986 was used by IceFire, a ransomware group, to deploy ransomware and other malware on the Faspex servers of various companies.

IBM disclosed the vulnerability in late January and released a fix at the same time; the servers hit in the subsequent IceFire attacks were ones that had not yet applied it.

The GoAnywhere Vulnerability

GoAnywhere, owned by Fortra (previously HelpSystems), recently experienced a similar issue.

A vulnerability in the GoAnywhere MFT platform, tracked as CVE-2023-0669 (a pre-authentication deserialization flaw in the administrative console), was exploited by the Cl0p ransomware gang to breach the servers of GoAnywhere users and steal data. The group threatened to publish the sensitive data it had collected should its ransom demands not be met.

Media reports say around 130-plus organizations were affected, including Hitachi Energy, Saks Fifth Avenue, the City of Toronto, and Galderma, although some organizations could have been affected and aren’t yet aware.

Unlike IBM, which published its advisory openly, Fortra initially posted details of the GoAnywhere issue only behind the product’s login page, so it didn’t become public until security journalist Brian Krebs reported it on Feb. 2 after noticing the warning there.

Fortra’s initial workaround was a configuration change rather than a patch: administrators were told to find and remove the License Response Servlet and its servlet-mapping entry from the web.xml file of their GoAnywhere installation, and to audit their installations for unrecognized administrator accounts. Fortra also noted that exploitation requires access to the administrative console, which should never be reachable from the public internet. The company released a patched version five days later.

The MOVEit Vulnerability

The most recent of the three incidents is an SQL injection vulnerability in the MOVEit Transfer managed file transfer application (CVE-2023-34362). An unauthenticated attacker can use it to gain access to the MOVEit Transfer database, which can lead to escalated privileges and unauthorized access to the environment. The vulnerability affects both on-premises installations and MOVEit Cloud, and evidence of exploitation and data exfiltration has already been observed.

Progress Software, which acquired Ipswitch (MOVEit’s developer), asked users to immediately disable all HTTP and HTTPS traffic to their MOVEit Transfer environment after discovering the issue.

Progress has since released patches. All MOVEit users should apply them right away and proactively review their systems for indicators of unauthorized access, particularly over the past 90 days.

Immediate Software Update Required

While IBM, Fortra, and Progress released patches for these bugs in relatively short order, the GoAnywhere and MOVEit flaws were exploited as zero-days before any patch existed, and the Aspera flaw was exploited against servers that had not yet applied IBM’s fix. In every case, an intrusion can go on for months before being discovered.

“So you need to immediately update your software to the latest patch level to safeguard your systems,” explains The New Stack article we mentioned earlier. “That’s it, kids.”

Simple, right? But companies often take weeks (or even months) to get around to applying manual patches to software, if they do so at all. In the meantime, in situations such as this, their data is profoundly vulnerable.

Enhanced Security Controls

All MASV transfers are encrypted in-flight and at-rest and you can set custom passwords, download limits, and file expiry dates.

Why Self-Hosted File Transfer Won’t Solve Your Trust Issues

Some organizations who use large file transfer services prefer to house their transfer data on their own servers. This is usually for one of the following reasons:

  • Many mature media and entertainment (M&E) organizations have already invested in on-premises storage servers and see no business case for moving to the cloud when that investment is already sunk.
  • They have strict data sovereignty or other regulatory requirements.
  • They don’t trust their file transfer service to look after their data responsibly (fair enough, considering the number of data breaches out there).

The latter is a common sentiment among companies that feel more comfortable keeping their data on their own infrastructure. Unfortunately, self-hosting your data can provide only an illusion of security.

That’s because, by plugging software applications such as GoAnywhere or Aspera into your environment, you invite other people’s code into your infrastructure, and because a file transfer server has to accept connections from outside partners, that code is exposed to the internet. That makes the trust and security benefits of self-hosting essentially moot. A platform such as GoAnywhere doesn’t just store media files on your server, either: it also holds critical data such as authentication information and user records, which is exactly what an attacker with code execution on the box can read.

No problem, you might say…

…Security is a shared responsibility between yourself and your providers. You can just beef up your own security.

But adding security measures in front of the server, such as requiring a virtual private network (VPN), often slows file transfers noticeably.

As a result, many users of self-hosted file transfer solutions add no extra protections at all. They’re fully exposed and susceptible to a breach if (and when) vulnerabilities crop up. In effect, it is a software supply chain risk: the compromise arrives through code you obtained from a supplier.

If this all sounds bad, it gets worse

Any breach in a self-hosted file transfer setup will typically be far more expensive, stressful, and disruptive than it would have been otherwise.

Organizations using self-hosted file transfer who discover they’ve been breached have a couple of response options.

  1. They can shut down the system, giving the IT team time to patch the software while limiting the damage. But that’s hugely disruptive if you have hundreds of users, partners, and employees depending on it.
  2. They can try to patch the vulnerability on a live system, which brings its own problems. Before rolling out the update you must verify, test, and certify the patched software, all while the known-vulnerable version stays exposed. These updates are expensive and take time that small IT departments simply don’t have.

Neither of these options are particularly appetizing. The good news? They can usually be avoided altogether through a large file transfer service that houses your data for you.

Premium Cloud Security

MASV runs on premium and secure AWS cloud infrastructure.

The Advantages of Cloud-Hosted Large File Transfer

No company or individual is immune to vulnerabilities, cyberattacks, or data breaches. These potential problems can apply to any software.

The difference is that remedying a vulnerability within a cloud-hosted large file transfer service is usually much less painful and doesn’t include shutting everything down, or depending on users to first notice the issue and then manually patch their versions.

Instead, cloud-hosted large file transfer services that manage their own infrastructure — such as MASV — can patch any vulnerability within minutes for all of their users, with minimal to no disruption. All customers automatically receive the latest update without any effort on their end.

MASV and AWS: A More Secure File Transfer Solution


While MASV facilitates easy integrations to most major cloud storage platforms, our primary cloud service provider is AWS.

We’ll be straight up: If a similar breach happened at AWS, it would affect MASV customers.

A key difference, however, is that it’s much harder to breach AWS’s infrastructure than a random on-premises server. AWS hosts a great deal of sensitive data, including for the U.S. Department of Defense, and makes massive, ongoing security investments to protect its customers. Under the shared responsibility model, AWS secures that underlying infrastructure while MASV remains responsible for securing the application and data built on top of it.

We’re also most likely in a better position to protect your large file transfer data than an in-house IT team, who likely have a million more important things to do — and may not be experts on cloud security best practices, anyway.

At MASV, we are experts in cloud security, and built our software with a layered security methodology front and center:

1. Compliance & Certifications

Third-party security audits and certifications from leading organizations help to validate our security posture.

  • MASV is certified under ISO 27001, the international standard that specifies the requirements for an information security management system (ISMS).
  • We have also achieved SOC 2 Type II compliance under the American Institute of Certified Public Accountants (AICPA) framework. A SOC 2 Type II report attests that a service provider’s controls for storing and processing client data securely were designed appropriately and operated effectively over the audit period.
  • MASV is also a member of the Trusted Partner Network (TPN) vendor roster after undergoing a rigorous third-party security assessment to ensure compliance with TPN standards. We have recently graduated from Blue Shield status to Gold Shield status. TPN is a global film and television content protection initiative owned and managed by the Motion Picture Association (MPA).

Furthermore, we are compliant with the EU’s General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Software Supply Chain Security

MASV always maintains proper code protection through a strict change management process, no matter if we’re leveraging our own or third-party, open-source code. No MASV developer has the power to deploy code changes unilaterally, and every code change must follow a well-documented approval process involving senior-level developers. Additionally, all code changes are automatically reviewed for vulnerabilities and regressions.

3. Employee Safeguards

MASV uses a strict set of employee safeguards, including mandatory and regular security awareness training, least-privilege access controls, and endpoint monitoring.

4. Protecting Customer Data

MASV provides both internal and external guardrails to protect customer data. Internally, we deploy multiple safeguards to prevent access without proper authorization, such as least-privilege access combined with periodic access reviews and audits. All elevated internal access requests generate automated alerts and require a mandatory justification.

Our global cloud infrastructure is built on AWS and includes built-in enforcements to prevent deploying publicly open resources, such as leaky S3 buckets. And, just in case, our external monitoring ensures these enforcements are never disabled.
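The kind of check that enforcement and monitoring rely on can be run offline against the configuration AWS exposes through its API. The following is an added example written for this article, not MASV’s own tooling: it evaluates a bucket’s Block Public Access flags and its bucket policy for statements that grant access to the anonymous principal, treating a wildcard principal that is scoped by an organization or VPC condition as non-public. The bucket name, organization ID, and policy documents are constructed for the example.

```python
"""Offline check for publicly exposed S3 configuration (illustrative example).

Evaluates two things the S3 API returns for a bucket (no network calls here;
all inputs below are constructed):
  * the PublicAccessBlockConfiguration: all four flags should be True
  * the bucket policy: any Allow statement whose principal is anonymous ("*")
    and that is not scoped by an org/VPC/account condition is public
"""
import json

REQUIRED_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls",
    "BlockPublicPolicy", "RestrictPublicBuckets",
)
# Condition keys that bind a wildcard principal to a known boundary. A
# statement carrying one of these is not world-readable even though
# Principal is "*".
SCOPING_CONDITION_KEYS = {
    "aws:PrincipalOrgID", "aws:PrincipalAccount",
    "aws:SourceVpce", "aws:SourceVpc",
}


def _is_anonymous_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _condition_keys(condition) -> set:
    """Collect every condition key across all operators of a statement."""
    keys = set()
    for operator_block in (condition or {}).values():
        keys.update(operator_block.keys())
    return keys


def public_statements(policy_json: str) -> list:
    """Return the Sid (or index) of every statement granting anonymous access."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if _condition_keys(stmt.get("Condition")) & SCOPING_CONDITION_KEYS:
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def block_public_access_gaps(config: dict) -> list:
    """Return the Block Public Access flags that are missing or False."""
    return [flag for flag in REQUIRED_BLOCK_FLAGS if not config.get(flag, False)]


def assess_bucket(name: str, pab_config: dict, policy_json: str) -> dict:
    """Summarise a bucket: is it effectively public, and why."""
    gaps = block_public_access_gaps(pab_config)
    leaks = public_statements(policy_json)
    # RestrictPublicBuckets neutralises an existing public policy;
    # BlockPublicPolicy only prevents a new one from being attached.
    effectively_public = bool(leaks) and "RestrictPublicBuckets" in gaps
    return {"bucket": name, "public": effectively_public,
            "block_gaps": gaps, "public_statements": leaks}


# Constructed sample inputs (not real buckets or policies).
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowPublicRead", "Effect": "Allow",
                   "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-transfers/*"}]})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OrgOnlyRead", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-transfers/*",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]})
HARDENED_PAB = {flag: True for flag in REQUIRED_BLOCK_FLAGS}
DISABLED_PAB = {flag: False for flag in REQUIRED_BLOCK_FLAGS}

if __name__ == "__main__":
    for name, pab, policy in (("leaky", DISABLED_PAB, LEAKY_POLICY),
                              ("hardened", HARDENED_PAB, LEAKY_POLICY),
                              ("scoped", DISABLED_PAB, SCOPED_POLICY)):
        print(assess_bucket(name, pab, policy))
```

In a real account the two inputs come from the S3 API (boto3’s `get_public_access_block` and `get_bucket_policy`); running the check on a schedule, and alerting when a previously hardened bucket starts reporting gaps, is the “external monitoring” the paragraph refers to, because it catches the enforcement being switched off rather than trusting that it stays on.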

At the product level we provide multiple security controls that allow our customers to further protect their data from unauthorized access, like automatic file transfer expiry, access limits, and user access controls such as password protection and Single Sign-On (SSO). MASV supports SSO with SAML-based authentication, which strengthens your security posture by reducing the number of separate credentials your users must create and remember. After all, every additional password is another target for phishing, reuse, and credential stuffing; with SSO, authentication policy, MFA enforcement, and account revocation are handled centrally by your identity provider.

MASV also supports multi-factor authentication (MFA) using time-based one-time password (TOTP) authenticator apps such as Authy and Google Authenticator. We will soon expand our MFA options to include hardware security key logins.

MFA guards against account takeover attacks by requiring a second proof of identity beyond a login and password, so a stolen or phished password alone is not enough to log in.
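To make concrete what an authenticator app and the verifying server actually compute, here is the RFC 4226 HOTP / RFC 6238 TOTP algorithm in Python, added as an illustration for this article (it is not MASV’s code). The seed is the test key published in those RFCs; the `verify_totp` function, with its clock-skew window and replay rejection, is an assumed server-side design rather than anything the page describes.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, the algorithm behind authenticator apps.

Illustrative example: `totp` is what the app on the phone computes from the
shared seed and the clock; `verify_totp` is what a service should do with the
submitted code (tolerate a little clock skew, compare in constant time, and
never accept the same code twice).
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter derived from the current time window."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter=None, window: int = 1, step: int = 30,
                digits: int = 6):
    """Accept a code from the current window or up to `window` steps either side.

    Returns (ok, counter). `last_counter` is the window of the last accepted
    code; any candidate <= last_counter is rejected, so a code captured by a
    phishing page cannot be replayed while it is still within its lifetime.
    """
    current = int(unix_time) // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True, candidate
    return False, last_counter


# Test seed from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"); a real
# deployment generates a random per-user seed and shares it via the QR code.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    now = 59                       # RFC 6238 test time
    code = totp(RFC_SEED, now)     # what the authenticator app would display
    ok, used = verify_totp(RFC_SEED, code, now)
    print(code, ok, used)          # first use: accepted
    ok_again, _ = verify_totp(RFC_SEED, code, now + 5, last_counter=used)
    print(ok_again)                # same code again: rejected as a replay
```

The replay check is the part most home-grown implementations omit: without it, a one-time code is really a thirty-second password, which is exactly the window a real-time phishing proxy relies on. Hardware security keys, mentioned above, close that gap entirely because the response is bound to the origin rather than being a code the user can be tricked into retyping.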

Self-Hosted File Transfer: The Reality

The cold, hard reality of self-hosted file transfer is that it isn’t as secure as it may seem.

That’s because self-hosted servers are only as secure as the applications running on them. And by plugging software applications like file transfer apps into your system, you’re automatically inviting third-party code (and risk) into your infrastructure.

Should a major vulnerability surface, you’re on your own to first notice the issue, find a patch, and then manually patch and update your version (usually while having to shut down the system in the meantime).

Cloud-hosted file transfer solutions such as MASV, on the other hand, don’t have these issues. Although no one is totally immune to cyber security issues, cloud-hosted services manage their own infrastructure and can patch vulnerabilities for all users in a matter of minutes, with next to no disruption.

Sign up for MASV today and give our secure and compliant large file transfer a test drive.

MASV File Transfer

Get 20 GB free to use with the fastest, most secure large file transfer service available today, MASV.