We’ve been talking about the dangers of so-called free or do-it-yourself file transfers for a long while now. Not the kind of one-off transfers that every organization encounters from time to time, but business-critical file transfers of the kind that must be done on time, securely, and often within the boundaries of industry standards or government regulations. The files involved contain sensitive information. Usually that information includes things like financial and account data, personally identifiable information, protected health information, intellectual property, customer profiles and the like. When these files don’t get delivered to the right destination, or are late in arriving, business processes get disrupted or worse. When the files are mishandled, data breaches can occur.
In our experience these file transfer mishaps take place because someone didn’t appreciate the importance of reliable and secure managed file transfer and thought they could cobble together a “free” solution with some open-source tools and a little ingenuity. But free can be mighty expensive. What’s more, the risks of relying on someone in-house to build, manage, and operate a home-baked file transfer solution can easily become a DIY horror story (we’ve seen it). Besides, if you hire someone for one job, why would you ask them to do something important that isn’t in their area of expertise? It typically costs more in the long run.
A Malicious Campaign
If you run a roll-your-own file transfer solution, or were considering taking that route, the risks just got a little steeper. The Hacker News recently reported on a clever scheme by a ransomware group to distribute malware payloads through digital ads for the open-source WinSCP file transfer application.
According to the article, threat actors known to use BlackCat ransomware have been cloning and weaponizing banner ads from legitimate organizations as a means to trick users into downloading malicious code that establishes a back door.
“The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a Cobalt Strike Beacon that connects to a remote server for follow-on operations, while also employing legitimate tools like AdFind to facilitate network discovery.
“The access afforded by Cobalt Strike is further abused to download a number of programs to conduct reconnaissance, enumeration (PowerView), lateral movement (PsExec), bypass antivirus software (KillAV BAT), and exfiltrate customer data (PuTTY Secure Copy client). Also observed is the use of the Terminator defense evasion tool to tamper with security software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.”
Game, Set, Match
The implications of this attack campaign are serious. It means that someone who might have been tasked with building a cheap in-house file transfer solution could well have been tricked by an SEO campaign into inadvertently installing malware that gave threat actors access to your network and thus put your systems and data at grave risk. In fact, the article cites one incident in which the attackers were able to use their ill-gotten access to steal administrative privileges to an organization’s network. Once that happens, it is game-set-match for the hackers. They can wreak havoc before anyone figures out something is wrong.
The bottom line is: free solutions are good, until they are not. And it never ceases to amaze me the risks that people are willing to incur to cut corners or costs. Rather than spend a reasonable amount of money on a reputable commercial software product (including product updates, and technical and customer support), they’ll take their chances with something untested. And they do it knowing that the data they’re sending via that shareware is important to their viability as a business and to their customers, partners, employees, and more.
Don’t Go It Alone
Yes, Coviant Software would love it if you were to select our reliable, proven, and award-winning Diplomat MFT secure managed file transfer software. Lots of others have. But we’d love it almost as much if you were to ditch your plans to do it yourself and went with another MFT vendor. You probably wouldn’t get Diplomat MFT’s excellent value, and you might not get Coviant Software’s industry-best service and support, but you’d be a lot better off with a commercial product in the long run.
So, before you download bogus WinSCP, why not give Diplomat MFT a try for free? You can test us against your needs, have access to customer support, and know exactly what you are getting and for what price before you buy. And when you do, you’ll be joining the ranks of some of the most trusted companies in their respective industries who rely on us for their most important file transfers.