File transfers (uploads and downloads) are vital to organizations and their employees' productivity. File uploads are essential to expense management platforms, content management systems (CMS), instant messaging, and collaboration applications and services. Employees frequently send files to teammates, customers and partners, and the transfer is typically assumed to be safe. However, since the COVID-19 pandemic moved employees to remote workspaces, it has become critical to reduce the attack surface available to malicious actors by applying precise controls to an organization's file transfers.
Cyberthreats involving malware begin with the delivery of malicious code to the victim. Organizations generally spend a great deal of money on security solutions designed to stop external threats. However, insider threats should not be left unaddressed either, since we tend to grant greater trust to the people we communicate with every day in the workplace.
In this blog, we evaluate how file transfer security and application allowlisting can diminish both external and insider threats. We look more closely at the file transfer security risks and threats that organizations face every day. Our goal is to explain the features of Palo Alto Networks Next-Generation Firewall App-ID that help defend against file transfer threats and protect enterprises from external attacks and internal leaks. In the following sections, we discuss the risk factors, file upload threats and network traffic visibility via App-ID technology.
When file transfers are allowed on an enterprise network, the risks include attacks on infrastructure, users, data and service availability. A file upload vulnerability can have a severe impact because it can lead to code execution on the server or on the client. An uploaded file can also be used to exploit other vulnerable components of an application, or to trigger vulnerabilities in defective libraries that process the file once it resides on the same machine. Files uploaded by threat actors could contain the following:
- Command and control (C2) server information.
- Directions for harassment or violence.
- Steganographic materials.
Another significant risk is file sharing on storage servers, which are often targeted for abuse or misuse. They might host harmful files containing illegal software, malware or adult content. Firefox Send was one such file-sharing web service. It was shut down a little over a year after its public launch because threat actors were using the platform to spread malware and run spear phishing attacks.
At the same time, the cost of malicious insider attacks grows every year. Regulations such as HIPAA, GDPR and the PCI Data Security Standard hold businesses to stringent requirements whenever regulated data is involved.
The primary problem with data transfers is that most data is now located outside the enterprise (e.g., in the cloud). Where organizations do not set up proper protection boundaries, policies and controls on the movement of data to and from the cloud, the result can be excessive unauthorized transfers, and malicious or careless insiders can pose serious risks through unapproved file transfers. Without traffic visibility into these transfers, insider threats can lead to data loss or breaches. To reduce the risk of data theft and data loss, businesses should allow only relevant and limited transfers and use data loss prevention to check for unnecessary data transfers.
Applications with file transfer capability are used every day, and file uploads are becoming an essential part of almost any application. Such applications should filter out bogus and malicious files to keep themselves and their users safe. Best practices for secure file transfers include:
- Always verify the file type from the file's content (e.g., its leading signature bytes) rather than trusting the Content-Type header, which attackers can spoof.
- Enforce file name length and file size limits, and rename the file when storing it on the server.
- Only allow extensions that are required for business functionality. If files must be publicly retrievable, use a handler mapping inside the application that resolves an opaque ID to the stored filename, rather than exposing the filename directly.
- We also recommend running uploaded files through a sandbox or antivirus.
However, due to the nature of some applications – for instance, file hosting or cloud storage applications – some of these practices may not be applicable. Additionally, some applications can be targeted by file upload threats due to the development team's lack of security knowledge.
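The practices above, put together in Python as an added example (not code from the post): the file type is decided by the leading signature bytes and the Content-Type header is deliberately ignored, name length and size are bounded, only allowlisted extensions pass, and the file is stored under a random name that clients reach only through an opaque ID. The allowlist, the limits, the in-memory store and the sample bytes are all assumptions constructed for this example.

```python
"""Hardened upload validation (added example, not from the post)."""
import os
import secrets
import uuid

# Allowed extension -> accepted leading bytes (file signatures).
# Assumed allowlist for this example; keep it to what the business needs.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_NAME_LEN = 64             # assumed limit
MAX_SIZE = 1 * 1024 * 1024    # assumed limit: 1 MiB

# Assumed in-memory handler map: opaque public ID -> record. A real
# deployment would use a database and a directory outside the web root.
STORE = {}


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails a check."""


def sniff_type(data):
    """Return the allowlisted type whose signature the content starts with, or None."""
    for ext, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_upload(filename, data, content_type):
    """Validate an upload and register it; return the opaque ID and stored name.

    content_type is accepted only to make the point explicit: it is
    client-controlled and is never consulted.
    """
    # Name length and size limits come first, before any parsing of content.
    if not filename or len(filename) > MAX_NAME_LEN:
        raise UploadRejected("file name missing or too long")
    if len(data) == 0 or len(data) > MAX_SIZE:
        raise UploadRejected("empty or oversized upload")

    # Strip any path component the client sent, then apply the extension allowlist.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # Verify the content itself: the signature must match the declared extension.
    sniffed = sniff_type(data)
    if sniffed is None or ALLOWED_SIGNATURES[sniffed] != ALLOWED_SIGNATURES[ext]:
        raise UploadRejected("content does not match declared extension")

    # Rename on the server and expose only an opaque ID to clients.
    stored_name = secrets.token_hex(16) + "." + sniffed
    file_id = str(uuid.uuid4())
    STORE[file_id] = {"stored_name": stored_name, "original_name": base}
    return {"id": file_id, "stored_name": stored_name}


def lookup(file_id):
    """Handler mapping: resolve a public ID to the server-side filename (or None)."""
    record = STORE.get(file_id)
    return record["stored_name"] if record else None


def attempt(filename, data, content_type):
    """Run one upload through validation and report the outcome as a string."""
    try:
        validate_upload(filename, data, content_type)
        return "accepted"
    except UploadRejected as err:
        return f"rejected: {err}"


# Constructed sample inputs (not real files and not real malware).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_LOOKALIKE = b"<?php /* constructed, inert placeholder */ ?>"

if __name__ == "__main__":
    print(attempt("photo.png", PNG_SAMPLE, "image/png"))
    print(attempt("shell.png", PHP_LOOKALIKE, "image/png"))   # spoofed header and extension
    print(attempt("shell.php", PHP_LOOKALIKE, "application/octet-stream"))
    print(attempt("../../shell.php.png", PNG_SAMPLE, "text/html"))
```

The second call is the case the first bullet warns about: both the extension and the Content-Type claim a PNG, and only the signature check catches it. The last call shows why renaming matters: the double extension and the path prefix never reach disk, because the stored name is random and the original name lives only in the ID map.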
Uploaded files are a critical risk for enterprise networks. In most incidents, attackers first need to get malicious code onto the system, and then need to engineer a way to get that code executed. File upload vulnerabilities give attackers a way to deliver such a file. File upload threats can be grouped as follows:
- Exploiting vulnerabilities in the file parser through arbitrary file upload in the file submission component, typically caused by input that is not validated or sanitized. CVE-2021-24144, CVE-2021-24142 and CVE-2021-25277 are three examples of this type.
- Incorrect Content-Type validation, as seen in CVE-2017-5638.
- Incorrect exception handling and catastrophic regex backtracking (ReDoS). CVE-2021-25292 is an example of a backtracking regex vulnerability.
Client- and server-side attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS) and server-side request forgery (SSRF) are other types of file transfer threats. Examples of client- and server-side attacks include:
- CVE-2020-24984 and CVE-2020-36283 for CSRF.
- CVE-2020-29071 and CVE-2020-35852 for XSS.
- CVE-2020-11451 for SSRF.
Attacks like these can compromise other users or disclose sensitive information (e.g., proprietary, copyrighted or personal data) if uploaded files are publicly retrievable. They can also overwrite existing files on the system. Most of these attacks use the upload component to submit a file with an arbitrary extension and arbitrary content that exploits a vulnerability.
It should be noted that at the network security level we have only limited ability to control and validate user content. The best approach is therefore a defense-in-depth strategy that provides better visibility into upload activity. Defense in depth builds multiple layers of protection around assets to reduce the effect of a successful exploit. It spans policies, operations, human factors, and legal and technical controls, implemented according to best practice. If one layer fails, is taken down or proves inadequate, another layer can prevent a complete breach.
Network traffic visibility is the starting point of security. Palo Alto Networks App-ID technology provides a foundation for reducing the attack surface through comprehensive application and protocol visibility. Using App-ID's application and network protocol identification, organizations can allowlist, block or control applications with file transfer characteristics by configuring policies. App-ID running on the Palo Alto Networks Next-Generation Firewall gives users extensive visibility into file transfer applications. Currently, App-ID covers more than 352 file-sharing/hosting applications and over 211 applications with file transfer functionality, such as in-app upload and download features.
The App-ID team's process for identifying apps with file transfer capabilities includes, but is not limited to, confirming that the application has file transfer features. Every app is checked for whether it allows file types that are well known to be misused for malicious purposes, such as VBScript files. Palo Alto Networks Next-Generation Firewall can also detect and analyze hundreds of file types with or without extensions. Additionally, for all applications identified as transferring files, PAN-OS forwarding can intercept the files from firewall traffic and automatically send them to WildFire for further analysis.
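As an added example, not configuration taken from the post, this is what the allowlisting described above looks like in PAN-OS CLI set-command form: one security rule permits only the sanctioned file-sharing App-IDs and attaches a file blocking profile plus a WildFire analysis profile, and a second rule logs and denies every other file-sharing application. The zone names (trust, untrust), the rule, profile and filter names, and the choice of Dropbox and Box as the sanctioned applications are assumptions; confirm the application-filter keywords, the file-type names and the profile keywords against the PAN-OS reference for your release before using it.

```panos
configure
set application-filter file-sharing-apps subcategory file-sharing
set profiles file-blocking block-risky-types rules block-executables application any file-type [ exe dll ] direction both action block
set profiles wildfire-analysis forward-all-files rules all-files application any file-type any direction both analysis public-cloud
set rulebase security rules allow-sanctioned-file-sharing from trust to untrust source any destination any application [ dropbox boxnet ] service application-default action allow profile-setting profiles file-blocking block-risky-types wildfire-analysis forward-all-files log-end yes
set rulebase security rules deny-other-file-sharing from trust to untrust source any destination any application file-sharing-apps service any action deny log-end yes
commit
```

The weak version of this policy is a single rule with `application any ... action allow`, which gives the firewall nothing to allowlist against and leaves file transfers indistinguishable from the rest of the traffic. Rule order matters: the allow rule must precede the deny rule, and the file blocking profile should be extended with the script file types (VBScript among them) that the App-ID team checks for, using the file-type names your PAN-OS release exposes.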
Most businesses rely on file transfers within their organization, and visibility into those transfers is the key to avoiding data breaches. Palo Alto Networks Next-Generation Firewall App-ID provides in-depth application allowlisting for the organization's network. It helps organizations monitor and control application behavior to guard the business against intruders and insider threats.
Palo Alto Networks customers are protected from the threats described above by the following:
- Next-Generation Firewalls with App-ID grant granular control and provide in-depth visibility and protection at the level of individual applications and protocols.
- Next-Generation Firewalls with a Threat Prevention security subscription can block these attacks via Threat Prevention signatures when configured according to best practices, and a WildFire security subscription can stop the malware with static signature detections.