U.S.-based cloud solutions company Accellion will soon retire FTA, its legacy enterprise file-sharing solution, vulnerabilities in which have recently been exploited by attackers to breach a variety of organizations, including the Australian Securities and Investments Commission, the Washington State Auditor Office, and Singapore telecom Singtel.
What is Accellion FTA?
Accellion FTA (File Transfer Appliance) is a file-sharing product that allows organizations to “transfer large and sensitive files securely using a 100% private cloud, on-premise or hosted.”
It is also a 20-year-old solution, and Accellion has been pushing its customers towards its newer and more secure platform for several years now.
Unfortunately, it’s not unusual for organizations to stick with technology and solutions that work, right up until something major forces them to make a switch.
This time, the push will come from the discovery and active exploitation of several security vulnerabilities, as well as the company’s decision to retire FTA on April 30, 2021, and not to renew organizations’ licenses for it.
Accellion said in early January that, in mid-December, it was made aware of a zero-day vulnerability in its FTA software, and that it “resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.”
Then, on February 1, the company said that the software had been targeted by cyber attackers, and that the initial incident it was notified of in December was the beginning of a “concerted cyberattack” on the product that continued into January 2021.
“Accellion identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability,” the company noted, and added that they have “added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.”
“In regard to this incident, Accellion is contracting with an industry-leading cybersecurity forensics firm to conduct a compromise assessment and will share their findings when available,” they concluded.
Various organizations have been breached through bugs in Accellion FTA
Since mid-December, several organizations have confirmed that attackers exploited vulnerabilities in FTA to get their hands on sensitive files that each organization had shared through it (whether among employees or with external partners).
New Zealand’s central bank, for example, notified the public in early January that “a third party file sharing service used by the Bank to share and store some sensitive information has been illegally accessed.”
On Tuesday (February 9), the Bank’s Governor said that they “had no warning to avoid the attack which began in mid-December. Accellion failed to notify the Bank for five days that an attack was occurring against its customers around the world, and that a patch was available that would have prevented this breach.”
“For security reasons, we can’t provide specific details about the number of files downloaded, or information they contain. We have been in regular communication with all organizations who have had files illegally downloaded,” he also shared.
“As a priority, we have engaged with the organizations whose files contained sensitive information, to support them and assist in managing the impact on their customers and staff.”
The breach was apparently limited to this stand-alone system and the Bank’s core functions were unaffected.
The Australian Securities and Investments Commission suffered a similarly limited impact. The Office of the Washington State Auditor said that attackers were able to access audit records stored temporarily in Accellion’s system during the file transfer process.
The University of Colorado shared that they are “one of some 300 Accellion customers that were affected by the attack” and that they believed “personally identifiable information from students, employees and others may have been compromised.”
Singtel said that they still don’t know what information was compromised in the breach of its stand-alone FTA system, but offered more insight into Accellion’s issuing of patches.
“After Accellion first informed us of the vulnerability on 23 December, we had in a timely manner, made a series of patches they provided to plug the vulnerability – the first patch was applied on 24 December and the second and last patch was applied on 27 December. There were no patches issued by Accellion since,” the company explained.
“On 23 January, Accellion issued another advisory citing a new vulnerability which the 27 December patch was not effective against and we immediately took the system offline. On 30 January, Accellion provided another patch for the new vulnerability which triggered an anomaly alert when we tried to apply it. Accellion informed thereafter that our system could have been breached and this had likely occurred on 20 January. We continued to keep the system offline and activated cyber and criminal investigations which has confirmed the 20 January date. Given the complexity of the investigations, it was only confirmed on 9 February that files were taken.”