For much of 2021, the eyes of the cybersecurity community have been focused on SolarWinds and the astonishing state-backed campaign that is still unfolding in front of us. But arguably just as important is a campaign that targeted little-known US software company Accellion and its customers over December and January.
This is a story that’s still running. But even what we know about it so far provides a useful reminder of the importance of prompt patching, and the risks associated with running legacy software.
Ground Zero: FTA
Accellion is a Palo Alto-based provider of file sharing and collaboration tools. One of these tools, File Transfer Appliance (FTA), is a decades-old solution used by a relatively small number of global organizations. At the start of the year, it emerged that attackers had compromised data from the New Zealand Central Bank in December 2020 after exploiting a zero day vulnerability in FTA for which a patch had recently been made available.
Soon after, a growing list of other organizations started reporting similar incidents. These included:
- The Office of the Washington State Auditor (SAO), a department of Washington's state government
- Jones Day, a major US law firm which has represented former President Donald Trump (although the firm has countered claims its network was breached)
- Retail chain Kroger, which admitted customer and employee data may have been taken
- Australian financial regulator ASICS
- Australian state agency Transport for New South Wales
- Security vendor Qualys
- Canadian aircraft maker Bombardier
- Telco giant Singtel, which noted that the two patches issued for Accellion products in December didn’t stop a further January attack in which it was breached
In many of these cases, some stolen data then began to appear on an extortion site. Such tactics have become commonplace among ransomware gangs, although there appears to have been no such use of ransomware in these attacks.According to Accellion, fewer than 100 of its 300 FTA customers were affected by the attacks and, of these, fewer than 25 “appeared to have suffered significant data theft.” But for the organizations, partners, customers and employees affected, that’s still 25 too many.
The Link to FIN11
A February analysis by cyber-forensics specialist Mandiant shed new light on the case. It claimed to have found links between the attack group, known by codename UNC2546, and well-known cybercrime group FIN11, notably:
- FIN11 has previously published stolen victim data from CLOP ransomware attacks on the same .onion site that victim data from the Accellion attacks was posted to.
- Many of the organizations compromised by UNC2546 were previously targeted by FIN11.
- Some of the attack infrastructure used by UNC2546 (an IP address associated with a webshell) was used in the past by FIN11.
Tracking the subsequent extortion activity as UNC2582, Mandian said this group also had overlaps with FIN11, in terms of its attack infrastructure. Threat activity also seems to have peaked just as FIN11 underwent a hiatus.
What We Can Learn
Details are still emerging about this case, but what we know so far already tells us a great deal about the cyber risks facing businesses today from legacy software, and the problems many have even if their approach to patch management is virtually faultless.
First of all, we can say that patching is a major challenge for many companies. Some of those affected in this campaign didn’t apply critical updates to their FTA software in time, leading to compromise. The problem is only going to get worse, with a record 18,000 CVEs recorded last year. According to one security firm, over half (57%) were classified as “critical’ or “high risk” and 63% were classed as “low complexity,” meaning an attacker with low technical skills could exploit them. Even worse, 68% required no user interaction to exploit, making them doubly dangerous. Even when patches are applied promptly, zero-day vulnerabilities can catch firms out, as it means attackers have found weaknesses in software before the vendor can develop a fix. This is what happened to Singtel.
Another factor is that, increasingly, patches are being rushed out by some vendors without due care, making it easy for attackers to craft follow-on zero-day exploits. Google warned recently that a quarter of zero-day exploits could have been avoided if more thorough patching and investigation took place. In some cases, miscommunication can expose customer businesses. The central bank of New Zealand claims it wasn’t told about a critical patch in time.
Legacy software is also prone to containing vulnerabilities. Mandiant said it found two more vulnerabilities in FTA during its investigation, although these weren’t exploited by attackers.
What To Do
We often talk about digital transformation expanding the corporate attack surface. But in reality there’s also plenty of risk involved in running decades-old software. So what should organizations’ next steps be? Here are a few ideas:
- Conduct a major asset/inventory management project to understand what IT assets you have and the software (and versions) running on it. You can’t protect what you can’t see.
- Deploy effective risk-based patch management tools to prioritize and automate security updates. In such a set-up, fixes for zero-day vulnerabilities will be put to the top of the queue.
- To protect legacy software and systems from known and unknown threats, consider virtual patching. This will keep them safe until you can migrate to newer, more secure platforms.
- Conduct a full risk assessment of your IT supply chain to understand where legacy solutions exist, and where vendor patching programs may be deficient.
Accellion has been encouraging its FTA customers to upgrade to newer, more secure products for years. It finally announced plans to retire FTA from the end of April, which should put an end to attacks targeting the platform. But there are many more such legacy products still being used which could expose organizations in a similar manner. It’s time to acknowledge the potential criticality of such risks.