Software manufacturers failed to notify customers of product vulnerabilities in a timely manner, and more than 100 institutions around the world were hacked

Similar to the SolarWinds incident, the Accellion breach also sounded the alarm over supply chain vulnerabilities.


Reserve Bank of New Zealand Governor Adrian Orr said Accellion did not report it immediately after the hack.

The recent large-scale cyberattack by the cybercriminal organization FIN11 on the File Transfer Appliance (FTA) product, owned by the American software company Accellion, has led to sensitive data leaks at nearly 100 government and enterprise institutions, including the Washington State Audit Office, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, and the Singapore telecom giant Singtel. The incident once again raised concerns among security experts about supply chain attacks, and the convoluted response process also revealed how difficult it is in practice to defend against supply chain attacks in a timely manner.

A number of affected customers have disclosed their own timelines for the attack, disputing Accellion’s claim that the software patch was released in time. Some security experts noted that Jones Day, a law firm that handles sensitive information for its clients, has confirmed that it was affected. In other words, even organizations that have never used Accellion’s software products could be affected by this incident.

Anthony J. Ferrante, head of cybersecurity at FTI Consulting, said the real effects are likely to trigger mixed reactions among victims, culminating in a wave of accusatory, blaming court battles. Ferrante, who has served as an expert witness in such corporate lawsuits on several occasions, believes that “everything is just the beginning, and there will be an inevitable war of words.”


Convoluted Vulnerability Response Timeline

The California-based company Accellion mentioned in a blog post on January 12 that they first discovered a security vulnerability in the File Transfer Appliance (FTA) software in mid-December last year (2020). This software has been around for 20 years and is designed for sharing large documents. Accellion said, “The vulnerability has been officially fixed and a patch package has been released to nearly 50 affected customers within 72 hours.”

In an update released on February 1 this year, Accellion emphasized that they had notified “all FTA customers” of the vulnerability on December 23 last year.

Accellion also mentioned that “the incident began with a wave of organized attacks on Accellion FTA products that continued into January 2021.”

But some customers affected by the attack gave a completely different account of the timeline.

The Washington State Audit Office reported that attackers may have accessed the personal data of more than 1 million unemployment claimants through the FTA tool. In a February 1 press release, the Audit Office stated that “the actual reporting time of the incident was January 12.”

Audit Office spokeswoman Kathleen Cooper stressed in a statement that Accellion would only disclose further relevant information “in the next few weeks”, and that the Audit Office had itself reached the conclusion above.

The Reserve Bank of New Zealand, the country’s central bank, reported that some documents were stolen in this round of attacks. On its website dedicated to the breach, the bank noted that although Accellion released a software patch on December 20 last year, it did not immediately alert customers’ security teams to install it.

Reserve Bank of New Zealand Governor Adrian Orr said in a statement on February 9, “Accellion did not promptly notify customers around the world of the potential impact of the attack within five days, nor did it highlight that patches existed to prevent event impact.”

A spokesman for the bank declined to comment further as investigations continued.

Singtel, a major corporation, reported that the breach lasted for several weeks, and hackers managed to steal a large amount of data, including information from 129,000 individual customers and 23 businesses (including suppliers and corporate customers).

On Wednesday, Singtel said it had installed a series of patches for the Accellion software by December 27. But on January 23 this year, “Accellion urgently notified us that a new vulnerability had been discovered, so the patch installed the previous December could not provide protection.” After attempting a further software update, Singtel’s system raised an “anomaly alert”, which ultimately confirmed that the security breach had in fact occurred.


A Vulnerability Is Exposed and the Product Is Retired: How to Ensure Business Continuity for Legacy Products?

A spokesperson for Accellion said in a statement that they are working with external investigators to assess the initial hacking campaign and newly discovered vulnerabilities. The company also emphasized that they will help customers replace their legacy FTA software with Kiteworks, a relatively new product, by April 30, and will no longer offer FTA renewal licenses after that.

Security experts note that abruptly retiring an old tool in this way often means the software vendor had already quietly stopped investing in updates.

Accellion said on February 1 that it had been encouraging customers to switch to Kiteworks for the past three years, claiming that the new tool has “the latest security architecture and a rigorous security development process.” But Singtel said on its breach disclosure website that, as mentioned above, Accellion did not explicitly announce the “termination” date for FTA until January 28 this year.

An Accellion spokesman declined to comment on the customers’ remarks and did not respond to questions about the formal termination of FTA. The company only said, “We will share more information after the evaluation is complete.”

Security experts say the revelations have angered the security industry, coming after last year’s hack of Texas-based software vendor SolarWinds, which affected at least nine federal government agencies and more than 100 private companies.

Sachin Bansal, general counsel at SecurityScorecard Ltd., a cybersecurity vendor that provides enterprise security posture assessments, said the attack on Accellion was “a miniature version of the SolarWinds incident.”

Scott Crawford, director of information security research at 451 Research, S&P’s global market intelligence unit, believes that management and security teams should coordinate software upgrade schedules to avoid business disruption and minimize risk.

Crawford concludes, “Today, businesses are already highly dependent on third-party suppliers. Without immediate attention, there are bound to be more troubles in the future.”
