2 More Breaches Tied to Accellion File Transfer ApplianceLatest Victims: Telecom Company Singtel and Australian Medical Research Institute QIMR Berghofer
Two more breaches have been tied to the vulnerable 20-year-old Accellion File Transfer Appliance. The latest victims are Singapore telecom company Singtel and Australian medical research institute QIMR Berghofer.
Singtel reports that it's working closely with the Cyber Security Agency of Singapore after a breach of its Accellion FTA system, which it uses to share information internally and externally.
In a blog post on Thursday, Singtel said it was informed by Accellion that FTA had been attacked by unidentified hackers.
"We are currently conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed. Customer information may have been compromised," Singtel says.
The telcom company says the core operations of the company were not affected by the FTA breach. Singtel has suspended use of FTA while it continues its investigation.
Meanwhile, on Friday, the QIMR Berghofer Medical Research Institute in Brisbane, Australia, reported that data it stored in Accellion's FTA had been accessed. It says it discovered the breach on Feb. 2 despite having patched the FTA system on Jan. 4.
QIMR Berghofer says about 4% of the data held in its Accellion system, including data related to clinical trials of anti-malaria drugs, was stolen, but not personally identifiable data.
String of Breaches
Accellion made an end-of-life announcement for its 20-year-old legacy FTA software effective April 30, 2021, having previously announced end-of-life on Nov. 30, 2020, for its CentOS 6 product, seeking to transition customers to what it describes as its "modern and more secure platform, Kiteworks," which it launched four years ago. But in the dying days of FTA, attackers have been taking advantage of vulnerabilities.
In February, the Washington state auditor said that a data breach exploiting an FTA vulnerability exposed 1.4 million unemployment claimants’ records (see: Washington State Breach Tied to Accellion Vulnerability).
In January, the Reserve Bank of New Zealand disclosed that hackers had infiltrated its network after compromising FTA. The nation’s central bank acknowledged that the attack may have exposed commercial and consumer information (see: Reserve Bank of New Zealand Investigates Data Breach).
Also in January, the Australian Securities and Investments Commission revealed a breach involving FTA (see: Australian Financial Regulator Hit by Data Breach).
On Thursday, Accellion released a statement saying that it had been made aware in mid-December of what it termed a “P0” vulnerability in FTA. It indicated that it had released a patch for the flaw to the fewer than 50 customers affected.
But the Washington state auditor's office claimed it never received notification of a patch before its FTA installation was breached.
FTA Still in Wide Use
Accellion, a privately held company based in Palo Alto, California, developed FTA as a secure way to overcome limits imposed on the size of email attachments. Recipients get links to files hosted on the FTA, which can then be downloaded.
Chloé Messdaghi, chief strategist at Point3 Security, notes that many organizations in the financial, government and commercial sectors still use FTA to transfer large files, despite Accellion’s offering of newer and more secure file-sharing solutions.
"That’s problematic - it’s the kind of decision that puts companies at sharply increased risk," Messdaghi says. "The fact is that breaches are going to happen and possibly through a third party. The takeaway is that when a company pushes out security updates and urges their customers to adopt them, companies then need to take that advice and implement them. Like patches, product upgrades are crucial to sustaining a strong security posture.”
Concerns about third-party software and supply chain vulnerability have been in the spotlight over the past two months as a result of the investigation in the SolarWinds supply chain attack (see: SolarWinds Hackers Cast a Wide Net).
Saryu Nayyar, CEO at security firm Gurucul, says organizations that fail to promptly patch systems face serious risks.
"Attackers know there is usually a limited time between an exploit being released and a defense going in place, so they tend to move quickly," Nayyar notes. "That means cybersecurity needs to move at least as quickly. … While other mitigations, such as specific firewall configurations, detection rules and security analytics, can help, the first line of defense should be taking known-vulnerable systems out of the line of fire."