Cybersecurity Agencies Warn of Accellion Vulnerability Exploits
Latest Victims Include Australia's Transport for New South Wales and Canada's Bombardier
The cybersecurity agencies of five countries have issued a joint advisory warning that hackers are exploiting unpatched vulnerabilities in the Accellion File Transfer Appliance to steal data and execute ransomware, as has been widely reported.
Meanwhile, two additional victims of these attacks have come forward. The state agency Transport for New South Wales in Australia and the Canadian aircraft manufacturer Bombardier have both confirmed being hit with Accellion-related attacks.
Some of the other victimized organizations are:
- The Reserve Bank of New Zealand;
- ASIC, Australia's financial regulator;
- The Office of the Washington State Auditor;
- The University of Colorado.
Joint Warning Issued
On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency along with its counterparts in the U.K., Australia, New Zealand and Singapore warned that hackers are exploiting unpatched vulnerabilities in Accellion FTA to attack a wide array of public and private entities (see: Accellion: How Attackers Stole Data and Ransomed Companies).
The security agencies recommend updating to Accellion FTA version FTA_9_12_432 or later as the best way to mitigate the risk. If this is not possible, organizations should isolate systems hosting the software or block their internet access in both directions, check those systems for signs of malicious activity and consider moving to a different file-sharing platform.
Accellion says FTA will reach end of life on April 30, 2021, when the company will no longer support it. Accellion is recommending its customers migrate to its newer product, Kiteworks, which it says is more secure.
"Good for Accellion for urging its customers to migrate away from the vulnerable FTA web server that appears to have resulted in 100 companies being attacked and data stolen from 25 of them thus far. Accellion's transparency is commendable," says Sam Curry, chief security officer at Cybereason.
Transport for NSW
Transport for New South Wales reported this week that the agency had been affected by the Accellion FTA vulnerability and that some data had been stolen before servers were taken offline. The agency is part of the New South Wales Department of Transportation that handles planning for road, rail and freight transportation in the state.
Cyber Security NSW, an agency that oversees cybersecurity for the state, is managing the Transport for NSW investigation with the help of forensic specialists. "We are working closely with Cyber Security NSW to understand the impact of the breach, including to customer data," the transport agency said.
The timing of the attack and type and amount of data involved were not disclosed, but the agency says it is informing those whose data was affected.
Cyber Security NSW says that all instances of Accellion FTA have been retired from service in the state.
Transport for NSW says none of its other systems were affected by the breach of Accellion FTA.
The Canadian aircraft manufacturer Bombardier on Wednesday confirmed to Information Security Media Group that a security incident now under investigation was caused by an attack against Accellion FTA. Personal information on employees, customers and suppliers was compromised, the company says. This includes 130 employees at the company's Costa Rica facility.
"The ongoing investigation indicates that the unauthorized access was limited solely to data stored on the specific servers. Manufacturing and customer support operations have not been impacted or interrupted," Bombardier says.
The company did not say when the attack took place or give additional details on the information that was exfiltrated.
Accellion Breach Timeline
In mid-December 2020, Accellion patched an SQL injection vulnerability in FTA and privately notified its customers. At about the same time, a group designated UNC2546 by FireEye's Mandiant threat intelligence team began exploiting this vulnerability to install a newly discovered web shell that Mandiant calls DEWMODE.
The researchers have not yet determined how the attackers managed to write DEWMODE to disk, but once installed, the web shell pulls a list of files, along with their metadata, from FTA's MySQL database.
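To make the vulnerability class concrete, the following is an added, generic illustration of how an SQL injection flaw lets a caller read rows they were never meant to see, and how a parameterized query closes that hole. It is not Accellion's code and does not reproduce FTA's database schema or the DEWMODE web shell: the `files` table, its columns and its rows are constructed for this example, and SQLite stands in for MySQL so the script runs offline.

```python
import sqlite3

# Constructed sample data: a stand-in file-metadata table, not FTA's real schema.
SAMPLE_FILES = [
    ("alice", "q3-report.pdf", "/data/alice/q3-report.pdf"),
    ("bob", "payroll.xlsx", "/data/bob/payroll.xlsx"),
    ("carol", "contracts.zip", "/data/carol/contracts.zip"),
]

# A classic tautology payload: closes the quoted literal and ORs in a true condition.
PAYLOAD = "' OR '1'='1"


def build_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, path TEXT)"
    )
    conn.executemany(
        "INSERT INTO files (owner, name, path) VALUES (?, ?, ?)", SAMPLE_FILES
    )
    conn.commit()
    return conn


def list_files_vulnerable(conn, owner):
    """Deliberately vulnerable: the caller-supplied owner is spliced into the SQL text,
    so a crafted value rewrites the WHERE clause instead of being compared as data."""
    sql = "SELECT name, path FROM files WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def list_files_safe(conn, owner):
    """Hardened: the owner travels as a bound parameter. The database engine treats it
    purely as a value, so quotes and SQL keywords inside it cannot change the query."""
    sql = "SELECT name, path FROM files WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable query, rows returned by the safe query)
    for the same injection payload, plus the legitimate result for a real owner."""
    conn = build_db()
    leaked = list_files_vulnerable(conn, PAYLOAD)   # every row in the table
    contained = list_files_safe(conn, PAYLOAD)      # no owner literally named that
    legitimate = list_files_safe(conn, "alice")     # normal lookup still works
    conn.close()
    return leaked, contained, legitimate


if __name__ == "__main__":
    leaked, contained, legitimate = demo()
    print("vulnerable query returned", len(leaked), "rows for payload", repr(PAYLOAD))
    print("parameterized query returned", len(contained), "rows for the same payload")
    print("parameterized query for 'alice':", legitimate)
```

The vulnerable function turns the payload into `SELECT name, path FROM files WHERE owner = '' OR '1'='1'`, which dumps every file's name and path, exactly the kind of listing an attacker wants before pulling the files themselves. The parameterized version returns nothing for the payload and the expected single row for a real owner. Escaping quotes by hand is not an adequate substitute; binding parameters is the check a reviewer should look for in any code that builds queries from request input.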
Accellion says that fewer than 100 customers have been attacked as the result of four now-patched FTA vulnerabilities and that fewer than 25 "appear to have suffered significant data theft."
ISMG Principal Correspondent Prajeet Nair contributed to this story.