The drumbeat of data breach disclosures is unrelenting, with new organizations chiming in all the time. But a series of breaches in December and January that have come to light in recent weeks has quietly provided an object lesson in how bad things can get when hackers find an inroad to dozens of potential targets—and they're out for profit.
Firewall vendor Accellion quietly released a patch in late December, and then more fixes in January, to address a cluster of vulnerabilities in one of its network equipment offerings. Since then, dozens of companies and government organizations worldwide have acknowledged that they were breached as a result of the flaws—and many face extortion, as the ransomware group Clop has threatened to make the data public if they don't pay up.
On March 1, security firm FireEye shared the results of its investigation into the incident, concluding that two separate, previously unknown hacking groups carried out the hacking spree and the extortion work, respectively. The hackers seem to have connections to the financial crimes group FIN11 and the ransomware gang Clop. Publicly known victims so far include the Reserve Bank of New Zealand, the state of Washington, the Australian Securities and Investments Commission, the Singaporean telecom Singtel, the high-profile law firm Jones Day, the grocery store chain Kroger, and the University of Colorado; just last week, cybersecurity firm Qualys joined their ranks.
The four vulnerabilities are in Accellion's File Transfer Appliance, essentially a dedicated computer used to move large and sensitive files within a network.
“These vulnerabilities are particularly damaging, because in a normal case an attacker has to hunt to find your sensitive files, and it's a bit of a guessing game, but in this case the work is already done,” says Jake Williams, founder of the security firm Rendition Infosec, which is working on remediating an Accellion FTA-related breach. “By definition, everything sent through Accellion FTA was pre-identified as sensitive by the user.”
Widespread Accellion FTA exploitation has played out in recent months alongside other massive nation-state hacking sprees that targeted the IT services firm SolarWinds and the managed email system Microsoft Exchange Server. Both of those initiatives appear to have hit thousands of companies, but primarily for espionage purposes. The Accellion hackers, by contrast, seem motivated by criminal profit.
“Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors,” the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said at the end of February in a joint statement with international authorities. “In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.”
Accellion has consistently emphasized that its FTA product, which has been around for more than 20 years, is at the end of its life. The company had already planned to end support for FTA on April 30, and had discontinued support for its operating system, CentOS 6, on November 30. The company says it has been working for three years to transition customers away from FTA and onto its new platform, Kiteworks.
“Since becoming aware of these attacks, our team has been working around the clock to develop and release patches that resolve each identified FTA vulnerability, and support our customers affected by this incident,” Accellion CEO Jonathan Yaron said in a statement last Monday.
Incident responders say, though, that Accellion was slow to raise the alarm about the potential risk to FTA users.
“The Accellion zero days were particularly damaging because actors were mass-exploiting this vulnerability quickly, and the severity of this wasn't being communicated from Accellion,” says David Kennedy, CEO of the corporate incident response consultancy TrustedSec. “We had a number of customers that were reaching out to Accellion to understand the impact without any response. There was a large time window for active exploitation.”
The company faces multiple lawsuits in Northern California and Washington state court as a result of the widespread intrusions.
There are likely more Accellion victims out there, and not all known victims have had samples of their data leaked on Clop websites. Brett Callow, a threat researcher at the antivirus firm Emsisoft, says that the ransomware group has been releasing its extortion demands and corresponding leaked data from a handful of victims per week. It's possible, he says, that they're releasing the data slowly to keep up with the logistics of managing the extortion requests, and that much more is to come.
“With attacks like these, which are carried out through groups looking to profit from hacking, we often don't see large exploitation all at once,” TrustedSec's Kennedy says. “This was well-crafted, thought out, and executed by these specific adversaries to maximize monetary gain for the attacks.”
Accellion devices sit on-premises, meaning attackers had to seek out vulnerable pieces of equipment within targets' networks. But incident responders say that the situation also raises the specter of how catastrophic it would be if similar types of vulnerabilities were to occur in public cloud services, like those offered by Amazon Web Services, Google Cloud, or Microsoft Azure. The effect of one key that opens many doors would be amplified even more.
“Public cloud is absolutely great except when it isn’t,” Emsisoft's Callow says. “Data that is in the cloud can be just as vulnerable as on-premises data. There is a misconception that using the cloud automatically makes your data more secure, but that’s not necessarily the case.”
In an incident at the end of 2020, for example, hundreds of organizations worldwide, including universities and charities, suffered data breaches because of vulnerabilities in the Blackbaud cloud platform.
“It absolutely could happen at a cloud provider too,” Rendition Infosec's Williams says. “The only thing with on-premises appliances like FTA is that the code is easier to inspect for vulnerabilities,” because attackers can get the devices themselves.
For a product like FTA that's at the end of its life, attackers certainly saved the worst for last. But given that it can take years for organizations to actually transition away from legacy network equipment, more FTA-related breaches may come to light, and others could still occur in the future in unpatched devices.