Beginning in December 2020 with hacks of the Office of the Washington State Auditor and the Reserve Bank of New Zealand (among several other targets), reports began to circulate that Accellion’s 20-year-old File Transfer Appliance (FTA) was wide open to cyber attacks. It didn’t take long for opportunistic hackers to pounce on the remaining organizations still running the outdated software.
A new report from cybersecurity firm Mandiant, a subsidiary of FireEye, has mapped out recent cyber attacks against FTA and finds it likely that more organizations have been compromised than Accellion initially estimated. Among the bigger names suffering data breaches due to FTA are United States grocery giant Kroger, Singapore telecom industry leader Singtel, the Australian Securities and Investments Commission (ASIC), and the University of Colorado. Organizations in at least five countries are believed to have been compromised by this spree of cyber attacks, and a pattern of extortion attempts points to several different threat actors with ties to the Clop ransomware gang.
FTA is scheduled for end-of-life soon, but the US Cybersecurity & Infrastructure Security Agency (CISA) has issued a joint advisory with cybersecurity authorities of Australia, New Zealand, Singapore and the UK warning anyone who has yet to move away from it as to the scope of the threat.
Cyber attacks on FTA file transfer system result in ransomware, stolen personal data
The CISA advisory, which should be mandatory reading for anyone still running FTA, contains a concise summary of the situation. At least four vulnerabilities in the file transfer software are being actively exploited: a SQL injection via a crafted Host header (CVE-2021-27101), OS command execution via a local web service call (CVE-2021-27102), server-side request forgery via a crafted POST request (CVE-2021-27103), and OS command execution via a crafted POST request to several admin endpoints (CVE-2021-27104). All four are patched as of FTA version 9_12_432, but the rapid development of new exploits after the first was spotted in December (plus the looming product end of life at the end of April) should accelerate any plans to move to newer software. Patching alone is not enough for anyone who ran an unpatched build while the exploits were circulating: the appliance should also be checked for the attackers’ web shell and for unusual file download activity in its logs before it is trusted again.
FireEye has linked that initial December cyber attack, along with more recent attacks, to a previously unknown threat actor it tracks as UNC2546. The group’s hallmark is a new web shell called DEWMODE, which it installs by exploiting a SQL injection vulnerability in FTA and then uses to execute remote commands and download files stored on the appliance; victims are afterwards hit with ransom demands. The identity of the attackers is unknown, but there are ties to the Clop group in those ransom demands and in the doxxing, on the “CL0P^_- LEAKS” dark web site, of victim organizations that failed to pay. There may also be ties to another group FireEye tracks as FIN11, which was active from 2018 to 2020 targeting a wide variety of banking, retail and hospitality organizations; both groups used CL0P^_- LEAKS to shame targets that won’t pay up, and they have shared certain IP addresses and email accounts. Neither group is believed to be state-sponsored, given their long history of financial motivation.
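Two checks follow naturally from the patch level named above and from the way DEWMODE is described: confirm that the installed FTA build is at or above the patched release, and hunt the appliance’s web access log for the file-download pattern the web shell produces. The Python below is an added example written for this article, not code from Accellion, Mandiant or CISA. The indicators it uses (the shell dropped as about.html under the web root, downloads requested with a `dwn` parameter and the file id in `fn`) are assumptions drawn from public reporting on DEWMODE and should be replaced with your own IOC list; the log lines are constructed for the example and use documentation IP ranges.

```python
import re
from urllib.parse import parse_qs, urlsplit

# FTA release in which Accellion patched the four exploited flaws (from the article).
PATCHED_VERSION = "9_12_432"


def parse_fta_version(version):
    """Turn an FTA-style version string such as '9_12_432' into a comparable tuple."""
    parts = version.strip().split("_")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FTA version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed, patched=PATCHED_VERSION):
    """True if the installed build is at or above the patched release."""
    return parse_fta_version(installed) >= parse_fta_version(patched)


# Assumed indicators, taken from public reporting on DEWMODE: the shell was dropped
# as about.html under the FTA web root, and files were pulled with GET requests that
# carry a 'dwn' parameter and the FTA file id in 'fn'. Adjust to your own IOC list.
SHELL_PAGE = re.compile(r"/about\.html$", re.IGNORECASE)
SHELL_TRIGGER = "dwn"
FILE_ID_PARAM = "fn"

# Common Log Format, the layout assumed for the appliance's Apache access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def suspicious_requests(log_lines):
    """Return one record per request that matches the DEWMODE download pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry; skip it
        url = urlsplit(m["target"])
        if not SHELL_PAGE.search(url.path):
            continue
        params = parse_qs(url.query)
        if SHELL_TRIGGER not in params:
            continue  # a plain visit to about.html is not a download through the shell
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "file_id": params.get(FILE_ID_PARAM, [None])[0],
            "status": int(m["status"]),
        })
    return hits


def downloads_by_source(hits):
    """Count flagged downloads per client IP to see who was pulling files."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log lines for this example (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jan/2021:03:14:07 +0000] "GET /about.html?dwn=1&fn=1001 HTTP/1.1" 200 48213',
    '198.51.100.9 - - [21/Jan/2021:03:14:09 +0000] "GET /about.html HTTP/1.1" 200 1532',
    '203.0.113.7 - - [21/Jan/2021:03:15:22 +0000] "GET /about.html?dwn=1&fn=1002 HTTP/1.1" 200 99120',
    '192.0.2.44 - - [21/Jan/2021:03:16:00 +0000] "POST /login.html HTTP/1.1" 302 0',
    'not an access log line at all',
]

if __name__ == "__main__":
    for v in ("9_12_380", "9_12_432"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
    hits = suspicious_requests(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(downloads_by_source(hits))
```

Run against the real access log, the version check tells you whether the four flaws are closed, while the log scan tells you whether anyone pulled files through the shell before they were; a clean version check with a non-empty hit list means the appliance was patched after compromise and should be treated as breached.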
Accellion has about 300 clients that still use FTA. When the first reports of cyber attacks came out in January, it initially estimated that fewer than 50 of these clients were impacted. It has since revised that estimate upward to “fewer than 100,” though it also claims that no more than 25 of these customers suffered theft of data.
The biggest name on the list of victims is Kroger, the US grocery chain that has over 2,750 stores under its various regional brands (such as Smith’s and Ralphs). Kroger appears to have used FTA for “The Little Clinic” pharmacy service found in a number of these locations. The chain issued a statement saying that the names, phone numbers, Social Security numbers and some medical history information of “fewer than 1%” of its pharmacy customers may have been exfiltrated by the cyber attackers. The chain says that payment information was not accessed.
Singtel says that about 130,000 customers may have had their names, dates of birth, mobile numbers and addresses exposed in the cyber attack. Banking information for a limited number of former company employees was also exposed. The University of Colorado says that 447 of its students and employees at its Boulder and Denver campuses were impacted and may have had their personally identifiable information as well as some health data stolen. ASIC says that its stolen data relates to recent credit licence applications.
Connection with SolarWinds hack?
Mandiant has been careful to note that there is no apparent connection between these cyber attacks and the SolarWinds breach that impacted thousands of organizations across the world. However, Garret Grajek, CEO of YouAttest, points out that there are similarities between the attacks that security professionals and their organizations should take note of: “The compromise of the legacy Accellion FTA software demonstrates that the SolarWinds hack was not an anomaly. And the fact that the hackers chose a legacy version of Accellion and not the latest version, Kiteworks, shows the effort and diligence the hackers are going to, to find flaws in all our software systems. Whether the hackers attempt an Accellion/SolarWinds infected agent or a more traditional method like embedding malware in an email phishing attack, the bottom line on these attacks is that the hackers will usually follow the same Cyber Kill Chain, where known patterns of activity are conducted. These include intrusion, exploitation, privilege escalation and lateral movement. The key to detection and damage mitigation is to have the practices and procedures in place to detect these known activities.”
Official support for FTA ceases at the end of April. Accellion is advising clients to switch to its kiteworks software, which provides the same large-file transfer functionality in an entirely new product with a separate codebase and more regular security patching.