The drumbeat of data breach the disclosures are relentless, with new organizations ringing all the time. But a slew of breaches in December and January that have come to light in recent weeks has quietly provided an object lesson in how things can go wrong when hackers find a breakthrough into dozens of potential targets – and they do. are looking for a profit.
Firewall vendor Accellion quietly released a room end of December, then more fixes in january, to remedy a set of vulnerabilities in one of its network equipment offerings. Since then, dozens of businesses and government organizations around the world have admitted to being violated because of these loopholes – and many face extortion, as the Clop ransomware group threatened to release the data to the public. ‘he wasn’t paying.
On March 1, security firm FireEye shared the results of its investigation in the incident, finding that two separate, previously unknown hacking groups respectively carried out the hacking frenzy and extortion work. Hackers seem to have Connections to the FIN11 financial crime group and the Clop ransomware gang. Victims known to the public to date include Reserve Bank of New Zealand, Washington State, Australian Securities and Investments Commission, Singaporean telecommunications company Singtel, high-profile law firm Jones Day, the Kroger grocery chain, and the University of Colorado. ; last week, cybersecurity firm Qualys joined its ranks.
All four vulnerabilities are found in Accellion’s file transfer appliance, essentially a dedicated computer used to move large and sensitive files across a network.
“These vulnerabilities are particularly damaging, because in a normal case an attacker would have to hunt for your sensitive files, and it’s a bit of a guessing game, but in this case the job is already done,” says Jake Williams, founder of security firm Rendition Infosec, which works on resolving a breach related to Accellion FTA. “By definition, everything sent through Accellion FTA has been pre-identified as sensitive by the user.”
The widespread exploitation of Accellion FTA has taken place in recent months alongside other massive nation-state hacking spree which targeted the IT services company Solarwinds and the Microsoft Exchange Server managed messaging system. These two initiatives appear to have hit thousands of companies, but mainly for espionage purposes. Accellion’s hackers, on the other hand, appear to be motivated by criminal profit.
“Actors around the world have exploited vulnerabilities to attack multiple federal and state, local, tribal, and territorial government organizations, as well as private sector organizations, including those in the medical, legal, telecommunications, finance, and other sectors. of energy, ”said the Homeland Department. The Cybersecurity and Infrastructure Security Agency said security at the end of February in a joint statement with international authorities. “In some observed cases, the attacker subsequently extorted money from victim organizations to prevent public disclosure of information exfiltrated by the Accellion device.”
Accellion has consistently emphasized that its FTA product, which has been around for over 20 years, is at the end of his life. The company had previously planned to end support for FTA on April 30 and discontinued support for its operating system, Centos 6, on November 30. platform, Kiteworks.
“Since learning about these attacks, our team has worked tirelessly to develop and release fixes that address every FTA vulnerability identified and support our customers affected by this incident,” said Jonathan Yaron, CEO of Accellion, in a declaration last Monday.
Incident responders say, however, that Accellion has been slow to sound the alarm about the potential risk to FTA users.