Analysis & Insights

Accellion FTA Breach


Ensign's plans and procedures in response to the recent breach involving Accellion

Updates to the Situation (As of 26 February 2021)

On 22 February 2021, Accellion provided update to FTA security incident following Mandiant’s preliminary findings. UNC2546 has been identified by Mandiant as the criminal hacker behind the cyberattacks and data theft involving Accellion’s legacy File Transfer Appliance product. Extortion emails threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website were sent to FTA customers who have been attacked by UNC2546. Accellion stated that they have patched all known FTA vulnerabilities exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.

On 24 February 2021, the cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom, and the United States have released a joint advisory that provides indicators of compromise (IOCs), and recommended mitigations for this malicious activities. This advisory includes technical details and mitigation approach on regards to the exploitation of Accellion File Transfer. Following is the list of mitigations provided in the joint advisory.

Mitigations from AA21-055A

  • Temporarily isolate or block internet access to and from systems hosting the software.
  • Assess the system for evidence of malicious activity including the IOCs, and obtain a snapshot or forensic disk image of the system for subsequent investigation.
  • If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:

    -        Consider conducting an audit of Accellion FTA user accounts for any unauthorised changes, and consider resetting user passwords.

    -        Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.

  • Update Accellion FTA to version FTA_9_12_432 or later.
  • Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
  • Replace software and firmware/hardware before it reaches EOL to significantly reduce risks and costs. Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021.

We will continue to provide updates on the incident and inform you with any technical details and recommendations. If you suspect that you could have been affected by the incident, you can contact us for digital forensic and incident response services. You can take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence program. Contact us for more information.

 ------------------------------------------------------------------------------------------------------------------------------------------------------------------

Situation

Singtel, a major internet service provider in Singapore, shared on its website on 11 February 2021 that a nearing end-of-life third-party file-sharing system provided by Accellion called FTA (File Transfer Application) has been illegally accessed by unidentified hackers. There is an alleged SQL injection vulnerability on Accellion FTA that an adversary can exploit to install a web shell on the victim’s system. A web shell is a malicious script that typically includes different functionalities such as file listing, downloading of files and clean-up on compromised system. An adversary can make use of the web shell to gain control of the server to perform various activities on the file sharing server leading to a potential data breach.

Our Actions

  • We have reviewed the indicators of compromise, and our SOCs have been tasked to support affected clients in threat identification as required. 
  • We do not operate any Accellion systems and are reviewing the use of file transfer type applications within our organisation.
  • Deep analysis will be conducted to uncover attack trends, patterns and TTPs (tactics-techniques-procedures) as information becomes available - these insights will be shared when ready.

Our Recommendations

  • For organisations who are using the Accellion FTA, we recommend that you apply the latest fixes and patches to Accellion FTA. If an update or migration is not possible, we advise you to disable and isolate systems hosting the FTA software. 
  • Ensure that your anti-virus, endpoint protection and firewall applications are updated with the latest definition so that your systems can be protected against new cyber threats. 
  • Perform application and network log reviews to identify possible data exfiltration such as abnormal file size transfer or unusual network connections. 
  • Assess the need to store, handle or transfer sensitive and personal data (e.g. customer database or CVs of job applications) on web and/or publicly accessible servers.
  • Please refer to the following links for more in-depth recommendations:

As investigations are underway, we are expecting additional malware and TTPs to be uncovered. We will continue to provide updates on the incident, and inform you about additional recommendations.

If you suspect that you could have been affected by the incident, you can contact us for digital forensic and incident response services. You can take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at marketing@ensigninfosecurity.com for more information.