Analysis & Insights

Accellion FTA Breach


Ensign's plans and procedures in response to the recent breach involving Accellion

Situation

Singtel, a major internet service provider in Singapore, shared on its website on 11 February 2021 that a nearing end-of-life third-party file-sharing system provided by Accellion, called FTA (File Transfer Application), had been illegally accessed by unidentified hackers. There is an alleged SQL injection vulnerability in Accellion FTA that an adversary can exploit to install a web shell on the victim’s system. A web shell is a malicious script that typically provides functionality such as file listing, downloading of files and clean-up on the compromised system. An adversary can use the web shell to gain control of the file-sharing server and perform various activities on it, leading to a potential data breach.

Our Actions

  • We have reviewed the indicators of compromise, and our SOCs have been tasked to support affected clients in threat identification as required.
  • We do not operate any Accellion systems and are reviewing the use of file transfer type applications within our organisation.
  • Deep analysis will be conducted to uncover attack trends, patterns and TTPs (tactics, techniques and procedures) as information becomes available - these insights will be shared when ready.

Our Recommendations

  • For organisations that are using the Accellion FTA, we recommend that you apply the latest fixes and patches to Accellion FTA. If an update or migration is not possible, we advise you to disable and isolate the systems hosting the FTA software.
  • Ensure that your anti-virus, endpoint protection and firewall applications are updated with the latest definitions so that your systems can be protected against new cyber threats.
  • Perform application and network log reviews to identify possible data exfiltration, such as abnormally large file transfers or unusual network connections.
  • Assess the need to store, handle or transfer sensitive and personal data (e.g. customer databases or CVs from job applications) on web and/or publicly accessible servers.
  • Please refer to the following links for more in-depth recommendations:

As investigations are underway, we are expecting additional malware and TTPs to be uncovered. We will continue to provide updates on the incident, and inform you about additional recommendations.
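As an added illustration of the log-review recommendation above (example code written for this page, not Ensign's or Accellion's tooling), the script below parses web-server access-log lines in common log format and flags client addresses whose total downloaded volume is far above the median of the other clients. The log lines, paths and addresses are constructed for the example; the ratio threshold is an assumption to be tuned against your own baseline.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample access-log lines (common log format, last field is bytes sent).
# Addresses, user names and paths are made up for illustration only.
SAMPLE_LOG = """\
198.51.100.10 - alice [11/Feb/2021:09:12:01 +0800] "GET /download/file1.pdf HTTP/1.1" 200 204800
198.51.100.11 - bob [11/Feb/2021:09:15:44 +0800] "GET /download/file2.pdf HTTP/1.1" 200 153600
198.51.100.12 - carol [11/Feb/2021:10:02:10 +0800] "GET /download/file3.pdf HTTP/1.1" 200 302080
203.0.113.77 - - [11/Feb/2021:03:41:09 +0800] "GET /download/archive1.zip HTTP/1.1" 200 734003200
203.0.113.77 - - [11/Feb/2021:03:47:30 +0800] "GET /download/archive2.zip HTTP/1.1" 200 1258291200
198.51.100.13 - dave [11/Feb/2021:11:30:00 +0800] "GET /download/file4.pdf HTTP/1.1" 200 98304
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def parse_line(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec

def bytes_per_client(lines):
    """Sum bytes served by successful GET requests, grouped by client address."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["status"] == 200:
            totals[rec["ip"]] += rec["bytes"]
    return dict(totals)

def flag_abnormal_transfers(lines, factor=10):
    """Return client addresses whose total exceeds `factor` times the median of all other clients."""
    totals = bytes_per_client(lines)
    if len(totals) < 2:
        return []  # no peer baseline to compare against
    flagged = []
    for ip, total in totals.items():
        baseline = statistics.median(v for k, v in totals.items() if k != ip)
        if total > factor * max(baseline, 1):
            flagged.append(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print("Clients to review:", flag_abnormal_transfers(SAMPLE_LOG.splitlines()))
```

Flagged addresses are a starting point for review, not a verdict; correlate them with the time of day, the accounts involved and the unusual network connections the recommendation also mentions.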

If you suspect that you could have been affected by the incident, you can contact us for digital forensic and incident response services. You can take preemptive measures to protect your assets against new and unknown threats through our threat hunting and threat intelligence programme. Contact us at marketing@ensigninfosecurity.com for more information.