Pages

Sunday, April 4, 2021

Advance Knowledge: Accellion Breach


Although UC is just now reporting the Accellion breach, it appears that techie types were aware of the problem a month ago, as the headline and date above indicates. Whether UC knew at that point that it was among the targets is unclear. However, at least one university - the U of Colorado - was known a month ago to be a victim. From the article above: 

The drumbeat of data breach disclosures is unrelenting, with new organizations chiming in all the time. But a series of breaches in December and January that have come to light in recent weeks has quietly provided an object lesson in how bad things can get when hackers find an inroad to dozens of potential targets—and they're out for profit. Firewall vendor Accellion quietly released a patch in late December, and then more fixes in January, to address a cluster of vulnerabilities in one of its network equipment offerings. Since then, dozens of companies and government organizations worldwide have acknowledged that they were breached as a result of the flaws—and many face extortion, as the ransomware group Clop has threatened to make the data public if they don't pay up. 

On March 1, security firm FireEye shared the results of its investigation into the incident, concluding that two separate, previously unknown hacking groups carried out the hacking spree and the extortion work, respectively. The hackers seem to have connections to the financial crimes group FIN11 and the ransomware gang Clop. Publicly known victims so far include the Reserve Bank of New Zealand, the state of Washington, the Australian Securities and Investments Commission, the Singaporean telecom Singtel, the high-profile law firm Jones Day, the grocery store chain Kroger, and the University of Colorado; just last week, cybersecurity firm Qualys joined their ranks...

“Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors,” the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said at the end of February in a joint statement with international authorities. “In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.”

Accellion has consistently emphasized that its FTA product, which has been around for more than 20 years, is at the end of its life. The company had already planned to end support for FTA on April 30, and had discontinued support for its operating system, Centos 6, on November 30. The company says it has been working for three years to transition customers away from FTA and onto its new platform, Kiteworks...

Incident responders say, though, that Accellion was slow to raise the alarm about the potential risk to FTA users. “The Accellion zero days were particularly damaging because actors were mass-exploiting this vulnerability quickly, and the severity of this wasn't being communicated from Accellion,” says David Kennedy, CEO of the corporate incident response consultancy TrustedSec...

The company faces multiple lawsuits in Northern California and Washington state court as a result of the widespread intrusions...

Full story at https://www.wired.com/story/accellion-breach-victims-extortion/

To paraphrase Watergate: What did UC know and when did it know it?

No comments:

Post a Comment