bluebay2014 - Fotolia
Wide net cast on potential Accellion breach victims
While Accellion fixed the zero-day vulnerability within 72 hours and said the breach affected 'less than 50 customers,' the attack's impact has expanded two weeks after the disclosure.
After cloud service vendor Accellion first reported an attack against its legacy file transfer platform FTA late last year, multiple potential victims that use the platform have come forward and disclosed breaches.
FTA, a 20-year-old product used by enterprises to transfer large files securely, was impacted by a zero-day vulnerability in mid-December that threat actors used to attack numerous organizations still using the platform around the world.
According to a January press release, Accellion "resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected." The company's newer product, Kiteworks, which effectively replaced FTA, was not involved the company said, and that "the kiteworks product has never reported an external P0 [critical] vulnerability during its four years in the marketplace."
On Feb. 1, Accellion released a follow-up statement announcing an acceleration of plans to bring FTA to end-of-life and encouragement for remaining FTA customers to switch to Kiteworks. Moreover, the company said it discovered and patched additional FTA vulnerabilities and added "new monitoring and alerting capabilities to flag anomalies associated with these attack vectors."
While only a seemingly small number of customers were impacted by the initial attack, several large private and public sector organizations have come forward to report data breaches, all noting their usage of FTA. Three of these organizations include global law firm Jones Day, a Washington State government office and Singapore-based telco giant Singtel.
Three potential victims
Jones Day confirmed a breach Tuesday and pointed a finger at Accellion. The confirmation follows a Feb. 13 article from DataBreaches.net, which reported that gigabytes of confidential data from the law firm had apparently been published by the operators of Clop ransomware online. However, the threat actors told Vice that data was only stolen, not encrypted.
Jones Day -- one of the largest law firms in the world and recently known for representing former President Donald Trump in challenges to 2020 election results -- provided a statement to multiple media outlets that said the firm was not breached and that Accellion was the cause. They referenced the FTA compromise and said that they were continuing to investigate.
Asked about Jones Day's statement, a spokesperson for Accellion shared the following statement with SearchSecurity.
"Accellion is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm. We will share more information once this assessment is complete. For their protection, we do not comment on specific customers. We are working with all impacted FTA clients to understand and mitigate any impact of this incident, and to migrate them to our modern kiteworks content firewall platform as soon as possible," the statement read.
The Office of the Washington State Auditor (SAO), a department of Washington's state government that provides citizens with audits of public funding usage, disclosed a breach last week. The department, which uses Accellion's FTA, said the attack on the file transfer service "may have allowed unauthorized access to data being used by SAO. "
The SAO said the incident may have exposed personal information, including Social Security numbers and driver's license information, for residents who filed for unemployment last year, as well as some data within the state's Department of Children, Youth and Families. Singtel disclosed its use of FTA last week and was working to ascertain the scope of accessed data. The telco was also working with experts and authorities in its response.
Alexander Culafi is a writer, journalist and podcaster based in Boston.