Tag Archive for: Accellion

Morgan Stanley’s Third-Party Data Breach Leaks Customers’ Sensitive Information via an Accellion Hack

/in


Leading investment banking firm Morgan Stanley reported that hackers accessed its customers’ sensitive information in a third-party data breach.

In a July 2  letter to the New Hampshire Attorney General’s office, the bank said that Guidehouse disclosed that hackers had accessed customers’ records in the Accellion hack. Guidehouse offers account maintenance services to Morgan Stanley’s StockPlan Connect business.

Morgan Stanley is among the hundreds of customers compromised via the Accellion FTA vulnerability first reported in December 2020.

Other victims include Jones Day, Shell, Qualys, the Reserve Bank of New Zealand, Singtel, Kroger, the Office of the Washington State Auditor (“SAO”), the Australian Securities and Investments Commission (ASIC), among others.

Third-party data breach exposed Morgan Stanley’s decryption key

The Accellion hack leaked Morgan Stanley’s encrypted files under Guidehouse’s possession. The hackers also managed to obtain the decryption key in the third-party data breach first reported by Bleeping Computer.

However, the data did not include any security credentials like passwords that could allow the hackers to access customers’ financial accounts.

However, it included personally identifiable information (PII) like customers’ names, addresses, dates of birth, social security numbers, and company names.

Morgan Stanley disclosed that 108 New Hampshire residents were affected by the third-party data breach. However, the investment bank did not disclose the total number of customers exposed in the Accellion hack.

“The protection of client data is of the utmost importance and is something we take very seriously,” the company said. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”

Morgan Stanley’s Accellion hack was discovered almost half a year later

Guidehouse said it patched the Accellion FTA vulnerability within 5 days after the company released security fixes in January 2021. However, the company said that the threat actors had obtained the files by then.

Additionally, the company did not discover the Accellion hack until…

Source…

Accellion Vulnerabilities, Cyberattacks and Victims: Customer List and Status Updates

/in


by Joe Panettieri • Apr 5, 2021

The Accellion cyberattack continues to impact partners and customers worldwide. Here’s a regularly updated list of Accellion supply chain victims and what happened.

First, a little background: Accellion specializes in secure file sharing and collaboration software. The company develops an enterprise content firewall leveraged by more than 3,000 global corporations, government organizations, hospitals and universities. Key investors include Baring Private Equity Asia and Bregal Sagemount.

Accellion Vulnerabilities Discovered: In December 2020, the Accellion File Transfer Appliance product suffered a zero-day exploit. Acellion patched multiple vulnerabilities between December 2020 and January 2021. For details, look for CVE (Common Vulnerabilities and Exposures) codes 2021-27101, 2021-27102, 2021-27103 and 2021-27104.

Hacker Group that Targeted Accellion: Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to the FIN11 and the Clop ransomware gang as the cybercriminal group behind the Accellion attack. Source: Threatpost, February 22, 2021.

Accellion Cyberattack Victims List: Updated Regularly

Hackers leveraged the vulnerabilities to attack multiple Accellion partners and customers. Here’s a regularly updated victims list…

Australian Securities and Investments Commission: One of its servers was breached in relation to Accellion software used by the agency to transfer files and attachments. Source: ZDnet, January 27, 2021.

Australia’s Transport for New South Wales: Details were disclosed in February 2021. Source: ZDnet, February 23, 2021.

Bombardier: The jet maker and Canadian aviation company had some of its data lifted and posted on the dark web. Source: ComputerWeekly, February 24, 2021.

Flagstar Bank: The bank told customers that hackers gained unauthorized access to their names, Social Security numbers and home addresses and it is giving them two free years of identity-monitoring services as compensation. Source: Detroit Free Press, March 24, 2021.

Jones Day Law Firm: Hackers have stolen and leaked files belonging to the Jones Day law firm, one of the largest law firms in the world….

Source…

NSW Transport agency extorted by ransomware gang after Accellion attack

/in


Transport for NSW

The transport system for the Australian state of New South Wales has suffered a data breach after the Clop ransomware exploited a vulnerability to steal files.

Transport for NSW is New South Wales’ transport system in charge of the buses, ferries, regional air operators, and cargo transportation.

Last week, Transport for NSW disclosed that their agency suffered a data breach after their secure file-sharing system, Accellion FTA, was attacked and hackers stole data.

The agency is currently investigating the breach to determine what data was stolen and is receiving help from Cyber Security NSW, the New South Wales government information security team.

“Cyber Security NSW is managing the NSW Government investigation with the help of forensic specialists.”

“We are working closely with Cyber Security NSW to understand the impact of the breach, including to customer data,” Transport for NSW disclosed in a data breach notification.

Data leaked on Clop ransomware site

In December, threat actors began using a zero-day vulnerability in the Accellion FTA secure file sharing application to download and steal data.

Accellion FTA is commonly used by government agencies, educational instructions, and organizations to share files with people external to their organization securely.

After the Clop ransomware gang began leaking data stolen during these attacks and ransoming victims, it became clear that the ransomware group was behind the attacks. A report by Mandiant further confirmed the connection after analysis found shared IOCs between the attacks and the ransomware group.

Accellion FTA attack ransom note
Accellion FTA attack ransom note

This weekend, the Clop ransomware published screenshots of alleged emails and documents stolen from the NSW government during an attack on their Accellion FTA device.

Transport for NSW data leak
Transport for NSW data leak

In a message on the data leak site, the ransomware gang states that Transport for NSW or other interested parties can make a payment to prevent the leak or buy the stolen data.

“Want to delete a page or buy data? write to the email indicated on the home page,” the Clop gang states on the data leak site.

The leaked data includes confidential documents, steering committee documents, and…

Source…

Exploitation of Accellion File Transfer Appliance

/in


This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia,[1] New Zealand,[2] Singapore,[3] the United Kingdom,[4] and the United States.[5][6] These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[7] This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States.

Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers.[8] In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.

This Joint Cybersecurity Advisory provides indicators of compromise (IOCs) and recommended mitigations for this malicious activity. For a downloadable copy of IOCs, see: AA21-055A.stix and MAR-10325064-1.v1.stix.

Click here for a PDF version of this report.

Accellion FTA is a file transfer application that is used to share files. In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020. Since then, Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities.

  • CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
  • CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
  • CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
  • CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)

One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Actors have exploited this vulnerability to deploy a webshell on compromised systems. The webshell is located on the target system in the file /home/httpd/html/about.html or /home/seos/courier/about.html. The webshell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the webshell helps evade detection and analysis during post incident response. The Apache /var/opt/cache/rewrite.log file may also contain the following evidence of compromise:

  • [.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
  • [.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
  • ['))union(select(loc_id)from(net1.servers)where(proximity)=(0))] (1) pass through /courier/document_root.html

These entries are followed shortly by a pass-through request to sftp_account_edit.php. The entries are the SQL injection attempt indicating an attempt at exploitation of the HTTP header parameter HTTP_HOST.

Apache access logging shows successful file listings and file exfiltration:

  • “GET /courier/about.html?aid=1000 HTTP/1.1” 200 {Response size}
  • “GET /courier/about.htmldwn={Encrypted Path}&fn={encrypted file name} HTTP/1.1” 200 {Response size}

When the clean-up function is run, it modifies archived Apache access logs /var/opt/apache/c1s1-access_log.*.gz and replaces the file contents with the following string:

      Binary file (standard input) matches

In two incidents, the Cybersecurity and Infrastructure Security Agency (CISA) observed a large amount of data transferred over port 443 from federal agency IP addresses to 194.88.104[.]24. In one incident, the Cyber Security Agency of Singapore observed multiple TCP sessions with IP address 45.135.229[.]179.

Organizations are encouraged to investigate the IOCs outlined in this advisory and in AR21-055A. If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/ folder over the period of malicious activity. This information is only indicative and may not be a comprehensive identifier of all exfiltrated files.

Organizations with Accellion FTA should:

  • Temporarily isolate or block internet access to and from systems hosting the software.
  • Assess the system for evidence of malicious activity including the IOCs, and obtain a snapshot or forensic disk image of the system for subsequent investigation.
  • If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:
    • Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes, and consider resetting user passwords.
    • Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.
  • Update Accellion FTA to version FTA_9_12_432 or later.
  • Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
    • Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021.[9] Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

Additional general best practices include:

  • Deploying automated software update tools to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
  • Only using up-to-date and trusted third-party components for the software developed by the organization.
  • Adding additional security controls to prevent the access from unauthenticated sources.

Resources

  • FireEye Blog – Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion 
  • Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense, known as “CIS Controls” 
  • Australia, Canada, New Zealand, the United Kingdom, and the United States Joint Advisory on Technical Approaches to Uncovering and Remediating Malicious Activity 
  • CISA and MS-ISAC’s Ransomware Guide 

Source…