The Accellion Mess: What Went Wrong?Company Should Have Retired Legacy File Sharing App Sooner
Several data breaches stemming from unpatched vulnerabilities in Accellion's File Transfer Appliance have been revealed. What went wrong? Where does the fault lie? And what can organizations do about it?
See Also: Stopping BEC and EAC
It’s not a straightforward story, and it points to problems around balancing use of an aging software product with risk, a reluctance to move onto a newer platform and internal patching hiccups.
It’s prudent for those still using Accellion's FTA to wean themselves off of it if possible.
To recap: Accellion, a privately held company based in Palo Alto, California, developed the File Transfer Appliance as a secure way to overcome limits imposed on the size of email attachments. Recipients get links to files hosted on the FTA, which can then be downloaded.
The product is nearly 20 years old, yet it's still used by hundreds of organizations in the finance, government and insurance sectors to transfer sensitive files. Accellion prides itself on secure file sharing, so the appliance – given its age and wide use – is a juicy target. Over the last seven weeks or so, several SQL and other vulnerabilities have emerged in the product.
Joel York, Accellion’s chief marketing officer, tells me that a recent external audit of FTA found no problems and claimed the vulnerabilities were hard to find. He likened Accellion’s situation with that of other companies such as FireEye and Microsoft, which were among the many organizations hit by the SolarWinds incident (see Microsoft Describes How SolarWinds Hackers Avoided Detection).
“We don’t miss much [as far as vulnerabilities],” York says. “We have very thorough processes.”
But a batch of SQL injection vulnerabilities uncovered in an aging product is very different than a supply chain compromise involving the infiltration of a company’s build infrastructure.
The Kickoff: SQL Injection
In mid-December, Accellion patched a SQL injection vulnerability in FTA and privately notified its customers. But that was just the first of a series of vulnerabilities that have been found.
The Australian security podcast Risky.biz writes that the issues include a SQL injection flaw in the FTA web interface, an XSS flaw in FTA’s file manager a blind SQL injection and command injection flaw in FTA’s administrative interface and an unauthorized upload vulnerability.
On Monday, a new victim came forward that stirred more attention. The Washington State Auditor’s Office says personal information related to 1.6 million unemployment claims on its FTA may have been exposed (see Washington State Breach Tied to Accellion Vulnerability).
Until Washington’s announcement, Accellion’s problems had stayed in the southern hemisphere. The Reserve Bank of New Zealand was the first organization to come forward - on Jan. 11 - about a breach tied to Accellion's FTA, followed by Australia’s securities regulator, ASIC, and an Australian law firm (see Australian Financial Regulator Hit by Data Breach).
Following New Zealand’s disclosure, Accellion estimated there were less than 50 customers affected, but York says that figure could be in flux now. Web searches turn up public facing portals for customers apparently still using FTA.
Although there was much York says he can’t comment on, he did provide some background on what Accellion has faced. After the first vulnerability was patched in December, the attackers came after the FTA again and again, he says.
“This was essentially cyber warfare between mid-December and just a week or so ago,” York says. “So we weren’t going to disclose any technical details publicly at that point, just to protect our customers and protect our efforts to mitigate. This was a concerted attack by a determined actor against a secure system.”
Disclosure of a vulnerability often leads to findings of related vulnerabilities, given that simply knowing where to look is enough of a clue to shake other flaws out. But it also deprives Accellion of other outside expert analysis, which could be helpful, and obfuscates just how bad of a situation the FTA is in.
York says Accellion has retained a forensics firm to figure out what went wrong and how. When Washington state came forward, Accellion issued a statement Monday saying “all known vulnerabilities” had now been patched and that it had added new monitoring and alerting capabilities to flag anomalies. York says the company plans to eventually release a full post mortem.
Given the danger of using old software, why haven’t Accellion’s customers moved to the company’s latest content sharing and firewall platform, kiteworks, as Accellion has been recommending for years? Accellion offers a license and free migration support to kiteworks as an incentive.
York says there are other factors that may have dissuaded its customers: Data has to be migrated, processes need to be changed and employees need to be trained on the new system.
Ironically, Washington state had finished its migration to kiteworks and was preparing to shut off its FTA, York says. “They [Washington state] did everything right,” York says. “They got caught on a very narrow window.”
There also appear to be communication issues at play.
Washington state is alleging that it wasn’t informed of the vulnerabilities that led to its suspected breach. York, however, says Accellion has aggressively reached out to customers, many of who are in highly regulated industries with high security requirements.
“We take the safety and security of our clients very, very seriously,” York says. “We are a security company. It’s our one mission in life.”
Internal process problems at Accellion’s clients may have also contributed.
One week after New Zealand’s Reserve Bank announced its breach, the bank’s governor, Adrian Orr, said he personally owned the breach (see NZ Reserve Bank Governor Says He 'Owns' Breach).
Orr directed some polite blame at Accellion, saying that “we believe service provisions have fallen short of our agreement” but also that “the bank has also fallen short of the standards expected by our stakeholders.”
Orr, of course, didn’t describe how the bank may have stumbled, but from his mild mea culpa, it’s certainly possible it didn’t patch its FTA fast enough after the initial vulnerability in December, leading to the breach.
FTA: An Obituary
The obituary for FTA has been slowly written over the past few years in CVEs. XSS and SQL injection vulnerabilities were found in 2016 by security researcher going by the name Orange Tsai as well as Qualys.
In light of the latest issues, Accellion plans to firmly retire FTA effective April 30, according to a company notice. Obviously, this should have been done sooner. But it’s understandable, given that Accellion likely didn’t want to overly aggravate its customers, particularly given the plethora of secure file-sharing alternatives.
In the meantime, it’s prudent for those still using Accellion's FTA to wean themselves off of it if possible, says Drew Schmitt, a senior threat intelligence analyst with GuidePoint Security, based in Herndon, Virginia. If an organization continues to use the product, it at minimum should mitigate risk with a layered approach by patching and implementing additional log and access review, he says.
Schmitt published on Thursday an analysis of a backdoor web shell designed for FTA after an attacker breached the application.
“At the end of the day, it’s all about how much risk you can tolerate as an organization,” Schmitt tells me. “You have to have this conversation to say, ‘Can we live with this? Can we live with the worst possible outcome?’ And if so, you can assume that risk. Me being in security, I would try to push for ‘Let’s move off this platform as soon as possible’.”