Accellion: Another Data Breach, Defined
Written by: Black Kite
Deemed one of the most sophisticated attacks in the last decade, the magnitude of the SolarWinds is yet to be fully understood. Yet, just as risk management teams stop to catch their breath, cybercriminals have struck once again. Enter: the attack on Accellion that continues to wreak havoc on its supply-chain.
So much has been said and written about the data breach that affected dozens, perhaps hundreds, of companies. However, the factors leading up to this story’s climax don’t necessarily jump off the page. Still, our analysis revealed a common theme: missed risk signals. So, should Accellion be defined as a gray rhino, or black swan?
Unfortunately for Accellion, its timeline to eliminate its File Transfer Appliance (FTA) was too little too late. On December 23, a malicious actor was discovered after it hacked its way into Accellion’s client data via a zero-day vulnerability. Similar to SolarWinds, the application enabled the actor to access troves of data through a “weaker” link.
Were There Signals That Went Under the Radar?
1. The Overall Score
When we take a closer look at Accellion’s score and technical report, the Black Kite platform detected multiple signals that should have set off alarms. Following September 2020, Accellion’s score was on a decline. Although a decline does not always mean a breach is happening, it is a signal that something is going wrong.
Similarly, a declining score also raises attention when we consider it from a hacker’s point of view. It is likely that most companies enter hackers’ radar when their performance trend is falling, which brings us to our next point found in the patch management category:
2. Patch Management
Accellion designed its (FTA) product to run both on-premises and on-cloud. It was primarily developed to accommodate massive data transfers whereas users could surpass email attachment limits by transferring links that provided access to FTA files. Introduced decades ago, the FTA became an outdated commodity that the company planned to formally withdraw in April.
It became the perfect access point for hackers to infiltrate. Hackers look for weak links in company cyber defenses. Obsolete systems are easy targets for them. Because of its legacy systems, Accellion’s Patch Management Score received an “F” on the Black Kite technical cyber risk report.
While the company declared the associated vulnerability was patched within days following the discovery, the breach window was probably wider than expected. Activity likely occurred throughout December through early January. Although the exact number of victims has not been declared by Accellion, as many as 300 companies could have been affected.
A company with many out-of-date services lures hackers, as they oftentimes indicate signs of flaws in risk and vulnerability management at an organization. Eventually, those organizations become a target. The first to come forward, The Reserve Bank of New Zealand was followed by Australia’s securities regulator, Washington State Auditor’s Office, Goodwin Procter, and more.
3. Hacktivist Shares & IP Reputation
There are many exploits involving earlier versions of the FTA software. Some of these exploits are flagged on Black Kite’s ‘Hacktivist Shares’ category although these are not the recent zero-day exploits leveraged in the attack. Recent research revealed that these latest attacks are eerily similar to techniques researcher Orange Tsai disclosed back in 2016.
As a result, these issues signal for a legacy product that’s notorious for its vulnerabilities. These circumstances all negatively impact a company’s IP reputation. These serve as an avenue for phishing and stuffing campaigns once hackers have the emails through compromised credentials, allowing for robust resource development to support potential attacks.
4. Credential Management
The number of breached credentials within a company is also a key indicator of existing resource development by hackers. For Accellion, 20 credentials were leaked in late 2020. This often happens when staff uses the network to sign into other platforms. If those platforms suffer a breach, credentials can be accessed, causing a ripple effect.
Cit0day Leak
Cit0day collects hacked databases and then provides access to usernames, emails, addresses, and cleartext passwords to other hackers for a daily or monthly fee. When the Cit0day website went down on September 14, the site’s entire collection of the hacked database was provided as a free download on a well-known forum for Russian-speaking hackers in October.
123RF Leak
Another source of the credential leak was associated with royalty-free image platform 123RF. Its database of 8.3 million users was leaked on an infamous hacker forum for download in early November, following the May 2020 hack.
5. Application Security
Although Accellion’s application security grade of 88 was considered “good”, the number of findings is quite high. Cross-site request forgery, cross-content mixing and plain-text transmission of sensitive information are among the alarming signals reflected in this category. Despite their low severity, the high number of findings should have constituted for further investigation.
The Accellion Breach, Defined
Gray rhinos are not random surprises, but occur after a series of warnings and visible evidence. The threat in a gray rhino incident is often ignored or minimized by decision-makers and the potential impact of the event itself is dismissed. Whether the Accellion was a “gray rhino” or not is not so black and white.
At first glance, Accellion’s cyber hygiene wouldn’t necessarily call for immediate action. Also supporting this view, the recent external audit of FTA that found no problems and the CISO claimed the exploited vulnerabilities were hard to find. Yet, after a more thorough look into the cyber landscape, the signals were there.
Human research and involvement remain absolutely critical to collecting preventive, detective intelligence and using it to support solid processes. Understanding your risk landscape—which includes the extent of your partner and supplier ecosystem, including their business, and incident response capabilities—will help you quickly identify and reduce the potential impact of a cyberattack.
Ready to better understand your third-party risk landscape? Request a free, fully functional cyber risk rating for your company today.