The fallout from the breach of Accellion, a provider of file transfer services, continued this week with revelations about a wave of attacks against colleges and universities that were Accellion customers.
In a statement on April 2, Stanford University’s School of Medicine announced that it had been the victim of a data breach that resulted in sensitive data being stolen and published online. In its statement, Stanford said that the breach was the result of an attack on Accellion’s File Transfer Appliance.
That makes the prestigious medical school just the latest in a string of universities that have fallen victim to the Accellion compromise. The past month has also brought word from the University of California, the University of Colorado, and the University of Maryland that they were victims of the attacks on Accellion’s FTA technology. And colleges and universities are just one class of Accellion victims. As we noted back in February, prominent law firms like Jones Day also had data stolen and were threatened by the perpetrators with publication of the stolen data to force the firm to pay their demands. The healthcare sector was badly impacted, and large firms including Shell and the security firm Qualys have also been victims of the hackers targeting Accellion FTA customers. Accellion’s list of victims is long, indeed, and growing.
The publication of data from Stanford and others underscores that third-party risks like the one posed by Accellion are refracting across organizations in both the public and private sectors. For all intents and purposes, the Accellion incident started out as an attack on a public-facing web application that led to a data breach and then a campaign of doxing and extortion. For all we know, more and different attacks await the hundreds of customers who were using Accellion’s vulnerable FTA product, including, in all likelihood, ransomware attacks.
A Grab Bag of 0Days
As Mandiant’s excellent analysis of the Accellion FTA application indicates, the attackers targeted previously undiscovered (or “zero day”) flaws in FTA that included SQL Injection, Command Injection and Server-Side Request Forgery vulnerabilities.
Attacks on Accellion began in December 2020 and ran through February. The adversaries behind the attacks demonstrated a “high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software, likely obtained through extensive reverse engineering of the software,” Mandiant concluded. The attackers’ behavior betrayed a knowledge not just of the vulnerabilities, but also of how to chain them together to achieve unauthenticated remote code execution.
Among other things, the hackers were able to call internal Accellion FTA APIs to obtain keys to decrypt filenames; forge tokens used to secure internal API calls; and navigate the FTA database and avoid triggering the application’s built-in “anomaly detection” features, Mandiant said.
Mandiant has pinned the blame for the attacks on separate malicious actors. The initial compromise was attributed to a threat actor with the label UNC2546, and the subsequent extortion activity to a group known as UNC2582. Mandiant said both groups played a role in prior cyber operations by a group it calls “FIN11,” an active and financially motivated hacking group that is known to rely on sophisticated phishing email campaigns and to conduct high-volume ransomware and extortion operations involving - lately - the CL0P ransomware.
Refracting Cyber Risk from Third Parties
For companies that increasingly rely on third-party applications and cloud-based services like Accellion’s, however, the breach is a stark warning about how third-party risk can refract and end up impacting far more than the narrow confines of a select application or service. That’s especially true when sophisticated attackers with finely honed skills and a broad mandate set their sights on a third-party application or service that your organization relies on.
In the months since the attacks first came to light, multiple FTA customers who have been attacked by UNC2546 have received extortion emails threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. With hundreds of Accellion customers using the aging FTA product at the time of the compromise, it is likely that more victims will find their data posted online in the months ahead.
The Accellion incident underscores the growing risk posed to organizations by third-party software and cloud application providers. Even putting aside the specter of disruptive ransomware infections, organizations that find themselves downstream from a successful attack on a hosted application provider are susceptible to a wide range of other risks, from compliance violations and reputation risk to data theft and extortion. Increasingly, firms find themselves at risk of cyber-physical disruptions that can halt operations or even put lives at risk.
Better Monitoring To Address Third Party Risk
With limited visibility into the security of third party providers (see also: SolarWinds), organizations are left to secure what they can secure, and to improve their detection capabilities for the assets they do control and manage. Detecting compromises and lateral movement early in an incident is the best way to limit the damage caused by third party breaches and compromises. That’s especially true as attackers pivot to “file-less” attacks and “live off the land” strategies that leverage APIs, administrative tools and other methods to avoid detection.
Organizations across industries need better tools and methods to detect lateral movement within their environments. That means more detailed logging of network, server and host activity. We also advise organizations to conduct frequent audits of on-premises and cloud-based Active Directory environments.
QOMPLX helps its customers with just these problems, using a range of tools and detection methods, including the application of streaming analytics to provide near real-time detection of lateral movement. If you want to learn more about how QOMPLX can help your company spot signs that may signal a compromise, contact our team now.