How the zero-day attack on Accellion’s FTA solution should have been avoided: Rabbon’s point of view
The zero-day attack on Accellion’s FTA solution demonstrates how a vendor vulnerability can lead to a massive data breach incident for a huge number of organisations. Firewall vendor Accellion is known for its secure file transfer solution, “File Transfer Appliance” (FTA). FTA has been on the market for the last 20 years and was used by organisations as a secure alternative to FTP-based file transfer solutions.
Accellion engaged Mandiant to perform a security assessment of Accellion’s File Transfer Appliance (FTA) software, in the wake of two related but distinct exploits used to attack client Accellion FTA systems. Accellion identified two zero-day vulnerabilities that were part of the December Exploit:
- CVE-2021-27101 and
and two zero-day vulnerabilities that were part of the January Exploit:
- CVE-2021-27102 and
Through source code analysis and penetration testing, Mandiant did not identify any further unauthenticated remote code-execution vulnerabilities of this kind. Mandiant did, however, identify two previously unknown vulnerabilities exploitable by authenticated users:
(1) Argument Injection (CVE-2021-27730), accessible to authenticated users with administrative privileges; and
(2) Stored Cross-Site Scripting (CVE-2021-27731), accessible to regular authenticated users.
The Argument Injection finding yielded a Common Vulnerability Scoring System (CVSS v3.0) score of 6.6 (medium severity) and the Stored Cross-Site Scripting finding was rated 8.1 (high severity). Accellion has developed a patch for these two vulnerabilities (FTA 9.12.444), which Mandiant has validated.
The number of victims of this attack is increasing; oil giant Shell is one of them. According to a report from news.com.au, the Australian NSW government is also listed among the victims, as are multiple private enterprises. The Australian Cyber Security Centre (ACSC) has released information regarding this attack.
We must acknowledge that zero-day vulnerabilities are a hard reality for every solution we use to achieve our business goals. Even Microsoft is not spared this risk. Consider reading our article on the Microsoft 365 zero-day vulnerability.
In this case, Accellion did what was right to limit this attack. In December 2020, Accellion identified the vulnerabilities and released patches. They engaged Mandiant to analyse the attack, and Mandiant, in its report, validated that Accellion had remediated these vulnerabilities. Accellion has officially declared FTA an obsolete product, with an end-of-life date of April 2021.
Security is a collective effort.
As customers, we cannot assume, or act as if, security is solely the vendor’s responsibility. If you are one of the victims of this attack, you should take ownership of the security mistakes that led to your becoming a victim. Here are a few things that could have saved the victims from this attack.
- To begin with, why are these organisations still using FTA? Accellion has been continuously engaging with customers to convince them to migrate to its new solution, kiteworks. Accellion launched kiteworks to replace FTA; it is a newer, better and more secure solution for transferring files. Do we need a catastrophic event to understand the importance of innovation, upgrades and enablers for change? Or do our CTOs and CIOs need to change their security strategy and their approach towards security? One way is to give the CISO a seat on the Board of Directors (BoD), where they can raise their voice in favour of security.
- Accellion identified these vulnerabilities in mid-December 2020. This is a time when part of the staff is on holiday and the rest is overloaded with work. Accellion did inform its customers about the patch, but the email got lost. To deal with this issue, a validation process for critical vulnerabilities could be introduced: Accellion and its customers could have worked together to ensure that information regarding such a critical vulnerability was actually received by the customer.
- A risk-based approach for any solution that handles critical and sensitive data can ensure that the solution and its ecosystem are secured.
- A WAF is an underrated but effective tool. Many organisations do not consider a WAF because it is a complex solution that requires high maintenance and skills to be effective. However, if an organisation chooses to use a 20-year-old solution to handle critical data, then a WAF must be considered as a mitigation control.
- Monitoring and alerting are absolutely critical to identify such attacks. Many organisations opt for a SIEM tool to gain visibility over their infrastructure. However, if the SIEM tool is not configured with the right use cases to monitor and alert on, then it is nothing more than a log collection solution.
- Most important is to build a resilient cyber security strategy. If your cyber security strategy is not well aligned with your business goals, then your organisation is exposed to multiple unknown threats and zero-day vulnerabilities.
Cybersecurity is what we do
Rabbon is a cybersecurity services and solution provider; we lead a team of expert cybersecurity consultants and engineers to help your organisation achieve its cybersecurity goals.