Accellion breach raises notification concerns

Victims of the breach continue to emerge, and one customer said it could have acted sooner, but a critical alert about a zero-day never left Accellion's email system.

Six months after attackers utilized a zero-day vulnerability in an Accellion product nearing end of life, resulting in a notable number of breach disclosures, questions regarding the software vendor's response and customer notifications have arisen.

The target of the Accellion attack, which was first disclosed in January, was the company's 20-year-old file-sharing product, File Transfer Appliance (FTA). Following incident response analysis, Mandiant attributed the "highly sophisticated cyberattack" to the operators behind Clop ransomware, identified as UNC2546 and known for using double extortion tactics to pressure victims into paying. Customers attacked by UNC2546 started to receive extortion emails threatening to publish stolen data on its leak site.

While patches were released for the zero-day and other vulnerabilities discovered later on, the threat actors continued to attack a growing list of enterprises still using FTA, including Qualys, Inc., Bombardier Inc., Shell, Singtel, the University of Colorado, The Kroger Co., the University of California, Transport for New South Wales, Office of the Washington State Auditor (SAO), law firm Jones Day and several others. Those are just the victims that have confirmed a breach related to FTA.

The most recent breach disclosure came earlier this month from New South Wales Health, which said it was "notifying people whose data may have been accessed in the global Accellion cyber-attack." Two months prior, the University of California said it identified that some of the data, in connection with the Accellion attack, was posted on the internet. According to the statement, the university decommissioned the Accellion FTA and is "transitioning to a more secure solution."

Notification failures?

While the scope of the attack continues to expand and highlights just how many enterprises were still using the legacy product that was retired at the end of April, one victim publicly stated Accellion's alert process failed.

In February, Accellion announced end of life for its legacy FTA product, which was exploited by threat actors in December.

The Reserve Bank of New Zealand (RBNZ) expressed concerns about the timeliness of alerts it received from Accellion. In a statement last month responding to the data breach, the bank said it was over-reliant on Accellion to alert it to any vulnerabilities in the system. But RBNZ said it never got the initial alert.

"In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning," RBNZ governor Adrian Orr said in the statement.

That discovery was made by KPMG International, which conducted and published an incident response public assessment and found that the email tool used by Accellion failed to work.

"Software updates to address the issue were released by the vendor in December 2020 soon after it discovered the vulnerability. The email tool used by the vendor however failed to send the email notifications and consequently the Bank was not notified until 6 January 2021," the assessment said. "We have not sighted evidence that the vendor informed the Bank that the System vulnerability was being actively exploited at other customers. This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the Bank at the time."

SearchSecurity reached out to Accellion about its notification process and systems, but the software vendor declined to comment.

However, according to Accellion's FTA attack scope, timeline and response, customers were first notified of the need to patch their systems on Dec. 20, when the first patch was released. "An email alert was sent to FTA customers describing the software update as critical and time-sensitive, and strongly encouraging customers to update as soon as possible," the statement said.

This was not the first time RBNZ pinned a lack of communication on Accellion.

In its original disclosure in February, RBNZ said the bank was never notified that a security update was available. Additionally, the bank said it would have acted sooner if it had received an alert.

"Accellion released a patch to address the vulnerability on 20 December 2020, but failed to notify the Bank a patch was available. There was a period of five days from the patch on 20 December until 25 December when the breach occurred, during which the bank would have applied the patch if it had been notified it was available," the disclosure said.

Accellion customers weigh in

It's unclear if other FTA customers experienced issues with notifications. SearchSecurity contacted other victims about Accellion's notification and alert process. Some of them say they were informed in a timely manner in December, while others say they did not receive notifications or alerts from the vendor until January.

One organization, which asked to remain anonymous, told SearchSecurity that the "original Accellion incident did not create an alert; however, when Accellion created the first patch -- it included an alert that was triggered."

A University of Colorado spokesperson said Accellion notified the university in late January of the attack on the software vulnerability. Accellion's first public disclosure was issued on Jan. 12; it's unclear why the university wasn't directly notified of the vulnerability until later that month.

"We turned off the service on our campuses immediately and applied patches provided before resuming our services," a University of Colorado spokesperson said in an email to SearchSecurity.

An SAO spokesperson told SearchSecurity the state agency is in active litigation and can't comment on any details of its experience, but referred to the timeline on its website which said that in mid-January 2021, SAO was alerted to a potential security incident involving the Accellion File Transfer Service. "SAO immediately contacted Accellion for specific details," the statement said.

It is not clear from the statement how SAO was originally alerted. SAO's lawsuit does not accuse Accellion of failing to properly notify the agency of the vulnerability and patch.

Similarly, a spokesperson for Transport NSW said the investigation into the Accellion breach is ongoing and being led by Cyber Security NSW and NSW Police. They did not provide further details.

Several other victims did not respond to SearchSecurity's request for comment.
