Unexpected Extortion Move: Attackers Reverse-Engineered Outdated FTA to Steal Data
One question posed by the zero-day attacks against the Accellion File Transfer Appliance remains: Why were firms continuing to use such over-the-hill technology?
The short answer is that many organizations, having invested in on-premises file-transfer technology, apparently saw no compelling reason to pay for newer, often cloud-based options, even if they offer easier manageability and scalability – and better security.
“For CISOs attempting to evaluate the threat posed by continuing to use older technology … the FTA attacks add an obvious wrinkle to their organization’s risk management calculus.”
Fresh cloud-based options are widely available. Various newer options include Accellion’s own Kiteworks, as well as Box, Citrix Content Collaboration, Dropbox Business, Google Drive, Microsoft OneDrive and many more.
Many CISOs apparently didn’t see a persuasive reason to adopt cloud-enabled file-transfer technology, especially if legacy systems were supporting complex business processes.
As a result, many organizations had continued to use on-premises, “legacy” – as Accellion describes it – FTA technology. These included security firm Qualys, Flagstar Bank, Australia’s Transport for New South Wales, Canada’s Bombardier, the Reserve Bank of New Zealand, U.S. grocery chain Kroger and energy giant Shell.
Unfortunately, all of those organizations recently lost data after attackers reverse-engineered the FTA code and began exploiting zero-day flaws to steal data. The Clop ransomware operation has been receiving the data and running an extortion scheme. If victims don’t meet its ransom demands, Clop first attempts to name and shame them via its site, then begins leaking their data.
The full roster of victims has yet to be revealed. Numerous victims have yet to appear on Clop’s leak site, including three that operate in the healthcare sector: insurer Centene, which says attackers stole all of the 9GB of data it was storing in its Accellion FTA system; Oregon-based Trillium Community Health Plan, for which data on 50,000 individuals was exposed; and Arizona Complete Health, which said more than 27,000 individuals’ personal details were exposed.
Obviously, the risk calculus around continuing to use legacy FTA technology isn’t what holdout users might have hoped it would be.
Frequent Imperative: Securely Share Documents
Many organizations rely on file sharing to do business – not just healthcare providers and insurers, but also law firms and financial services companies.
“Managed file transfer services have been around for decades and used by highly regulated enterprises. They offer larger corporations many additional options that are not found in a consumer file-sharing service,” says Chris Pierson, CEO of concierge cybersecurity firm BlackCloak.
But a crucial change has happened since the mid-2010s: The cloud came along, and services that were once seen as being for consumers only also gained more enterprise-class features, improving their manageability, security and scalability.
Pierson says these “secure file-sharing technologies have become much more ubiquitous, easy to manage and offer more controls than a decade ago.”
But those controls must still be used in an appropriate manner. For example, documents protected using strong encryption can be easily cracked, and read by others, if not set to use a strong password or if stored on a misconfigured server that allows for public access.
“It doesn’t matter how good the strength of the encryption used, if a simple guess of the password unlocks the file,” says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements. “The key is to treat the individual file with the appropriate level of protection. If the file contains sensitive information, it should be encrypted at rest, transferred in an encrypted state and if possible, removed once successfully delivered.”
To ensure that such essentials happen – and can be audited – many organizations that handle a huge volume of documents have opted for much more robust approaches to file-sharing and collaboration ecosystem, backed by strong identity and access management controls, Pierson says.
“Many times these products are used in an automated fashion for documents needed in client onboarding, legal discovery processes or encrypted file-sharing processes,” he says. “Key for all services and products is to ensure file upload/sharing permissions are set correctly and reviewed regularly, client files are purged when no longer needed or moved to longer-term encrypted storage, and software updated on a continuous basis.”
Pandemic Drives More Rapid Change
Because of the shift to remote work during the pandemic, more organizations began to retire legacy file-transfer technology, says Oru Mohiuddin, IDC’s research manager for enterprise communications and collaboration.
“With people working remotely, there has been a boost in the adoption of remote-communication technology, such as Microsoft Teams and videoconferencing,” she says. “Along with this, the culture of collaboration has been changing, which has impacted content/file sharing too.”
As a result, collaboration platforms have been adding more file-sharing features. “Microsoft OneDrive dominates the market, and most cloud-native collaboration players now integrate with Box, Dropbox and so on,” Mohiuddin says. She adds that these services “have also upgraded their security protocols and measures during the pandemic” to make them more enterprise-appropriate.
Increasingly, she says, “content/file sharing will not be viewed as a standalone function but as part of overall collaboration functions and is being – or will be – built into the solution either as a homegrown application or through third-party integration.”
In other words, “file sharing as a standalone function is now fast dissipating and taking on a new shape: It needs to have a context as well as follow-up actions and include the option for multiple people to make changes simultaneously in real time,” she says.
In this respect, file sharing – at least for individuals – may finally be going the way that Steve Jobs once predicted. Dropbox CEO Drew Houston in 2011 recounted to Forbes a 2009 meeting in which Jobs said Apple planned to encompass the file-sharing market. “He said we were a feature, not a product,” Houston told Forbes.
Attackers Reverse-Engineered FTA
Unfortunately for organizations still using Accellion FTA, they became a target.
To recap the Accellion File Transfer Appliance mess, an investigation by FireEye’s Mandiant incident response team reported early this month that attackers had reverse-engineered the nearly 20-year-old FTA code and found four zero-day flaws. Over the course of two separate attack campaigns in December and January, attackers exploited the flaws to drop a web shell onto any server running the FTA software, which they used to gain remote access and exfiltrate data.
Accellion has said about 100 FTA-using customers got hit and that about 25 of them lost a significant amount of data. At least in some cases, this data has ended up in the hands of the Clop ransomware operation.
On Monday, Clop added the University of Maryland, based in Baltimore, and Yeshiva University in New York to its leak site. “I would assume they’re Accellion-related cases,” says Brett Callow, a threat analyst at security firm Emsisoft. “If so, they’re the 26th and 27th organization to have had data exfiltrated via Accellion posted on Clop’s site.” Later on Monday, Clop listed as the 28th apparent victim energy giant Shell, which on March 16 had warned that it too fell victim to the Accellion attacks.
Accellion says it quickly patched the zero-day flaws attackers were targeting. But it’s urging FTA users to move to new technology, such as its own Kiteworks, an “enterprise content firewall” that it says is more secure than FTA.
“Our latest release of FTA has addressed all known vulnerabilities at this time,” Frank Balonis, CISO of Accellion, said last month. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate to Kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks. We remain committed to assisting our FTA customers, but strongly urge them to migrate … as soon as possible.”
In the meantime, Clop’s extortion tactics continue. The gang appears to have recently begun emailing customers of organizations for which it has stolen data, urging them to demand that the organization pays a ransom, or else the gang will begin dumping stolen information, including pertaining to the email recipient.
For example, customers of Motherhood.com, which Emsisoft’s Callow suspects was one of the Accellion FTA attack victims, have been receiving emails that read: “Call or write to this store and ask to protect your privacy!!!!”
Motherhood.com didn’t immediately respond to a request for comment.
As the rise of ransomware as a criminal moneymaker has demonstrated, criminals who can innovate their online attacks stand to reap massive illicit profits. This helps explain why attackers devoted the time and resources required to reverse-engineer legacy FTA software, use that knowledge to steal data from large organizations, then feed that data to a group that has devoted itself to industrializing online extortion.
For CISOs attempting to evaluate the threat posed by continuing to use older technology – even if it regularly gets patched by the manufacturer – the FTA attacks add an obvious wrinkle to their organization’s risk management calculus. How many other legacy products might attackers now target, and at what cost for customers?