The Accellion FTA Vulnerability—What’s Happening and How Should Cyber Insurance Respond
February 26, 2021
You may have read recent reports about the 20-year old Accellion File Transfer Appliance (FTA) and the crime actors exploiting significant security vulnerabilities. These attacks have impacted businesses of varying sizes in countries around the globe with reports including Kroger Co., the law firm Jones Day, the State of Washington, the Reserve Bank of New Zealand, and Singtel (Singapore Telecommunications).
Security vulnerabilities in legacy products aren’t new, so you may be wondering why this is different. From a cyber security perspective, the crime actors used a tried and true attack method. What’s interesting is what happened next.
The Accellion FTA vulnerability
In the recent cyber attack, businesses worldwide have become victims of data theft and extortion emails from a threat actor employing new techniques. These attacks started making an appearance in December of 2020, exploiting zero-day vulnerabilities in a File Transfer Appliance from Accellion.
Zero-day vulnerabilities are not yet publicly disclosed by the vendor, nor has a patch been developed. They’re especially concerning as neither the vendor, nor the user of the product, can do anything to prevent the attack or mitigate their risk.
Once the attacker had access, they installed a custom web shell, DEWMODE. Web shells allow a criminal actor to control a web server, enabling them to steal data and remotely control an affected server.
Reports note that the attackers that leveraged DEWMODE used “smash and grab” techniques to steal large amounts of data from exploited Accellion FTA appliances.
In January of 2021, some of the Accellion FTA victims began receiving extortion demands. The crime actors had stolen their data directly from these appliances and then threatened to publish it on a shaming website.
By February 2021, the number of shaming victims had grown even larger on the shaming website, with victims in the United States, Canada, Singapore, and the Netherlands.
Why is this important?
This new attack is important for a few reasons. First, the high profile of the purported victims is critical to note (Kroger Co., Jones Day, the State of Washington, the Reserve Bank of New Zealand, and Singtel).
The threat actors have moved beyond relying on phishing emails to utilizing zero-day exploits on both SaaS and PaaS vendor products. This marks a significant evolution in the attackers strategy and demonstrates an alarming increase in their capabilities.
The use of an extortion announcement/shaming platform as part of the attacks that didn’t involve ransomware is another evolved attack method. Traditional ransomware attacks involve encryption of the victims data and the threat of public distribution as a motivation for payment. In this case, data was stolen from a third-party managed appliance and moved directly to extortion.
Criminals typically repeat processes that work for them, only changing their behavior when necessary. This new campaign represents a clear and deliberate change in strategy. And that is alarming. It demonstrates how tools and techniques developed as part of the explosion in ransomware activity can now be leveraged in more diverse cyber crime activity.
How can I protect myself?
As with all cyber security issues, a well-trained and well-funded internal team or external partner to handle cyber security is critically important. In this instance, a well-informed team may have pushed FTA customers to move to Accellion’s new Kiteworks product as soon as possible. Legacy FTA customers are the key target in the Accellion case.
However, it is not possible to have perfect cyber security as not all existing exploits are known. This serves as a particularly interesting example for why cyber insurance should be a consideration for organizations of all sizes when deciding how to allocate funds to mitigate cyber risks.
Even if you do have cyber insurance, you are likely asking “Does my cyber policy cover me?” Unfortunately, the answer is rarely clear.
Some policies are triggered only on the basis of a credible ransomware event—one that is characterized by encrypted data, which is managed by the victim themselves. In these cases:
- There was no in-place encryption
- There was no traditional ransomware demand
- The data was stored on a proprietary vendor device, not on the victim’s infrastructure
These cases are complex—determining liability, contractual obligations, indemnifications, and more. They require top-tier claims experts and legal counsel to ensure your business is properly represented.
As you make decisions about cyber insurance, choose a partner who prioritizes excellent coverage and provides the experts you will need in the event of a cyber attack.
The Measured Insurance approach
Measured Insurance is smarter insurance, built to help customers rest easy. Our CyberGuard Insurance policy provides our Insureds with the coverage and assurance of knowing that assets are fully protected against financial loss implications posed by third-party technology vendor vulnerabilities.
Whenever any of our Insured’s data is compromised, even if only from a threatened or suspected attack, our policy will respond. Our claims team reacts with a two-fold approach—first addressing the breach issue and then pursuing a subrogation action against the culpable party, which in many cases, is the technology vendor.
At Measured, we're committed to supporting Insureds. With Measured, you’ll find protection and services you can rely on to safeguard your most valuable technology assets and business workflows.
To learn more about CyberGuard, click here.