Accellion failed to notify customers of a zero-day vulnerability in its file transfer application (FTA) and related cyber-attacks targeting the security flaw, according to a new report from professional services firm KPMG.
FTA is a large file transfer service that was retired at the end of April 2021, after being in use for roughly 20 years. In mid-December, Accellion identified a critical vulnerability in the service and later discovered in-the-wild hacking attempts targeting the flaw.
At the time of attack, FTA still had roughly 50 customers, and some already confirmed impact from the incident, including The Reserve Bank of New Zealand, the U.S.-based law firm Jones Day, the Office of the Washington State Auditor (SAO), and security and compliance solutions provider Qualys.
While Accellion did issue patches for the targeted security bugs, a problem with its email system prevented it from notifying impacted customers of the attacks in a timely manner, explains KPMG, which was engaged by the Reserve Bank of New Zealand – Te Pūtea Matua – to review the bank’s response to the breach.
The bank was alerted to the vulnerability on January 6 only and applied the available patches the day after. However, the bank also received system-generated alerts of potential anomalous behavior.
“We have not sighted evidence that the vendor informed the Bank that the System vulnerability was being actively exploited at other customers. This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the Bank at the time,” KPMG said in the report.
One other issue that the investigation revealed was the fact that the bank used the service for more than just secure file transfers, as intended, but instead relied on it as an information repository and collaboration too, which increased the volume of information at risk.
“We were over-reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning,” the bank’s Governor Adrian Orr said.
Orr also said that the bank takes full responsibility for the identified shortfalls. The total cost of the breach is estimated at around $3.5 million.
The attacks on FTA were linked to the FIN11 cybercrime group. The attackers published some of the stolen information on the Tor website associated with the Clop ransomware gang.