Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Report: Accellion Failed to Notify Customers of FTA Zero-Day

Accellion failed to notify customers of a zero-day vulnerability in its file transfer application (FTA) and related cyber-attacks targeting the security flaw, according to a new report from professional services firm  KPMG.

Accellion failed to notify customers of a zero-day vulnerability in its file transfer application (FTA) and related cyber-attacks targeting the security flaw, according to a new report from professional services firm  KPMG.

FTA is a large file transfer service that was retired at the end of April 2021, after being in use for roughly 20 years. In mid-December, Accellion identified a critical vulnerability in the service and later discovered in-the-wild hacking attempts targeting the flaw.

At the time of attack, FTA still had roughly 50 customers, and some already confirmed impact from the incident, including The Reserve Bank of New Zealand, the U.S.-based law firm Jones Day, the Office of the Washington State Auditor (SAO), and security and compliance solutions provider Qualys.

While Accellion did issue patches for the targeted security bugs, a problem with its email system prevented it from notifying impacted customers of the attacks in a timely manner, explains KPMG, which was engaged by the Reserve Bank of New Zealand – Te Pūtea Matua – to review the bank’s response to the breach.

[ SEE: Shell Says Personal, Corporate Data Stolen in Accellion Incident ]

The bank was alerted to the vulnerability on January 6 only and applied the available patches the day after. However, the bank also received system-generated alerts of potential anomalous behavior.

“We have not sighted evidence that the vendor informed the Bank that the System vulnerability was being actively exploited at other customers. This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the Bank at the time,” KPMG said in the report.

One other issue that the investigation revealed was the fact that the bank used the service for more than just secure file transfers, as intended, but instead relied on it as an information repository and collaboration too, which increased the volume of information at risk.

“We were over-reliant on Accellion – the supplier of the file transfer application (FTA) – to alert us to any vulnerabilities in their system. In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning,” the bank’s Governor Adrian Orr said.

Orr also said that the bank takes full responsibility for the identified shortfalls. The total cost of the breach is estimated at around $3.5 million.

The attacks on FTA were linked to the FIN11 cybercrime group. The attackers published some of the stolen information on the Tor website associated with the Clop ransomware gang.

Related: City of Chicago Hit by Data Breach at Law Firm Jones Day

Related: Shell Says Personal, Corporate Data Stolen in Accellion Incident

Related: Cybercriminals Publish Data Stolen From Shell, Universities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...