Cybersecurity agencies across five countries have issued a global alert to organizations using the Accellion FTA file transfer application after a number of organizations in the past six weeks admitted to being hacked through vulnerabilities in the software.
Organizations should temporarily isolate or block internet access to and from systems hosting Accellion FTA, says the warning from the U.S., the U.K., Australia, New Zealand and Singapore. The alert includes indicators of compromise.
Organizations should then assess those systems for evidence of malicious activity – indicators of compromise, for example – and obtain a snapshot or forensic disk image of each system for subsequent investigation.
If malicious activity is identified, consider conducting an audit of Accellion FTA user accounts for any unauthorized changes, and consider resetting user passwords, says the report. Security tokens on the system should be reset, including the “W1” encryption token, which may have been exposed through SQL injection.
The report also urges organizations to evaluate potential solutions for switching to a supported file-sharing platform after completing appropriate testing. As a result of the sudden rash of successful attacks, Accellion has announced that FTA will reach end-of-life on April 30. “Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs,” the alert says.
At the very least, users should update Accellion FTA to version FTA_9_12_432 or later to close known vulnerabilities.
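The version floor above lends itself to a mechanical fleet check. The following Python is an added example, not code from the alert or from Accellion: it parses FTA_9_12_432-style build strings into numeric segments, because a plain string comparison misorders builds such as FTA_9_12_1000 below FTA_9_12_432, and sorts a host inventory into patched versus still-to-isolate. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Release at or above which the alert considers the known FTA flaws closed.
PATCHED_FTA_VERSION = "FTA_9_12_432"


def parse_fta_version(version: str) -> tuple[int, ...]:
    """Turn 'FTA_9_12_432' into (9, 12, 432) for segment-wise comparison.
    A lexicographic string compare would rank 'FTA_9_12_1000' below
    'FTA_9_12_432' because '1' sorts before '4'."""
    m = re.fullmatch(r"FTA_(\d+(?:_\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FTA version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("_"))


def fta_is_patched(version: str, baseline: str = PATCHED_FTA_VERSION) -> bool:
    """True when the installed build is at or after the baseline release."""
    return parse_fta_version(version) >= parse_fta_version(baseline)


def triage_fleet(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {hostname: version} inventory into hosts that still need
    isolation and patching versus hosts already at or above the baseline."""
    result: dict[str, list[str]] = {"needs_isolation": [], "patched": []}
    for host, version in sorted(inventory.items()):
        bucket = "patched" if fta_is_patched(version) else "needs_isolation"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "fta-01.example.internal": "FTA_9_12_370",
        "fta-02.example.internal": "FTA_9_12_432",
        "fta-03.example.internal": "FTA_9_12_1000",
    }
    print(triage_fleet(sample))
```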
Recent victims of the Accellion FTA vulnerabilities
Canadian business jet manufacturer Bombardier and the pharmacy operations of the U.S. Kroger supermarket chain are the latest North American firms to acknowledge they were victimized through Accellion FTA.
“Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors,” says the alert. “According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers. In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.”
One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Threat actors have exploited this vulnerability to deploy a webshell on compromised systems.