The Accellion FTA file transfer service has been at the heart of recent hacks at banks, law firms, telcos, and government organizations across the world
Eric De Grasse
Chief Technology Officer
16 February 2021 (Paris, France) – As widely reported by multiple media outlets, Jones Day says hackers got their hands on confidential client data and firm communications when an outside vendor’s file transfer system was breached. Jones Day is the second major law firm in two weeks to have private data exposed as a result of a breach at Accellion, which provides file transfer and other services for a number of firms. Goodwin Procter said on 2 February that certain client and employee data was also left unprotected. From the Jones Day press release:
“Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day—like many law firms, companies and organizations—used was recently compromised and information taken. Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”
The firm is the tenth largest in the U.S., with more than $2 billion in gross revenue, according to the AmLaw 2020 rankings. Jones Day’s clients include Alphabet Inc.’s Google, JPMorgan Chase & Co., Walmart Inc., Procter & Gamble Co., and McDonald’s Corp.
At the risk of repeating myself (our cyber security listserv knows all of this), Accellion’s FTA was developed in the early 2000s and was among the first products of its kind to provide a simple way to share large files. It was created long before the age of cloud-based products like Box, Dropbox, Google Drive, and OneDrive: companies bought an FTA license, installed the software on their own servers, and used it to let employees and customers store and share large files that could not be sent by email. Accellion eventually developed better products, such as Kiteworks, which superseded FTA in both features and security, but many FTA appliances remained in use at thousands of companies and government organizations across the world, even to this day.
NOTE: Accellion recently announced the end-of-life for its FTA product. Nice timing.
As I have noted many times before, cyber-attacks against law firms are increasing, and firms are repeatedly targeted because of the vast amounts of money, information and client data they retain. That is a troubling realization, considering the business is inherently built upon strict confidence and trust from clients. Even so, many firms do not know they have been compromised when a cyber-attack takes place. By the time they realise a breach has occurred, significant damage may already have been done, and most then do not know what to do next. Law firms are an easy target because they lack the basic security infrastructure needed to prevent a cyber-attack.
And better “cyber hygiene” seems not to be a priority. The 2020 ABA Legal Technology Survey Report found that the share of law firms reporting a known security breach rose to 29 per cent in 2020. The survey also notes that, despite the ethical obligations and pending challenges, use of the specific cyber security tools it asks about remained below half of respondents, and only 36 per cent of respondents have taken out cyber insurance policies. Three years ago, at the Georgetown Law Cyber Security Forum, “white hat” cyber security vendors showed how easy law firms are to attack, including how Chinese attackers got into a U.S. law firm in Washington, DC from a Starbucks while two associates on a break were sending print requests back to their office. As my business partner, Greg Bufithis, explained in his series “Beyond SolarWinds: cyber (in)security”:
Most law firms lack basic cyber security. As my cyber/pentest clients know, back in 2018 I was sitting in a Starbucks in Washington, DC with a “white hat” colleague and he showed how he could access (almost) everybody’s laptop sitting in that Starbucks. We got into a D.C. law firm via its printer system, using Wireshark. The law firm employee had VPN but we took advantage of “the gap” between start-up and connection. We communicated all of that information to the law firm.
Worse, the hard drives in networked copiers, such as HP and Xerox models, give attackers who are already on the LAN a way to extend their attacks.
Accellion’s vulnerabilities have long been known. As the FTA code aged, security researchers regularly found vulnerabilities in the appliance; most were privately reported to the company and fixed before any damage was done to its customers, but Accellion never reported them back to its clients. This past December, however, researchers found that one of these bugs was being exploited “in the wild”, and the threat actor (believed to be Chinese) began exploiting FTA appliances installed across the world, which brings us to the present state.
NOTE: you can Google and read the reports, but the first Accellion FTA-linked hack reported was at the Reserve Bank of New Zealand, followed by cases at the Australian Securities and Investments Commission (ASIC), the law firm Allens, the University of Colorado, the Washington State Auditor Office, the QIMR Berghofer Medical Research Institute and Singtel, Singapore’s largest telco.
According to one of my primary cyber-attack resources, a report from Guide Point Security, the attacker(s) appear to have used an SQL injection to install a web shell and then used that initial access to steal files stored on the FTA appliance. In a press release published on January 11, Accellion said it had known since mid-December 2020 about the zero-day vulnerability the attacker was exploiting and had responded by releasing an FTA firmware update within three days of the first attacks. At the time, Accellion said that, based on its data, fewer than 50 FTA customers appeared to have been attacked. We now realize the company was being less than candid (too optimistic?) in its assessment.
And worse … Accellion failed to inform its customers. Besides releasing the patches on Christmas Eve, when most IT staff were away, Accellion published no patch notes for the firmware update and assigned no CVE identifiers to the vulnerabilities it fixed. When IT staff returned from the winter holidays, many did not know for days that a crucial firmware update was waiting to be applied.
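To make the first link of that chain concrete, here is an added example of my own (not Accellion’s code and not anything from the Guide Point report): a constructed in-memory SQLite table standing in for an appliance’s file-metadata store, a download-token lookup that splices the request-supplied value straight into the SQL text, and the same lookup with a bound parameter. The schema, rows, tokens and payload are all assumptions for illustration.

```python
import sqlite3

# Constructed stand-in for a file-transfer appliance's metadata store.
# Schema, rows and tokens are assumptions for illustration, not Accellion's.
SAMPLE_ROWS = [
    ("alice", "/data/alice/merger-deck.pdf", "tok-a1"),
    ("bob", "/data/bob/deposition.docx", "tok-b2"),
    ("carol", "/data/carol/board-minutes.pdf", "tok-c3"),
]

# Constructed payload: closes the quoted string and appends an always-true condition.
PAYLOAD = "x' OR '1'='1"


def build_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, path TEXT, token TEXT)"
    )
    conn.executemany(
        "INSERT INTO files (owner, path, token) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, token):
    """Download-token lookup that splices the request value into the SQL text.

    The token arrives straight from the HTTP request, so the attacker controls
    part of the statement: this is the SQL injection pattern.
    """
    sql = f"SELECT owner, path FROM files WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, token):
    """Same lookup with a bound parameter.

    The driver passes the value separately from the statement, so the quote
    and the OR in the payload are just characters in a string, never SQL syntax.
    """
    return conn.execute(
        "SELECT owner, path FROM files WHERE token = ?", (token,)
    ).fetchall()


def main():
    conn = build_db()
    print("legitimate token, vulnerable:", lookup_vulnerable(conn, "tok-b2"))
    print("payload, vulnerable:         ", lookup_vulnerable(conn, PAYLOAD))
    print("payload, hardened:           ", lookup_hardened(conn, PAYLOAD))


if __name__ == "__main__":
    main()
```

With the vulnerable lookup the payload turns a request for one file into a listing of every record on the box, which is exactly the kind of foothold that lets an intruder find out what is stored there; the parameterised lookup returns nothing for the same payload. Going from an injection to a planted web shell needs more than this (stacked statements or a file-write primitive in the database engine), which the example deliberately does not reproduce.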
Last week, a Seattle law firm filed the first lawsuit against Accellion, in relation to the Washington State Auditor Office breach, and many more are expected in the coming months as companies review their appliances and discover signs of compromise.
And more and more hacks are expected to come to light. In a press release on February 1, the company said the initial December 2020 attacks “continued into January 2021”. Guide Point Security, mentioned above, is working with many Accellion clients and told me there are more hack announcements to come, including several more law firms.
While Accellion had designated FTA a legacy product for years, the move to retire the appliance may have come a little too late, both for its reputation and for its customers’ networks.