Lessons Learned from the Accellion Breaches

A brief history

• At the end of 2020, Accellion fell victim to a two-phase SQL injection attack, and the following months have been rife with data breach disclosures. 
• These breaches sprang from unpatched flaws in Accellion’s File Transfer Appliance (FTA). 
• Now, some attackers (FIN11 and Clop) took advantage of these vulnerabilities and attempted to extort the victims by threatening the publication of sensitive data. 
• The affected firms include the Reserve Bank of New Zealand, Singtel, the state of Washington, Jones Day, the Australian Securities and Investments Commission, the University of Colorado, Qualys, and Kroger. 

What went wrong?

• By mid-December 2020, an SQL injection vulnerability (CVE-2021-27101) was patched by the firm, however, it was only the first in a series of vulnerabilities.
• Other discovered flaws included an XSS vulnerability in the product’s file manager, an unauthorized upload vulnerability, and a blind SQL injection and command injection vulnerability in its admin interface (CVE-2021-27104). 
• After the first flaw was patched, attackers repeatedly targeted FTA. 

Lessons learned

• It is absolutely imperative to carry out analytics and threat detection at the data layer. This is displayed by the fact that just an SQL injection enabled threat actors to execute a successful attack.
• Although organizations have become cyber smart, there is more to be taken care of when it comes to securing data.
• A content firewall is not the only thing that should be between your data and cybercriminals. There must be internal protection in place. Mitigating the first flaw was not enough for Accellion. Attackers found different entry points and the rest is going down in history. 

The bottom line