Accellion customers are not warned of a zero-day attack due to a problem with the mail tool


Due to a problem with a mail tool last December, Accellion customers were not warned by the software company about a zero-day attack in which two previously unknown vulnerabilities were used to take over systems. This is according to a report from KPMG that investigated the abuse of the security holes at the central bank of New Zealand ( pdf ).


The zero-day attack targeted the Accellion File Transfer Appliance (FTA) server. FTA was a twenty-year-old solution that organizations used to exchange large files. On December 16, a customer warned Accellion of an attack. Further investigation revealed that the attackers exploited two zero-day leaks to gain access to FTA servers. After gaining access, the attackers installed a web shell to maintain their access and steal data. The Clop ransomware group, among others, took advantage of the leaks.


On December 20, Accellion released a security update for the vulnerabilities. One of the organizations attacked through the vulnerabilities on December 25 was the Central Bank of New Zealand . The bank had KPMG investigate the attack and the resulting data breach. This shows that Accellion wanted to warn customers by e-mail. However, a problem with the email tool prevented this alert from being sent.


The bank was finally notified on January 6 of this year and rolled out the available security update a day later. According to investigators, the delayed warning contributed to the break-in and the way the bank could have responded to prevent the attack. "We were too dependent on Accelloin, the provider of the FTA, to warn us of vulnerabilities in their system. In this case, the warnings were left on their system and did not reach the central bank before the attack took place. We have no prior warning. received, "said the bank.


The bank acknowledges that it could have taken measures to limit the impact of the attack. FTA has now been phased out by Accellion. In addition to the central bank of New Zealand, the Nederlandse Aardolie Maatschappij (NAM), security company Qualys , the Australian Securities and Investments Commission (ASIC), the US state of Washington , the American supermarket chain Kroger and law firm Jones Day announced that their FTA server was broken into.

Previous Post Next Post