The first quarter of the year has not even ended, and the list of cyber-attacks keeps growing. SolarWinds and Microsoft were the earlier victims; now it is the energy giant Shell. Royal Dutch Shell has become the latest casualty of a series of attacks on users of the Accellion legacy File Transfer Appliance (FTA), a campaign that has so far affected numerous organizations and has been attributed to the FIN11 cybercrime group and the Clop ransomware gang. Accellion FTA is used by enterprises worldwide to transfer large and sensitive files, deployed as a private cloud, on-premise or hosted. The attackers compromised the company’s secure file-sharing service, which is built on Accellion’s FTA.
The multinational comprises a group of petrochemical and energy companies with more than 80,000 employees spread across some 70 countries. Shell is also the fifth largest company in the world by revenue according to Fortune’s 2020 Global 500 ranking. “Shell has been affected by a data security incident involving Accellion’s File Transfer Appliance,” the company disclosed on its website last week. “Shell uses this appliance to securely transfer large data files.” The attackers accessed “various files” containing personal and corporate data from both Shell and some of its stakeholders, the company acknowledged.
However, because the Accellion deployment was isolated, Shell’s core IT systems were unaffected by the attack, “as the file transfer service is segregated from the remainder of Shell’s digital infrastructure,” the company said. This is the security-relevant detail of the disclosure: a third-party appliance that ingests files from outside the organization is a natural foothold, and network segmentation is what kept the compromise contained to the appliance itself. “Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident,” Shell said. While Shell’s statement did not name the attackers, a joint statement published by Accellion and Mandiant a month earlier shed more light on the attacks, linking them to the FIN11 cybercrime group. The Clop ransomware gang has also been exploiting an Accellion FTA zero-day vulnerability (discovered in mid-December 2020) to compromise organizations and exfiltrate their data. Accellion said that roughly 300 customers were still running the 20-year-old legacy FTA software, with fewer than 100 of them breached by Clop and FIN11 (the cybercrime groups behind these attacks). Fewer than 25 victims appear “to have suffered significant data theft,” according to Accellion. [Reference]
As Threatpost reported, the first flaw turned out to be only one of a cascade of now-patched zero-day bugs in the platform, which Accellion discovered only after its customers came under attack well into the new year, the company acknowledged. Other victims of the Accellion FTA attacks include the law firm Jones Day and the telecom giant Singtel. Ultimately, four vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104) were found to have been exploited in the attacks, according to the investigation; together they gave an unauthenticated attacker a path from the appliance’s web interface to command execution on the underlying host, which is why a single exposed FTA was enough to lose every file it held. Accellion patched each vulnerability as it was discovered; however, as Shell’s disclosure shows, unpatched systems likely remain and further attacks seem likely. A practitioner should also note that FTA is an end-of-life product: for a legacy appliance whose vendor has announced its retirement, the durable fix is to inventory every instance, confirm the current patch level, and migrate off it, not to keep chasing patches. Indeed, patching is a complicated endeavor even for the most well-run IT organizations, and many companies struggle to achieve complete coverage across their environments. [Reference]
There are several reasons why patches are not applied promptly when they become available, including poor communication from vendors when patches are released, unpredictable and manual patching processes, and organizational confusion over who is responsible for applying them. The Accellion attacks also highlight the importance of choosing technology partners carefully when relying on them for critical business processes that are exposed to attack. This latest breach serves as a reminder of how important it is for organizations to adopt a threat-informed approach to security, as it is far harder to defend a production environment without the context of the adversary’s behaviour. With MITRE ATT&CK as a foundation, continuous security improvement can be driven through automated adversary emulation, allowing defenders to measure their program’s effectiveness against known adversary techniques rather than assuming that a patch cycle alone has closed the gap.
Article by Kaushik Sundararajan
I am a security professional specializing in network security. With vivid experience in different industries, I am looking to explore the current cyberspace and discuss the ideology of certain ideas from a different perspective.