The Accellion Mess: What Went Wrong?
February 3, 2021 – Article posted on BankInfoSecurity
Several data breaches stemming from unpatched vulnerabilities in Accellion’s File Transfer Appliance have been revealed. What went wrong? Where does the fault lie? And what can organizations do about it?
It’s not a straightforward story. It points to the difficulty of balancing continued use of an aging software product against its risk, a reluctance to migrate to a newer platform, and hiccups in internal patching.
To recap: Accellion, a privately held company based in Palo Alto, California, developed the File Transfer Appliance as a secure way to overcome limits imposed on the size of email attachments. Recipients get links to files hosted on the FTA, which can then be downloaded.
The product is nearly 20 years old, yet it’s still used by hundreds of organizations in the finance, government and insurance sectors to transfer sensitive files. Accellion prides itself on secure file sharing, so the appliance – given its age and wide use – is a juicy target. Over the last seven weeks or so, several SQL injection and other vulnerabilities have emerged in the product…
…In the meantime, it’s prudent for those still using Accellion’s FTA to wean themselves off it if possible, says Drew Schmitt, a senior threat intelligence analyst with GuidePoint Security, based in Herndon, Virginia. If an organization continues to use the product, it at minimum should mitigate risk with a layered approach by patching and implementing additional log and access review, he says.
Schmitt published on Thursday an analysis of a backdoor web shell designed for FTA, which an attacker deploys after breaching the application.
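The “additional log and access review” Schmitt recommends, and the web shell he analyzed, suggest what such a review should look for. The script below is an added example for this page, not code from the article, from GuidePoint or from Accellion. It walks an Apache/nginx combined-format access log and flags three things a dropped web shell tends to produce: requests for a path the appliance never served before, POSTs outside the normal login/upload flow, and successful requests from non-browser clients. The log lines, the set of known paths and the path names are all constructed for the example; a real review would build the known-path list from a known-good install or from logs predating the suspected compromise, and would adapt the regex to the appliance’s actual log layout.

```python
import re
from collections import Counter

# Apache/nginx combined log format. The layout is an assumption for this
# example; adjust the pattern to whatever the appliance actually writes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths the application legitimately serves (constructed baseline).
KNOWN_PATHS = {"/", "/login", "/download", "/upload", "/static/app.js"}
# Endpoints where a POST is part of normal user activity (constructed).
POST_OK = {"/login", "/upload"}
NON_BROWSER_TOKENS = ("curl", "python", "wget")

# Constructed sample log: three normal user requests followed by two hits on
# a script that was never part of the install, driven by curl. The path
# "/images/help.php" is made up for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jan/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Jan/2021:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Jan/2021:10:02:30 +0000] "GET /download?id=42 HTTP/1.1" 200 99812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Jan/2021:11:40:11 +0000] "GET /images/help.php HTTP/1.1" 200 311 "-" "curl/7.64.1"',
    '203.0.113.7 - - [28/Jan/2021:11:40:12 +0000] "POST /images/help.php HTTP/1.1" 200 2048 "-" "curl/7.64.1"',
]


def parse(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(lines, known_paths=KNOWN_PATHS, post_ok=POST_OK):
    """Return a list of (reason, record) pairs for requests an analyst should look at."""
    findings = []
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        # 1. A script the appliance never served: what a freshly dropped web shell looks like.
        if path not in known_paths:
            findings.append(("unknown path", rec))
        # 2. A POST outside the normal flow: web shells usually take commands via POST.
        if rec["method"] == "POST" and path not in post_ok:
            findings.append(("unexpected POST", rec))
        # 3. A successful request from an empty or scripted user agent.
        ua = rec["ua"].lower()
        if rec["status"] == "200" and (ua == "-" or any(t in ua for t in NON_BROWSER_TOKENS)):
            findings.append(("non-browser client", rec))
    return findings


def summarize(findings):
    """Count findings by reason, e.g. {'unknown path': 2, ...}."""
    return dict(Counter(reason for reason, _ in findings))


def suspicious_ips(findings):
    """Source addresses that triggered at least one finding."""
    return {rec["ip"] for _, rec in findings}


if __name__ == "__main__":
    hits = review(SAMPLE_LOG)
    for reason, rec in hits:
        print(f"{reason:18} {rec['ip']:15} {rec['method']} {rec['path']} {rec['status']} {rec['ua']}")
    print(summarize(hits), suspicious_ips(hits))
```

Run against the constructed sample, the first three lines produce nothing, while the two requests from 203.0.113.7 account for every finding. The point of the baseline approach is that it does not depend on knowing the shell’s file name in advance: any newly appearing server-side script, especially one receiving POSTs from a scripted client, is worth pulling and examining.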