Accellion file-sharing breach claims more Australian victims

Regulators, key agencies counting the cost as cybercriminals flaunt stolen data.


As New South Wales road-transport authority Transport for NSW, business regulator ASIC, and the Reserve Bank of New Zealand lick their wounds, the still-expanding footprint from the Accellion SQL-injection exploit has become yet another unfortunate reminder of the importance of constant vigilance about the tools being used in organisations.

The breach saw cybercriminals exploiting a weakness in Accellion’s File Transfer Appliance (FTA), a tool for securely sharing files online, to gain access to files stored on the appliances—and, in some cases, to the networks of the compromised organisations as well.

A breach revealed in January 2021 of the FTA in place at the Reserve Bank of New Zealand, for one, saw cybercriminals downloading files that included personal details and credit information of an unknown number of people.

A similar breach of the FTA system used by TfNSW also emerged in late February 2021, with the agency noting that “some … information was taken” but that forensic analysis had confirmed that the compromised data did not include driver’s licence or other personal details. The Accellion systems had been shut down and a joint investigation with the NSW Police was under way, with peak body Cyber Security NSW reporting that “an assessment of the volume and value of data, and any consequences for customers or government” was in progress.

The Accellion-enabled breach of corporate regulator ASIC follows a similar playbook, with the organisation disabling the relevant servers before conducting a forensic investigation that, it said, showed that “it is highly unlikely that the threat actors accessed any data held on the ASIC server”.

State healthcare agency NSW Health—which was also recently caught up in the high-impact SolarWinds breach—was also named as a victim of the Accellion compromise, although Cyber Security NSW reported that no patient data had been compromised.

Also joining the list of compromised targets was Brisbane-based medical research institute QIMR Berghofer, which recently confirmed that about 620MB of data “appears to have been accessed” from its FTA system on Christmas Day 2020.

The institute shut down its system—which was previously installed outside of its network for security reasons—after a February 2021 notification from Accellion that it had likely been affected in the breach, which would have exposed some staff CVs and a broad range of anonymous data from clinical trials of antimalarial drugs.

Although much of the trial data has to be kept for 15 years, QIMR Berghofer director and CEO Professor Fabienne Mackay said in a statement, “they did not need to be stored in Accellion. … We are examining our protocols for using third-party file-sharing services and will put procedures in place to try to ensure that files are regularly reviewed and saved in the most secure location.”

The Accellion compromise was deemed serious enough that the Australian Cyber Security Centre (ACSC) posted a warning about the high-severity vulnerability, which also spurred a joint advisory involving similar authorities in the US, the UK, New Zealand, and Singapore.

Despite forensic analysis revealing the limited scope of the breach, recent revelations suggested that Transport for NSW had been subsequently approached by the Clop ransomware gang, which followed an increasingly common trend by demanding a ransom payment to prevent the publication of commercially confidential documents.

With two recent breaches in major software causing headaches for enterprise users and an indeterminate number of other systems likely already breached, odds are that the SolarWinds and Accellion breaches are just two in what will be an ongoing string of compromises of commercial software—particularly tools like FTA that, Accellion was quick to point out, are decades old and near their end of life.

Such exposure may prove inevitable when installed legacy systems fail to keep up with the security demands of modern information architectures—but companies will, one security expert advises, need to compensate for this by using a layered security architecture that inherently constrains the potential damage from an attack.

“As public users and consumers give more of themselves away online to access digital services, they expect that their data is safe,” said Auth0 APAC general manager Richard Marr, recommending improvements in cybersecurity awareness training, proactive threat detection, customisable security solutions, and multifactor authentication—and noting that “with the complexity of today’s attacks, one [protection] tactic alone is not enough.”

Copyright © 2021 IDG Communications, Inc.
