Singtel, Tier 1 telecom carrier throughout Asia and owner of Australian telco Optus, has been impacted by a software security hole in a third-party file transfer appliance targeted by attackers. Singtel is one of multiple organizations affected by the bug, including an Australian medical research institution.
The point of entry for the attack was software company Accellion, maker of (among other things) a legacy large file transfer product called File Transfer Appliance, or FTA. FTA is a 20-year-old product that was targeted by a “sophisticated cyberattack” on Dec. 23, according to a company notice in early February.
Singtel, one of the largest telecom companies in the world, announced Thursday that it was a victim of a cohesive set of cyberattacks. The statement coincided with Accellion’s own public acknowledgment that an ongoing vulnerability in FTA eventually led to an information compromise with Singtel and other customer systems.
Accellion’s Bug-Riddled File Transfer Software
Accellion noted that it became aware of a zero-day security vulnerability in FTA in mid-December, which it scrambled to patch quickly. But that turned out to be just one of a cascade of zero-days in the platform that the company discovered only after they came under attack from cyber-adversaries.
“This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021,” the company explained. “Accellion identified additional exploits in the ensuing weeks, and rapidly developed and released patches to close each vulnerability. Accellion continues to work closely with FTA customers to mitigate the impact of the attack and to monitor for anomalies.”
The system is now fully patched – as far as the company knows. But in the midst of the mad scramble of discovery, attacks and patching, companies like Singtel were caught in the crossfire.
“The Accellion file transfer product used by Singtel is 20 years old, and continues to be used by many organizations in the financial, governmental and commercial sector to transfer large files, despite Accellion’s offering of newer and more secure file-sharing solutions,” Chloé Messdaghi, chief strategist, Point3 Security, said via email. “That’s problematic – it’s the kind of decision that puts companies at sharply increased risk. The fact is that breaches are going to happen, and possibly through a third party.”
Singtel: Unpatched Security Bug Led to Attack
Accellion disclosed the initial vulnerability to Singtel on Dec. 23 when it discovered it. The telco applied the given patches, starting the next day.
“The second and last patch was applied on 27 December,” according to the telecom giant. “There were no patches issued by Accellion since.”
But then a month later on Jan. 23, Accellion issued another advisory citing a new vulnerability that bypassed the Dec. 27 patch, Singtel said.
“We immediately took the system offline,” according to the statement. “On 30 January, Accellion provided another patch for the new vulnerability which triggered an anomaly alert when we tried to apply it. Accellion informed thereafter that our system could have been breached and this had likely occurred on 20 January.”
Singtel Zero-Day Attack: Damage Unknown
Singtel used Accellion FTA “to share information internally as well as with external stakeholders,” it said in a website statement.
It is working to uncover the scope of the damage, according to the statement. That could be extensive, given that Singtel has both business- and consumer-focused operations in Singapore; throughout Australia via its subsidiary Optus; across India, South Asia and Africa via Bharti Airtel; in Indonesia via Telkomsel; in the Philippines via Globe Telecom; and in Thailand via Advanced Info Service.
“We are currently conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed. Customer information may have been compromised. Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.”
Garret Grajek, CEO at YouAttest, noted that espionage-motivated hackers are usually inside an enterprise, undetected, for a long time – weeks if not months, as evidenced in the sprawling Solar Winds campaign.
“By this time, we have to assume that an attacker is going to penetrate our network, servers, applications in some form or another,” he said via email. “Billions of scans are running daily — looking for known, published vulnerabilities. It is known conduct in the attacker’s kill chain that the hacker will usually do the two following actions: conduct lateral movement across the enterprise (to find valued resources) and to escalate their own privileges (say to admin account) to help move to all resources have the privileges and access to exfiltrate the data.”
Medical Research Under Attack
QIMR Berghofer, an Australian medical research institute, also announced this week that it was a victim of the attack.
It said in a statement that it uses Accellion FTA “to receive and share data from clinical trials of anti-malarial drugs,” and that about 4 percent of data held on the file-sharing was accessed by an unknown party on Christmas Day.
“These clinical trials are conducted with healthy volunteers,” QIMR Berghofer said. “No names, contact details or other personally identifiable details of study participants are in the files held in Accellion. Instead, codes are used to refer to study participants. Some of the documents in Accellion include de-identified information such as the initials, date of birth, age, gender, and ethnic group of clinical trial participants, as well as the participant codes. Some other documents include participants’ de-identified medical histories, along with their codes.”
QIMR Berghofer had been scheduled to migrate the software in March.
The Accellion Victim List Grows
Singtel and QIMR Berghofer join other victims, such as the Reserve Bank of New Zealand – Te Pūtea Matua, in being affected by the attack. In a short statement in January, the bank said that it used FTA to “share and store some sensitive information” which has been illegally accessed.
“We are working closely with domestic and international cyber security experts and other relevant authorities as part of our investigation and response to this malicious attack,” Governor Adrian Orr said in the statement. “The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information.”
The system was taken offline, Orr added.
For its part, the Silicon Valley-based Accellion said it has things under control. “Our latest release of FTA has addressed all known vulnerabilities at this time,” Frank Balonis, Accellion CISO, said in a statement. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate…and have accelerated our FTA end-of-life plans in light of these attacks.”
Is your small- to medium-sized business an easy mark for attackers?
Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.