Unpatched Aging Software is a Gold Mine for Attackers

by Kath Kennelly


Most organizations, including those in the government sector, use file transfer software systems for transferring large amounts of data. The Accellion Data Breach, first discovered in December 2020, was the result of a vulnerability in a file transfer system that is used by many organizations globally. This attack is similar to the SolarWinds breach, as both hacks targeted vulnerabilities in third-party software. Let's go through some of the details of the attack and then discuss ways to keep your organization safe.

The Attack

The U.S. company Accellion offers Kiteworks File Transfer Software, but many of its customers still use the company's legacy file transfer system. Unfortunately, while Accellion was in the process of persuading its clientele to move to Kiteworks, a zero-day vulnerability in the legacy software caught them unguarded.

The Accellion File Transfer Application (FTA), which was specifically designed to move large amounts of data, potentially allowed bad actors to access troves of sensitive data from many companies all over the globe. Despite being nearly 20 years old, the Accellion FTA product is used by hundreds of organizations in the finance, government, and insurance sectors to transfer sensitive files.

The company scrambled to patch the zero-day security vulnerability in FTA when it learned of it in mid-December. However, it has since come under attack from cyber-adversaries, and we now know the zero-day security vulnerability was just one of the anomalies. According to Accellion, “This initial incident was the beginning of a concerted cyberattack on the Accellion File Transfer Application product that continued into January 2021. Accellion identified additional exploits in the subsequent weeks, and rapidly developed and released patches to close each vulnerability. Accellion continues to work closely with its customers to mitigate the impact of the attack and to monitor for anomalies and have added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.”

At this point it seems the system is now fully patched... as far as the company knows. But in the midst of the mad scramble of discovery, attacks, and patching, large government and private companies have been caught in the crossfire. Accellion has announced End of Life for its Legacy Software effective April 30, 2021; however, it looks like a reactive approach and may be too little, too late. It also provides insight into a lack of processes on the company's part to migrate away from aging software. The use of an aging software product is a massive security risk and is a gold mine for attackers.

Determining a Security Strategy

This attack was preventable. Enterprises and their third parties cannot simply rely on patches when managing legacy systems like Accellion’s FTA. It's also important to containerize legacy systems so that they're not connected to external systems directly, and to encrypt all information with strong encryption standards. Re-architecting applications can be costly and time-consuming, but containerizing legacy systems and/or encrypting the data before putting it in a file transfer solution can maintain the speed of workflow and keep up with cybersecurity requirements, all while providing many benefits to multiple parties.

In the midst of SolarWinds and now Accellion, it's imperative for organizations to follow proper due diligence across their third-party ecosystem and to understand which third parties lack a sufficient set of controls, leaving them vulnerable to different attacks. It also highlights the need for timely patching and for a process for emergency patching of zero-day vulnerabilities. Although patching is one of the baseline controls across all regulatory and industry standards, many companies, including mature large organizations, still grapple with operationalizing this key information security process.

It also shows that questionnaire-based assessments alone are not enough; you need to combine them with continuous monitoring solutions and review the resultant residual risk on an ongoing basis. In the scenario of third-party software, apart from enterprise due diligence, it's important to attain additional understanding of how the software has been developed, its feature set, and whether it has been vetted, tested, and certified by organizations with common criteria.

Organizations need to be vigilant about their third parties. A recent study found that more than half of the cyber breaches today can be traced back to third parties. And as the number of third-party interactions increases, so does the risk posed to the primary businesses. Attackers look for the path of least resistance, and unpatched, aging software is a gold mine for them. Attackers have also recognized that companies have historically focused their attention on their own defenses, so they've evolved their methods. Now, instead of direct attacks, compromising the supply chain or a key vendor and using that as a means to gain access has become a preferred approach.