The cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom, and the United States have released Joint Cybersecurity Advisory AA21-055A: Exploitation of Accellion File Transfer Appliance.

Cyber actors worldwide have exploited vulnerabilities in Accellion File Transfer Appliance to attack multiple federal, and state, local, tribal, and territorial government organizations as well as private industry organizations in the medical, legal, telecommunications, finance, and energy fields. In some instances, the attacker extorted money from victim organizations to prevent public release of information exfiltrated from a compromised Accellion appliance.

Accellion says this activity involves attackers leveraging four vulnerabilities to target FTA customers. In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.

According to CISA, organizations with Accellion FTA should:

  • Temporarily isolate or block internet access to and from systems hosting the software.
  • Assess the system for evidence of malicious activity including the IOCs, and obtain a snapshot or forensic disk image of the system for subsequent investigation.
  • If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:
    • Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes, and consider resetting user passwords.
    • Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.
  • Update Accellion FTA to version FTA_9_12_432 or later.
  • Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
    • Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021.[9] Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

Additional general best practices include:

  • Deploying automated software update tools to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
  • Only using up-to-date and trusted third-party components for the software developed by the organization.
  • Adding additional security controls to prevent the access from unauthenticated sources.

The Joint Cybersecurity Advisory provides indicators of compromise (IOCs) and recommended mitigations for this malicious activity. For a downloadable copy of IOCs, see: AA21-055A.stix and MAR-10325064-1.v1.stix.

Click here for a PDF version of this report.