Accellion Supply Chain Hack
A vulnerability in the Accellion file-transfer program is being used by criminal groups to hack networks worldwide.
There’s much in the article about when Accellion knew about the vulnerability, when it alerted its customers, and when it patched its software.
The governor of New Zealand’s central bank, Adrian Orr, says Accellion failed to warn it after first learning in mid-December that the nearly 20-year-old FTA application—using antiquated technology and set for retirement—had been breached.
Despite having a patch available on Dec. 20, Accellion did not notify the bank in time to prevent its appliance from being breached five days later, the bank said.
CISA alert.
EDITED TO ADD (4/14): It appears spy plane details were leaked after the vendor didn’t pay the ransom.
Kurt Seifried • March 23, 2021 9:40 AM
The problem is, on the one hand:

"React quickly and patch fast."

And on the other hand:

"That may break things, and most of the time won't become an immediate problem."
I personally experienced this with a combination of a PHP/WordPress vuln and local Linux Kernel exploit. I knew about it Friday evening, decided it could wait until Monday to fix. I got hacked over the weekend. All the other times I put maintenance off I didn’t get hacked (AFAIK).
We also have the problem of selection bias: older technology, not well maintained by the vendor (e.g. not a lot of proactive security, mostly reactionary to security researchers or attackers) and not operationally maintained by the end user (budget cuts, resource constraints, etc.). By definition, people don't typically stay on 10- or 20-year-old software because they're willing to put a lot of resources into keeping that entire system fresh and up to date.
On the flip side, these systems are easier for attackers to research and compromise; they are much slower to change (e.g. Google Chrome keeps hardening the system and making changes, Apple iMessage, etc.). These systems are based on 10- or 20-year-old technology, languages, and programming cultures that didn't value security (we still don't in a meaningful way, but that's another story).
These types of hacks are virtually guaranteed to happen at some point with these older IT systems.