Singtel Cyberattack Via 3rd Party Accellion File Sharing System – Experts Perspective

By ISBuzz Team, Writer, Information Security Buzz | Feb 12, 2021 05:37 am PST

Singapore telecom company Singtel informed customers that its file-sharing system, called FTA, was hit by a cyberattack. The company statement said the system was “illegally attacked by unidentified hackers. This is a standalone system that we use to share information internally as well as with external stakeholders. Accellion has informed us that this incident is part of a wider concerted attack against users of their file-sharing system.” Cybersecurity experts offer perspective.

7 Responses

1. The breach experienced by Singtel is another harsh reminder of the dangers organisations face when sharing customer data with third parties. When the technology used to transfer data possesses poor security, it impacts consumer privacy and can result in security breaches and irreparable brand and financial damage.

   Companies therefore need to establish a new and secure way to safely exchange data with their partners – without compromising security. One of the biggest trends we are seeing is the adoption of data safe rooms, which take a walled-garden approach to data sharing. This is by far a better way to collaborate and exchange data with third parties and is much more secure than using outdated technology with unknown numbers of security vulnerabilities.

2. In the vein of what we witnessed post-FireEye breach at the end of 2020, the fallout from this has the potential to be significant, especially for a company as high-profile as Accellion to be associated with.

   Much like the response we saw from FireEye back in December, the key here will be for Singtel to ensure transparency with its customers and stakeholders regarding how this breach may impact them, and the support and precautions necessary for clients to manage potential risks.

3. Business leaders and organizations need to take time out of their day to carry out due diligence in relation to the Accellion breach. This will help them determine the likelihood of their exposure to the breach and establish the full use of Accellion in their organizations.

   It’s critical to ask each business leader if they are using an Accellion account belonging to a customer, partner, and/or vendor organization to send or receive shared files. An organization may not be directly exposed to the breach, but they could be using the Accellion version of the agent’s organization which is exposed. It is important to incorporate access control and data lifecycle management into the risk assessment by asking about past data/file transfers, and whether those files have been properly managed, such as having access removed when it is no longer required.

   The results of the cross-functional risk assessment will determine if the organization is vulnerable per the versions of Accellion exploited by malicious attacker/s. Having your security and/or technology organization monitor and track official communications issued by Accellion will allow them to keep up to date. This is especially important because as the investigation continues more data will become available which may impact the associated risk to your organization, and require your organization to take more actions to reduce risk. If you are unclear from official communications whether your organization is using a vulnerable version or not, reach out to Accellion for clarity – don’t just assume it’s OK.

4. The breaches revolving around Accellion’s decades-old software—most recently affecting Singtel—underscore several points about effective cybersecurity. With older, legacy software embedded within your operations, always work with vendors to update frequently or replace software that works with sensitive information, regardless of the potential costs. The risk of exposure is too expensive not to factor into your decision-making and capital expenditures.

   In addition, take data security seriously, because even if you don’t, the regulators certainly will make sure you do. Reconsider your defensive posture and the tools you use to thwart intentional or even unintentional breaches and data leaks. Ask yourself: am I protecting borders and perimeters around sensitive data, or am I protecting the actual data itself? The latter, which is known as data-centric security, ensures that no matter where data goes (even if it falls into the wrong hands) it remains protected and the sensitive nature of the information obfuscated. If data security is not on the mind of your IT professionals at all times, then an unfortunate data-related incident might be just around the corner. And you don’t want to go there.

5. The key here is to note that hackers are usually INSIDE the enterprise, undetected for a long time. F5 reported in 2021 that the average time it takes to discover a “credential spill” is 327 days.

   By this time, we have to assume that an attacker is going to penetrate our network, servers, and applications in some form or another. Billions of scans are running daily – looking for known, published vulnerabilities. Chances are one of our systems is not fully patched or was even SHIPPED w/ a vulnerability (e.g. SolarWinds). Thus what’s our defense? We have to be able to detect the actions of these attackers.

   It is known conduct in the attacker’s kill chain that the hacker will usually do the two following actions: conduct lateral movement across the enterprise (to find valued resources) and escalate their own privileges (say to an admin account) to help move to all resources and have the privileges necessary to exfiltrate the data.

   These privilege escalations are detectable if the enterprise is conducting regular and triggered access and privilege reviews. This is what a cloud identity governance product can do for the enterprise. It is imperative for an enterprise to have regular reviews and to be dynamically triggered when privilege escalations are occurring.

6. The Accellion file transfer product used by Singtel is 20 years old, and continues to be used by many organizations in the financial, governmental and commercial sectors to transfer large files, despite Accellion’s offering of newer and more secure file sharing solutions. That’s problematic – it’s the kind of decision that puts companies at sharply increased risk. The fact is that breaches are going to happen, and possibly through a 3rd party.

   The takeaway is that when a company pushes out security updates and urges their customers to adopt them, companies then need to take that advice and implement them. Like patches, product upgrades are crucial to sustaining a strong security posture.

7. The data breach at Singtel appears isolated to the Accellion FTA (File Transfer Appliance), but it highlights a number of potential risks with 3rd party assets, the inherent challenge of keeping kit in service past its useful life, and delaying security patches.

   Accellion themselves reported an exploit in the wild in late December 2020 and quickly released a patch to address the problem. Unfortunately, it would appear the patch wasn’t applied to Singtel’s system, resulting in the breach.

   Patch cycles in enterprise environments can be complicated, especially for mature organizations with a robust change management system. But the malicious actors don’t wait. They know there is usually a limited time between an exploit being released and a defense going in place, so they tend to move quickly. That means cybersecurity needs to move at least as quickly. Patches need to go in place as quickly as practical. While other mitigations, such as specific firewall configurations, detection rules, and security analytics can help, the first line of defense should be taking known-vulnerable systems out of the line of fire.
