American cloud provider Accellion ended support for its FTA product after cybercriminals used it to attack dozens of companies and government agencies around the world in December 2020.
Developed in the early 2000s, Accellion FTA was one of the first solutions for storing large files. It was around long before the era of cloud storage services such as Box, Dropbox, Google Drive and OneDrive. Companies could buy an FTA license and install the product on their own servers, letting employees share large files that could not be sent by email.
Accellion later introduced improved products such as Kiteworks, with new features and enhanced security, but many organizations continue to use Accellion FTA to this day.
As the Accellion FTA code became obsolete, vulnerabilities began to be discovered in it, which researchers privately reported to the vendor. Typically, the company managed to fix them before attackers could take advantage of them.
However, in December last year, cybercriminals found an unpatched vulnerability in the software and used it to attack organizations around the world. The victims of the cyberattacks included the Central Bank of New Zealand, the law firm Allens, the University of Colorado, the Singapore telecommunications company Singtel, and others.
“Attackers performed SQL injections, deployed a web shell and through it entered IT networks and stole files stored in Accellion FTA installations,” says the report of the information security company GuidePoint Security.
As Accellion stated in a January 11 press release, the company became aware of a zero-day vulnerability in its product being exploited by hackers and released an emergency fix. At that time, according to the company, the zero-day vulnerability was exploited in attacks on fewer than 50 Accellion FTA users, but according to experts, this statement is too optimistic.
“The company didn’t bother to notify its users of the problem. Not only did the patch come out on Christmas night, when IT staff at most companies were away from work, Accellion has not issued any security notices or assigned a CVE to the vulnerability,” Risky Business reports.
On returning to work after the holidays, many IT specialists did not even realize that a critical update had been waiting for installation for several days.
Two days after the press release, Accellion posted a PDF on its website announcing the formal end of support for Accellion FTA on April 30, 2021. After that date, the company will not honour renewal requests for FTA device licenses.
Let me also remind you that researchers discovered 34 million vulnerabilities in Google Cloud, AWS, and Azure.