US cloud service provider Accellion has announced the end-of-life for its FTA product after the software has been abused in recent attacks to breach tens of companies and government agencies across the world since December 2020.
Developed in the early 2000s, Accellion’s FTA was among the first products of its kind to provide a simple way to share large files.
Created long before the age of cloud-based products like Box, Dropbox, Google Drive, and OneDrive, companies would buy an FTA license, install the software on their own servers, and use it to allow employees and customers to store and share large files that couldn’t be sent via email.
While Accellion eventually developed better products, such as Kiteworks, which superseded FTA in features and security, many FTA appliances remained in use across thousands of companies and government organizations across the world, even to this day.
The FTA zero-day and subsequent attacks
And as the FTA code aged, security researchers also began finding vulnerabilities in the appliance, most of which were privately reported to the company and fixed before any damage could be done to its customers.
But in December last year, the person who found one of these bugs was a threat actor who began exploiting FTA appliances installed across the world.
The first case of an FTA-linked hack was reported by the Reserve Bank of New Zealand and then followed by other cases at the Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, and this week, at the QIMR Berghofer Medical Research Institute and Singtel, Singapore’s largest telco.
According to a report from Guide Point Security, the attacker(s) appears to have been using an SQL injection to install a web shell and use this initial access to steal files stored on the FTA appliance.
In a press release [PDF] published on January 11, Accellion said it knew about the attacker’s zero-day vulnerability since mid-December 2020 and had responded by releasing an FTA firmware update within three days of the first attacks.
At the time, Accellion said that based on its data, less than 50 FTA customers appeared to have been attacked, but now, critics believe the company was being too positive in its assessment.
But the team behind infosec podcast Risky Business also noted that the software vendor failed to inform its customers. Besides releasing patches on Christmas Eve, when most IT staffers were away, Accellion didn’t publish patch notes for its firmware update, nor did it assign CVE security bug identifiers to the vulnerabilities it patched.
When IT staff returned from their winter holidays, many didn’t even know that a crucial firmware update was waiting to be applied for days.
Accellion announces official EOL for FTA appliances
Now, the Palo Alto-based company is seeing an ever-increasing fallout from the December 2020 attacks. Every time a new FTA-related hack is discovered and exposed, the company’s reputation takes a hit.
Last week, a Seattle law firm filed the first lawsuit against Accellion in relation to the Washington State Auditor Office, and many others are expected to be filed in the coming months as companies review appliances and discover signs of a breach.
And more hacks are expected to come to light. In a press release on February 1, the company said the initial December 2020 attacks “continued into January 2021.”
Two days later after this press release, Accellion published a PDF on its website announcing a formal end-of-life date for the FTA appliance, scheduled for April 30, 2021. After this date, Accellion said it wouldn’t honor requests to extend FTA appliance licenses.
While Accellion had designated Accellion a legacy product for years, the move to retire the appliance might have come a little bit too late, for both its reputation and its customers’ networks.