Energy giant Royal Dutch Shell is the latest victim of a series of attacks on users of the Accellion legacy File Transfer Appliance (FTA) product, which has already affected numerous companies and has been attributed to FIN11 and the Clop ransomware gang.
“Shell has been impacted by a data-security incident involving Accellion’s File Transfer Appliance,” the company revealed on its website last week. “Shell uses this appliance to securely transfer large data files.”
Attackers gained access to “various files” containing personal and company data from both Shell and some of its stakeholders, the company acknowledged. However, its core IT systems were unaffected by the breach because of how its Accellion implementation is deployed, “as the file transfer service is isolated from the rest of Shell’s digital infrastructure,” the company said.
Shell, the fifth largest company in the world, also revealed several of its global petrochemical and energy company affiliates were impacted.
According to the company, once it learned of the incident, Shell immediately addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.
“Shell is in contact with the impacted individuals and stakeholders and we are working with them to address possible risks,” the company said in a statement. “We have also been in contact with relevant regulators and authorities and will continue to do so as the investigation continues.”
Shell did not say specifically how attackers accessed its Accellion implementation, but the breach is likely related to a series of attacks on vulnerabilities in Accellion FTA, a 20-year-old legacy product used by large corporations around the world. Accellion revealed that it became aware of a then zero-day security vulnerability in the product in mid-December, and subsequently scrambled to patch it.
However, the first flaw turned out to be just one of a cascade of now patched zero-day bugs in the platform that Accellion discovered only after they came under attack from cyber-adversaries well into the new year, the company acknowledged. Other victims of third-party attacks on Accellion FTA include Jones Day Law Firm and telecom giant Singtel.
Eventually, four security vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) were found to be exploited in the attacks, according to the investigation. Accellion tried to patch each subsequent vulnerability as soon as it was discovered; however, as evidenced by Shell’s disclosure, unpatched systems likely remain and further attacks seem likely.
Indeed, patching is a complicated endeavor even for the most well-run IT organizations and many companies struggle to achieve complete coverage across their environments, observed Chris Clements, vice president of solutions architecture for cybersecurity firm Cerberus Sentinel, in an email to Threatpost.
“This is especially true for non-Microsoft Windows based systems; the unfortunate reality is that for many organizations, their patching strategy starts and stops with Windows,” he said. “Infrastructure equipment and especially network appliances like Accellion often lag significantly in patch adoption.”
There are a number of reasons why patches aren’t immediately applied when they’re made available, including lack of communication from vendors when patches are released, complex and manual patching processes, and organizational confusion around who’s responsible for patch application, Clements added.
The Accellion attacks also once again shed light on the importance of choosing technology partners carefully when relying on them for critical digital processes that are exposed to potential exploit, said another security expert.
“The Shell data breach illustrates the criticality of securing vendors and ensuring their systems don’t compromise your own business,” Demi Ben-Ari, CTO and co-founder of security firm Panorays said in an email to Threatpost. “Vulnerabilities in vendors’ legacy software can serve as an easy gateway to breach data in target companies — or worse.”