Royal Dutch Shell is the latest victim of a series of attacks on users of the Accellion legacy File Transfer Appliance (FTA) product, a campaign that has already affected numerous companies & has been attributed to FIN11 & the ‘Clop’ ransomware gang.
Attackers accessed personal & business data from the company’s legacy file-transfer service in a recent data-security incident, but core IT systems remained untouched.
“Shell has been impacted by a data-security incident involving Accellion’s File Transfer Appliance,” the company revealed on its website last week. “Shell uses this appliance to securely transfer large data files.”
Attackers gained access to “various files” containing personal & company data from both Shell & some of its stakeholders, the company acknowledged. However, Shell’s core IT systems were unaffected by the breach, “as the file transfer service is isolated from the rest of Shell’s digital infrastructure,” the company observed.
Shell, the 5th largest company in the world, also revealed several of its global petrochemical & energy company affiliates were impacted.
According to the company, once it learned of the incident, Shell immediately addressed the vulnerabilities with its service provider & cyber-security team & started an investigation to better understand the nature & extent of the incident.
“Shell is in contact with the impacted individuals & stake-holders & we are working with them to address possible risks,” the company outlined in a statement. “We have also been in contact with relevant regulators & authorities & will continue to do so as the investigation continues.”
Shell did not say specifically how attackers accessed its Accellion implementation, but the breach is likely related to a series of attacks on vulnerabilities in Accellion FTA, a 20-year-old legacy product used by large corporations worldwide. Accellion said that it became aware of a then zero-day security vulnerability in the product in mid-Dec., & subsequently scrambled to patch it.
However, the 1st flaw turned out to be just one of a series of now-patched zero-day bugs in the platform, which Accellion discovered only after customers came under attack from cyber-adversaries well into 2021, the company acknowledged. Other victims of the attacks on Accellion FTA include the law firm Jones Day & telecom giant Singtel.
The investigation into the attacks concluded that 4 security vulnerabilities were exploited: CVE-2021-27101 (SQL injection via a crafted Host header), CVE-2021-27102 (OS command execution via a local web service call), CVE-2021-27103 (server-side request forgery via a crafted POST request) & CVE-2021-27104 (OS command execution via a crafted POST request). Accellion patched each vulnerability as soon as it was discovered; however, as Shell’s disclosure shows, unpatched systems likely remain in the field & further attacks on them are probable until they are updated or decommissioned.
Patching is a complex business even for the most well-run IT organisations & many companies struggle to achieve complete coverage, observed Chris Clements, VP of Solutions Architecture for cyber-security firm Cerberus Sentinel.
“This is especially true for non-Microsoft Windows based systems; the unfortunate reality is that for many organisations, their patching strategy starts & stops with Windows,” he said. “Infrastructure equipment & especially network appliances like Accellion often lag significantly in patch adoption.”
Lack of Communication
There are various reasons why patches are not applied as soon as they are made available, including lack of communication from vendors when patches are released, complex & manual patching processes, & organisational confusion around who is responsible for applying them, Clements added.
The Accellion attacks also once again shed light on the importance of choosing technology partners carefully when relying on them for critical digital processes that are exposed to potential exploitation, commented another security expert.
“The Shell data breach illustrates the criticality of securing vendors & ensuring their systems don’t compromise your own business,” Demi Ben-Ari, CTO & co-founder of security firm Panorays explained.
“Vulnerabilities in vendors’ legacy software can serve as an easy gateway to breach data in target companies or worse.”