Two months after cloud service vendor Accellion first identified one of its legacy products was targeted by a sophisticated cyber-attack, users of the product continue to feel the impact.
Grocery chain Kroger on Friday became the latest to reveal it was affected by the breach. “No credit or debit card information or customer account passwords were affected by this incident,” Kroger said in a statement, adding the breach was isolated to Accellion’s services. Kroger said it has since “discontinued the use of Accellion’s services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.”
Accellion announced Jan. 12 it was made aware of a vulnerability in its legacy file transfer software (FTA) in mid-December 2020. The company said it “resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.” In a follow-up statement on Feb. 1, Accellion said it has since “patched all known FTA vulnerabilities exploited by the attackers and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.”
Still, more victims of the attack have come to light this month. Singapore-based telecommunication company Singtel announced Feb. 11 it was also affected. Calling it “an isolated incident involving a standalone third-party system,” Singtel said it “suspended all use of the system and activated investigations, working closely with cyber-security experts and the relevant authorities, including the Cyber Security Agency of Singapore, which is providing additional guidance.”
The University of Colorado announced it believes personally identifiable information from students, employees, and others may have been compromised in the Accellion breach. Global law firms Jones Day and Goodwin Procter were also impacted.
Outside the United States, the Reserve Bank of New Zealand said it “continues to respond with urgency” to the breach and is “working with domestic and international cyber-security experts and other relevant authorities” as part of its investigation. The Australian Securities and Investments Commission, which was also impacted, said it is responding in a similar manner.
While different from the SolarWinds cyber-attack that received significant attention in the United States in late 2020, the Accellion hack similarly points to the vulnerabilities that can lurk in the software of the third-party supply chain. Both vendors were lesser-known IT firms that were exploited to gain access into the systems of much larger targets.
“Software supply-chain risk is far from a new concept,” Kunal Anand, chief technology officer at Imperva, said in previously discussing the SolarWinds hack with Compliance Week. “Over the last decade we’ve seen many instances of what happens when the supply chain is tampered with and subsequently tainted. What makes this problem intractable is that every business, whether they acknowledge it or not, relies on a software supply chain for both homegrown and third-party applications.”
Mandiant, the incident response arm of security vendor FireEye, on Monday announced it had determined a group called UNC2546 was behind the Accellion attack.