Morgan Stanley suffered a data breach that exposed sensitive customer data, and became the latest known victim of hackers exploiting a series of now-patched vulnerabilities in Accellion FTA, a widely used third-party file transfer service.
The data obtained included names, addresses, dates of birth, Social Security numbers and names of affiliates, Morgan Stanley said in a letter first reported by Bleeping Computer. A third-party service provider called Guidehouse, which provides bookkeeping services to the financial services company, was in possession of the data at the time. Unknown hackers obtained the data by exploiting a series of FTA vulnerabilities that came to light in December and January.
What took so long?
Morgan Stanley said:
According to Guidehouse, the Accellion FTA vulnerability that led to this incident was patched in January 2021, within 5 days of the patch becoming available. Although the data was obtained by the unauthorized person at that time, the vendor only discovered the attack in March 2021 and did not discover the impact on Morgan Stanley until May 2021, due to the difficulty of retroactively determining which files were stored in the Accellion FTA appliance when the appliance was vulnerable. Guidehouse informed Morgan Stanley that it had found no evidence that the Morgan Stanley data had been released beyond the threat actor.
Guidehouse representatives did not immediately respond to an email asking why the company took so long to uncover the breach, notify customers and determine whether other Guidehouse customers were also compromised. This post will be updated if a response arrives after publication.
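The letter's explanation for the four-month gap, that it is hard to work out after the fact which files sat on the appliance while it was exploitable, is a common incident-response problem: the answer depends on an upload/delete audit trail that outlives the exposure window. The following is an added example written for this article, not code from Guidehouse, Accellion or Morgan Stanley; the log format, field names, file IDs and dates are all constructed assumptions. It rebuilds a presence interval for each file from upload and delete events and reports which files overlapped a given vulnerability window, flagging files whose upload predates log retention, since those are exactly the ones an investigator cannot bound.

```python
"""Reconstruct which files were present on a file-transfer appliance during a
known vulnerability window, from an upload/delete audit log.

Added example, not vendor code. The log format, field names, file IDs and
dates below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed sample audit log (not real data).
# Fields: timestamp  event  file_id  user
SAMPLE_LOG = """\
2020-12-01T10:00:00Z upload f-1001 alice
2020-12-10T09:30:00Z delete f-1001 alice
2020-12-15T14:00:00Z upload f-1002 bob
2020-12-18T10:00:00Z delete f-0999 frank
2020-12-20T08:00:00Z upload f-1003 carol
2020-12-28T16:45:00Z delete f-1003 carol
2021-01-05T11:00:00Z upload f-1004 dave
2021-01-22T12:00:00Z delete f-1002 bob
2021-02-02T09:00:00Z upload f-1005 erin
"""

# Assumed exposure window: first observed exploitation until the appliance was
# patched. These dates are illustrative, not the dates from the incident.
WINDOW_START = datetime(2020, 12, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 1, 25, tzinfo=timezone.utc)

# Sentinel meaning "present since before the log begins".
BEFORE_LOG = datetime.min.replace(tzinfo=timezone.utc)


@dataclass
class Interval:
    file_id: str
    owner: str
    uploaded: datetime            # BEFORE_LOG if the upload predates retention
    deleted: Optional[datetime]   # None means still present at end of log


def parse_log(text: str) -> List[Interval]:
    """Build one presence interval per file from upload/delete events."""
    open_files: Dict[str, Interval] = {}
    closed: List[Interval] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, file_id, user = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if event == "upload":
            open_files[file_id] = Interval(file_id, user, when, None)
        elif event == "delete":
            iv = open_files.pop(file_id, None)
            if iv is None:
                # A delete with no matching upload means the file was uploaded
                # before log retention started. Treat it conservatively as
                # present since the beginning of time.
                iv = Interval(file_id, user, BEFORE_LOG, None)
            iv.deleted = when
            closed.append(iv)
    return closed + list(open_files.values())


def exposed_files(intervals: List[Interval], start: datetime, end: datetime) -> Set[str]:
    """IDs of files whose presence interval overlaps the window [start, end]."""
    return {
        iv.file_id
        for iv in intervals
        if iv.uploaded <= end and (iv.deleted is None or iv.deleted >= start)
    }


def unknown_origin(intervals: List[Interval], start: datetime, end: datetime) -> Set[str]:
    """Exposed files whose upload time cannot be bounded by the available log."""
    return {
        iv.file_id
        for iv in intervals
        if iv.file_id in exposed_files(intervals, start, end) and iv.uploaded == BEFORE_LOG
    }


if __name__ == "__main__":
    ivs = parse_log(SAMPLE_LOG)
    print("exposed:", sorted(exposed_files(ivs, WINDOW_START, WINDOW_END)))
    print("upload time unknown:", sorted(unknown_origin(ivs, WINDOW_START, WINDOW_END)))
```

On the constructed log, f-1001 (deleted before the window) and f-1005 (uploaded after it) fall outside the window, while f-1002, f-1003 and f-1004 overlap it; f-0999 is also counted as exposed but flagged, because only its deletion is in the log. Cutting the exposure window or shortening log retention shrinks what this computation can say, which is the practical reason a vendor may take months to tell a customer whether its files were affected.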
Accellion customers use the File Transfer Appliance as a secure alternative to email for sending large data files. Instead of receiving an attachment, email recipients receive links to files hosted on the FTA, which can then be downloaded. Although the product is almost 20 years old and Accellion has upgraded its customers to a newer product, the old FTA is still in use by hundreds of organizations in the finance, government and insurance industries.
According to an investigation Accellion commissioned from security firm Mandiant, unknown hackers exploited the vulnerabilities to install a web shell that gave them a text-based interface for installing malware and issuing other commands on compromised networks. Mandiant also said that many hacked organizations subsequently received extortion demands threatening to post stolen data on a dark web site affiliated with the Cl0p ransomware group unless they paid a ransom.
The first activity detected in the hacking campaign took place in mid-December when Mandiant identified hackers exploiting an SQL injection vulnerability in Accellion FTA. The exploit served as the initial point of intrusion. Over time, attackers exploited additional FTA vulnerabilities to gain enough control to install the web shell.
Mandiant researchers wrote:
In mid-December 2020, Mandiant responded to several incidents in which a web shell we call DEWMODE was used to exfiltrate data from Accellion FTA devices. The Accellion FTA device is a purpose-built application used by businesses to securely transfer large files. The exfiltration activity has affected entities in a wide range of sectors and countries.
Across these incidents, Mandiant observed common infrastructure usage and TTPs, including the exploitation of FTA devices to deploy the DEWMODE web shell. Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While the full details of the vulnerabilities exploited to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.
Other organizations that researchers suspect were breached through the vulnerabilities include oil company Shell, security firm Qualys, gasoline retailer RaceTrac Petroleum, international law firm Jones Day, the Washington State Auditor, US bank Flagstar, Stanford University and the University of California, and the Reserve Bank of New Zealand.
Ukrainian authorities arrested six suspected Cl0p affiliates last month. A week later, the dark web site used to post data stolen in Cl0p ransomware attacks published new batches of stolen data, demonstrating that a core group of members remains active.
No prior warning
Exploits of the FTA vulnerabilities were first detected in mid-December. Accellion initially said it notified all affected customers and fixed the zero-day vulnerability that enabled the attack within 72 hours of becoming aware of it. Mandiant later discovered additional zero-days.
Some customers have complained in the past that Accellion is slow to provide notifications of vulnerabilities under attack.
“We were too dependent on Accellion – the provider of the file transfer application (FTA) – to alert us to any vulnerabilities in their system,” officials at the Reserve Bank of New Zealand said in May. “In this case, the notifications they sent to us did not leave their system and therefore did not reach the Reserve Bank before the breach. We did not receive any prior warning.”
In a statement, Morgan Stanley representatives wrote, “Protecting customer data is of the utmost importance and something we take very seriously. We are in close contact with Guidehouse and are taking steps to mitigate potential risks to customers.”