Third-Party Vendor Hack Results in Finance Giant Data Breach
A major U.S. financial institution reported a data breach earlier this month, the result of a string of attacks on Accellion FTA servers. Those attacks resulted in data stolen from numerous companies, universities, and other organizations. According to Accellion, fewer than 100 of its 300 customers were affected by the attacks on its servers.
Guidehouse, a third-party vendor, provides account maintenance services to Morgan Stanley’s StockPlan Connect business. In a May notice, the company alerted Morgan Stanley to an attack on its servers that exposed data belonging to Morgan Stanley’s stock plan clients.
There Is No Evidence That Stolen Data Has Been Distributed Or Sold
By breaking into Guidehouse’s Accellion FTA server, attackers stole encrypted files belonging to Morgan Stanley along with the corresponding decryption key. According to Morgan Stanley, the stolen documents related to StockPlan Connect clients included:
- Participants’ names
- Physical addresses
- Dates of birth
- Social Security numbers
- Corporate company names
There were no passwords or credentials stolen that could be used to gain access to stock plan clients’ financial accounts.
Guidehouse’s server was breached in January through an Accellion FTA vulnerability that could not be patched in time. Guidehouse discovered the breach in March and notified Morgan Stanley in May, after learning that the financial institution had been affected. According to Guidehouse, there is no evidence that the files stolen from Morgan Stanley have been distributed or sold on any hacking forums.
Morgan Stanley assured affected customers that none of its own applications were breached; the only files involved were those in Guidehouse’s possession, according to a notice to affected customers shared on Bleeping Computer.
FIN11 Cybercrime Group
Accellion and Mandiant published a joint statement directly linking the FIN11 threat group to the attacks. The same cybercriminals are responsible for the series of Accellion attacks that preceded the Guidehouse attack. FIN11 and the Clop ransomware gang are responsible for attacks on multiple companies that use Accellion’s services. A zero-day vulnerability was used to carry out these attacks, meaning that an unpatched bug or security flaw led to a successful attack.
The known targets of recent Accellion FTA attacks include:
- Royal Dutch Shell plc (known to us as Shell)
- Reserve Bank of New Zealand
- Kroger (supermarkets)
- The Office of the Washington State Auditor (SAO)
- The Australian Securities and Investments Commission (ASIC)
- Stanford Medicine
- University of Maryland Baltimore (UMB)
- The University of California
- ABS Group (a technical services company)
- Jones Day law firm
- Danaher (a Fortune 500 science and technology corporation)
- Fugro (a geo-data specialist)
- The University of Colorado
There were additional universities targeted in Colorado and Miami, Florida.
How Zero-Day Exploits Work
A zero-day vulnerability is a flaw or bug in a system that has been discovered but has not yet been fixed. A zero-day exploit means that an attacker takes advantage of the flaw, for example by delivering malware into the system, before the developer is able to patch it. A threat actor either spots the flaw first or takes advantage of it before the developer has a chance to notice it, writing exploit code before a patch is released. These attacks usually result in identity or data theft.
A zero-day exploit is no longer a zero-day exploit after it is patched.
While this description makes it sound like a race to the vulnerability, developers often don’t find the flaw until an attack has already occurred. In Accellion’s case, the vulnerability existed and was being exploited before the company learned of an attack; it wasn’t until the breach was investigated that the source was discovered.
This type of post-mortem discovery is useful in determining the lifespan of an attack; however, it does not guarantee that such an attack will not happen again in the future. Much of a developer’s day is spent fixing bugs that were not there the day before, and, depending on the magnitude of a project or the profile of a company, attackers may already be poised to strike.