Free Book - External Exposure & Attack Surface Management for Dummies
You know that game we played as children where we stood in a line and whispered a phrase to the next kid in line, and then they whispered it to the next kid, and so on, and so on down the line? Every time we played, the phrase changed as it went along, and by the end only the kid who started the game knew what the original phrase really was.
I believe that the world's worst game of telephone is playing out now with the recent spike in supply chain attacks.
You have undoubtedly heard plenty about the Accellion FTA-related breach(es) and how they affected Accellion customers, and even their customers’ customers. (You probably took a break from patching Microsoft Exchange or doing cleanup from the SolarWinds hack to look at Accellion-related disclosures and write-ups.) The reason I call it the worst game of telephone is because when I was researching Accellion I found that more than a month later there are still bits of information trickling out about who was affected and how. Like the game, the story seems to be changing as it progresses, and no one has the full details anymore.
This, on top of other recent supply chain hacks, led me to think about the importance of communication when these breaches happen: What good looks like. And what it doesn’t. With the Accellion breach(es), I found that not all disclosures were public or full or timely, and some weren’t any of those things. Let’s take a look why that’s a bigger problem than this one supply chain attack.
I’ll be frank. On the whole, I found that Accellion’s disclosures left a lot of room for improvement. Hopefully, showcasing this will provide all of us in the security business with an opportunity to learn, grow, and be better next time. Now, let me walk you through the timeline of their communications.
On January 12th Accellion disclosed: “In mid-December, Accellion was made aware of a P0 vulnerability in its legacy File Transfer Appliance (FTA) software. Accellion FTA is a 20-year-old product that specializes in large file transfers. Accellion resolved the vulnerability and released a patch within 72 hours to the less than 50 customers affected.” Keep that “less than 50 customers affected” in mind as we find out how many customers were actually affected and why telephone is an awful game in cybersecurity unless it is to highlight how small misconceptions can make huge differences!
Another possible area of vagueness and ambiguity in that disclosure could be the use of “P0 vulnerability.” What exactly is a P0 vulnerability? If you Google that you won’t get a direct hit (I tried). But if you dig a little deeper into Google you’ll find P0 is for “an issue that needs to be addressed immediately and with as many resources as is required. Such an issue causes a full outage or makes a critical function of the product to be unavailable for everyone, without any known workaround.” Which is confusing because far from creating a full outage, the vulnerabilities exploited here led to a lot of really sensitive data being dumped.
The reality of the situation now, several weeks after the initial disclosure by Accellion, is that worldwide, multiple malicious actors have attacked multiple international government entities; federal, state, and local government organizations; as well as private industry organizations in the information technologies, healthcare, education, legal, retail, transportation, telecommunications, finance, and energy sectors (among others). In most cases attackers have been looking to extort money from these organizations to prevent the posting of personally identifiable information of the victim’s customers. So… in this game of telephone, the “less than 50 customers affected” blooms substantially when you start looking at the supply chain of disclosures which is what this article intends to do.
On February 22nd Accellion finally admitted that out of approximately 300 FTA clients about 100 were victims of the attack and fewer than 25 appeared to have suffered major data thefts. Which made me wonder: who all got hit? And how bad was it for their customers and their customers’ data? It also got me thinking about how these supply chain breaches work at an operational level. How do you re-establish trust? How do you get ahead of these things and communicate with your customers and their customers? Because despite the business world’s increasing digital transformation and IT sophistication, supply chain attack response looks a lot like that old-fashioned game of telephone.
Now that we’ve evaluated the first links in the chain, let’s evaluate the list of fewer than 25 customers who were hosting sensitive data on Accellion FTA. Again, the goal here is to provide us all with a learning experience to hopefully improve disclosures in the future. In this case, I have split the customers into two categories, those who publicly disclosed, and those who did not. Of those that did not, they no doubt reached out to their individual affected customers, or had none that were affected. With the ones that made a public disclosure it’s easy enough to read them and assess the degree to which they tell you what happened, when, and what impact it may have on their customers. Also, like an apology, I think it’s critical that public disclosures also make amends. How is the company going to regain public trust?
Centene, a U.S. managed care provider ranked No. 42 in U.S. corporations by total revenue, has provided no public disclosure as of March 18th but is suing Accellion over the vulnerabilities and hack. It should be noted that HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. This rule applies to individual notification but also requires media notification within 90 days if the breach involves more than 500 citizens. As of the date of my research, we are still within 90 days.
4. Jones Day, the fifth largest law firm in the U.S., the 13th highest grossing law firm in the world, and outside counsel for Donald Trump's 2016 and 2020 campaigns, was apparently a victim of the attack but did not publicly disclose what or if they were affected. The truly interesting thing here is that the company was no longer listed on CLOP’s site for data drops which may mean they paid the ransom?
With that, you can see for yourself a broad set of diverse responses to the Accellion breach(es). There are some good communications in the list above that we can all learn from. But with respect to Accellion, I find this a case study in what not to do with disclosure communications. Because detailing what “bad” looks like is only one, rather negative, part of the story and the really important, interesting piece is what you should do, I intend to publish a follow-up blog in the coming weeks with my take on how to achieve good disclosure communication.