Morgan Stanley suffered a data breach that exposed sensitive customer data, and it became the latest known casualty of hackers exploiting a series of now-patched vulnerabilities in Accellion FTA, a widely used third-party file-transfer service.
The data obtained included names, addresses, dates of birth, Social Security numbers, and affiliated corporate company names, Morgan Stanley said in a letter first reported by Bleeping Computer. A third-party service called Guidehouse, which provides account maintenance services to the financial services company, was in possession of the data at the time. Unknown hackers obtained the data by exploiting a series of hacks that came to light in December and January.
What took so long?
Morgan Stanley stated:
According to Guidehouse, the Accellion FTA vulnerability that led to this incident was patched in January 2021, within 5 days of the patch becoming available. Although the data was obtained by the unauthorized individual around that time, the vendor did not discover the attack until March of 2021, and did not discover the impact to Morgan Stanley until May 2021, due to the difficulty in retroactively determining which files were stored in the Accellion FTA appliance when the appliance was vulnerable. Guidehouse has informed Morgan Stanley that it found no evidence that Morgan Stanley’s data had been distributed beyond the threat actor.
Guidehouse representatives didn’t immediately respond to an email asking why it took so long for the company to discover the breach, notify customers, and discover if other Guidehouse customers were also compromised. This post will be updated if a reply comes after publication.
Accellion customers use the File Transfer Appliance as a secure alternative to email for sending large data files. Instead of receiving an attachment, email recipients get links to files hosted on the FTA, which can then be downloaded. Although the product is almost 20 years old and Accellion has been transitioning customers to a newer product, the legacy FTA is still used by hundreds of organizations in the finance, government, and insurance sectors.
According to research Accellion commissioned from security firm Mandiant, unknown hackers exploited the vulnerabilities to install a web shell that gave them a text-based interface to install malware and issue other commands on compromised networks. Mandiant also said that many of the hacked organizations later received extortion demands that threatened to publish stolen data on a dark web site affiliated with the Cl0p ransomware group unless they paid a ransom.
The earliest detected activity in the hacking campaign came in mid-December when Mandiant identified the hackers exploiting an SQL injection vulnerability in the Accellion FTA. The exploit served as the initial intrusion point. Over time, the attackers exploited additional FTA vulnerabilities to gain enough control to install the web shell.
Mandiant researchers wrote:
In mid-December 2020, Mandiant responded to multiple incidents in which a web shell we call DEWMODE was used to exfiltrate data from Accellion FTA devices. The Accellion FTA device is a purpose-built application designed to allow an enterprise to securely transfer large files. The exfiltration activity has affected entities in a wide range of sectors and countries.
Across these incidents, Mandiant observed common infrastructure usage and TTPs, including exploitation of FTA devices to deploy the DEWMODE web shell. Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546’s activities.
Other organizations that researchers suspect were breached through the vulnerabilities include oil company Shell, security firm Qualys, gasoline retailer RaceTrac Petroleum, international law firm Jones Day, the Washington state auditor, US bank Flagstar, US universities Stanford and the University of California, and the Reserve Bank of New Zealand.
Last month, authorities in Ukraine arrested six suspected Cl0p affiliates. A week later, the dark web site used to publish data stolen through Cl0p ransomware posted new tranches, demonstrating that a core group of members remained active.
No advance warning
In-the-wild exploits of the FTA vulnerabilities were first detected in late December. The company initially said that it had notified all affected customers and fixed the zero-day vulnerabilities that enabled the attack within 72 hours of learning of them. Later, Mandiant discovered two additional zero-days.
Some customers have complained in the past that Accellion was slow to provide notifications of the vulnerabilities under attack.
“We were over reliant on Accellion—the supplier of the file transfer application (FTA)—to alert us to any vulnerabilities in their system,” officials with New Zealand’s Reserve Bank said in May. “In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.”
In a statement, Morgan Stanley representatives wrote: “The protection of client data is of the utmost importance and is something we take very seriously. We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”