[BreachExchange] Singtel hit by third-party vendor's security breach, customer data may be leaked

Destry Winant destry at riskbasedsecurity.com
Mon Feb 15 10:23:08 EST 2021


https://www.zdnet.com/index.php/category/2381/index.php/article/singtel-hit-by-third-party-vendors-security-breach-customer-data-may-be-leaked/

Singtel says it is investigating the impact of a cybersecurity breach
that may have compromised customer data, after it ascertained on
February 9 that "files were taken". The attack had affected a
file-sharing system developed two decades ago by a third-party vendor
Accellion, which the Singapore telco had used internally and with
external stakeholders.

Singtel revealed in a statement Thursday it was notified by Accellion
that the file-sharing system, called FTA (File Transfer Appliance),
had been breached by unidentified hackers. The telco said the tool was
deployed as a standalone system and used to share information within
the organisation and with external stakeholders.

All use of the system had been pulled back and relevant authorities,
including Singapore's Cyber Security Agency and local police, were
notified. Singtel added that it currently was assessing the nature and
impact of the breach, and the extent of data that might have been
illegally accessed.

"Customer information may have been compromised," the telco said. "Our
priority is to work directly with customers and stakeholders whose
information may have been compromised to keep them supported and help
them manage any risks. We will reach out to them at the earliest
opportunity once we identify which files relevant to them were
illegally accessed."

Adding that the incident was "isolated" since it involved a standalone
third-party system, it said its "core operations" were unaffected.
In its FAQ posted online, Singtel said it was reviewing its processes
and file-sharing protocols to "further enhance our information
security posture".

It noted that due to the "complexity of the investigations", its
impact assessment would take some time. It said it would contact those
that might have had their data illegally downloaded.

Accellion on February 1 said its FTA system was a 20-year-old
large-file transfer software nearing the end of its lifecycle. It had
been the target of a "sophisticated cyberattack", which was first made
known on December 23 when Accellion informed all its customers of an
attack involving the file-sharing system.

The vendor said it was "made aware of a zero-day vulnerability" in
mid-December, which then was the "beginning of a concerted
cyberattack" that continued into January 2021, with further exploits
identified. It said it had released a fix for the initial exploit
within 72 hours and continued to release patches to close each
vulnerability discovered in the following weeks.

Fewer than 50 customers were affected by the incident, Accellion said,
noting that it had added monitoring and alerting tools to identify
anomalies associated with these attack vectors.

It said the vulnerabilities were limited to the FTA software and did
not impact its enterprise content firewall product, Kiteworks, on
which most of Accellion's customers operated. Kiteworks was developed
on a different code base and security architecture, the vendor said.

PATCHES ROLLED OUT DID NOT EFFECTIVELY PLUG HOLES

ZDNet sent several questions to Singtel including when it was first
notified of the breach and why it still was using a 20-year-old
file-sharing product that was nearing the end of its lifecycle. A
spokesperson did not directly address the questions, but confirmed
Accellion first notified Singtel of the vulnerability on December 23
and subsequently provided a series of patches.

The telco said the first fix was deployed on December 24, while the
second and final patch was applied on December 27. Singtel said no
further fixes were released since.

Accellion on January 23 pushed out another advisory citing a new
vulnerability, against which the patch rolled out on December 27 was
ineffective, according to Singtel. The telco then "immediately" took
the FTA system offline.

A subsequent patch was provided on January 30 to plug a new
vulnerability, which Singtel said had triggered an anomaly alert when
efforts were made to deploy it.

"Accellion informed thereafter that our system could have been
breached and this had likely occurred on January 20," the
Singtel spokesperson told ZDNet in an email. "We continued to keep the
system offline and activated cyber and criminal investigations that
confirmed the January 20 date. Given the complexity of the
investigations, it was only confirmed on February 9 that files were
taken."

Commenting on the potential data breach, Acronis' co-founder and
technology president Stas Protassov noted that the information would
be useful to Singtel's competitors if leaked, since the FTA system was
used mostly amongst employees and likely would touch on internal
information, such as current business plans.

He further noted that the software was a 20-year-old legacy system and
would pose significant security risks. "Singtel and others should
consider migrating to supported modern systems," Protassov said,
adding that Singtel could have started addressing the issue sooner
since Accellion had been aware of the compromise since December 23.

Accellion points out that FTA is over 20 years old – it seems this
legacy system did not get as much attention from developers and
security teams as it should have. Singtel now suspended the use of the
system, which is good. However, Accellion says, the first signs of
compromise appeared 23 December 2020, so Singtel could have started
the process much earlier.

He noted that Acronis was monitoring the dark web for potential data
leaks from the FTA breach, but had yet to see any signs of data being
dumped.

