[BreachExchange] Oil giant Shell discloses data breach linked to Accellion FTA vulnerability

Destry Winant destry at riskbasedsecurity.com
Wed Mar 24 10:51:43 EDT 2021


https://www.zdnet.com/article/oil-giant-shell-discloses-data-breach-linked-to-accellion-fta-vulnerability/

Shell has disclosed a data breach involving stakeholders that exposed
personal information records.

The oil and gas company said an unknown threat actor managed to gain access
to "various files" during the time of intrusion, which included personal
data and information "from Shell companies and some of their stakeholders."

Shell has not disclosed how many individuals are involved in the security
incident beyond saying that impacted parties have been contacted, alongside
law enforcement agencies and regulators.

The firm added that it does not appear core IT systems have been
compromised, as the route of access was isolated from the rest of Shell's
central infrastructure.

However, the data breach has been connected to Accellion's File Transfer
Appliance (FTA), enterprise software used to transfer large files -- and a
solution linked to a string of security incidents in December 2020 and
January 2021.

Accellion FTA, a legacy product that has now been formally retired,
contained a zero-day vulnerability that was patched within three days of
the vendor being made aware of active attacks utilizing the security flaw.

However, thousands of organizations worldwide rely on the appliance,
leading to a string of attacks against high-profile corporations and
government entities.

The first case was reported by the Reserve Bank of New Zealand.
Organizations including the Australian Securities and Investments
Commission (ASIC), Singtel, and Qualys soon followed.

FireEye's Mandiant team was pulled in to conduct an assessment of the
Accellion FTA vulnerability, finding two further vulnerabilities -- albeit
accessible only by authenticated FTA users -- and all bugs, as of now, have
been resolved in FTA. If systems remain unpatched, however, they also
remain vulnerable to exploit.

The companies said in February that threat group FIN11 has been connected
to the FTA zero-day exploit activity.

"Out of approximately 300 total FTA clients, fewer than 100 were victims of
the attack," Accellion said. "Within this group, fewer than 25 appear to
have suffered significant data theft."

CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 have now
been reserved to track associated vulnerabilities.

Users of Accellion FTA are recommended to switch to Kiteworks.

"We will continue to monitor our IT systems and improve our security,"
Shell says. "We regret the concern and inconvenience this may cause the
affected parties."