14 with 11 posters participating
Morgan Stanley suffered a data breach that exposed sensitive customer data, and it became the latest known casualty of hackers exploiting a series of now-patched vulnerabilities in Accellion FTA, a widely used third-party file-transfer service.
The data obtained included names, addresses dates of birth, social security numbers, and affiliated corporate company names, Morgan Stanley said in a letter first reported by Bleeping Computer. A third-party service called Guidehouse, which provides account maintenance services to the financial services company, was in possession of the data at the time. Unknown hackers obtained the data by exploiting a series of hacks that came to light in December and January.
What took so long?
Morgan Stanley stated:
According to Guidehouse, the Accellion FTA vulnerability that led to this incident was patched in January 2021, within 5 days of the patch becoming available. Although the data was obtained by the unauthorized individual around that time, the vendor did not discover the attack until March of 2021, and did not discover the impact to Morgan Stanley until May 2021, due to the difficulty in retroactively determining which files were stored in the Accellion FTA appliance when the appliance was vulnerable. Guidehouse has informed Morgan Stanley that it found no evidence that Morgan Stanley’s data had been distributed beyond the threat actor.
Guidehouse representatives didn’t immediately respond to an email asking why it took so long for the company to discover the breach, notify customers, and discover if other Guidehouse customers were also compromised. This post will be updated if a reply comes after publication.
Accellion customers use the File Transfer Appliance as a secure alternative to email for sending large data files. Instead of receiving an attachment, email recipients get links to files hosted on the FTA, which can then be downloaded. Although the product is almost 20 years old and Accellion has been transitioning customers to a newer product, the legacy FTA is still used by hundreds of organizations in the finance, government, and insurance sectors.
According to research Accellion commissioned from security firm Mandiant, unknown hackers exploited the vulnerabilities to install a web shell that gave them a text-based interface to install malware and issue other commands on compromised networks. Mandiant also said that many of the hacked organizations later received extortion demands that threatened to publish stolen data on a dark web site affiliated with the Cl0p ransomware group unless they paid a ransom.
arrested six suspected Cl0p affiliates. A week later, the dark web site used to publish data stolen through Cl0p ransomware posted new tranches, demonstrating that a core group of members remained active.
No advanced warning
In-the-wild exploits of the FTA vulnerabilities were first detected in late December. The company initially said that it had notified all affected customers and fixed the zero-day vulnerabilities that enabled the attack within 72 hours of learning of them. Later, Mandiant discovered two additional zero-days.
Some customers have complained in the past that Accellion was slow to provide notifications of the vulnerabilities under attack.
“We were over reliant on Accellion—the supplier of the file transfer application (FTA)—to alert us to any vulnerabilities in their system,” officials with New Zealand’s Reserve Bank said in May. “In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning.”
In a statement, Morgan Stanley representatives wrote: “The protection of client data is of the utmost importance and is something we take very seriously. We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”