Shell, the multinational oil giant, disclosed in late March that the personal information of some of its stakeholders and business data from linked organizations have been compromised after a successful attack on its network.
The company disclosed that a still-unknown malicious actor broke into its systems and accessed files containing sensitive data belonging to Shell companies and their stakeholders.
Further investigation showed that the attack is connected to Accellion's File Transfer Appliance (FTA), a legacy product that organizations use to transfer large files. This Accellion product, which has now been retired from the market, has a history of vulnerabilities and security issues that we will address in the following lines.
Shell’s Breach and Response
In its disclosure of this security event, Shell stated that all affected stakeholders had already been contacted. Law enforcement agencies and regulators were fully informed as well and were already working with Shell and the impacted parties. However, the company did not disclose how many individuals were directly affected by the incident.
Shell also shared that the access route used in this incident was isolated from its core IT infrastructure, which limited the damage.
The company committed to improving the security of its IT systems and to monitoring potential threats to its stakeholders more effectively.
Accellion’s Track Record
A central part of this breach is Accellion's File Transfer Appliance (FTA), a legacy product that organizations use to transfer large files. Thousands of organizations are currently using the product. Shell used this enterprise software for the same purpose, and it apparently ended up giving the threat actor an exploitable vulnerability.
Accellion's FTA has been linked to a series of security issues at different points in time. The now-retired product contained a zero-day vulnerability that malicious actors quickly exploited; it was patched three days after the vendor was informed of it.
Back in December 2020, FireEye discovered that the Clop ransomware group was running a campaign to exploit vulnerabilities in Accellion software, taking advantage of previously unknown security issues in the legacy product. The assessment also led to the identification of two new vulnerabilities, both of which could be reached only by authenticated users.
In early January, the Reserve Bank of New Zealand reported that it had suffered a breach of its systems. It was discovered shortly afterwards that the threat actor had used Accellion's product to break into the network and steal commercially and personally sensitive data.
Also in January, the Australian Securities and Investments Commission (ASIC) disclosed a server breach, likewise related to the Accellion software in question.
In early February, Singapore Telecommunications Limited, commonly known as Singtel, reported that it had to suspend all use of the Accellion software it used for large-file sharing after a threat actor used it to break into its infrastructure and leak customer data.
Then in early March, the cybersecurity firm Qualys disclosed a new breach linked to Accellion's FTA. In this case, the damage was very limited and had no real impact on operations or customer data.