Weekly CyberTip: Where do you keep your incident response plan?
Be sure to store a secure copy of your incident response plan separate from your infrastructure. In the event that you are faced with a cyberattack that encrypts your data or otherwise makes your systems unavailable, you will want to have access to your IR plan in a location fully isolated from the incident.
Morgan Stanley becomes latest known victim of Accellion FTA related hacks
Financial services giant Morgan Stanley has disclosed that they were affected by the series of Accellion FTA hacks that took place back in January 2021. In a letter obtained by Bleeping Computer, Morgan Stanley discloses to the Attorney General of New Hampshire that a third-party service provider had suffered a cyber attack that disclosed Morgan Stanley client data in the process.
The January data breach affected Guidehouse LLP, a consulting company used by Morgan Stanley to find current contact information for customers of Morgan Stanley’s “StockPlan Connect” business, when those customers’ accounts were found to be inactive for extended periods of time.
The complex timeline and reasons for the notification delay are laid out in the letter: “Morgan Stanley has reviewed Guidehouse’s remediation of the incident. According to Guidehouse, the Accellion FTA vulnerability that led to this incident was patched in January 2021, within 5 days of the patch becoming available. Although the data was obtained by the unauthorized individual around that time, the vendor did not discover the attack until March of 2021, and did not discover the impact to Morgan Stanley until May 2021, due to the difficulty in retroactively determining which files were stored in the Accellion FTA appliance when the appliance was vulnerable.”
The files disclosed by Guidehouse reportedly include investor name, last known address, date of birth, Social Security number, and corporate company name. Morgan Stanley advised that the compromised files were stored in encrypted form for security purposes; however, during the breach, the attackers not only stole the data, but also managed to gain access to a decryption key that gave them access to the data store. Guidehouse has informed Morgan Stanley that, to date, dark web monitoring has found no evidence that the stolen client data has been distributed by the hackers.
The total number of customers affected by the breach was not disclosed, but the letter indicated that 108 residents of New Hampshire were affected by the incident.
At least four separate vulnerabilities and exposures were discovered in Accellion’s FTA product between December 2020 and January 2021. In January, the FTA product became the target of a series of advanced attacks, widely believed to have been coordinated by the FIN11 and Clop ransomware gangs, who exploited these vulnerabilities to launch ransomware campaigns around the world.
Accellion had been working for over three years to discontinue FTA – a 20-year-old legacy file sharing service product – and migrate its customers to a new platform at the time of the attacks. In the wake of the global breaches, Accellion announced on February 25 that FTA would be permanently shut down by April 30, 2021.
Morgan Stanley now joins an international roster of direct or indirect victims of the FTA-related hacks. The first case was reported by the Reserve Bank of New Zealand in early January 2021; the victim count is now thought to approach 300, and includes Singtel, Singapore’s largest telco; the Australian Securities and Investments Commission (ASIC); Australian law firm Allens; the QIMR Berghofer Medical Research Institute in Queensland, Australia; the University of Colorado; the University of California; the Office of the Washington State Auditor; Shell; American grocery chain Kroger; American multi-national law firm Jones Day; and Canadian aviation company Bombardier, among others.
Iran’s transportation information infrastructure targeted by cyber attackers
Two ministries in the Iranian government were targeted by unidentified cyber attackers in the last few days. On July 9, the computer systems managing the display boards at Iranian train stations were breached. According to state broadcaster IRIB, there was “unprecedented chaos at railway stations across the country” among passengers as hackers tampered with arrival and departure messages. According to semi-official news agency Fars, fake messages were posted on digital signage including: bogus warnings of train cancellations and “long delays due to cyberattack,” as well as encouragement to inconvenienced passengers to contact a phone number that turned out to be in the office of Supreme Leader Ayatollah Ali Khamenei. Early reports suggested that actual train service was disrupted, though the Raja Passenger Train Company (the company that manages the passenger rail system) and government sources were quick to dispel these rumours.
No sooner had the confusion died down around this breach than the website of Iran’s Ministry of Roads & Urban Development (MRUD) was taken down early on July 10 by what state television described as a “cyber disruption”. Again, the attackers were not identified and ransom demands, if any, were not disclosed. Government departments have been directed to stay in close contact with MAHER – Iran’s national Computer Emergency Response Team (CERT) – if they receive any ransom messages from the hackers.
The MRUD site remained down late July 11.
Kaseya VSA Update
Kaseya has announced the release of software patches for its VSA software in a package of release notes for its SaaS and On-Premises customers. Kaseya customers are urged to follow the instructions closely to ensure that their systems are free of compromise before being restarted. The patches contain fixes for the three vulnerabilities that were exploited in the attacks that started on July 2.
The latest status reports on all Kaseya VSA products and services were posted late on July 11. Of particular note is the news that Kaseya has begun the process of restarting its own SaaS services, which have been down since July 2. This process is expected to be complete early on Monday, July 12, but check the “Informational” section of their website for the latest details as there are frequent updates and revisions appearing online.
Kaseya has also provided its own version of the chronology of the incident, in which they now acknowledge the number of directly affected customers is approaching 60, while the number of indirectly compromised organizations remains around 1500, as was estimated in the early days of the incident.