The Tier 1 telecom giant was caught up in a coordinated, wide-ranging attack using unpatched security bugs in the Accellion legacy file-transfer platform.
Singtel, Tier 1 telecom carrier throughout Asia and owner of Australian telco Optus, has been impacted by a software security hole in a third-party file transfer appliance targeted by attackers. Singtel is one of multiple organizations affected by the bug, including an Australian medical research institution.
The point of entry for the attack was software company Accellion, maker of (among other things) a legacy large file transfer product called File Transfer Appliance, or FTA. FTA is a 20-year-old product that was targeted by a “sophisticated cyberattack” on Dec. 23, according to a company notice in early February.
BankInfoSecurity
May 5, 2021
PayPal has patched a cross-site scripting - or XSS - vulnerability in its currency conversion endpoint that, if exploited, could enable malicious JavaScript injection.
The PayPal vulnerability was discovered in February 2020 by a security researcher who goes by the name Cr33pb0y and was paid $2,900 through HackerOne's bug bounty program.
Responding in the HackerOne forum, PayPal notes that the vulnerability resulted from its currency conversion URL improperly handling user input. An attacker exploiting the vulnerability could perform JavaScript injection or add other malicious code to the URL to access the document object model in the victim's browser. By loading a malicious payload into a victim's browser, hackers could steal data or take control of a device.
Singtel is among the latest victims of a breach tied to Accellion's File Transfer Appliance.
Two more breaches have been tied to the vulnerable 20-year-old Accellion File Transfer Appliance. The latest victims are Singapore telecom company Singtel and Australian medical research institute QIMR Berghofer.
Singtel reports that it's working closely with the Cyber Security Agency of Singapore after a breach of its Accellion FTA system, which it uses to share information internally and externally.
In a blog post on Thursday, Singtel said it was informed by Accellion that FTA had been attacked by unidentified hackers. "We are currently conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed. Customer information may have been compromised," Singtel says.
GovInfoSecurity
New Zealand's Reserve Bank is one victim of a breach involving Accellion's FTA product. (Source: Wikimedia Commons)
Several data breaches stemming from unpatched vulnerabilities in Accellion's File Transfer Appliance have been revealed. What went wrong? Where does the fault lie? And what can organizations do about it?
It’s not a straightforward story, and it points to problems around balancing use of an aging software product with risk, a reluctance to move onto a newer platform and internal patching hiccups.
It's prudent for those still using Accellion's FTA to wean themselves off of it if possible.
Data Breach Exposes 1.6 Million Jobless Claims Filed in Washington State
The Office of the Washington State Auditor (SAO) on Monday said it's investigating a security incident that resulted in the compromise of personal information of more than 1.6 million people who filed for unemployment claims in the state in 2020.
The SAO blamed the breach on a software vulnerability in Accellion's File Transfer Appliance (FTA) service, which allows organizations to securely share sensitive documents with users outside their organization. "During the week of January 25, 2021, Accellion confirmed that an unauthorized person gained access to SAO files by exploiting a vulnerability in Accellion's file transfer service," the SAO said in a statement.