At the end of last year, enterprise firewall company Accellion was the victim of a two-phase SQL injection attack that resulted in significant sensitive data breaches over the last number of months. This attack is important for several reasons. It underscores the rise in frequency of incidents leading to public breaches, and highlights SQL injections as an increasingly popular way for attackers to cause major damage. Imperva Research Labs are consistently seeing SQL injection as a preferred attack method. More importantly (and frankly, what should scare the pants off everyone), the analysis of this breach confirms that attackers and their methods are becoming more creative and sophisticated. To stop them, organizations need to put greater effort into analyzing and monitoring the data layer. When organizations combine data-centric threat mitigation with protecting all paths to their data, they have a far better posture to stop sophisticated breaches like this in their tracks.
Learning from the timeline of events
Let’s take a closer look at the details of this attack and explain why understanding how it happened is critical to stopping similar attacks in the future.
In December 2020, attackers exploited a single zero-day vulnerability in enterprise firewall company Accellion’s File Transfer Appliance (FTA) technology to steal customer data, credit information, and personal data such as birthdates and email addresses subsequently to use as leverage in ongoing extortion attempts.
A post-breach analysis of the attack revealed that the attacker(s) chained together the following vulnerabilities in their content firewall: SQL Injection (CVE-2021-27101) and OS Command Execution (CVE-2021-27104). The attacker leveraged the SQL Injection vulnerability against the file document_root.html to retrieve “W” keys from the Accellion FTA database. Accellion issued a patch to mitigate the vulnerabilities less than 72 hours after discovery.
After the December 20, 2020 release of Accellion’s patch, which remediated the vulnerabilities associated with the December exploit, the attacker changed their entry point and employed a new technique involving ServerSide Request Forgery (SSRF) (CVE-2021-27103) and OS Command Execution (CVE-2021-27102). The attacker’s strategy was clear: a two-phase approach with the first targeting vulnerabilities in the content firewall and the second targeting the database where the customer data was held.
Attack techniques used in the Accellion breach are likely to continue
Today’s cyber attacks are becoming ever more creative, sophisticated and well-funded, in many cases by nation states. As a result, the attackers now have the resources to learn how the software of a target organization works. They have the resources to stay abreast of trends and vulnerabilities, increasing their capacity to make more sophisticated attacks. To get the highest return on their investment, attackers and their sponsors choose organizations whose applications and appliances are widely used and trusted by thousands of customers, like Accellion’s FTA.
As in the 2020 SolarWinds breach, the attackers didn’t just exploit vulnerabilities to compromise a target system, they were knowledgeable enough to run a clean-up routine to erase evidence of the activity. In the Accellion case, the attackers took the time to reverse-engineer their target’s software and figure out the best way to breach their content firewall. When Accellion shut down that path, they already had a plan to attack the database itself. Attacking a company like Accellion that facilitates secure file transfers is particularly brazen. Irony notwithstanding, it makes sense. Accellion enterprise customers using secure file transfers are very likely to be moving around the exact data that an attacker wants to steal. In the end, the attackers were also able to weaponize the data and use it for global extortion attempts that are likely to continue for many months.
An optimal data security posture thwarts these new breeds of attacks
The Accellion breach started with a SQL injection attack. Just using SQL injection, the attackers managed to complete a successful attack. This illustrates very clearly the absolute need to do analytics and threat detection at the data layer. The lowest common denominator in all applications is the data repository layer - all apps and all systems store data somewhere. Most applications use a database although in today’s modern architecture landscape many things can and should be classified as a database even if technically they are not a DBMS. At the end of the day, you can discover almost any attack just by looking at the data layer because every application has a data component.
Going back to the Imperva Research Lab’s data and seeing the chronic and persistent frequency with which SQL injection results in attacks, it seems that organizations still are not paying enough attention to securing the data layer. In the SolarWinds case, as well as this Accellion breach, monitoring at the data level with machine learning model-driven behavior analytics and automated detection of non-compliant, risky, or malicious data access behavior would have brought up-front attention to these attacks.
The other thing we learn from the Accellion breach is that one must protect all paths to the data. When the content firewall protection fails, you must have internal protection in place to stop attacks. In the Accellion case, they only fixed a part of the problem after the first breach. They mitigated the first vulnerability - but most of the attack itself stayed the same when the attacker launched the second phase of the breach. The attackers changed only the entry point until they gained the ability to run an OS command. From there, the rest of the attack followed the pattern of the first, they only had to find a different first step. This highlights the critical importance for organizations to secure all access points as a matter of course. Imperva is dedicated not only to securing data, but securing all paths to the data. Imperva helps organizations take a holistic approach to security and execute both application monitoring and database monitoring.
Get the latest from imperva
The latest news from our experts in the fast-changing world of application, data, and edge security.