IOTW: University of California Schools Hit with Ransomware Attack

In March, the University of California (UC) announced it was the victim of a ransomware attack that targeted vulnerabilities in Accellion's legacy File Transfer Appliance (FTA). The stolen data included the personal information of faculty and students including their email addresses to which messages were said stating, "Your personal data has been stolen and will be published." 

As soon as the UC became aware of the breach, it took measures to contain it and began an investigation. The UC also alerted federal law enforcement. In the meantime, the UC advised potential victims to either forward the email to the local information security office or delete it. It also provided victims with recommendations about how to protect themselves, including activating credit freezes and refraining from opening suspicious emails. 

Particularly troubling is the fact that Social Security numbers and bank information may have been compromised. The UC is offering victims a year's worth of credit monitoring and ID theft protection as well as notifying the individuals who have been affected.

The Facts

On January 12, 2021, Accellion issued a statement stating it had been aware of a P0 vulnerability in its legacy FTA software since mid-December. The company released a patch for the 20-year-old product within 72 hours to the less than 50 customers that had been affected. In early February, Accellion stated it had notified all affected FTA customers by December 23, 2020. However, that was before the January exploit hit.

Accellion hired forensic cybersecurity firm FireEye Mandiant to investigate the December 2020 and January 2021 cyberattacks. Mandiant identified threat actor UNC2546 as the attacker.

A total of six vulnerabilities have been discovered and patched. The latter two were discovered by Mandiant. They include:

• CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
• CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
• CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
• CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)
• CVE-2021-27730 – Argument injection via a crafted POST request to admin endpoint
• CVE-2021-27731 – Stored XSS via a crafted POST request to a user endpoint

In March, the U.S. Federal Bureau of Investigation (FBI) stated it had noticed a recent increase in PYSA ransomware targeting higher education, K-12 and seminaries in 12 US states and the U.K.

Meanwhile, Accellion developed a tool that allows clients to check for indications of attack activity. The tool also allows customers to identify any files that were downloaded from an exploited system. Accellion also established a "Trust Center" page with an FAQ and timeline of the attacks as well as other relevant security information and updates. 

Accellion has been encouraging its customers to abandon FTA which reaches its end of life on April 30 and switch to the Accellion Kiteworks content firewall which was not affected by the cyberattack. 

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), bad actors have exploited the FTA vulnerabilities worldwide to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. 

Lessons Learned

• Even "secure" software or firmware can be compromised.
• Third-party software should be monitored continuously for signs of potential vulnerabilities.
• Legacy products should be assessed in TCO terms including the cost of potentially increasing cybersecurity risks.
• Patch ASAP, always.
• Every incident response plan should include ransomware scenario planning.

Quick Tips

The FBI recommends organizations take the following actions:

• Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. 
• Implement network segmentation. 
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud). 
• Install updates/patch operating systems, software, and firmware as soon as they are released. 
• Use multifactor authentication where possible. 
• Regularly, change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes. 
• Disable unused remote access/RDP ports and monitor remote access/RDP logs. 
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind. 
• Install and regularly update anti-virus and anti-malware software on all hosts. 
• Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN. 
• Consider adding an email banner to messages coming from outside your organizations. 
• Disable hyperlinks in received emails. 
• Focus on cybersecurity awareness and training.