Company:Accellion

From HandWiki
Short description: American technology company
Accellion, Inc.
Type: Private
Industry: Security software
Founded: 1999
Headquarters: Palo Alto, California, United States
Key people:
  • Jonathan Yaron (CEO)
  • Glen Segal (CFO)
Number of employees: 180[1]
Website: accellion.com

Accellion, Inc. is an American technology company specializing in secure file sharing and collaboration, targeted towards businesses. The company was founded in 1999 in Singapore and is now based in Palo Alto, California. In 2020, the company stated that its products were used by over 3,000 organizations. Beginning in late 2020, a zero-day exploit on a legacy product led to data breaches of dozens of government and private organizations, in multiple countries.[2]

History

Accellion was founded in Singapore in 1999, originally focused on distributed file storage.[3] The company moved to Palo Alto, California, focusing on secure file transmission.[4] Accellion reached a total funding of about $35 million in 2011, and it was valued at $500 million in 2014.[3] The company's chief executive officer, Yorgen Edholm, credited aversion to "National Security Agency–style snooping" as a factor in their success.[5] In 2020, the company stated that it was used by 25 million users, across over 3,000 organizations.[6]

Software

Accellion was working on file transfer systems by late 2002.[7] The company released a file transfer appliance in 2005, a physical machine aiming to reduce server load when sending large files.[8] In March 2011, the company released an online file collaboration product, emphasizing security.[9][7][10] In 2012, the company launched a service allowing file sharing between mobile devices.[11] It included a synchronization feature called kitedrive.[12][13] Early demand for the company's file transfer applications came from organizations that needed to transfer large files, including healthcare companies[14] and universities.[15][16]

In January 2014, Accellion launched kiteworks, a file sharing product allowing users to edit files and projects remotely, with interoperability with services like Google Drive and Dropbox.[3][17][18] That December, the company released a set of programming interfaces extending secure file access to mobile devices.[19] PCMag reviewer Fahmida Y. Rashid gave kiteworks 3.5 out of 5 stars, praising its interface, support for mobile devices, and privacy tools.[20]

2020–21 security breaches

In mid-December 2020, the company's File Transfer Appliance product—now a 20-year-old legacy system—was subject to a zero-day exploit,[21] which was patched on December 23.[22] Three additional vulnerabilities were discovered and patched over the next month.[23] The first vulnerability was a SQL injection, allowing an attacker to use a web shell to run arbitrary commands and extract data.[22] The four vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) codes 2021-27101 through 2021-27104 on February 16, 2021.[24]

The exploit has affected around 300 organizations worldwide,[25][26] including Kroger,[27] Shell Oil Company,[28][29] the University of California system,[30] the Australian Securities and Investments Commission,[31] the Reserve Bank of New Zealand,[32] and Singtel.[33] Data stolen includes Social Security numbers and other identification numbers, images of passports, financial information, and emails.[33][34] According to computer security firm FireEye, the attackers comprised two hacking groups: one with ties to "Clop", a ransomware group, and one connected to financial crime group "FIN11".[35] Many victims received extortion emails containing a .onion link to a website containing data dumps of multiple organizations.[35] Prior to the attacks, Accellion had maintained that the FTA was a legacy product nearing the end of its life, with support ending on April 30, 2021, asking customers to move to their kiteworks system.[2][27][36] David Kennedy, CEO of corporate incident response firm TrustedSec, said that "[t]he Accellion zero days were particularly damaging because actors were mass-exploiting this vulnerability quickly, and the severity of this wasn't being communicated from Accellion".[2]

References

  1. "Accellion Competitors, Revenue, Alternatives and Pricing". https://growjo.com/company/Accellion. 
  2. Newman, Lily Hay (8 March 2021). "The Accellion Breach Keeps Getting Worse—and More Expensive" (in en-us). Wired. https://www.wired.com/story/accellion-breach-victims-extortion/. Retrieved 2 April 2021. 
  3. Deborah Gage (January 27, 2014). "Accellion Targets Box, Dropbox on Secure File Sharing". The Wall Street Journal. https://blogs.wsj.com/venturecapital/2014/01/27/accellion-targets-box-dropbox-on-secure-file-sharing/. Retrieved January 30, 2014. 
  4. Hoffman, Thomas (14 March 2005). "Ogilvy Harnesses the Web for its File Transfer System". http://www.computerworld.com/action/article.do?command=viewArticleTOC&specialReportId=801&articleId=99961. 
  5. Ramakrishnan, Sruthi (5 February 2014). "File-sharing company Accellion aims to go public in 2015" (in en). https://www.reuters.com/article/us-accellion-ipo/file-sharing-company-accellion-aims-to-go-public-in-2015-idINBREA141GE20140205. 
  6. "About Accellion". https://www.accellion.com/company/. 
  7. "Ogilvy Harnesses the Web for Its File Transfer System". Computer World. 14 March 2005. http://www.computerworld.com/action/article.do?command=viewArticleTOC&specialReportId=801&articleId=99961. 
  8. Solheim, Shelley (26 September 2005). "Device Keeps Large Files Moving". eWEEK. https://www.eweek.com/networking/device-keeps-large-files-moving/. 
  9. Hulme, George V. (29 March 2011). "Accellion proffers secure cloud collaboration workspaces" (in en). https://www.csoonline.com/article/2127898/accellion-proffers-secure-cloud-collaboration-workspaces.html. 
  10. "Accellion introduces new secure collaboration worktool". Engineering and Technology Magazine. 29 March 2011. http://eandt.theiet.org/news/2011/mar/accellion-secure.cfm. 
  11. Drinkwater, Doug (12 March 2012). "Accellion strives for secure mobile file sharing with 'Dropbox for Enterprise'". TabTimes. http://tabtimes.com/news/ittech-cloud-services/2012/03/12/accellion-strives-secure-mobile-file-sharing-dropbox. 
  12. Scott, Jennifer (13 March 2012). "Accellion launches kitedrive Sync its 'Dropbox for the enterprise'" (in en). Cloud Pro. http://www.cloudpro.co.uk/iaas/cloud-storage/3067/accellion-launches-kitedrive-sync-its-dropbox-enterprise. 
  13. Sibley, Lisa (4 January 2012). "Accellion raises $12M for expansion plans". The Business Journals. https://www.bizjournals.com/sanjose/news/2012/01/04/accellion-raises-12m-for-expansion.html. 
  14. Baker, M. L. (February 8, 2007). "Harvard CIO Herds Large File Transfers". eWeek. http://www.eweek.com/c/a/Health-Care-IT/Harvard-CIO-Herds-Large-File-Transfers/. 
  15. "Solving the File Transfer Problem". Chronicle of Higher Education. January 28, 2008. http://chronicle.com/blogs/wiredcampus/solving-the-file-transfer-problem/3644. 
  16. "Appliance Helps Researchers Share Large Files". Bio-IT World. April 19, 2006. http://www.bio-itworld.com/newsitems/2006/april/04-19-06-news-accellion. 
  17. Ben Kepes (January 28, 2014). "Accellion Launches Kiteworks, But Are They Too Late To The Mobile File Sharing Party?". Forbes. https://www.forbes.com/sites/benkepes/2014/01/28/accellion-launches-kiteworks-but-are-they-too-late-to-the-mobile-file-sharing-party/. Retrieved January 30, 2014. 
  18. Nathan Eddy (31 Jan 2014). "Accellion Kiteworks Helps Mobile Workers Boost Productivity". eWeek. http://www.eweek.com/small-business/accellion-kiteworks-helps-mobile-workers-boost-productivity.html/. 
  19. Clancy, Heather (28 November 2014). "Accellion tackles secure mobile content updates" (in en). ZDNet. https://www.zdnet.com/article/accellion-tackles-secure-mobile-content-updates/. 
  20. Rashid, Fahmida Y. (31 August 2015). "Accellion Kiteworks Business Review" (in en). PCMag. https://www.pcmag.com/reviews/accellion-kiteworks-business. 
  21. Mathews, Lee (23 March 2021). "Oil Giant Shell Victimized In December 2020 Hack" (in en). Forbes. https://www.forbes.com/sites/leemathews/2021/03/23/oil-giant-shell-victimized-in-december-2020-hack/. 
  22. "Exploitation of Accellion File Transfer Appliance | CISA". https://us-cert.cisa.gov/ncas/alerts/aa21-055a. 
  23. Fisher, Dennis (26 February 2021). "Attackers Continue to Target Accellion FTA Flaws" (in en). Decipher. https://duo.com/decipher/attackers-continue-to-target-accellion-fta-flaws. 
  24. "NVD - CVE-2021-27101". https://nvd.nist.gov/vuln/detail/CVE-2021-27101. 
  25. Ropek, Lucas (11 February 2021). "The Accellion Data Breach Seems to Be Getting Bigger" (in en-us). Gizmodo. https://gizmodo.com/the-accellion-data-breach-seems-to-be-getting-bigger-1846250357. 
  26. Jablon, Robert (3 April 2021). "University of California victim of nationwide hack attack" (in en). ABC News. https://abcnews.go.com/Technology/wireStory/university-california-victim-nationwide-hack-attack-76847800. 
  27. Greig, Jonathan (24 February 2021). "Kroger data breach highlights urgent need to replace legacy, end-of-life tools" (in en). TechRepublic. https://www.techrepublic.com/article/kroger-data-breach-highlights-urgent-need-to-replace-legacy-end-of-life-tools/. 
  28. Osborne, Charlie (23 March 2021). "Oil giant Shell discloses data breach linked to Accellion FTA vulnerability" (in en). ZDNet. https://www.zdnet.com/article/oil-giant-shell-discloses-data-breach-linked-to-accellion-fta-vulnerability/. 
  29. Montalbano, Elizabeth (23 March 2021). "Energy Giant Shell Is Latest Victim of Accellion Attacks" (in en). Threat Post. https://threatpost.com/shell-victim-of-accellion-attacks/164973/. 
  30. "UC Among Targets in Nationwide Cyberattack" (in en). 31 March 2021. https://www.ucdavis.edu/news/uc-among-targets-nationwide-cyberattack. 
  31. Duckett, Chris (15 January 2021). "ASIC reports server breached via Accellion vulnerability" (in en). ZDNet. https://www.zdnet.com/article/asic-reports-server-breached-via-accellion-vulnerability/. 
  32. Olenick, Doug (16 February 2021). "NZ Reserve Bank Issues Update on Accellion Breach" (in en). Bank Info Security. https://www.bankinfosecurity.com/nz-reserve-bank-issues-update-on-accellion-breach-a-16008. 
  33. Wong, Cara (17 February 2021). "Data of some 129,000 Singtel customers, including NRIC details, stolen in hack of third-party system" (in en). The Straits Times. https://www.straitstimes.com/singapore/data-on-some-129000-singtel-customers-stolen-in-hack-on-third-party-system. 
  34. Wu, Daniel; Catania, Sam (1 April 2021). "Hackers leak Social Security numbers, student data in massive data breach". The Stanford Daily. https://www.stanforddaily.com/2021/04/01/hackers-leak-social-security-numbers-student-data-in-massive-data-breach/. 
  35. Seals, Tara (22 February 2021). "Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11" (in en). Threat Post. https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/. 
  36. Cimpanu, Catalin (11 February 2021). "Accellion to retire product at the heart of recent hacks" (in en). https://www.zdnet.com/article/accellion-to-retire-product-at-the-heart-of-recent-hacks/. 
