Company:Accellion
Type | Private |
---|---|
Industry | Security software |
Founded | 1999 |
Headquarters | Palo Alto, California, United States |
Key people | |
Number of employees | 180[1] |
Website | accellion.com |
Accellion, Inc. is an American technology company specializing in secure file sharing and collaboration, targeted towards businesses. The company was founded in 1999 in Singapore and is now based in Palo Alto, California. In 2020, the company stated that its products were used by over 3,000 organizations. Beginning in late 2020, a zero-day exploit on a legacy product led to data breaches of dozens of government and private organizations, in multiple countries.[2]
History
Accellion was founded in Singapore in 1999, originally focused on distributed file storage.[3] The company moved to Palo Alto, California, focusing on secure file transmission.[4] Accellion reached a total funding of about $35 million in 2011, and it was valued at $500 million in 2014.[3] The company's chief executive officer, Yorgen Edholm, credited aversion to "National Security Agency–style snooping" as a factor in their success.[5] In 2020, the company stated that it was used by 25 million users, across over 3,000 organizations.[6]
Software
Accellion was working on file transfer systems by late 2002.[7] The company released a file transfer appliance in 2005, a physical machine aiming to reduce server load when sending large files.[8] In March 2011, the company released an online file collaboration product, emphasizing security.[9][7][10] In 2012, the company launched a service allowing file sharing between mobile devices.[11] It included a synchronization feature called kitedrive.[12][13] Early demand for the company's file transfer applications came from organizations that needed to transfer large files, including healthcare companies[14] and universities.[15][16]
In January 2014, Accellion launched kiteworks, a file sharing product allowing users to edit files and projects remotely, with interoperability with services like Google Drive and Dropbox.[3][17][18] That December, the company released a set of programming interfaces extending secure file access to mobile devices.[19] PCMag reviewer Fahmida Y. Rashid gave kiteworks a 3.5 out of 5 stars, praising its interface, support for mobile devices, and privacy tools.[20]
2020–21 security breaches
In mid-December 2020, the company's File Transfer Appliance product—now a 20-year-old legacy system—was subject to a zero-day exploit,[21] which was patched on December 23.[22] Three additional vulnerabilities were discovered and patched over the next month.[23] The first vulnerability was a SQL injection, allowing an attacker to use a web shell to run arbitrary commands and extract data.[22] The four vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) codes 2021-27101 through 2021-27104 on February 16, 2021.[24]
The exploit has affected around 300 organizations worldwide,[25][26] including Kroger,[27] Shell Oil Company,[28][29] the University of California system,[30] the Australian Securities and Investments Commission,[31] the Reserve Bank of New Zealand,[32] and Singtel.[33] Data stolen includes Social Security numbers and other identification numbers, images of passports, financial information, and emails.[33][34] According to computer security firm FireEye, the attackers comprised two hacking groups: one with ties to "Clop", a ransomware group, and one connected to financial crime group "FIN11".[35] Many victims received extortion emails containing a .onion link to a website containing data dumps of multiple organizations.[35] Prior to the attacks, Accellion had maintained that the FTA was a legacy product nearing the end of its life, with support ending on April 30, 2021, asking customers to move to their kiteworks system.[2][27][36] David Kennedy, CEO of corporate incident response firm TrustedSec, said that "[t]he Accellion zero days were particularly damaging because actors were mass-exploiting this vulnerability quickly, and the severity of this wasn't being communicated from Accellion".[2]
References
- [1] "Accellion Competitors, Revenue, Alternatives and Pricing". https://growjo.com/company/Accellion.
- [2] Newman, Lily Hay (8 March 2021). "The Accellion Breach Keeps Getting Worse—and More Expensive". Wired. https://www.wired.com/story/accellion-breach-victims-extortion/. Retrieved 2 April 2021.
- [3] Deborah Gage (January 27, 2014). "Accellion Targets Box, Dropbox on Secure File Sharing". The Wall Street Journal. https://blogs.wsj.com/venturecapital/2014/01/27/accellion-targets-box-dropbox-on-secure-file-sharing/. Retrieved January 30, 2014.
- [4] Hoffman, Thomas (14 March 2005). "Ogilvy Harnesses the Web for its File Transfer System". http://www.computerworld.com/action/article.do?command=viewArticleTOC&specialReportId=801&articleId=99961.
- [5] Ramakrishnan, Sruthi (5 February 2014). "File-sharing company Accellion aims to go public in 2015". https://www.reuters.com/article/us-accellion-ipo/file-sharing-company-accellion-aims-to-go-public-in-2015-idINBREA141GE20140205.
- [6] "About Accellion". https://www.accellion.com/company/.
- [7] "Ogilvy Harnesses the Web for Its File Transfer System". Computer World. 14 March 2005. http://www.computerworld.com/action/article.do?command=viewArticleTOC&specialReportId=801&articleId=99961.
- [8] Solheim, Shelley (26 September 2005). "Device Keeps Large Files Moving". eWEEK. https://www.eweek.com/networking/device-keeps-large-files-moving/.
- [9] Hulme, George V. (29 March 2011). "Accellion proffers secure cloud collaboration workspaces". https://www.csoonline.com/article/2127898/accellion-proffers-secure-cloud-collaboration-workspaces.html.
- [10] "Accellion introduces new secure collaboration worktool". Engineering and Technology Magazine. 29 March 2011. http://eandt.theiet.org/news/2011/mar/accellion-secure.cfm.
- [11] Drinkwater, Doug (12 March 2012). "Accellion strives for secure mobile file sharing with 'Dropbox for Enterprise'". TabTimes. http://tabtimes.com/news/ittech-cloud-services/2012/03/12/accellion-strives-secure-mobile-file-sharing-dropbox.
- [12] Scott, Jennifer (13 March 2012). "Accellion launches kitedrive Sync its 'Dropbox for the enterprise'". Cloud Pro. http://www.cloudpro.co.uk/iaas/cloud-storage/3067/accellion-launches-kitedrive-sync-its-dropbox-enterprise.
- [13] Sibley, Lisa (4 January 2012). "Accellion raises $12M for expansion plans". The Business Journals. https://www.bizjournals.com/sanjose/news/2012/01/04/accellion-raises-12m-for-expansion.html.
- [14] Baker, M. L. (February 8, 2007). "Harvard CIO Herds Large File Transfers". eWeek. http://www.eweek.com/c/a/Health-Care-IT/Harvard-CIO-Herds-Large-File-Transfers/.
- [15] "Solving the File Transfer Problem". Chronicle of Higher Education. January 28, 2008. http://chronicle.com/blogs/wiredcampus/solving-the-file-transfer-problem/3644.
- [16] "Appliance Helps Researchers Share Large Files". Bio-IT World. April 19, 2006. http://www.bio-itworld.com/newsitems/2006/april/04-19-06-news-accellion.
- [17] Ben Kepes (January 28, 2014). "Accellion Launches Kiteworks, But Are They Too Late To The Mobile File Sharing Party?". Forbes. https://www.forbes.com/sites/benkepes/2014/01/28/accellion-launches-kiteworks-but-are-they-too-late-to-the-mobile-file-sharing-party/. Retrieved January 30, 2014.
- [18] Nathan Eddy (31 Jan 2014). "Accellion Kiteworks Helps Mobile Workers Boost Productivity". eWeek. http://www.eweek.com/small-business/accellion-kiteworks-helps-mobile-workers-boost-productivity.html/.
- [19] Clancy, Heather (28 November 2014). "Accellion tackles secure mobile content updates". ZDNet. https://www.zdnet.com/article/accellion-tackles-secure-mobile-content-updates/.
- [20] Rashid, Fahmida Y. (31 August 2015). "Accellion Kiteworks Business Review". PCMag. https://www.pcmag.com/reviews/accellion-kiteworks-business.
- [21] Mathews, Lee (23 March 2021). "Oil Giant Shell Victimized In December 2020 Hack". Forbes. https://www.forbes.com/sites/leemathews/2021/03/23/oil-giant-shell-victimized-in-december-2020-hack/.
- [22] "Exploitation of Accellion File Transfer Appliance | CISA". https://us-cert.cisa.gov/ncas/alerts/aa21-055a.
- [23] Fisher, Dennis (26 February 2021). "Attackers Continue to Target Accellion FTA Flaws". Decipher. https://duo.com/decipher/attackers-continue-to-target-accellion-fta-flaws.
- [24] "NVD - CVE-2021-27101". https://nvd.nist.gov/vuln/detail/CVE-2021-27101.
- [25] Ropek, Lucas (11 February 2021). "The Accellion Data Breach Seems to Be Getting Bigger". Gizmodo. https://gizmodo.com/the-accellion-data-breach-seems-to-be-getting-bigger-1846250357.
- [26] Jablon, Robert (3 April 2021). "University of California victim of nationwide hack attack". ABC News. https://abcnews.go.com/Technology/wireStory/university-california-victim-nationwide-hack-attack-76847800.
- [27] Greig, Jonathan (24 February 2021). "Kroger data breach highlights urgent need to replace legacy, end-of-life tools". TechRepublic. https://www.techrepublic.com/article/kroger-data-breach-highlights-urgent-need-to-replace-legacy-end-of-life-tools/.
- [28] Osborne, Charlie (23 March 2021). "Oil giant Shell discloses data breach linked to Accellion FTA vulnerability". ZDNet. https://www.zdnet.com/article/oil-giant-shell-discloses-data-breach-linked-to-accellion-fta-vulnerability/.
- [29] Montalbano, Elizabeth (23 March 2021). "Energy Giant Shell Is Latest Victim of Accellion Attacks". Threat Post. https://threatpost.com/shell-victim-of-accellion-attacks/164973/.
- [30] "UC Among Targets in Nationwide Cyberattack". 31 March 2021. https://www.ucdavis.edu/news/uc-among-targets-nationwide-cyberattack.
- [31] Duckett, Chris (15 January 2021). "ASIC reports server breached via Accellion vulnerability". ZDNet. https://www.zdnet.com/article/asic-reports-server-breached-via-accellion-vulnerability/.
- [32] Olenick, Doug (16 February 2021). "NZ Reserve Bank Issues Update on Accellion Breach". Bank Info Security. https://www.bankinfosecurity.com/nz-reserve-bank-issues-update-on-accellion-breach-a-16008.
- [33] Wong, Cara (17 February 2021). "Data of some 129,000 Singtel customers, including NRIC details, stolen in hack of third-party system". The Straits Times. https://www.straitstimes.com/singapore/data-on-some-129000-singtel-customers-stolen-in-hack-on-third-party-system.
- [34] Wu, Daniel; Catania, Sam (1 April 2021). "Hackers leak Social Security numbers, student data in massive data breach". The Stanford Daily. https://www.stanforddaily.com/2021/04/01/hackers-leak-social-security-numbers-student-data-in-massive-data-breach/.
- [35] Seals, Tara (22 February 2021). "Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11". Threat Post. https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/.
- [36] Cimpanu, Catalin (11 February 2021). "Accellion to retire product at the heart of recent hacks". https://www.zdnet.com/article/accellion-to-retire-product-at-the-heart-of-recent-hacks/.