IOTW: End-Of-Life Third Party Software Responsible For Singtel Hack

Hunt down the old stuff and remove it before it bites you is the message here…:

[…] On February 17, Singtel released a detailed statement about a successful zero-day hack that threatened the personal identification information (PII) of 129,000 customers, including name, date of birth, phone number, and address. Twenty-eight former employees had their bank account information stolen. The hackers also stole a few dozen credit card numbers belonging to staff members of a Singtel corporate customer and information from 23 related enterprises such as suppliers and partners. Singtel notes that the latter could be particularly damaging if leaked to their competitors.

Accellion’s FTA software that Singtel used for large data transfers within the organization is responsible for the breach–the same software that was leveraged in the Washington State breach, an 18-hour flight away, that we reported on at the beginning of the month. Singtel, however, had the resources and know-how to do everything right to prevent such a hack.

On December 24, Singtel installed an FTA patch after Accellion alerted them about a zero-day vulnerability just the day before. On December 27, they installed a second patch related to the issue and were told no further action was necessary.

On January 23, Accellion notifies Singtel of yet another vulnerability unrelated to the first one, rendering the patch useless. This time, Singtel takes the system offline. On January 30, another patch installation was attempted but failed after an “anomaly alert.” Singtel kept the system offline and began an official investigation. On February 9, Singtel confirms that the investigation revealed that the breach was successful and data was stolen.


Original article