Stanford Medical School, University of California system, University of Miami, and Colorado University all hacked.

SAN RAFAEL, CALIFORNIA – Hackers connected to two cyber crime groups, FIN11 and Clop, went on a hacking spree that has impacted multiple American universities, including Stanford, the UC system, University of Miami, and Colorado University. Leaked data includes social security numbers, medical information, transcripts, and sensitive financial documents.

Accellion’s File Transfer Appliance is a service used by many companies, government entities, and universities to transfer sensitive files. The breach stems from four vulnerabilities in the service, which created a perfect storm for hackers.

Per Jake Williams, founder of cybersecurity firm Rendition Infosec, “These vulnerabilities are particularly damaging, because in a normal case, an attacker has to hunt to find your sensitive files, and it’s a bit of a guessing game, but in this case the work is already done. By definition, everything sent through Accellion FTA was pre-identified as sensitive by the user.”

The motive? Financial gain.

One of the crime groups behind the breach, Clop, is known primarily as a ransomware group, but this is not a case of ransomware, just simple extortion. In ransomware attacks, hackers install malware onto a network, and encrypt files in order to demand a ransom payment.

In this case, hackers gained access to the universities’ sensitive data directly from Accellion, exfiltrated it, and sent threatening emails to impacted parties demanding a ransom in exchange for hackers agreeing not to leak all of the stolen data.

From the the University of California’s s official statement:

We believe the person(s) behind this attack are sending threatening mass emails to members of the UC community in an attempt to scare people into giving them money. Anyone receiving this message should either forward it to your local information security office or simply delete it.”

A Note on Legacy Systems

Accellion has consistently preached that FTA (which has been around for more than 20 years) is at the end of its life cycle. They planned to end support for FTA on April 30th, and had discontinued support for its operating system, Centos 6, on November 30th of 2020. The company has been working to transition customers away from FTA and onto its new platform, Kiteworks.

Legacy systems are old, out-dated systems or pieces of software that can still be used, but no longer receive security updates or patches for vulnerabilities. Hackers love to target legacy systems because of the lack of security, and also because organizations who use them are often behind the curve in other areas of IT and cyber security.

3rd party breaches… here to stay.

The Accellion breach highlight the dangers of 3rd party breaches. No matter how strong your organization’s cyber security, you cannot control the risk associated with external partners and their security.

It’s a strong argument for choosing a cyber insurance program that offers substantial 3rd party coverage.

Related: Texas School District Falls Victim to $2.3M Email Scam