Singtel Supply Chain Breach Traced to Unpatched Bug
One of APAC’s biggest telecoms companies has admitted that a supply chain attack may have led to the compromise of customer data.
Singtel released a statement on Thursday revealing that it was running Accellion’s legacy file sharing system FTA to share information internally and with external stakeholders.
Cyber-criminals appear to have exploited potentially multiple FTA vulnerabilities in attacks against various customers.
Although Singtel said its core operations “remain unaffected and sound,” it admitted there may be an impact on customers.
“We are currently conducting an impact assessment with the utmost urgency to ascertain the nature and extent of data that has been potentially accessed. Customer information may have been compromised,” it explained.
“Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.”
Accellion said in an update at the start of February that it was the target of a “sophisticated cyber-attack” which all FTA customers were informed of on December 23. As of February 1 it said it had “patched all known FTA vulnerabilities exploited by the attackers and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.”
Singtel corroborated this in its own version of events, stating that the supplier had made two patches available to fix the bug, which it applied on December 24 and 27 2020. However, there was a further issue the following month.
“On January 23, Accellion issued another advisory citing a new vulnerability which the December 27 patch was not effective against and we immediately took the system offline. On January 30, Accellion provided another patch for the new vulnerability which triggered an anomaly alert when we tried to apply it,” it continued.
“Accellion informed thereafter that our system could have been breached and this had likely occurred on January 20. We continued to keep the system offline and activated cyber and criminal investigations which has confirmed the January 20 date. Given the complexity of the investigations, it was only confirmed on February 9 that files were taken.”
Other customers known to have been hit by the same attacks are the New Zealand central bank, which issued a statement on January 10 and so is likely to have been caught out by an exploit of the vulnerability patched in December.
Saryu Nayyar, CEO of Gurucul, argued that the incidents highlight the risks associated with running legacy software. FTA is thought to be over 20-years-old.
“Patch cycles in enterprise environments can be complicated, especially for mature organizations with a robust change management system, but the malicious actors do not wait,” she added.
“They know there is usually a limited time between an exploit being released and a defense going in place, so they tend to move quickly. That means cybersecurity needs to move at least as quickly.”