A Twenty-Year-Old Product Becomes a Global Liability
Between December 2020 and February 2021, threat actors exploited four previously unknown zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA), a product that had been in use for over two decades. The attacks compromised more than 100 organizations worldwide, resulting in massive data exfiltration, public extortion on the Cl0p ransomware leak site, and lasting reputational damage. For third-party risk management (TPRM) professionals, the Accellion FTA incident stands as one of the clearest demonstrations of the danger posed by legacy vendor software in enterprise supply chains.
The Attack: Four Zero-Days, One Web Shell
The attack was orchestrated by a financially motivated threat group tracked as FIN11, working in collaboration with the Cl0p ransomware gang. According to Mandiant (then FireEye), the attackers chained together four zero-day vulnerabilities to gain access to FTA appliances:
- CVE-2021-27101 — SQL injection via a crafted Host header, allowing initial access to the appliance.
- CVE-2021-27102 — OS command execution allowing the attacker to run commands on the underlying server.
- CVE-2021-27103 — Server-side request forgery (SSRF) enabling further exploitation.
- CVE-2021-27104 — Additional OS command execution via crafted POST requests.
Once inside, the attackers deployed a custom web shell dubbed DEWMODE by Mandiant. DEWMODE was designed to enumerate files stored on the FTA appliance and exfiltrate them over encrypted HTTPS connections. The attackers then used the stolen data for double extortion: victims who refused to pay were threatened with publication of their sensitive files on the Cl0p leak site.
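The first link in the chain above is a SQL injection carried in the HTTP Host header. A defender can catch that class of request cheaply, because a legitimate Host value is only ever one of the appliance's own hostnames in plain hostname syntax. The following added example (it is not code from Mandiant, Accellion or this article) scans web-server access logs for Host values that are either malformed or outside an expected-hostname allow-list. The log layout, the hostname `fta.example.com`, the sample lines and the client addresses are all constructed for the demonstration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample access-log lines (not real FTA logs). Assumed layout: the
# common combined log format with the request's Host header appended in quotes.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Dec/2020:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "fta.example.com"
203.0.113.10 - - [20/Dec/2020:03:14:09 +0000] "POST /index.html HTTP/1.1" 200 512 "fta.example.com"
198.51.100.7 - - [20/Dec/2020:03:15:02 +0000] "GET /index.html HTTP/1.1" 500 0 "fta.example.com' OR '1'='1"
198.51.100.7 - - [20/Dec/2020:03:15:03 +0000] "GET /index.html HTTP/1.1" 500 0 "other-host.example.net"
"""

# Constructed allow-list: the only names this appliance should ever be addressed by.
EXPECTED_HOSTS = {"fta.example.com"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<host>[^"]*)"$'
)
# A well-formed Host value is a hostname or IPv4 literal with an optional port; nothing else.
VALID_HOST_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$')


@dataclass
class Finding:
    ip: str
    timestamp: str
    host: str
    reason: str


def inspect_host(host: str) -> Optional[str]:
    """Return a reason string if the Host value looks wrong, else None."""
    if not VALID_HOST_RE.match(host):
        return "malformed Host header (characters outside hostname syntax)"
    if host.split(":")[0].lower() not in EXPECTED_HOSTS:
        return "Host header not in the appliance's expected hostname list"
    return None


def analyze(log_text: str) -> List[Finding]:
    """Parse each log line and collect requests whose Host header fails inspection."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # lines in another layout are skipped, not guessed at
        reason = inspect_host(m["host"])
        if reason:
            findings.append(Finding(m["ip"], m["ts"], m["host"], reason))
    return findings


def offenders(findings: List[Finding]) -> Counter:
    """Count findings per client address so repeat sources stand out."""
    return Counter(f.ip for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.ip} Host={f.host!r}: {f.reason}")
    print("findings per client:", dict(offenders(results)))
```

The syntax check fires on anything that cannot be a hostname at all, which is what an injected Host value looks like, while the allow-list check catches the quieter case of a syntactically clean but unexpected name. The same allow-list belongs in front of the appliance as a reverse-proxy rule that rejects unknown Host values before they reach the application.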
The Victims: A Cross-Industry Impact
The breadth of organizations affected underscored how deeply embedded Accellion FTA was in enterprise file transfer workflows. Major victims included:
| Organization | Industry | Impact |
|---|---|---|
| Kroger | Retail / Pharmacy | Employee and pharmacy customer data exposed |
| Singtel | Telecommunications | Customer personal data of 129,000 individuals |
| Reserve Bank of New Zealand | Central Banking | Sensitive financial system files accessed |
| ASIC (Australian Securities and Investments Commission) | Financial Regulation | Credit application attachments compromised |
| Bombardier | Aerospace | Design data and employee information leaked |
In total, more than 100 organizations across healthcare, government, finance, telecommunications, and education were affected. In the healthcare sector, multiple providers disclosed breaches under HIPAA notification rules, with Kroger's subsidiary Kroger Health agreeing to an $8.1 million settlement related to the incident.
The Vendor Risk Failure
Accellion had announced end-of-life for the FTA product as early as April 2019, advising customers to migrate to its newer Kiteworks platform. Despite this, scores of organizations continued running FTA appliances well into 2021. This created a dangerous third-party risk scenario: a legacy product with known support limitations remained embedded in critical file transfer workflows, and many organizations lacked visibility into the risk this posed.
What This Means for Third-Party Risk Management
The Accellion FTA breach offers several critical insights for TPRM and GRC professionals:
- Legacy software is silent risk. Vendor risk assessments must account for the age and support status of products, not just the vendor's current reputation. A product approaching end-of-life should be flagged for elevated risk regardless of its prior track record.
- File transfer is a high-value target. Any vendor involved in moving sensitive data between organizations is a prime target for attackers. TPRM programs should classify file transfer vendors as critical and subject them to enhanced due diligence.
- Zero-day risk cannot be eliminated, but exposure can be reduced. While no organization can prevent a zero-day from being discovered, limiting the attack surface by retiring legacy products and enforcing vendor patching SLAs can dramatically reduce exposure windows.
- Extortion changes the calculus. The shift from traditional ransomware (encrypting systems) to data theft and extortion means that even organizations with strong backup strategies are vulnerable if a third-party vendor stores their sensitive data.
Quantifying the Risk with FAIR
Using the FAIR (Factor Analysis of Information Risk) framework, organizations can model the risk of legacy file transfer vendors by assessing the probability of exploit (high, given EOL status and known targeting) against the magnitude of loss (which in this case included regulatory penalties, settlement costs, and reputational harm). This quantified approach helps TPRM teams prioritize migration away from legacy products before an incident forces their hand.
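To make the FAIR framing above concrete, and to show how the end-of-life flag from the "legacy software is silent risk" point feeds into it, here is an added worked example; it is not from the article, from Accellion or from any FAIR tooling. It models a vendor product with the FAIR factors the text names: threat event frequency, vulnerability (the probability a threat event becomes a loss event, raised once the product is past end-of-life), and loss magnitude. It gives both the single-value estimate and a Monte Carlo distribution using triangular (min, most likely, max) inputs. Every frequency and dollar figure is a constructed placeholder; the only value taken from the article is the April 2019 end-of-life announcement, and the exact day used for it is assumed.

```python
import math
import random
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class VendorProduct:
    name: str
    end_of_life: Optional[date]                 # None while the vendor still supports it
    tef: Tuple[float, float, float]             # threat event frequency per year (min, most likely, max)
    vuln_supported: float                       # P(threat event becomes a loss event) while patches ship
    vuln_eol: float                             # the same probability once patches stop
    loss_magnitude: Tuple[float, float, float]  # USD per loss event (min, most likely, max)


def is_end_of_life(product: VendorProduct, as_of: date) -> bool:
    return product.end_of_life is not None and product.end_of_life <= as_of


def vulnerability(product: VendorProduct, as_of: date) -> float:
    # FAIR "vulnerability": an EOL product is assessed as far more likely to turn a threat event into a loss.
    return product.vuln_eol if is_end_of_life(product, as_of) else product.vuln_supported


def point_estimate(product: VendorProduct, as_of: date) -> float:
    """Single-value FAIR estimate: ALE = TEF(most likely) x Vulnerability x LM(most likely)."""
    return product.tef[1] * vulnerability(product, as_of) * product.loss_magnitude[1]


def _triangular(rng: random.Random, lo_mode_hi: Tuple[float, float, float]) -> float:
    lo, mode, hi = lo_mode_hi
    return rng.triangular(lo, hi, mode)  # random.triangular takes (low, high, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method; adequate for the small per-year rates used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(product: VendorProduct, as_of: date,
                         trials: int = 10000, seed: int = 7) -> List[float]:
    """Monte Carlo: sample TEF, draw the year's number of loss events, sum one loss magnitude per event."""
    rng = random.Random(seed)
    vuln = vulnerability(product, as_of)
    yearly: List[float] = []
    for _ in range(trials):
        lef = _triangular(rng, product.tef) * vuln  # loss event frequency for this trial
        events = _poisson(rng, lef)
        yearly.append(sum(_triangular(rng, product.loss_magnitude) for _ in range(events)))
    return yearly


def percentile(values: List[float], pct: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def risk_summary(product: VendorProduct, as_of: date) -> Dict[str, float]:
    losses = simulate_annual_loss(product, as_of)
    return {
        "eol": float(is_end_of_life(product, as_of)),
        "point_ale": point_estimate(product, as_of),
        "mean_ale": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
    }


# Constructed inputs: the EOL date follows the article (April 2019; the day is a placeholder);
# every frequency and dollar figure is illustrative, not data from the incident.
FTA = VendorProduct(
    name="Accellion FTA (legacy file transfer)",
    end_of_life=date(2019, 4, 30),
    tef=(0.5, 2.0, 4.0),
    vuln_supported=0.15,
    vuln_eol=0.60,
    loss_magnitude=(250_000.0, 1_500_000.0, 5_000_000.0),
)

if __name__ == "__main__":
    # Same product assessed before and after its end-of-life date.
    for when in (date(2018, 12, 31), date(2020, 12, 31)):
        s = risk_summary(FTA, when)
        print(f"{FTA.name} as of {when}: EOL={bool(s['eol'])} point ALE=${s['point_ale']:,.0f} "
              f"mean ALE=${s['mean_ale']:,.0f} p50=${s['p50']:,.0f} p90=${s['p90']:,.0f}")
```

The only input that changes between the two assessment dates is the vulnerability factor, so the gap between the two annualized loss figures is the cost of carrying the product past end-of-life. That number, alongside the p90 tail, is what a TPRM team can put beside the migration budget when arguing for retiring a legacy vendor product before an incident forces the decision.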
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- Accellion FTA Exploited for Data Theft and Extortion - Mandiant (FireEye)
- Accellion FTA Zero-Day Attacks Show Evolving Criminal Group - Bleeping Computer
- Kroger Settles Accellion Data Breach Lawsuit for $8.1 Million - HIPAA Journal
- Exploitation of Accellion File Transfer Appliance - CISA Joint Cybersecurity Advisory
- Reserve Bank Responding to Illegal Breach of Data System - Reserve Bank of New Zealand