IOTW: End-Of-Life Third Party Software Responsible For Singtel Hack

The PII of 129,000 Singtel customers hangs in the balance after an attack on Singapore's largest mobile network operator, carried out through a third-party file-transfer product that its vendor had already scheduled for end-of-life.

The Facts

On February 17, Singtel released a detailed statement about a successful zero-day attack that exposed the personally identifiable information (PII) of 129,000 customers, including names, dates of birth, phone numbers and addresses. Twenty-eight former employees had their bank account details stolen. The attackers also took a few dozen credit card numbers belonging to staff of a Singtel corporate customer, along with information from 23 related enterprises such as suppliers and partners; Singtel notes that this last category could be particularly damaging if it reached those companies' competitors.

The entry point was Accellion's FTA (File Transfer Appliance), which Singtel used for large internal data transfers. It is the same product that was exploited in the Washington State breach, an 18-hour flight away, that we reported on at the beginning of the month. Unlike many victims, however, Singtel had the resources and know-how to follow the standard playbook for preventing such an attack.

On December 23, Accellion alerted Singtel to a zero-day vulnerability in FTA, and Singtel installed the vendor's patch the next day, December 24. On December 27 it installed a second patch related to the same issue and was told no further action was necessary.

On January 23, Accellion notified Singtel of a second vulnerability, unrelated to the first, which the December patches did not cover. This time Singtel took the system offline. On January 30 it attempted to install a further patch, but the installation failed after triggering an "anomaly alert." Singtel kept the system offline and opened a formal investigation. On February 9 the investigation confirmed that the system had been breached and that data had been stolen.

The Straits Times reported on Wednesday that the Singtel breach may have been part of a larger coordinated extortion campaign by the Clop group, a cybercriminal crew that steals data and threatens to publish it on the Dark Web unless paid. Singtel has yet to name a suspect.

Singtel is responding to its customers with transparency and detail, and is providing data monitoring at no cost to those affected. In a media statement after the breach was first made public, chief executive Yuen Kuan Moon was apologetic. "I'm very sorry this has happened to our customers and apologize unreservedly to everyone impacted. Data privacy is paramount. We have disappointed our stakeholders and not met the standards we have set for ourselves."


For its part, Accellion points to the age of the product. Frank Balonis, Accellion's CISO, says that all FTA customers had been encouraged over the past three years to migrate to kiteworks, the vendor's successor platform. FTA is a 20-year-old legacy system whose end-of-life date is April 30, 2021.

Lesson Learned

On paper, Singtel did everything right. It had a strong security team in place, installed patches as soon as they were released, and took the vulnerable system offline at the first sign of trouble, all the things cyber security experts constantly preach. Even after the event, its transparency and commitment to the investigation have been admirable. Still, it got breached. Could it have done anything to prevent this?

Experts say yes. Singtel could have, and arguably should have, begun migrating to kiteworks at the first sign of trouble on December 23. More broadly, every enterprise should keep an inventory of its third-party software and audit it regularly. Pertinent questions include how old the software is, whether the vendor has announced an end-of-life date and when it falls, and whether the vendor offers a modern replacement. A product that is approaching end-of-life is a product the vendor is no longer investing in, and a patch for a zero-day in such a product is a stopgap, not a fix. Enterprises are advised to migrate to the newer, better-supported software as soon as it makes sense, acting proactively instead of reactively. Singtel had to learn the hard way: its shares closed at S$2.40 the day after the announcement, down 0.83 per cent.
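The audit recommended above reduces to a check over a software inventory: for each third-party product, is it past end-of-life, about to reach it, or lacking any published date at all, and has the vendor named a successor to move to? The following Python script is an added example, not code from the article, from Singtel or from Accellion. The inventory rows, the 90-day warning window and the audit date of February 17, 2021 are constructed for illustration; only the FTA row's end-of-life date and its successor product come from the article.

```python
"""Flag third-party software that is past, near, or missing an end-of-life date.

Added example, not code from the original article. The inventory below is
constructed for illustration; only the FTA row's EOL date and successor come
from the article, all other vendors, versions and dates are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    version: str
    eol: date | None        # None: the vendor has published no end-of-life date
    successor: str | None   # vendor-designated replacement product, if any
    internet_facing: bool   # exposure drives the tie-break when ranking findings


@dataclass(frozen=True)
class Finding:
    name: str
    status: str             # 'past_eol' | 'eol_imminent' | 'no_eol_date' | 'ok'
    days_to_eol: int | None
    action: str


# Constructed sample inventory (see module docstring for provenance).
INVENTORY = [
    Asset("FTA", "Accellion", "9.12", date(2021, 4, 30), "kiteworks", True),
    Asset("LegacyFax", "ExampleCo", "3.1", date(2019, 12, 31), None, False),
    Asset("WidgetSync", "ExampleCo", "7.4", None, None, True),
    Asset("ReportGen", "OtherVendor", "2.0", date(2026, 1, 1), None, False),
]

# Assumed audit date: the day of Singtel's statement in the article.
AUDIT_DATE = date(2021, 2, 17)

# Higher number = more urgent. An unknown EOL date is a finding, not a pass:
# you cannot plan a migration around a date you do not have.
SEVERITY = {"past_eol": 3, "eol_imminent": 2, "no_eol_date": 1, "ok": 0}


def classify(asset: Asset, today: date, warn_days: int = 90) -> str:
    """Bucket one asset by how close it is to vendor end-of-life."""
    if asset.eol is None:
        return "no_eol_date"
    if asset.eol < today:
        return "past_eol"
    if asset.eol - today <= timedelta(days=warn_days):
        return "eol_imminent"
    return "ok"


def recommendation(asset: Asset, status: str) -> str:
    """Turn a status into the concrete next step for the owning team."""
    if status == "ok":
        return "no action"
    if asset.successor:
        return f"migrate to {asset.successor}"
    if status == "no_eol_date":
        return "ask vendor for an EOL date and support roadmap"
    return "replace; vendor has no designated successor"


def audit(inventory: list[Asset], today: date, warn_days: int = 90) -> list[Finding]:
    """Return one Finding per asset, riskiest first.

    Ordering: severity, then internet-facing before internal, then name.
    """
    findings = []
    for asset in inventory:
        status = classify(asset, today, warn_days)
        days = (asset.eol - today).days if asset.eol is not None else None
        findings.append(Finding(asset.name, status, days, recommendation(asset, status)))
    by_asset = {a.name: a for a in inventory}
    findings.sort(key=lambda f: (-SEVERITY[f.status],
                                 not by_asset[f.name].internet_facing,
                                 f.name))
    return findings


def run_audit() -> list[Finding]:
    """Convenience entry point using the constructed inventory and audit date."""
    return audit(INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_audit():
        days = "n/a" if f.days_to_eol is None else f"{f.days_to_eol:+d}d"
        print(f"{f.name:<12} {f.status:<13} {days:>7}  {f.action}")
```

Run against the constructed inventory on the audit date, the script ranks the already-expired product first, puts FTA second (72 days from end-of-life, with a named successor to migrate to), and flags the product with no published date for vendor follow-up rather than silently treating it as safe. Feeding it a real inventory means keeping the EOL and successor fields current, which is exactly the tracking the paragraph above calls for.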

