The software stack used by enterprises can be a sprawling one, made up of legacy software, commercial enterprise software, open-source software and a mixture of on-premise and cloud deployments. What all of these have in common is the need to be maintained and kept up to date. Failing to do so causes operational problems (such as malfunctions), but more importantly, poorly maintained software can expose the organization to severe security risk.
‘End of Life’ should mean what it says: vendors mark software in a specific way that tells organizations not only that it’s no longer supported but also that it should no longer be deployed. But in almost any medium to large-sized organization, EOL software can be found, and sometimes even abound, across the enterprise, exposing the entire business to risk. Why do so many enterprises fail to heed the vendors’ warnings, and what are the dangers of doing so?
Accellion FTA (File Transfer Appliance) was the attack vector in several recent high-profile attacks, including those on the Singaporean telecom company Singtel, the Australian medical research institute QIMR Berghofer, the Washington state auditor, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, and the University of Colorado.
All these entities were using Accellion’s FTA, an old software application used to store and share large files. If you’re not familiar with it, think Box, Dropbox or Google Drive, but much, much older, dating back to the early 2000s. Enterprises would buy an FTA license, install the software on their own servers, and use it to enable the storing and sharing of large files with customers and employees. A typical use case for such software back then would be transferring files too large to be sent over email, a service that nowadays is so common that most businesses already have other solutions.
Accellion FTA is an old product that the vendor has already replaced with Accellion Kiteworks, but many organizations evidently kept using the old version, perhaps never realizing it was still installed on some forgotten server.
As often happens with products that have been on the market for a long time, someone eventually finds a vulnerability that had gone unnoticed. In this case it was an SQL injection vulnerability that enabled attackers to upload and install a webshell, giving them the ability to download files stored on the Accellion FTA server (and to clean up after themselves).
News of the attacks caught Accellion in the midst of transferring clients to their newer platforms. They have since released an emergency patch, urged their existing users to switch to the new products and issued an end-of-life announcement for FTA effective April 30, 2021.
It is unclear whether Accellion had planned to retire the product at that time anyway or chose to do so now because of the recent vulnerabilities. In any case, it is safe to assume that the product's official retirement will not put an end to its exploitation: the installations that were never patched will not be decommissioned by an announcement.
You tried it, you bought it, and it still works all these years later. What’s not to like about software that lasts? Alas, the problems with using older software products are numerous.
First, many of these products were released when testing methodologies were different and before bug bounty programs became popular. This means they likely did not undergo the kind of rigorous automated security testing and fuzzing that modern vulnerability researchers (and threat actors) use. If someone were to test these old products with contemporary tools, they might well find vulnerabilities the vendor missed back then.
Second, vendors rarely bother to issue security updates for discontinued products. Why would they? They want you to buy their latest offering, and “end of life” and “unsupported” means what it says. Thus, even if new vulnerabilities are found, affected products are unlikely to receive appropriate patches.
Older software products might also suffer from operational issues such as lack of compatibility with newer products or protocols, poor reliability and higher maintenance costs when, for example, that software itself has either hardware, OS or other software dependencies.
Despite all this, a global PC Trends Report found that 55% of all programs installed worldwide were out of date, as were many of the operating systems in current use. Why is it, then, that enterprises continue with legacy software?
There is no single answer, but it is often one or more of several factors, such as budget saving, lack of awareness and sometimes pure institutional inertia: if the organization is not seeing (or aware of) operational issues, there’s likely to be little incentive to “fix what ain’t broken”. No pain, no change.
It’s also often easier to continue using the same, familiar technology stack across users, administrators and clients where there are long-standing workflows that no one wants to disrupt.
Another factor: the perceived (if false) economy that replacing something that “still works” is an unnecessary and unwanted expense.
Put any one or more of those together with an organization that is either unaware of the dangers or the existence of legacy software still in use and you have a recipe for increased enterprise risk: an exploitation waiting to happen.
As noted, out-of-date software is a security risk. Attackers know this and seek to exploit it. The most famous example was the WannaCry attack of May 2017. After NSA hacking tools were leaked online, notably the EternalBlue SMBv1 exploit, they were quickly leveraged to deploy new, wormable ransomware. Microsoft had patched the underlying vulnerability (MS17-010) in March 2017, two months before the outbreak, and the leaked exploit had been public for a month. Alas, thousands of organizations had not installed the patch, and systems already out of support (Windows XP and Server 2003 only received an emergency patch after the outbreak) had no patch to install, so they were hit as a result.
More recent incidents (in addition to Accellion FTA) include the attack in early February 2021 on a Florida water treatment plant that was running an obsolete 32-bit version of Windows 7, and even the famous incident of Texas attorney Rod Ponton's "feline" appearance before a court, which was due to his using a 10-year-old laptop with avatar software installed (likely Live! Cam Avatar or CrazyTalk 4) that he was unaware of, until catlike features appeared on his face.
Given how poorly organizations have dealt with replacing older products in the past, it is very unlikely that many will do much better in the future, and for every one that doesn’t, history teaches that a breach is a real possibility. Organizations should recognize this is a significant security risk and treat it as such. Mitigating this risk involves awareness, preparation, and if needed, response.
A proper inventory of all IT assets and the software versions installed on them is the first step. Follow that up by identifying which products are obsolete and which are about to reach end of life, then decide if and how to replace them. Such products include Windows 7, end-of-life Windows 10 releases, Adobe Flash Player (retired at the end of 2020) and out-of-support versions of Adobe Acrobat Reader. Be aware that, on May 11, 2021, the Home, Pro, Pro Education and Pro for Workstations editions of Windows 10 version 1909 and all editions of Windows Server, version 1909 will reach end of service.
Using tools like SentinelOne Ranger can assist in mapping the existing assets and associated software versions.
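The inventory-then-triage step above is easy to describe and easy to get wrong, so here is a small worked example of the triage part. This is an added example, not code from the original article or from any SentinelOne product: it takes an inventory export (hostname, product, version) and a lifecycle table, and labels each asset as already end-of-life, expiring within a warning window, supported, or unknown. The hostnames, version strings and the `CustomFTP` entry are constructed; the Windows 7, Windows 10/Server 1909, Windows 10 20H2, Flash Player and Accellion FTA dates are the vendors' published ones (the 1909 and 20H2 dates are for the Home/Pro editions).

```python
"""Flag end-of-life (EOL) and soon-to-expire software in an asset inventory.

Added example; not code from the original article or any vendor product.
INVENTORY and EOL_TABLE are constructed sample data standing in for an
asset-management export and a vendor lifecycle feed. Hostnames and version
strings are made up; the EOL dates are the vendors' published ones.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class EolEntry:
    product: str
    version: str  # "*" matches every version of the product
    eol: date


# Constructed lifecycle table. A real one would be refreshed from vendor
# lifecycle pages or a feed such as endoflife.date.
EOL_TABLE = [
    EolEntry("Accellion FTA", "*", date(2021, 4, 30)),
    EolEntry("Windows 7", "*", date(2020, 1, 14)),
    EolEntry("Windows 10", "1909", date(2021, 5, 11)),   # Home/Pro editions
    EolEntry("Windows 10", "20H2", date(2022, 5, 10)),   # Home/Pro editions
    EolEntry("Windows Server", "1909", date(2021, 5, 11)),
    EolEntry("Adobe Flash Player", "*", date(2020, 12, 31)),
]

# Constructed inventory rows: (hostname, product, version).
INVENTORY = [
    ("fileshare-01", "Accellion FTA", "9"),
    ("hr-ws-07", "Windows 10", "1909"),
    ("scada-hmi", "Windows 7", "SP1"),
    ("dev-02", "Windows 10", "20H2"),
    ("kiosk-03", "Adobe Flash Player", "32.0.0.465"),
    ("legacy-app-srv", "CustomFTP", "1.0"),  # not in the lifecycle table
]

# Fixed reference date (around the time of the article) so output is reproducible.
REPORT_DATE = date(2021, 3, 1)


def lookup_eol(product, version, table=EOL_TABLE):
    """Return the EOL date for product/version, or None if the table has no entry.

    An exact version match takes precedence over a "*" wildcard entry.
    """
    wildcard = None
    for entry in table:
        if entry.product != product:
            continue
        if entry.version == version:
            return entry.eol
        if entry.version == "*":
            wildcard = entry.eol
    return wildcard


def classify(product, version, today, warn_days=90, table=EOL_TABLE):
    """Classify as 'eol', 'expiring' (EOL within warn_days), 'supported' or 'unknown'.

    'unknown' is kept separate from 'supported' on purpose: a product the table
    does not know about has not been checked, which is not the same as safe.
    """
    eol = lookup_eol(product, version, table)
    if eol is None:
        return "unknown"
    if eol <= today:
        return "eol"
    if eol - today <= timedelta(days=warn_days):
        return "expiring"
    return "supported"


def report(inventory=INVENTORY, today=None, warn_days=90, table=EOL_TABLE):
    """Return (host, product, version, status) rows, hosts needing action first."""
    today = today or date.today()
    rows = [(host, prod, ver, classify(prod, ver, today, warn_days, table))
            for host, prod, ver in inventory]
    order = {"eol": 0, "expiring": 1, "unknown": 2, "supported": 3}
    rows.sort(key=lambda r: (order[r[3]], r[0]))
    return rows


if __name__ == "__main__":
    for host, product, version, status in report(today=REPORT_DATE):
        print(f"{status:10} {host:16} {product} {version}")
```

Two design points matter in practice. Anything the lifecycle table does not cover comes back as `unknown` rather than `supported`, so gaps in the table show up as work items instead of disappearing; and the warning window (`warn_days`) is what turns the May 11 deadline above into a ticket two or three months before it lands rather than the morning after.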
Organizations are also advised to apply vendor updates and patches promptly, especially for security products (some of which have carried critical security flaws for years before they were found). A next-gen security platform is also a prerequisite for detecting and containing an attacker who does find a way inside by exploiting vulnerabilities in older products.
SentinelOne provides one platform to prevent, detect, respond, and hunt threats across all enterprise assets. See what has never been seen before. Control the unknown. All at machine speed.