Singtel’s Zero-Day Cyberattack – Anticipate OR Re-Act to Attacks?

What Can We Learn from Singtel’s Zero-Day Cyberattack?

Singapore’s telecom giant, Singtel, has fallen victim to a zero-day cyberattack which stemmed from security bugs in third-party software – the Accellion legacy file-transfer platform. Until recently, Singtel had used this system to transfer large files during business operations. The attack resulted in a data breach affecting an estimated 129,000 users, who had their personal information stolen. The attackers managed to procure the NRIC numbers, names, dates of birth, mobile numbers, and addresses of Singtel customers; bank account details of 28 former employees; credit card details of 45 staff members of a corporate customer; and some data from 23 enterprises. Singtel’s Group CEO, Yuen Kuan Moon, stated that the data theft was committed by unknown parties, and apologized to everyone impacted. “We are conducting a thorough review of our systems and processes to strengthen them”, he assured. However, does a reactive security measure really make for a sufficient defense against zero-day vulnerabilities? Before addressing this question, we will first discuss the details of the attack.

Accellion: The Entry Point

Accellion is a software company which made a legacy large-file-transfer product known as File Transfer Appliance (FTA). Accellion became aware of a zero-day security vulnerability in FTA in mid-December and scrambled to patch it quickly. However, this vulnerability was just one of many zero-days in the system, which the company only discovered after coming under attack. The attack on Accellion was sophisticated, coordinated, and wide-ranging. While Accellion did identify more exploits in the ensuing weeks, it was a constant battle against the attackers: patches had to be developed and released rapidly to close each vulnerability. Amidst this scramble of discovery, attacks and patching, companies like Singtel were caught in the crossfire.

The FTA was used “to share information internally as well as with external stakeholders”, Singtel said in an online statement. The file-sharing system is a 20-year-old product nearing its end-of-life that is used not only by Singtel but by many organizations across various sectors, despite Accellion offering newer and more secure file-sharing solutions. “That’s problematic – it’s the kind of decision that puts companies at sharply increased risk”, said Chloé Messdaghi, Accellion’s chief strategist. Singtel has commented that it was unfortunate that the attack occurred while it was conducting a review to upgrade or replace the product, and that the patches still failed despite being applied promptly. Nonetheless, Singtel is only one of the multiple organizations affected by the bugs in the Accellion file transfer platform, which also include an Australian medical research institution.

From an Unpatched Vulnerability to The Attack on Singtel

The initial vulnerability was discovered by Accellion on 23rd December 2020 and disclosed to Singtel in a timely fashion. Accellion provided a series of patches to plug the vulnerability. Singtel applied the first patch the next day, and the second and last patch on 27th December. On 23rd January 2021, Accellion issued another advisory citing a new vulnerability against which the previous patch was ineffective. At this point, Singtel immediately took the system offline. Another patch was released on 30th January, but it triggered an anomaly alert when Singtel attempted to apply it. Singtel was informed that a breach could have occurred in its system on 20th January. The system was kept offline while cybercrime investigations continued; these confirmed on 9th February that files had been stolen.

Singtel has since established that this is an isolated incident involving a standalone third-party system, and that its core operations remain unaffected. It has undertaken an ‘impact assessment’ to uncover the extent and nature of the data that was potentially accessed. (Instead of an impact assessment, why not perform a pre-emptive risk assessment to protect your organization from these cyber risks? We can help!) The telco currently has both consumer- and business-focused operations in Singapore; throughout Australia via its subsidiary Optus; across India, South Asia and Africa via Bharti Airtel; in Indonesia via Telkomsel; in the Philippines via Globe Telecom; and in Thailand via Advanced Info Service. Given how widespread the adoption of its network is, the scope of the damage is estimated to be hefty. In a bid to remedy the situation, Singtel has provided its assurance to the affected parties: “Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.”

Accellion and Singtel have both taken prompt measures to combat the breach, and the crisis may be resolved for now. Still, it should not be forgotten that this attack progressed rapidly from initiation to escalation. The main reason is that the security bugs uncovered by Accellion (albeit a little too late) were zero-day vulnerabilities. What makes a zero-day vulnerability so impactful? The fact that it is newly discovered. This means that an official patch or update to fix the vulnerability has not been released, as the developer has only just uncovered the security flaw. In essence, the term “zero-day” comes from the idea that the developers have “zero days” to fix a vulnerability that has just been exposed, and possibly already exploited by hackers. The case of Singtel is a prime example. Once the initial vulnerability had become publicly known, Accellion had to work quickly to fix the issue and protect its users. However, as it failed to release the patch before the attackers managed to exploit these security holes, Singtel (and other businesses and consumers alike) were compromised. This is known as a zero-day attack.

The Danger of Zero-Day Vulnerabilities

While there are several types of vulnerabilities that provide opportunities for attack, one of the most difficult security flaws to protect against is the zero-day vulnerability. In a typical scenario, a vulnerability is first discovered by the developer or by a security researcher (internal or external), who reports it to the developer; the developer then analyses it and creates a patch that remediates the issue. However, this process takes time. When the vulnerability becomes publicly known before the developers find a fix, hackers worldwide can attempt to exploit it. At this point, both the developer and the attacker are in a race against time: the question is who gets to the vulnerability first.

Zero-day vulnerabilities are essentially security flaws that have just been discovered and for which no patch exists. It does not help that a zero-day can be an instance of any broader type of software vulnerability. For example, missing data encryption, SQL injection, buffer overflows, missing authorization, broken algorithms, URL redirects, bugs, or weak password security could all be zero-day vulnerabilities. Because zero-days can take almost any form, they are difficult to find proactively. Almost any type of vulnerability can be exploited as a zero-day if a patch is not produced in time. While hackers will not have an easy time locating these vulnerabilities, it is also difficult to safeguard effectively against them. The nature of a zero-day attack is such that the victim does not have the necessary defenses in place, which contributes to a high probability of success. These attacks, when successful, can carry hefty costs in terms of data theft, system downtime, and a damaged reputation. Unfortunately, complete threat protection is an impossible feat. But this does not mean that we should not try! Businesses should always be on their guard against zero-day attacks, as the alternative is an unfavorable and costly option. The frequency of zero-day attacks is increasing with the prevalence of technology and the amount of code created. Experts predict that these numbers will increase from 1 zero-day attack per week in 2015 to a new attack daily by 2021. Is your organization ready to be a part of this statistic, just like all the others affected in the Accellion attack? If your response is ‘no’, do not fret! The risk of suffering the unpleasant aftermath of a successful zero-day attack can be mitigated by implementing the strategies provided below.

How to Protect Your Organization Against Zero-Day Attacks

Accellion and Singtel’s response to the zero-day attack exemplifies a reactive security measure. But does a purely reactive security measure make for a sufficient defense against zero-day vulnerabilities? The simple answer is no. A reactive security strategy relies on propping up your defenses once a new vulnerability becomes known, before cybercriminals can exploit it, or on responding to a breach in your network after the fact. This traditional approach is still used by the majority of organizations in the implementation and maintenance of their security posture. The reactive strategy works well when faced with threats that are already on the blacklist (i.e. previously encountered threats which act in a predictable way). However, over-reliance on this strategy can leave your organization exposed when dealing with zero-day vulnerabilities.

A preventive strategy, on the other hand, will better equip you to respond to previously undetected malware, expanding threat vectors, emerging attack strategies, and sophisticated cybercriminal communities. As the age-old saying goes, “Prevention is better than cure.” Prevention truly is the best form of protection. Shifting from a reactive strategy toward a more proactive one can greatly benefit your organization when dealing with advanced threats in today’s cyber environment. The main difference with this strategy is that attacks are anticipated rather than reacted to. Any ‘hazardous conditions’ that may give rise to potential vulnerabilities are proactively identified and mitigated. This can be done by leveraging real-time threat intelligence, deploying behavioral analytics tools, and implementing a cohesive security fabric.

Applying these best practices will benefit your organization in the prevention of zero-day attacks:

Implement Security Protocols
All personnel should be trained on security best practices to fully prepare an organization to act on a zero-day vulnerability. A sequence of security measures should be developed and implemented, and the workforce trained on how and when to enact these measures.
Manual Log Review for Pro-Active Malicious Activity Detection
The existing infrastructure may not be sufficient to limit the impact of a newly discovered zero-day vulnerability, leaving the door open to a breach. To counter these attacks, the company can perform regular manual log reviews of its assets, which can reveal a compromise earlier than the public discovery of the zero-day vulnerability itself.
Conduct Constant Attack Simulation Exercise
Beyond assessing the security risk of its IT assets (web, network, etc.), the company is advised to conduct regular attack simulation exercises (red teaming) to assess and enhance its resilience against sophisticated and complex attacks. An effective way to conduct red teaming is to design various attack scenarios by identifying the most likely adversaries and attack vectors through threat modelling.
Limit the Services Exposed to Public
Whenever services must be exposed to the public, the company is advised to implement an additional layer of security control such as IPsec, which encrypts and authenticates all your network traffic and so allows a system to quickly identify and isolate traffic that falls outside the authenticated channel, along with other suspicious activity. The company may conduct a security design review and threat modelling to detect such flaws in the network design.
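As an added illustration of the log review recommended above (example code written for this post, not from the original article or from softScheck), the script below parses constructed access-log lines from a hypothetical file-transfer service and flags two patterns a reviewer would look for when hunting a compromise: a burst of successful downloads from one source in a short window, and downloads made with no authenticated user. The log format, the thresholds and the sample IPs are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style; not real Singtel or
# Accellion data. A "-" in the user slot means no authenticated user.
SAMPLE_LOG = """\
203.0.113.7 - alice [20/Jan/2021:02:10:01 +0800] "GET /download/report.pdf HTTP/1.1" 200 51234
203.0.113.7 - alice [20/Jan/2021:02:10:09 +0800] "GET /download/notes.docx HTTP/1.1" 200 8211
198.51.100.23 - - [20/Jan/2021:02:14:30 +0800] "GET /download/export1.xlsx HTTP/1.1" 200 4194304
198.51.100.23 - - [20/Jan/2021:02:14:31 +0800] "GET /download/export2.csv HTTP/1.1" 200 2097152
198.51.100.23 - - [20/Jan/2021:02:14:33 +0800] "GET /download/export3.xlsx HTTP/1.1" 200 1048576
198.51.100.23 - - [20/Jan/2021:02:14:35 +0800] "GET /download/export4.xlsx HTTP/1.1" 200 3145728
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
    return rec

def find_bulk_downloads(log_text, window=timedelta(minutes=1), max_files=3):
    """Return sorted (ip, reason) alerts: 'burst' when a source pulls more than
    max_files successful downloads inside one sliding window, 'unauthenticated
    download' when a successful download carries no user name."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200 and rec["path"].startswith("/download/"):
            per_ip[rec["ip"]].append(rec)
    alerts = set()
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:  # slide window forward
                start += 1
            if end - start + 1 > max_files:
                alerts.add((ip, "burst"))
            if rec["user"] == "-":
                alerts.add((ip, "unauthenticated download"))
    return sorted(alerts)
```

Run against real appliance logs, the thresholds should be tuned to the organisation's normal transfer volumes so that legitimate batch jobs do not drown out the anomalies.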

It is imperative to have a strong security posture, as it is your first line of defense against these cyberattacks. Are you interested in improving your organization’s security? Or curious about your level of cyber risk? softScheck is a CREST-certified cybersecurity service firm with deep expertise in offensive security. Our agile team of engineers is trained to perform security services such as risk assessments, audits, VAPT, source code reviews, and even red-team exercises. In choosing us as your cybersecurity service provider, you can be confident of receiving first-rate results. Stay secure with softScheck! Please email any feedback or inquiries to sales@softscheck.sg and our team will gladly be of assistance.