Full Report
Kroger is the latest addition to a growing list of organizations affected by the cyberattack on Accellion's legacy file transfer product, the File Transfer Appliance (FTA).
Analysis Summary
# Incident Report: Accellion File Transfer Appliance (FTA) Breach Impacting Kroger
## Executive Summary
Kroger was one of many victims of a widespread cyberattack on its third-party vendor Accellion, specifically on vulnerabilities in Accellion's legacy File Transfer Appliance (FTA). Attackers breached the Accellion environment in mid-December 2020, exposing sensitive data belonging to a subset of Kroger customers and associates connected to Kroger Health and Money Services. Accellion notified Kroger on January 23, 2021, and Kroger immediately terminated its relationship with the vendor.
## Incident Details
- **Discovery Date:** January 23, 2021 (Kroger notified by Accellion)
- **Incident Date:** Mid-December 2020 (Initial breach at Accellion)
- **Affected Organization:** Kroger Co. (and its associates/customers)
- **Sector:** Grocery and Pharmacy Retail
- **Geography:** United States (Cincinnati-based company)
## Timeline of Events
### Initial Access
- **Date/Time:** Mid-December 2020
- **Vector:** Exploitation of vulnerabilities in Accellion's legacy File Transfer Appliance (FTA).
- **Details:** Attackers exploited several flaws in the FTA, including SQL injection (SQLi), cross-site scripting (XSS) and OS command injection, affecting both the main user interface and the administrative interface.
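To make the three flaw classes named above concrete, the following is an added illustration written for this report, not Accellion FTA code: a hypothetical file-transfer web application's file listing, download packaging and HTML rendering, each shown in a vulnerable form beside its hardened form. The table layout, file paths, `SAFE_NAME` allow-list and the use of `echo` as a stand-in for an archiving command are all assumptions made for the example.

```python
"""Constructed illustration of SQL injection, OS command injection and XSS in a
hypothetical file-transfer web application, each beside its hardened form.
Written for this report; not Accellion FTA code. Requires a POSIX /bin/sh."""
import html
import re
import sqlite3
import subprocess

# Allow-list for file names passed to the OS: alphanumerics, dot, underscore and
# dash, no leading dot (rejects ".." and shell metacharacters). Assumed policy.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def build_db():
    """In-memory stand-in for the appliance's file index (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, path TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, path) VALUES (?, ?)",
        [("alice", "/data/alice/report.pdf"), ("bob", "/data/bob/payroll.csv")],
    )
    return conn


# --- SQL injection --------------------------------------------------------
def list_files_vulnerable(conn, owner):
    # Untrusted input concatenated into the query: a crafted owner value
    # such as "alice' OR '1'='1" rewrites the WHERE clause and lists every file.
    query = f"SELECT path FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(query)]


def list_files_hardened(conn, owner):
    # Parameterized query: the value is bound by the driver, never parsed as SQL.
    rows = conn.execute("SELECT path FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# --- OS command injection -------------------------------------------------
def package_vulnerable(filename):
    # shell=True with interpolated input; `echo` stands in for a tar/zip call.
    # A filename like "x; id" makes the shell run a second command.
    cmd = f"echo packaging {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout


def package_hardened(filename):
    # Validate against the allow-list, then pass an argv list so no shell
    # ever parses the name; metacharacters are rejected before execution.
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return subprocess.run(["echo", "packaging", filename],
                          capture_output=True, text=True, check=True).stdout


# --- Cross-site scripting -------------------------------------------------
def render_row_vulnerable(filename):
    # A file name containing markup is emitted into the page as-is.
    return f"<tr><td>{filename}</td></tr>"


def render_row_hardened(filename):
    # Context-appropriate output encoding for HTML text content.
    return f"<tr><td>{html.escape(filename, quote=True)}</td></tr>"


def demo():
    """Run each vulnerable/hardened pair on an attacker-style input."""
    conn = build_db()
    probe = "alice' OR '1'='1"
    return {
        "sqli_vulnerable": list_files_vulnerable(conn, probe),
        "sqli_hardened": list_files_hardened(conn, probe),
        "cmdi_vulnerable": package_vulnerable("x; echo INJECTED"),
        "xss_vulnerable": render_row_vulnerable("<script>alert(1)</script>"),
        "xss_hardened": render_row_hardened("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The pattern is the same in all three cases: the vulnerable form lets untrusted input reach an interpreter (SQL engine, shell, browser) as code, and the hardened form keeps it as data through parameter binding, argv execution behind an allow-list, or output encoding.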
### Lateral Movement
- **Details:** The report covers the initial breach of Accellion's environment, which held data for multiple downstream clients including Kroger. No lateral movement inside Kroger's own network is described; the data was reached through the vendor platform that housed it.
### Data Exfiltration/Impact
- **Details:** Data belonging to a limited number of Kroger customers (less than 1%) associated with Kroger Health and Money Services was impacted. The compromised data included files transferred via the platform. **Crucially, no credit/debit card information or customer account passwords were affected.**
### Detection & Response
- **How it was discovered:** Accellion notified Kroger of the security incident on January 23, 2021.
- **Response actions taken:** Kroger announced the incident and immediately terminated its vendor relationship with Accellion.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerabilities in Accellion's legacy FTA (SQLi, XSS and OS command injection), as described above.
- **Persistence:** Not specified for Kroger; implied by the threat actor's continued access to the Accellion environment between the mid-December intrusion and the January notification.
- **Privilege Escalation:** Not specified. Command injection in the FTA web application would execute as the account running the web service, so any escalation would start from that account; system-level access is not a prerequisite for exploiting such flaws.
- **Defense Evasion:** Not specified. Exploiting the appliance itself, rather than an endpoint with host-based monitoring, meant detection depended on the appliance's own logging, and the outdated software offered no built-in protection against the flaws used.
- **Credential Access:** Not explicitly mentioned. SQL injection and command injection on the appliance do not require valid user credentials to reach stored files, so credential theft was not a precondition for the data access described.
- **Discovery:** Not specified, but the attackers likely enumerated the file repositories hosted on the FTA.
- **Lateral Movement:** Primarily occurred within the Accellion infrastructure to access client data repositories.
- **Collection:** Gathering data files associated with Kroger Health and Money Services customers.
- **Exfiltration:** Data theft from the compromised Accellion server instance.
- **Impact:** Data disclosure related to a subset of Kroger customers and associates.
## Impact Assessment
- **Financial:** Not quantified, but the cost would include necessary security assessments and vendor replacement costs.
- **Data Breach:** Sensitive customer and associate data from Kroger Health and Money Services (less than 1% of total customers). **No financial credentials were taken.**
- **Operational:** Required immediate replacement of a critical vendor (Accellion) and the file transfer platform it provided.
- **Reputational:** Negative publicity associated with being linked to a major third-party vendor breach.
## Indicators of Compromise
- **Network indicators (Defanged):** N/A (specific IOCs for the Accellion attack were not detailed in the article summary).
- **File indicators:** N/A
- **Behavioral indicators:** Unauthorized file access and exfiltration via the Accellion FTA platform.
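Since no concrete IOCs are available, the behavioral indicator above is what a defender would hunt for in the file transfer platform's own web-server logs. The following is an added example written for this report, not Accellion tooling: it parses combined-format access log lines, flags request parameters carrying SQL or shell injection probes (the flaw classes named in this report), and flags clients that retrieve an unusual number of distinct files. The log format, application paths (`/app/files`, `/app/download`), client addresses, signatures and the download threshold are all constructed assumptions, not Accellion-specific indicators.

```python
"""Constructed detection example: scan file-transfer application access logs for
injection attempts and bulk downloads. Log format, paths, addresses and
signatures are made up for this report; nothing here is an Accellion IOC."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined"-style line: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Crude signatures for the flaw classes the report names. They are applied to
# each decoded parameter value, not to the raw query string, where '&' is a
# legitimate separator and percent-encoding would hide the payload.
INJECTION_PATTERNS = (
    ("sqli", re.compile(r"'\s*(or|and)\s|union\s+select|--\s*$|;\s*(drop|select|insert)\b", re.I)),
    ("cmdi", re.compile(r"[;|`]|\$\(|&&")),
)

# Constructed sample: one client probing for SQLi and command injection, one
# client pulling a dozen files in a row, and one benign user.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2020:02:14:07 +0000] "GET /app/files?owner=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [15/Dec/2020:02:14:31 +0000] "POST /app/admin/export?name=x%3B%20id HTTP/1.1" 200 210',
    '192.0.2.10 - - [15/Dec/2020:02:15:02 +0000] "GET /app/files?owner=bob HTTP/1.1" 200 880',
    '192.0.2.10 - - [15/Dec/2020:02:15:40 +0000] "GET /app/download?id=2 HTTP/1.1" 200 40960',
] + [
    f'203.0.113.7 - - [15/Dec/2020:03:{i:02d}:00 +0000] "GET /app/download?id={i} HTTP/1.1" 200 {4096 * i}'
    for i in range(1, 13)
]


@dataclass
class Entry:
    ip: str
    ts: str
    method: str
    path: str
    params: list  # decoded (name, value) pairs
    status: int


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return Entry(ip=m["ip"], ts=m["ts"], method=m["method"], path=unquote(url.path),
                 params=parse_qsl(url.query, keep_blank_values=True),
                 status=int(m["status"]))


def injection_hits(entry):
    """Return (ip, tag, param, value) for each parameter matching a signature."""
    hits = []
    for name, value in entry.params:
        for tag, pattern in INJECTION_PATTERNS:
            if pattern.search(value):
                hits.append((entry.ip, tag, name, value))
    return hits


def bulk_download_clients(entries, download_path="/app/download", threshold=10):
    """Map client ip -> number of distinct files fetched, for clients at or
    above the threshold. Only successful (200) downloads count."""
    seen = defaultdict(set)
    for e in entries:
        if e.path == download_path and e.status == 200:
            seen[e.ip].add(dict(e.params).get("id"))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}


def analyze(lines, threshold=10):
    entries = [e for e in map(parse_line, lines) if e is not None]
    injection = [hit for e in entries for hit in injection_hits(e)]
    return {"injection": injection,
            "bulk": bulk_download_clients(entries, threshold=threshold)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["injection"]:
        print("injection probe:", hit)
    for ip, count in result["bulk"].items():
        print(f"bulk download: {ip} fetched {count} distinct files")
```

The signatures are deliberately simple and will produce false positives on real traffic; the point is the structure (decode before matching, match per parameter, correlate volume per client), which is what an appliance that only exposes web logs allows. Tune the threshold to the platform's normal per-user download counts.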
## Response Actions
- **Containment measures:** Immediate termination of the vendor relationship with Accellion on notification.
- **Eradication steps:** Not detailed; assumed to involve identifying and securing the data that was accessible through the vendor platform.
- **Recovery actions:** Communicating with impacted customers and associates.
## Lessons Learned
- The primary lesson identified by the analysis is the danger of continuing to run **insecure legacy solutions**: the outdated Accellion FTA should have been decommissioned before it was breached.
- **Poor vendor security practices** are a critical risk vector, as shown by the multiple vulnerabilities exploited in the FTA.
## Recommendations
- Organizations must aggressively evaluate the security posture of every solution they rely on, prioritizing the decommissioning of outdated and unsupported software such as the Accellion FTA.
- Scrutinize the defensive controls and vulnerability management practices of every critical third-party vendor that handles sensitive data.