Morgan Stanley is a leading global financial services firm providing investment banking, securities, wealth and investment management services worldwide reported data breach after the attackers stole the data belonging to its customers. The reported breach happen Accellion FTA servers was targeted by the attackers.

Encrypted files along with decryption keys was stolen

Guidehouse, a third-party vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, notified the investment banking company in May 2021 that attackers hacked its Accellion FTA server to steal information belonging to Morgan Stanley stock plan participants.

The Guidehouse server was breached by exploiting an Accellion FTA vulnerability in January before the vendor patched it within five days of the fix becoming available.

Guidehouse discovered the breach in March and the impact to Morgan Stanley customers in May, when it notified the financial services company of the incident and that no evidence was found of the stolen data being disseminated online by the threat actors.

“There was no data security breach of any Morgan Stanley applications,” Morgan Stanley said in data breach notification letters sent to impacted individuals.

“The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley.”

However, even though the stolen files were stored in encrypted form on the compromised Guidehouse Accellion FTA server, the threat actors also obtained the decryption key during the attack.

Morgan Stanley says that the documents stolen during this incident contained:

  • Stock plan participants’ names
  • Addresses (last known address)
  • Dates of birth
  • Social security numbers
  • Corporate company names

The company added that the files stolen from Guidehouse’s FTA server did not contain passwords information or credentials that the threat actors could use to gain access to impacted Morgan Stanley customers’ financial accounts.

Clop gang and FIN11 behind series of Accellion hacks

While the attackers’ identity was not disclosed in Morgan Stanley’s data breach notification, a joint statement published by Accellion and Mandiant from February shed more light on the attacks, directly linking them to the FIN11 cybercrime group.

The Clop ransomware gang has also used an Accellion FTA zero-day vulnerability (disclosed in December 2020) to steal data from multiple companies.

Accellion has said that roughly 300 customers used the 20-year-old legacy FTA software, with less than 100 of them being breached in these attacks.

The following Accellion FTA vulnerabilities was likely exploited during the attack

CVE-2021-27101 – SQL injection via a crafted Host header

CVE-2021-27102 – OS command execution via a local web service call

CVE-2021-27103 – SSRF via a crafted POST request

CVE-2021-27104 – OS command execution via a crafted POST request

Indicators of Compromise Courtesy Mandiant

  1. Hashes
MD5SHA256
2798c0e836b907e8224520e7e6e4bb425fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b
bdfd11b1b092b7c61ce5f02ffc5ad55a2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7

2. IP Address:

  • 45.135.229.179
  • 79.141.162.82
  • 155.94.160.40
  • 192.154.253.120
  • 192.52.167.101
  • 194.88.104.24

Leave a Reply

Your email address will not be published. Required fields are marked *