Kiteworks

From Wikipedia, the free encyclopedia
Kiteworks
Type: Private
Industry: Security software
Founded: 1999; 23 years ago (1999) in Singapore
Headquarters: Palo Alto, California, United States
Key people:
  • Jonathan Yaron (CEO)
  • Michael Lee (CFO)
  • Yaron Galant (CPO)
  • Frank Balonis (CISO)
Number of employees: 200[1]
Website: www.kiteworks.com

Kiteworks, formerly known as Accellion, Inc., is an American technology company that secures sensitive content communications over channels such as email, file share, file transfer, managed file transfer, web forms, and application programming interfaces. The company was founded in 1999 in Singapore and is now based in Palo Alto, California.

In 2022, the company stated that its products were used by over 3,800 organizations worldwide.[2] Beginning in late 2020, a zero-day exploit on a legacy product led to data breaches of dozens of government and private organizations in multiple countries.[3] The code vulnerabilities were confirmed in the company's legacy File Transfer Appliance (FTA) product and were not present in the Kiteworks platform, which is built on a separate codebase.

History

The company was founded as Accellion in Singapore in 1999 and was originally focused on distributed file storage.[4] The company moved to Palo Alto, California and shifted its focus to secure file transmission.[5] Accellion reached a total funding of about $35 million in 2011, and it was valued at $500 million in 2014.[4] The company's chief executive officer, Yorgen Edholm, credited aversion to "National Security Agency–style snooping" as a factor in their success.[6]

In January 2012, Accellion raised $12.2 million in funding from Riverwood Capital to continue their expansion.[7]

In 2016, Accellion started to focus on security and compliance and released features which included data security, governance, and compliance. They also began integrations with major cybersecurity independent software vendors (ISVs).[8]

In April 2020, the company received a $120 million investment from Bregal Sagemount.[9]

In October 2020, Accellion was rebranded as Kiteworks.[10]

In January 2022, Kiteworks acquired totemo, an email encryption gateway provider based in Zurich, Switzerland.[11]

Kiteworks is used by 35 million users across over 3,800 organizations.[2]

Software

Accellion was working on file transfer systems by late 2002.[12] The company released a file transfer appliance in 2005, a physical machine aiming to reduce server load when sending large files.[13]

In March 2011, the company released an online file collaboration product, emphasizing security.[14][12][15]

In 2012, the company launched a service allowing file sharing between mobile devices.[16] It included a synchronization feature called kitedrive.[17][18] Early demand for the company's file transfer applications came from organizations that needed to transfer large files, including healthcare companies[19] and universities.[20][21]

In January 2014, Accellion launched Kiteworks, a file sharing product allowing users to edit files and projects remotely, with interoperability with services like Google Drive and Dropbox.[4][22][23] That December, the company released a set of programming interfaces extending secure file access to mobile devices.[24]

In 2015, PCMag reviewer Fahmida Y. Rashid praised Kiteworks for its interface, support for mobile devices, and privacy tools.[25]

In June 2017, Accellion received FedRAMP authorization for Moderate Controlled Unclassified Information (CUI).[26]

In November 2018, Accellion launched the CISO Dashboard.[27]

2020–21 security breaches

In mid-December 2020, the company's File Transfer Appliance product—now a 20-year-old legacy system—was subject to a zero-day exploit,[28] which was patched on December 23.[29] Three additional vulnerabilities were discovered and patched over the next month.[30] The first vulnerability was a SQL injection, allowing an attacker to use a web shell to run arbitrary commands and extract data.[29] The four vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) codes 2021-27101 through 2021-27104 on February 16, 2021.[31]

Out of approximately 300 total FTA clients, up to 25 appeared to have suffered significant data theft,[32][33][34] including Kroger,[35] Shell Oil Company,[36][37] the University of California system,[38] the Australian Securities and Investments Commission,[39] the Reserve Bank of New Zealand,[40] and Singtel.[41] Data stolen includes Social Security numbers and other identification numbers, images of passports, financial information, driver's licence data,[42] and emails.[41][43] According to computer security firm FireEye, the attackers comprised two hacking groups: one with ties to "Clop", a ransomware group, and one connected to financial crime group "FIN11".[44] Many victims received extortion emails containing a .onion link to a website containing data dumps of multiple organizations.[44] Prior to the attacks, Accellion had maintained that the FTA was a legacy product nearing the end of its life, with support ending on April 30, 2021, asking customers to move to their kiteworks system.[3][35][45] David Kennedy, CEO of corporate incident response firm TrustedSec, said that "[t]he Accellion zero days were particularly damaging because actors were mass-exploiting this vulnerability quickly, and the severity of this wasn't being communicated from Accellion".[3] Mathew J. Schwartz summarized the exploits this way: "Among the many lessons to be learned from the mess is this: Attackers will devote substantial resources to reverse-engineer hardware, software or a service if they see a financial upside."[46]

In January 2022, Accellion proposed that it would pay an $8.1m settlement in relation to these breaches. The proposed settlement will settle legal actions against Accellion only. It does not take into account legal actions against clients impacted by the data breach.[47]

References

  1. ^ https://www.bizjournals.com/profile/company/org_ch_dc161c72aab4531c394ad98e68861f9c
  2. ^ a b "About Kiteworks".
  3. ^ a b c Newman, Lily Hay (March 8, 2021). "The Accellion Breach Keeps Getting Worse—and More Expensive". Wired. Retrieved April 2, 2021.
  4. ^ a b c Deborah Gage (January 27, 2014). "Accellion Targets Box, Dropbox on Secure File Sharing". The Wall Street Journal. Retrieved January 30, 2014.
  5. ^ Hoffman, Thomas (March 14, 2005). "Ogilvy Harnesses the Web for its File Transfer System". Archived from the original on June 27, 2013.
  6. ^ Ramakrishnan, Sruthi (February 5, 2014). "File-sharing company Accellion aims to go public in 2015". Reuters. Retrieved April 2, 2021.
  7. ^ https://www.bizjournals.com/sanjose/news/2012/01/04/accellion-raises-12m-for-expansion.html
  8. ^ "Accellion and FireEye Collaborate to Prevent Cyber Attacks From Crippling Critical Business Operations". finance.yahoo.com.
  9. ^ https://www.bizjournals.com/sanjose/news/2020/04/07/accellion-content-firewall-funding-valuation.html
  10. ^ "Accellion's Brand Name is Now Kiteworks". October 12, 2021.
  11. ^ Bei, Jerome (January 7, 2022). "Kiteworks Acquisition of Leading Email Encryption Gateway Company totemo Bolsters Kiteworks Content Communications Protection, Compliance, and Governance".
  12. ^ a b "Ogilvy Harnesses the Web for Its File Transfer System". Computer World. March 14, 2005. Archived from the original on June 27, 2013.
  13. ^ Solheim, Shelley (September 26, 2005). "Device Keeps Large Files Moving". eWEEK. Retrieved April 2, 2021.
  14. ^ Hulme, George V. (March 29, 2011). "Accellion proffers secure cloud collaboration workspaces". CSO Online. Retrieved April 2, 2021.
  15. ^ "Accellion introduces new secure collaboration worktool". Engineering and Technology Magazine. March 29, 2011. Archived from the original on September 7, 2011. Retrieved April 2, 2021.
  16. ^ Drinkwater, Doug (March 12, 2012). "Accellion strives for secure mobile file sharing with 'Dropbox for Enterprise'". TabTimes. Archived from the original on May 16, 2012. Retrieved April 2, 2021.
  17. ^ Scott, Jennifer (March 13, 2012). "Accellion launches kitedrive Sync its 'Dropbox for the enterprise'". Cloud Pro. Retrieved April 2, 2021.
  18. ^ Sibley, Lisa (January 4, 2012). "Accellion raises $12M for expansion plans". The Business Journals. Retrieved April 2, 2021.
  19. ^ Baker, M. L. (February 8, 2007). "Harvard CIO Herds Large File Transfers". eWeek.
  20. ^ "Solving the File Transfer Problem". Chronicle of Higher Education. January 28, 2008. Retrieved October 14, 2015.
  21. ^ "Appliance Helps Researchers Share Large Files". Bio-IT World. April 19, 2006. Archived from the original on April 2, 2012. Retrieved September 20, 2011.
  22. ^ Ben Kepes (January 28, 2014). "Accellion Launches Kiteworks, But Are They Too Late To The Mobile File Sharing Party?". Forbes. Retrieved January 30, 2014.
  23. ^ Nathan Eddy (January 31, 2014). "Accellion Kiteworks Helps Mobile Workers Boost Productivity". eWeek.
  24. ^ Clancy, Heather (November 28, 2014). "Accellion tackles secure mobile content updates". ZDNet. Retrieved April 2, 2021.
  25. ^ Rashid, Fahmida Y. (August 31, 2015). "Accellion Kiteworks Business Review". PCMag. Retrieved April 2, 2021.
  26. ^ "Federal and Central Government Solutions".
  27. ^ "Accellion CISO Dashboard provides visible, traceable record of sensitive content". Compliance Week. November 15, 2018.
  28. ^ Mathews, Lee (March 23, 2021). "Oil Giant Shell Victimized In December 2020 Hack". Forbes. Retrieved April 2, 2021.
  29. ^ a b United States Department of Homeland Security. "Exploitation of Accellion File Transfer Appliance | CISA". Cybersecurity and Infrastructure Security Agency.
  30. ^ Fisher, Dennis (February 26, 2021). "Attackers Continue to Target Accellion FTA Flaws". Decipher. Retrieved April 2, 2021.
  31. ^ National Institute of Science and Technology (NIST). "NVD - CVE-2021-27101". National Vulnerability Database (NVD). Retrieved April 2, 2021.
  32. ^ "Shell Says Personal, Corporate Data Stolen in Accellion Security Incident". SecurityWeek.
  33. ^ Ropek, Lucas (February 11, 2021). "The Accellion Data Breach Seems to Be Getting Bigger". Gizmodo. Retrieved April 3, 2021.
  34. ^ Jablon, Robert (April 3, 2021). "University of California victim of nationwide hack attack". ABC News. Retrieved April 3, 2021.
  35. ^ a b Greig, Jonathan (February 24, 2021). "Kroger data breach highlights urgent need to replace legacy, end-of-life tools". TechRepublic. Retrieved April 2, 2021.
  36. ^ Osborne, Charlie (March 23, 2021). "Oil giant Shell discloses data breach linked to Accellion FTA vulnerability". ZDNet. Retrieved April 2, 2021.
  37. ^ Montalbano, Elizabeth (March 23, 2021). "Energy Giant Shell Is Latest Victim of Accellion Attacks". Threat Post. Retrieved April 2, 2021.
  38. ^ "UC Among Targets in Nationwide Cyberattack". UC Davis. March 31, 2021. Retrieved April 2, 2021.
  39. ^ Duckett, Chris (January 15, 2021). "ASIC reports server breached via Accellion vulnerability". ZDNet. Retrieved April 2, 2021.
  40. ^ Olenick, Doug (February 16, 2021). "NZ Reserve Bank Issues Update on Accellion Breach". Bank Info Security. Retrieved April 3, 2021.
  41. ^ a b Wong, Cara (February 17, 2021). "Data of some 129,000 Singtel customers, including NRIC details, stolen in hack of third-party system". The Straits Times. Retrieved April 2, 2021.
  42. ^ "NSW driver's licence data stolen in Accellion breach". iTnews. Retrieved February 26, 2022.
  43. ^ Wu, Daniel; Catania, Sam (April 1, 2021). "Hackers leak Social Security numbers, student data in massive data breach". The Stanford Daily. Retrieved April 2, 2021.
  44. ^ a b Seals, Tara (February 22, 2021). "Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11". Threat Post. Retrieved April 2, 2021.
  45. ^ Cimpanu, Catalin (February 11, 2021). "Accellion to retire product at the heart of recent hacks". ZDNet. Retrieved April 2, 2021.
  46. ^ "Accellion Attack Involved Extensive Reverse Engineering". www.bankinfosecurity.com.
  47. ^ "Accellion Proposes $8.1 Million Settlement to Resolve Class Action FTA Data Breach Lawsuit". HIPAA Journal. January 17, 2022. Retrieved January 19, 2022.
