Kiteworks

Last updated
Kiteworks
Company type Private
Industry Security software
Founded1999;25 years ago (1999) in Singapore
Headquarters San Mateo, California, United States
Key people
  • Jonathan Yaron (CEO)
  • Michael Lee (CFO)
  • Kurt Michael (CRO)
  • Tim Freestone (CMO)
  • Yaron Galant (CPO)
  • Frank Balonis (CISO)
Number of employees
400+ [1]
Website www.kiteworks.com

Kiteworks, formerly known as Accellion, Inc., is an American technology company that secures sensitive content communications over channels such as email, file share, file transfer, managed file transfer, web forms, and application programming interfaces. The company was founded in 1999 in Singapore and is now based in San Mateo, California.

Contents

The Kiteworks Private Content Network consolidates file and email data communications onto a single platform, enabling organizations to reduce data privacy exposure risk and demonstrate conformance with a variety of regulations. [2] The Kiteworks hardened virtual appliance encrypts and encapsulates the Private Content Network with multiple security layers. [2]

In 2022, the company stated that its products were used by over 3,800 organizations worldwide. [3]

In late 2020, a zero-day exploit in Accellion’s legacy File Transfer Appliance (FTA) product led to data breaches of dozens of government and private organizations. [4] The vulnerabilities were confirmed only in the FTA and not in the Kiteworks platform, which has a separate codebase. Prior to the attacks, Accellion had advised customers to transition from the FTA, nearing end-of-life with support ending on April 30, 2021, to the Kiteworks system. [4] [5] [6] [7]

History

The company was founded as Accellion in Singapore in 1999 and was originally focused on distributed file storage. [8] The company moved to Palo Alto, California and shifted its focus on secure file transmission. [9] Accellion reached a total funding of about $35 million in 2011, and it was valued at $500 million in 2014. [8] The company's chief executive officer, Yorgen Edholm, credited aversion to "National Security Agency—style snooping" as a factor in their success. [10]

In January 2012, Accellion raised $12.2 million in funding from Riverwood Capital to continue their expansion. [11]

In 2016, Accellion started to focus on security and compliance and released features that included data security, governance, and compliance. They also began integrations with major cybersecurity independent software vendors (ISVs). [12]

In April 2020, the company received $120 million investment from Bregal Sagemount. [13]

In October 2020, Accellion was rebranded as Kiteworks. [14]

In January 2022, Kiteworks acquired totemo, an email encryption gateway provider based in Zurich, Switzerland. [15] It is integrated into the Kiteworks Private Content Networks and Kiteworks Email Protection Gateway. [16]

In November 2023, it was announced that Kiteworks had acquired German ownCloud and DRACOON which it intends to use as stepping stones into the European market, [17] [18] and Maytech, based in Tunbridge Wells, to bolster its UK market presence and secure data transfer capabilities. [19]

In October 2023, Kiteworks completed a SOC 2 Type II audit examination and received ISO/IEC 27001:2013, 27017:2015, and 27018:2019 certifications for its platform. [20]

In February 2024, Kiteworks introduced a feature called SafeEDIT, which is a digital rights management (DRM) technology that enables users to edit various file types natively and share files with third parties using video streaming. [21]

As of 2024, Kiteworks is used by 100 million users across over 3,800 organizations. [3] [22]

Software

Accellion was working on file transfer systems by late 2002. [23] The company released a file transfer appliance in 2005, a physical machine aiming to reduce server load when sending large files. [24]

In March 2011, the company released an online file collaboration product, emphasizing security. [25] [23] [26]

In 2012, the company launched a service allowing file sharing between mobile devices. [27] It included a synchronization feature called kitedrive. [28] [29] Early demand for the company's file transfer applications came from organizations that needed to transfer large files, including healthcare companies [30] and universities. [31] [32]

In January 2014, Accellion launched Kiteworks, a file sharing product allowing users to edit files and projects remotely, with interoperability with services like Google Drive and Dropbox. [8] [33] [34] That December, the company released a set of programming interfaces extending secure file access to mobile devices. [35]

In 2015, PCMag reviewer, Fahmida Y. Rashid, praised Kiteworks for its interface, support for mobile devices, and privacy tools. [36]

In June 2017, Kiteworks received FedRAMP Authorization for Moderate Level Impact of Controlled Unclassified Information (CUI). It has achieved FedRAMP certification every year since. [37]

In November 2018, Kiteworks released the CISO Dashboard. [38]

In March 2022, Kiteworks was recognized by the Information Security Registered Assessors Program (IRAP) after being evaluated for up to the Protected data classification level. [39]

In August 2022, Kiteworks introduced the Kiteworks Private Content Network, a zero-trust protection and compliance platform for unstructured data communications. [40]

In April 2023, Kiteworks announced that it had achieved Cyber Essentials and Cyber Essentials Plus accreditation, the highest standard for IT security in the United Kingdom. [41] Also, in the same month, it announced that the Kiteworks Private Content Network supports the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which allows users to better manage content-based risks. [42]

2020–21 security breaches

In mid-December 2020, the company's File Transfer Appliance product—now a 20-year-old legacy system—was subject to a zero-day exploit, [43] which was patched on December 23. [44] Three additional vulnerabilities were discovered and patched over the next month. [45] The first vulnerability was a SQL injection, allowing an attacker to use a web shell to run arbitrary commands and extract data. [44] The four vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) codes 2021-27101 through 2021-27104 on February 16, 2021. [46]

Out of approximately 300 total FTA clients, up to 25 appeared to have suffered significant data theft [47] [48] [49] including Kroger, [5] Shell Oil Company, [50] [51] the University of California system, [52] the Australian Securities and Investments Commission, [53] the Reserve Bank of New Zealand, [54] and Singtel. [55] Data stolen included Social Security numbers and other identification numbers, images of passports, financial information, driver's license data, [56] and emails. [55] [57] According to computer security firm FireEye, the attackers comprised two hacking groups: one with ties to "Clop", a ransomware group, and one connected to financial crime group "FIN11". [58] Many victims received extortion emails containing a .onion link to a website containing data dumps of multiple organizations. [58] Prior to the attacks, Accellion had maintained that the FTA was a legacy product nearing the end of its life, with support ending on April 30, 2021, asking customers to move to their Kiteworks system. [4] [5] [6] [7]

In January 2022, Accellion proposed that it would pay an $8.1m settlement in relation to these breaches. The proposed settlement will settle all legal actions against Accellion only. These do not take into account legal actions against clients impacted by the data breach.[ citation needed ]

Related Research Articles

Cisco PIX was a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution.

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the system, with funding from the US National Cyber Security Division of the US Department of Homeland Security. The system was officially launched for the public in September 1999.

<span class="mw-page-title-main">KWallet</span> Password manager

KDE Wallet Manager (KWallet) is free and open-source password management software written in C++ for UNIX-style operating systems. KDE Wallet Manager runs on a Linux-based OS and Its main feature is storing encrypted passwords in KDE Wallets. The main feature of KDE wallet manager (KWallet) is to collect user's credentials such as passwords or IDs and encrypt them through Blowfish symmetric block cipher algorithm or GNU Privacy Guard encryption.

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. NVD supports the Information Security Automation Program (ISAP). NVD is managed by the U.S. government agency the National Institute of Standards and Technology (NIST).

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. A VDB will assign a unique identifier to each vulnerability cataloged such as a number or alphanumeric designation. Information in the database can be made available via web pages, exports, or API. A VDB can provide the information for free, for pay, or a combination thereof.

<span class="mw-page-title-main">Goatse Security</span> Hacker group

Goatse Security (GoatSec) was a loose-knit, nine-person grey hat hacker group that specialized in uncovering security flaws. It was a division of the anti-blogging Internet trolling organization known as the Gay Nigger Association of America (GNAA). The group derives its name from the Goatse.cx shock site, and it chose "Gaping Holes Exposed" as its slogan. The website has been abandoned without an update since May 2014.

The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. Yevgeniy Nikulin was convicted of the crime and sentenced to 88 months in prison.

<span class="mw-page-title-main">ImmuniWeb</span> Swiss application security company

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland. ImmuniWeb develops machine learning and AI technologies for SaaS-based application security solutions provided via its proprietary ImmuniWeb AI Platform.

MOVEit is a managed file transfer software product produced by Ipswitch, Inc.. MOVEit encrypts files and uses file transfer protocols such as FTP(S) or SFTP to transfer data, as well as providing automation services, analytics and failover options. The software has been used in the healthcare industry by companies such as Rochester Hospital and Medibank, as well as thousands of IT departments in high technology, government, and financial service companies like Zellis.

BlueBorne is a type of security vulnerability with Bluetooth implementations in Android, iOS, Linux and Windows. It affects many electronic devices such as laptops, smart cars, smartphones and wearable gadgets. One example is CVE-2017-14315. The vulnerabilities were first reported by Armis, the asset intelligence cybersecurity company, on 12 September 2017. According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today [2017]."

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

Simjacker is a cellular software exploit for SIM Cards discovered by AdaptiveMobile Security. 29 countries are vulnerable according to ZDNet. The vulnerability has been exploited primarily in Mexico, but also Colombia and Peru, according to the Wall Street Journal, where it was used to track the location of mobile phone users without their knowledge.

<span class="mw-page-title-main">Sakura Samurai (group)</span> Hacker group

Sakura Samurai was a white hat hacking and security research group that was founded in 2020. The group is responsible for multiple vulnerability disclosures involving governmental groups and various corporations.

<span class="mw-page-title-main">John Jackson (hacker)</span> Security researcher

John Jackson also known as Mr. Hacking, is an American security researcher and founder of the white-hat hacking group Sakura Samurai.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.

References

  1. "Kiteworks Company Overview". Kiteworks. May 20, 2024. Retrieved May 22, 2024.
  2. 1 2 "Private Content Network: Secure File Sharing & Secure File Transfer Platform".
  3. 1 2 "About Kiteworks".
  4. 1 2 3 Newman, Lily Hay (March 8, 2021). "The Accellion Breach Keeps Getting Worse—and More Expensive". Wired. Retrieved April 2, 2021.
  5. 1 2 3 February 24, Jonathan Greig in Security on (February 24, 2021). "Kroger data breach highlights urgent need to replace legacy, end-of-life tools". TechRepublic. Retrieved April 2, 2021.{{cite news}}: CS1 maint: numeric names: authors list (link)
  6. 1 2 Cimpanu, Catalin (February 11, 2021). "Accellion to retire product at the heart of recent hacks". ZDNet. Retrieved April 2, 2021.
  7. 1 2 "Accellion Attack Involved Extensive Reverse Engineering". www.bankinfosecurity.com.
  8. 1 2 3 Deborah Gage (January 27, 2014). "Accellion Targets Box, Dropbox on Secure File Sharing". The Wall Street Journal. Retrieved January 30, 2014.
  9. Hoffman, Thomas (March 14, 2005). "Ogilvy Harnesses the Web for its File Transfer System". Archived from the original on June 27, 2013.
  10. Ramakrishnan, Sruthi (February 5, 2014). "File-sharing company Accellion aims to go public in 2015". Reuters. Retrieved April 2, 2021.
  11. Accellion raised $12.2 million for expansion bizjournals.com January 4, 2012
  12. "Accellion and FireEye Collaborate to Prevent Cyber Attacks From Crippling Critical Business Operations". finance.yahoo.com.
  13. Accellion content firewall funding valuation bizjournals.com April 7, 2020
  14. "Accellion's Brand Name is Now Kiteworks". October 12, 2021.
  15. Bei, Jerome (January 7, 2022). "Kiteworks Acquisition of Leading Email Encryption Gateway Company totemo Bolsters Kiteworks Content Communications Protection, Compliance, and Governance".
  16. "Email Protection Gateway".
  17. "ownCloud becomes part of Kiteworks". owncloud.com. November 21, 2023. Retrieved December 1, 2023.
  18. "Kiteworks Makes Bold Moves Joining Forces With Two German Leaders in Its Space". kiteworks.com. November 21, 2023. Retrieved December 1, 2023.
  19. "Kiteworks acquires Maytech, bolstering UK market presence and secure data transfer capabilities". Fintech Global. November 24, 2023. Retrieved December 3, 2023.
  20. "Kiteworks Achieves SOC 2 Type II Certification for Sixth Consecutive Year and ISO 27001, 27017, and 27018 Certifications for Second Year".
  21. "Kiteworks releases new digital rights management technology". February 16, 2024.
  22. "Kiteworks and Climb Channel".
  23. 1 2 "Ogilvy Harnesses the Web for Its File Transfer System". Computer World. March 14, 2005. Archived from the original on June 27, 2013.
  24. Solheim, Shelley (September 26, 2005). "Device Keeps Large Files Moving". eWEEK. Retrieved April 2, 2021.
  25. Hulme, George V. (March 29, 2011). "Accellion proffers secure cloud collaboration workspaces". CSO Online. Retrieved April 2, 2021.
  26. "Accellion introduces new secure collaboration worktool". Engineering and Technology Magazine. March 29, 2011. Archived from the original on September 7, 2011. Retrieved April 2, 2021.
  27. Drinkwater, Doug (March 12, 2012). "Accellion strives for secure mobile file sharing with 'Dropbox for Enterprise'". TabTimes. Archived from the original on May 16, 2012. Retrieved April 2, 2021.
  28. Scott, Jennifer (March 13, 2012). "Accellion launches kitedrive Sync its 'Dropbox for the enterprise'". Cloud Pro. Retrieved April 2, 2021.
  29. Sibley, Lisa (January 4, 2012). "Accellion raises $12M for expansion plans". The Business Journals. Retrieved April 2, 2021.
  30. Baker, M. L. (February 8, 2007). "Harvard CIO Herds Large File Transfers". eWeek.
  31. "Solving the File Transfer Problem". Chronicle of Higher Education. January 28, 2008. Retrieved October 14, 2015.
  32. "Appliance Helps Researchers Share Large Files". Bio-IT World. April 19, 2006. Archived from the original on April 2, 2012. Retrieved September 20, 2011.
  33. Ben Kepes (January 28, 2014). "Accellion Launches Kiteworks, But Are They Too Late To The Mobile File Sharing Party?". Forbes. Retrieved January 30, 2014.
  34. Nathan Eddy (January 31, 2014). "Accellion Kiteworks Helps Mobile Workers Boost Productivity". eWeek.
  35. Clancy, Heather (November 28, 2014). "Accellion tackles secure mobile content updates". ZDNet. Retrieved April 2, 2021.
  36. Rashid, Fahmida Y. (August 31, 2015). "Accellion Kiteworks Business Review". PCMag. Retrieved April 2, 2021.
  37. "Protect Confidential Content Shared Between Agencies".
  38. "Accellion CISO Dashboard provides visible, traceable record of sensitive content". Compliance Week.
  39. "Kiteworks achieves IRAP certification". www.govtechreview.com.au.
  40. "Kiteworks Launches the Private Content Network".
  41. "Kiteworks Awarded Cyber Essentials and Cyber Essentials Plus Certification".
  42. "Kiteworks Announces Industry's First File and Email Data Communications Platform Built on the NIST CSF".
  43. Mathews, Lee (March 23, 2021). "Oil Giant Shell Victimized In December 2020 Hack". Forbes. Retrieved April 2, 2021.
  44. 1 2 United States Department of Homeland Security (June 17, 2021). "Exploitation of Accellion File Transfer Appliance | CISA". Cybersecurity and Infrastructure Security Agency.
  45. Fisher, Dennis (February 26, 2021). "Attackers Continue to Target Accellion FTA Flaws". Decipher. Retrieved April 2, 2021.
  46. "Shell Says Personal, Corporate Data Stolen in Accellion Security Incident". SecurityWeek. March 22, 2021.
  47. Ropek, Lucas (February 11, 2021). "The Accellion Data Breach Seems to Be Getting Bigger". Gizmodo. Retrieved April 3, 2021.
  48. Jablon, Robert (April 3, 2021). "University of California victim of nationwide hack attack". ABC News. Retrieved April 3, 2021.
  49. Osborne, Charlie (March 23, 2021). "Oil giant Shell discloses data breach linked to Accellion FTA vulnerability". ZDNet. Retrieved April 2, 2021.
  50. Montalbano, Elizabeth (March 23, 2021). "Energy Giant Shell Is Latest Victim of Accellion Attacks". Threat Post. Retrieved April 2, 2021.
  51. "UC Among Targets in Nationwide Cyberattack". UC Davis. March 31, 2021. Retrieved April 2, 2021.
  52. Duckett, Chris (January 15, 2021). "ASIC reports server breached via Accellion vulnerability". ZDNet. Retrieved April 2, 2021.
  53. Olenick, Doug (February 16, 2021). "NZ Reserve Bank Issues Update on Accellion Breach". Bank Info Security. Retrieved April 3, 2021.
  54. 1 2 Wong, Cara (February 17, 2021). "Data of some 129,000 Singtel customers, including NRIC details, stolen in hack of third-party system". The Straits Times. Retrieved April 2, 2021.
  55. "NSW driver's licence data stolen in Accellion breach". iTnews. Retrieved February 26, 2022.
  56. Wu, Daniel; Catania, Sam (April 1, 2021). "Hackers leak Social Security numbers, student data in massive data breach". The Stanford Daily. Retrieved April 2, 2021.
  57. 1 2 Seals, Tara (February 22, 2021). "Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11". Threat Post. Retrieved April 2, 2021.