Friday, July 23, 2021

Cyber Criminals Exploit zero-day vulnerability in FTA servers for Data Theft and Extortion


Cybersecurity company FireEye said today that a cybercriminal gang known as FIN11 carried out a zero-day attack on Accellion FTA servers that hit 100 companies worldwide in December 2020 and January 2021.

During the attack, the hackers exploited four security bugs in the FTA servers and installed a web shell called DEWMODE, which they used to download files stored on the victims' FTA appliances.

“Of the nearly 300 clients of the FTA, less than 100 have been victims of the attack,” Accellion said in a statement released to the media today. “Of this group, fewer than 25 appear to have suffered significant data theft.”

But FireEye said some of those 25 customers have now received ransom demands following the attack on their FTA file-sharing servers.

The attackers reached out via email and demanded payment in Bitcoin, otherwise they would publish the victims' data on a "leak site" run by the Clop ransomware gang.

FireEye, which helped Accellion investigate the attack, said the activity was linked to two threat groups: UNC2546 (the zero-day exploitation of FTA devices) and UNC2582 (the emails sent to victims threatening to publish their data on the Clop ransomware leak site).

Both groups have infrastructure overlaps with FIN11, a major cybercrime group that FireEye identified and documented last year and which has its fingerprints on various forms of cybercrime.

The following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:

FireEye said that although FIN11 operators are now publishing data from Accellion FTA customers on the Clop ransomware leak site, these companies have not had any part of their internal networks encrypted; they are instead victims of a classic name-and-shame extortion scheme.

The security podcast Risky Business spotted Accellion FTA customers on the Clop ransomware leak site last week, even before the FireEye report was published today. Companies whose data is listed on the Clop site:

Some companies have reported network breaches due to attacks on their FTA servers but have not yet had their data listed on the Clop site:

Since the start of the attack, Accellion has released several updates to fix the bugs exploited in the attack and has also announced its intention to retire the old FTA server software this year, on April 30, 2021.

The company is now urging its customers to evaluate its new product, Kiteworks, which replaces the old FTA server. FTA was a file-sharing tool developed in the early 2000s that gave companies an easy way to share files with employees and customers, long before products like Dropbox or Google Drive became widely available.

Because of the volume of data uploaded to these servers, which was often done with their security features in mind, FTA deployments have become a prime target for attackers.

Accellion hopes that companies understand the risks they now face and choose to move to its new product line instead, rather than having sensitive files such as trade secrets, intellectual property, or personal data leaked online.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.
