Cybersecurity company FireEye said today cybercriminal gang known as FIN11 performed a zero-day attack on Accellion FTA servers that hit 100 companies worldwide in December 2020 and January 2021.
During the attack, hackers used four security bugs to attack FTA servers, including a web shell called DEWMODE, which the attackers used to download files stored on the victim’s FTA Appliances.
“Of the nearly 300 clients of the FTA, less than 100 have been victims of the attack,” Accellion said in a statement released to the media today. “Of this group, fewer than 25 appear to have suffered significant data theft.”
But FireEye said some of the 25 customers have now ransom demands after an attack on their FTA file-sharing servers.
The attackers reached out via email and demanded payment of Bitcoin otherwise, they will publish details of the victims in a “leak site” run by the Clop ransomware gang.
FireEye, which helped Accellion investigate the attack, said the attack was linked to two corporate groups such as UNC2546 (zero-day exploitation on FTA devices) and UNC2582 (emails sent to victims threatening to publish information on clop ransomware leak site ).
Both groups have infrastructure overlaps with FIN11, a major cybercrime that FireEye discovered and recorded last year, which has its fingerprints on various forms of cybercrime.
The following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
FireEye said that although FIN11 operators are now publishing information from clients of Accellion FTA on the Clop ransomware leak site, these companies haven’t had any part of their internal network encrypted but are rather victims of a classic name-and-shame extortion scheme.
The security podcast Risky Business detected Accellion FTA companies at the Clop ransomware leak last week, even before the FireEye report was published today. Companies whose details are listed on the Clop site:
Some companies that have reported network breach due to attacks on FTA servers but which have not been data listed on the Clop site :
- The Reserve Bank of New Zealand
- The Australian Securities and Investments Commission (ASIC)
- Law firm Allens
- The University of Colorado
- The Washington State Auditor Office
- QIMR Berghofer Medical Research Institute
- US retail store chain Kroger
Since the start of the attack, the company has released several updates to fix bugs that have been exploited in the attack but have also announced its intention to retire old FTA server software this year, on April 30, 2021.
The company is now urging its customers to review its new product Kiteworks, which replaced the old FTA server, a file-sharing tool developed in the early 2000s that allowed companies an easy way to share files with employees and customers, long before products like Dropbox or Google Drive became widely available.
Due to the amount of data uploaded to these servers, which was often done taking into account security features, FTA programs are now a major victim of attackers.
Accellion hopes that companies understand the risks they are facing now and choose to update their new product line instead, and avoid having sensitive files such as trade secrets, intellectual property, or personal, leaky data online.