Sunday, October 17, 2021

Cyber Criminals Exploit zero-day vulnerability in FTA servers for Data Theft and Extortion


Cybersecurity company FireEye said today that a cybercriminal group it associates with FIN11 carried out a zero-day attack on Accellion FTA (File Transfer Appliance) servers in December 2020 and January 2021, hitting around 100 companies worldwide.

During the attack, the intruders chained four security vulnerabilities in the FTA software to gain access, then deployed a web shell named DEWMODE, which they used to list and download the files stored on the victims' FTA appliances.
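The article names DEWMODE but says nothing about how such a web shell is found on an appliance. As an added example (not code from the page, from FireEye or from Accellion), the following Python script shows one generic way to hunt for web-shell-like PHP files in a web root: it flags files that are either missing from the deployment manifest or modified after the last known-good patch time, and whose source both executes or serves request-controlled input and matches at least one other heuristic. The sample web root, file names, manifest, baseline time and regex patterns are all constructed for the demo and are assumptions; they are not DEWMODE indicators.

```python
"""Web-shell hunt over a PHP web root (added illustration; constructed data)."""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Heuristic categories for PHP that executes, decodes or serves attacker-supplied
# input. These are generic assumptions for the demo, not signatures for DEWMODE.
PATTERNS = {
    "code_exec": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "file_read": re.compile(
        r"\b(readfile|fpassthru|file_get_contents|fopen)\s*\(\s*\$", re.I),
}
PHP_EXTENSIONS = (".php", ".phtml", ".inc")


@dataclass
class Finding:
    path: str                      # path relative to the web root
    reasons: list = field(default_factory=list)


def scan_webroot(webroot, manifest, baseline_mtime):
    """Walk the web root and return Findings for PHP files that are unknown to the
    manifest or newer than baseline_mtime AND match at least two heuristic
    categories. Integrity (manifest/mtime) is the primary signal; the content
    heuristics only cut noise from legitimately added files."""
    findings = []
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            reasons = []
            if rel not in manifest:
                reasons.append("not in deployment manifest")
            if os.path.getmtime(path) > baseline_mtime:
                reasons.append("modified after baseline")
            if not reasons:
                continue  # known file, untouched since the baseline: skip
            try:
                with open(path, "r", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue
            hits = [key for key, rx in PATTERNS.items() if rx.search(body)]
            if len(hits) >= 2:
                reasons.extend("matches " + h for h in hits)
                findings.append(Finding(rel, reasons))
    return findings


def build_demo_webroot():
    """Constructed sample web root for the demo (not real appliance files)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        # legitimate, shipped files
        "index.php": "<?php include 'lib/auth.php'; echo render_home(); ?>",
        "lib/auth.php": "<?php $user = $_POST['user'] ?? ''; if (!check($user)) exit; ?>",
        # unknown but benign helper: one category at most, must not be flagged
        "lib/helpers.php": "<?php function render_home() { return 'home'; } ?>",
        # constructed web shell: runs and serves request-controlled input
        "cache/about.php": ("<?php @eval(base64_decode($_REQUEST['x']));"
                            " if (isset($_GET['f'])) { readfile($_GET['f']); } ?>"),
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    # Shipped files were deployed a week ago; the other two are fresh.
    deployed = time.time() - 7 * 86400
    for rel in ("index.php", "lib/auth.php"):
        os.utime(os.path.join(root, rel), (deployed, deployed))
    manifest = {"index.php", "lib/auth.php"}
    baseline = deployed + 3600  # time of the last known-good patch
    return root, manifest, baseline


def run_demo():
    root, manifest, baseline = build_demo_webroot()
    return scan_webroot(root, manifest, baseline)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding.path, "->", "; ".join(finding.reasons))
```

On a real appliance the manifest would come from the vendor package or a hash list captured before the incident, and the baseline from the patch log; a hash comparison of known files should be added alongside the mtime check, since an attacker who edits a shipped file can also reset its timestamp.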

"Of the nearly 300 clients of the FTA, fewer than 100 have been victims of the attack," Accellion said in a statement released to the media today. "Of this group, fewer than 25 appear to have suffered significant data theft."

FireEye added that some of those customers have since received ransom demands following the attack on their FTA file-sharing servers.

The attackers contacted the victims by email and demanded payment in Bitcoin, threatening otherwise to publish the stolen data on a leak site run by the Clop ransomware gang.

FireEye, which helped Accellion investigate the incident, attributed the activity to two threat clusters: UNC2546, responsible for the zero-day exploitation of the FTA appliances, and UNC2582, responsible for the extortion emails threatening to publish the data on the Clop ransomware leak site.


Both clusters share infrastructure with FIN11, a prolific financially motivated cybercrime group that FireEye profiled last year and whose fingerprints appear on many forms of cybercrime.

The following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:

FireEye said that although the FIN11 operators are now publishing data taken from Accellion FTA customers on the Clop ransomware leak site, none of these companies had any part of their internal networks encrypted; they are victims of a classic name-and-shame extortion scheme rather than a ransomware deployment.

The security podcast Risky Business spotted Accellion FTA customers on the Clop ransomware leak site last week, before the FireEye report was published today. Companies whose data is listed on the Clop site:

Some companies that have disclosed a breach resulting from the attacks on their FTA servers but whose data has not been listed on the Clop site:

Since the start of the attack, Accellion has released several updates to fix the bugs exploited in the intrusions, and it has also announced that it will retire the legacy FTA software on April 30, 2021.

The company is now urging customers to move to its newer product, Kiteworks, which replaces FTA. FTA is a file-sharing appliance developed in the early 2000s that gave companies an easy way to share files with employees and customers, long before products like Dropbox or Google Drive became widely available.

Because of the volume of files uploaded to these appliances, often sensitive material entrusted to them precisely for their security features, FTA servers have become a prime target for attackers.

Accellion hopes that companies will recognise the risk they now face and migrate to the new product line, rather than have sensitive files such as trade secrets, intellectual property or personal data leaked online.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer and white-hat hacker.

