Zero-Day Flaws in Accellion’s Legacy Software Impact Nearly 100 Organizations Worldwide

essidsolutions

Hacker group FIN11, which may be associated with the CLOP ransomware gang, exploited four zero-day vulnerabilities in Accellion’s File Transfer Appliance (FTA) to exfiltrate data belonging to nearly 100 organizations that use the FTA to share files over secure channels.

FireEye-owned cybersecurity firm Mandiant revealed that FIN11, a financially motivated cybercriminal group, targeted a legacy file transfer product from Accellion, a California-based private cloud company specializing in secure file sharing and collaboration solutions. Tracked by Mandiant as UNC2546 and UNC2582, the group exploited zero-day vulnerabilities in Accellion’s 20-year-old File Transfer Appliance (FTA) to steal sensitive data belonging to a large number of organizations.

“FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity,” Mandiant explained in a blog post published last year. True to that description, FIN11 launched a series of attacks against Accellion’s customers by exploiting multiple zero-day vulnerabilities and installing the DEWMODE web shell on the FTA to exfiltrate data. As a result, around 100 of the 300 organizations that use FTA lost some of their data in the attack.

Mandiant also noticed a sharp rise in February in the number of organizations listed on the “CL0P^_- LEAKS” website. The list named organizations whose data had been accessed through exploitation of the FTA zero-days, which pointed to the involvement of the CLOP ransomware gang in the campaign. However, Mandiant did not detect the use of the CLOP ransomware itself in the extortion attempts.

“The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the ‘CL0P^_- LEAKS’ .onion website,” the firm said in a blog post.


The Growing List of Victims

Although this is not an outright ransomware attack, in which hackers encrypt victims’ data and systems to extract a ransom, there is still a ransom element: payment is demanded in exchange for not publishing the stolen data. The attackers initially sent an extortion email as follows:

[Image: the initial extortion email. Source: BleepingComputer]

If the victim failed to respond to that email, a ‘last warning’ followed in yet another email.

[Image: the ‘last warning’ extortion email. Source: BleepingComputer]

The list of victims of the FTA hack is growing with each passing day, and with the investigation still ongoing, the scope of the attack may be much larger than what is currently known.

Just the UNC numbers alone tell you how much intrusion activity this team is exposed to. Now understand not everything gets UNC’d…

— Andrew Thompson (@anthomsec) February 23, 2021

Known victims of the FTA hack currently include Singapore’s largest telecom company Singtel, Ohio-based retailer Kroger, the Reserve Bank of New Zealand (the country’s central bank), the Australian Securities and Investments Commission, the law firms Jones Day and Allens, the University of Colorado, and the Washington State Auditor’s Office, among others.


Discovered Vulnerabilities

According to Mandiant’s investigation, which included penetration testing of Accellion’s FTA, FIN11 threat actors exploited four zero-day vulnerabilities to infiltrate systems, install the DEWMODE web shell, and steal data:

| Vulnerability  | CVSS Score | Severity | Description                                       |
|----------------|------------|----------|---------------------------------------------------|
| CVE-2021-27101 | 9.8        | Critical | SQL injection via a crafted Host header           |
| CVE-2021-27102 | 7.8        | High     | OS command execution via a local web service call |
| CVE-2021-27103 | 9.8        | Critical | SSRF via a crafted POST request                   |
| CVE-2021-27104 | 9.8        | Critical | OS command execution via a crafted POST request   |
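Two of the four vectors in the table are driven by attacker-controlled request data (the Host header for the SQL injection, POST bodies for the command execution and SSRF), so the defensive controls that matter are strict validation of that data before it reaches a query or a shell, parameterized queries so that a validation bypass still cannot change the SQL, and log review for requests whose Host header is malformed. The following is an added, hypothetical example illustrating those three controls; it is not Accellion’s code and does not reflect the FTA’s internals, which this article does not describe. The log format, the hostnames, the sample log lines and the `sites` table are all constructed for the example.

```python
"""Defender-side checks for request-borne vectors: Host-header validation,
a parameterized Host lookup, and an access-log scan for anomalous Hosts.

Hypothetical example, not Accellion's code; every name and value here is
constructed for illustration.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

# Hostnames this appliance legitimately answers for (assumed deployment values).
ALLOWED_HOSTS = {"fta.example.com"}

# RFC 1123 hostname labels, optionally followed by :port. Anything outside
# this grammar (quotes, spaces, semicolons, comment markers) is rejected.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?::[0-9]{1,5})?$",
    re.IGNORECASE,
)


def host_is_valid(host: str) -> bool:
    """Accept only a syntactically valid, allowlisted Host value.

    Syntax is checked first so characters with meaning to SQL or a shell never
    reach application code; the allowlist then rejects well-formed foreign names.
    """
    if len(host) > 259 or not _HOST_RE.match(host):
        return False
    return host.split(":")[0].lower() in ALLOWED_HOSTS


def lookup_site_id(conn: sqlite3.Connection, host: str) -> Optional[int]:
    """Resolve a Host header to a site row with a parameterized query.

    The value is bound as a parameter rather than interpolated into the SQL
    text, so a hostile Host header is compared as data and cannot alter the
    query even if validation were bypassed.
    """
    row = conn.execute("SELECT id FROM sites WHERE hostname = ?", (host,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """In-memory table standing in for whatever a real appliance keys on Host."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (id INTEGER PRIMARY KEY, hostname TEXT)")
    conn.execute("INSERT INTO sites VALUES (1, 'fta.example.com')")
    return conn


# Constructed access-log format: client IP, request line, status, Host header.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, reason, detail) for every line a defender should review."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m is None:
            findings.append(("?", "unparseable", line))
            continue
        if not host_is_valid(m["host"]):
            findings.append((m["ip"], "anomalous-host", m["host"]))
    return findings


# Constructed sample log lines: one benign, one whose Host carries SQL
# punctuation, one with a shell metacharacter, and one that does not parse.
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.html HTTP/1.1" 200 "fta.example.com"',
    '203.0.113.7 "POST /index.html HTTP/1.1" 500 "fta.example.com\';--"',
    '203.0.113.8 "POST /index.html HTTP/1.1" 200 "fta.example.com;x"',
    "garbage line",
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    conn = demo_db()
    print(lookup_site_id(conn, "fta.example.com"))       # 1
    print(lookup_site_id(conn, "fta.example.com';--"))   # None
```

Running the block prints the two anomalous-host findings and the unparseable line, then shows the parameterized lookup returning a row only for the genuine hostname. In a real deployment the same `host_is_valid` check belongs at the edge (web server or reverse proxy) as well as in the application, and the scanner would be pointed at the real access-log format rather than the constructed one used here.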

The attackers used the DEWMODE web shell to extract file records from the MySQL database on the FTA; the files, together with their metadata (file ID, path, filename, uploader, and recipient), were listed on an HTML page, and UNC2546 then used that list to download the files through the web shell.

Accellion has patched all four zero-day vulnerabilities. The company has also added monitoring and alerting functionality to detect and flag inconsistencies associated with these attack vectors. Beyond these four, Mandiant discovered no other vulnerabilities.

Even as it issued fixes, the Palo Alto-headquartered cloud solutions company also decided to discontinue support for the 20-year-old FTA. Accellion has recommended that users replace the legacy product with Kiteworks, its enterprise content firewall platform, which is built on an entirely different code base. Kiteworks is FedRAMP authorized for Moderate CUI and complies with several data privacy regulations and standards, including GDPR, HIPAA, NIST 800-171, FIPS, SOC 2, and ISO 27001.
