For several weeks, organizations around the world have reported data breaches relating to zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance. The Accellion FTA device is a purpose-built application designed to allow an enterprise to securely transfer large files.
Starting in mid-December of last year, an uncategorized threat actor labeled as UNC2546 by Mandiant exploited multiple zero-day vulnerabilities in the appliance to install a newly discovered web shell dubbed “Dewmode”. The web shell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs.
Then in late January, several of the impacted institutions began receiving extortion emails from actors claiming to be the CLOP Ransomware Team and threatening to publish their stolen data on the shaming website “CL0P^_- LEAKS”. Mandiant noted that some of the published victim data had been acquired using the shell and suggested that a second uncategorized group, labeled as UNC2582, is in charge of the extortion operations. Monitoring of the onion site has demonstrated that this group has followed through on its threats, as several new victims have appeared on the site in recent weeks.
CYR3CON collected Russian language discussions of the details of the report on February 25th, prior to the report being issued on 1 March.
Despite tracking the exploitation and extortion activity in separate threat clusters, Mandiant observed at least one case where an actor interacted with a Dewmode web shell from a host that was used to send the extortion emails.
In previous instances, the financially motivated theft group FIN11, described as a TA505 spinoff, threatened to post stolen victim data on this same shaming site as an additional extortion pressure tactic after infecting targets with CLOP ransomware. However, in these latest incidents, no ransomware was deployed.
Key Overlaps with Previous FIN11 Ops
Nevertheless, overlaps between previous FIN11 operations and this latest activity have been observed. For example:
- Many of the organizations compromised by UNC2546 were previously targeted by FIN11.
- Also, an IP address that communicated with a Dewmode web shell was in the “Fortunix Networks” netblock, a network frequently used by FIN11 to host and download a FRIENDSPEAK command and control (C2) domain.
- On the post-breach side of operations, some extortion emails observed last month were sent from IP addresses and email accounts used by FIN11 in multiple phishing campaigns between August and December 2020.
Using SQL injection to deploy Dewmode, or acquiring access to the shell from a separate threat actor, would represent a “significant shift” in FIN11's usual techniques, given that the group has traditionally relied on phishing campaigns as its initial infection vector and, so far, Mandiant hasn't seen it use zero-day vulnerabilities.
According to Mandiant, “one of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks. We therefore have insufficient evidence to attribute the FTA exploitation, Dewmode, or data theft extortion activity to FIN11.”
Accellion identified two distinct groups of affected FTA customers. Out of approximately 300 FTA clients, fewer than 100 were victims of the attack. Within this group, fewer than 25 appear to have suffered significant data theft, according to the company’s statement.
This activity has impacted organizations in countries like Australia, New Zealand, Singapore, Canada, the UK, Netherlands, and the US.
Sectors impacted included Legal, Transportation, Telecom, Government, Technology, Finance, Medical and Retail, among others. Affected organizations include:
- University of Colorado
- Singapore’s Singtel telecom provider
- Auditor’s office of the State of Washington
- Supermarket giant Kroger
- QIMR Berghofer Medical Research Institute
- Reserve Bank of New Zealand
- Australian Securities and Investments Commission (ASIC)
- Technical services company ABS Group
- Law firm Jones Day
- Fortune 500 science and technology corporation Danaher
- geo-data specialist Fugro
Accellion has been strongly recommending that its customers migrate from the 20-year-old FTA product, which is nearing end of life, to Kiteworks, its enterprise content firewall platform.
In the meantime, Accellion has patched all four known FTA vulnerabilities exploited by the threat actors and has added monitoring and alerting capabilities to flag anomalies associated with these attack vectors:
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
CVE-2021-27101 is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Actors have exploited this vulnerability to deploy Dewmode on compromised systems.
If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/ folder over the period of malicious activity. This information is only indicative and may not be a comprehensive identifier of all exfiltrated files.
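One way to run the check described above, as an added example that is not code from Accellion, Mandiant or CISA: it walks a symlink folder, stats each link's target and reports the ones whose last-access time falls inside the suspected activity window, keeping dangling links (target already deleted) as a separate finding. The folder name is the one given in the text; the sample tree the block builds is constructed for illustration only, and, as noted above, atime is only indicative (noatime/relatime mounts or any later read of the files change it).

```python
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

# Folder named in the advisory. Point accessed_targets() at it (preferably on a
# forensic image) without opening the files first, or the atimes get overwritten.
FTA_SYMLINK_DIR = "/home/seos/apps/1000/"


def accessed_targets(symlink_dir, window_start, window_end):
    """Stat the target of every symlink in symlink_dir and keep those whose
    last-access time (epoch seconds) falls within [window_start, window_end].
    Returns (hits, dangling): hits as (link, target, atime) tuples; links whose
    target was already deleted are returned separately rather than dropped."""
    hits, dangling = [], []
    for entry in sorted(Path(symlink_dir).iterdir()):
        if not entry.is_symlink():
            continue
        target = os.readlink(entry)
        try:
            st = os.stat(entry)  # follows the link; stat() does not touch atime
        except FileNotFoundError:
            dangling.append((str(entry), target))
            continue
        if window_start <= st.st_atime <= window_end:
            hits.append((str(entry), target, st.st_atime))
    return hits, dangling


def format_report(hits):
    """Render hits as 'UTC-atime  link -> target' lines for a timeline."""
    return [f"{datetime.fromtimestamp(atime, timezone.utc).isoformat()}  {link} -> {target}"
            for link, target, atime in hits]


def build_sample_tree():
    """Constructed sample data (not from any real appliance): one target read an
    hour ago, one read a month ago, and one link whose target is gone."""
    root = Path(tempfile.mkdtemp())
    files, links = root / "files", root / "apps1000"
    files.mkdir(), links.mkdir()
    now = time.time()
    for name, atime in (("hr_export.zip", now - 3600), ("old_report.pdf", now - 30 * 86400)):
        path = files / name
        path.write_bytes(b"sample")
        os.utime(path, (atime, atime))  # set atime/mtime explicitly
        os.symlink(path, links / name)
    os.symlink(files / "deleted.csv", links / "deleted.csv")  # dangling link
    return str(links), now
```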
- Temporarily isolate or block internet access to and from systems hosting the software.
- Assess the system for evidence of malicious activity, including the published IOCs.
If malicious activity is identified:
- Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes and reset user passwords.
- Reset any security tokens on the system.
- Update Accellion FTA to version FTA_9_12_432 or later.
- Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
- Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021. Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.
Additional general best practices include:
- Deploying automated software update tools to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
- Only using up-to-date and trusted third-party components for the software developed by the organization.
- Adding security controls to prevent access from unauthenticated sources.
Detailed mitigations and YARA rules have been provided by Mandiant and CISA. Accellion FTA customers should also investigate the IOCs outlined in the published reports.