Cybersecurity researchers have linked several attacks targeting Accellion File Transfer Appliance (FTA) servers over the past two months to a data theft and extortion campaign run by a cybercrime group tracked as UNC2546.
The attacks, which began in December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrate sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang.
No ransomware was actually deployed in any of the recent incidents, which impacted organizations in the U.S., Singapore, Canada, and the Netherlands; instead, the threat actors resorted to extortion emails to pressure victims into paying bitcoin ransoms.
Some of the companies whose data has been listed on the site include Singapore's telecom provider SingTel, the American Bureau of Shipping, law firm Jones Day, the Netherlands-based Fugro, and life sciences company Danaher.
Accellion has patched four FTA vulnerabilities that were known to be exploited by the threat actors, and has also added new monitoring and alerting capabilities to flag suspicious behavior on the appliance. The flaws are as follows –
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
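As an added illustration (editor-supplied example code, not Accellion's code and not taken from Mandiant's reporting), the following Python shows the kind of defensive check that addresses the first flaw class above: a strict allowlist on the Host header, plus a scan over web access-log lines for Host values that no legitimate client would send. The allowed hostnames, the log format and the log lines are constructed assumptions for the example; the real FTA log format and the actual exploit payloads are not described on this page.

```python
import re

# Assumption: the hostnames this appliance legitimately serves.
# Anything else in the Host header is rejected before it can reach a query.
ALLOWED_HOSTS = {"fta.example.com", "transfer.example.com"}

# Well-formed Host header: a DNS name or bracketed IPv6 literal, optional port.
_HOST_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?|\[[0-9A-Fa-f:.]+\])"
    r"(?::(?P<port>\d{1,5}))?$"
)


def host_header_is_valid(value, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `value` is a syntactically clean hostname[:port]
    whose name is on the allowlist. Rejecting by syntax first means a
    quote, space, comment marker or other SQL metacharacter can never be
    passed through to a database query built from the header."""
    m = _HOST_RE.match(value)
    if not m:
        return False
    port = m.group("port")
    if port is not None and int(port) > 65535:
        return False
    return m.group("name").lower() in allowed_hosts


# Constructed access-log format for the example: combined log format plus
# the request's Host header appended as host="...". Not the real FTA format.
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>.*)"$'
)

# Constructed sample lines: one benign request, one with an injection-style
# Host value, one with an off-allowlist host.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jan/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 1234 host="fta.example.com"
198.51.100.7 - - [20/Jan/2021:10:00:09 +0000] "POST /login HTTP/1.1" 200 88 host="fta.example.com' OR '1'='1"
198.51.100.7 - - [20/Jan/2021:10:00:10 +0000] "POST /login HTTP/1.1" 500 0 host="evil.example.net"
"""


def flag_suspicious_hosts(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Scan log lines and return (client_ip, host_value) for every request
    whose Host header fails the allowlist check. Lines that do not parse
    are skipped rather than treated as findings."""
    findings = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        if not host_header_is_valid(host, allowed_hosts):
            findings.append((m.group("ip"), host))
    return findings


if __name__ == "__main__":
    for ip, host in flag_suspicious_hosts(SAMPLE_LOG):
        print(f"suspicious Host header from {ip}: {host!r}")
```

The same allowlist function belongs at the edge (reverse proxy or the application's request handling) so that the header is rejected before any code builds a query from it; the log scan is the retrospective version of that check for hunting through traffic that predates the patch.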
FireEye's Mandiant threat intelligence team, which is leading the incident response efforts, is tracking the follow-on extortion scheme as a separate threat cluster it calls UNC2582. Most of the organizations compromised by UNC2546 had previously been targeted by FIN11.
Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020.
Once installed, the DEWMODE web shell was used to download files from the compromised FTA instances; several weeks later, the victims received extortion emails claiming to be from the "CLOP ransomware team".
If a victim did not reply, the gang sent additional emails, containing links to the stolen data, to a larger group of recipients in the victim organization as well as to its partners.
Accellion, which is urging its FTA customers to migrate to its newer Kiteworks platform, said that fewer than 100 of its roughly 300 FTA customers were victims of the attack and that fewer than 25 appear to have suffered "significant" data theft.
The new development came after grocery chain Kroger disclosed last week that HR data, pharmacy records, and money services records belonging to some customers might have been compromised as a result of the Accellion incident.
Transport for New South Wales (TfNSW) also became the latest entity to confirm that it had been impacted by the Accellion data breach.
The Accellion FTA system is widely used by organizations around the world to share and store files.