Mandiant/FireEye researchers have tentatively linked the Accellion FTA zero-day attacks to FIN11, a cybercrime group leveraging CLOP ransomware to extort targeted organizations.
Accellion has also confirmed on Monday that “out of approximately 300 total FTA clients, fewer than 100 were victims of the attack.”
A little bit of background information
Starting in December 2020, unknown attackers began exploiting previously unknown vulnerabilities in Accellion FTA (File Transfer Appliance), an enterprise file-sharing solution for securely transferring large and sensitive files.
While Accellion has been pushing customers towards its newer and more secure platform for years, the legacy FTA solution was still in use at many organizations, and some of those were hit in these attacks, including the Australian Securities and Investments Commission, the Washington State Auditor Office, Singapore telecom Singtel, New Zealand’s central bank, the University of Colorado, law firm Jones Day, and US retailer Kroger.
Accellion says that fewer than 25 of the 100 victims “have suffered significant data theft.”
The company has fixed the exploited vulnerabilities, but continues to advise enterprise users to migrate to kiteworks, its enterprise content firewall platform, which is “built on an entirely different code base, using state-of-the-art security architecture, and a segregated, secure devops process.”
The attackers’ TTPs
“The earliest identification of activity associated with this campaign occurred in mid-December 2020. At this time, Mandiant identified UNC2546 leveraging an SQL injection vulnerability in the Accellion FTA. This SQL injection served as the primary intrusion vector,” Mandiant researchers explained.
After gaining access, the attackers succeeded in writing a web shell (DEWMODE) to the system, which extracted a list of available files from an FTA MySQL database. The attackers used this list to download files through the DEWMODE web shell, and then initiated a cleanup routine.
This all happened quickly, sometimes within hours of the installation of the web shell, but it took several weeks for the victims to start receiving extortion emails. These included a description of the stolen data and the threat that, if the victim doesn’t pay up, the attackers will publish the stolen data on the “CL0P^_- LEAKS” .onion shaming website.
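The chain described above (SQL injection as the entry point, a dropped web shell at a path the appliance does not normally serve, then a burst of file downloads compressed into a short window) leaves a recognisable trace in a web server’s access log. The following is an added detection example, not code from Mandiant, Accellion or the joint advisory: it runs three simple checks over a constructed access log for a hypothetical appliance served under /app/. Every IP address, path, filename and timestamp in it is invented, the known-path baseline is an assumption, and the injection signatures are deliberately crude; none of it is an indicator from the reports this article cites.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed web-server access log for a hypothetical file-transfer appliance
# served under /app/. Every IP, path, filename and timestamp here is invented
# for this example; none is an indicator from the Accellion, Mandiant or CISA
# reports.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2020:02:10:01 +0000] "GET /app/login.html HTTP/1.1" 200 4120
10.0.0.5 - - [14/Dec/2020:02:12:30 +0000] "GET /app/download?fn=q4-report.pdf HTTP/1.1" 200 88120
198.51.100.7 - - [14/Dec/2020:03:01:09 +0000] "GET /app/login.html?user=admin%27%20or%20%271%27%3D%271 HTTP/1.1" 200 4120
198.51.100.7 - - [14/Dec/2020:03:02:40 +0000] "GET /app/status.html?list=1 HTTP/1.1" 200 9011
198.51.100.7 - - [14/Dec/2020:03:04:15 +0000] "GET /app/download?fn=hr-payroll-2020.xlsx HTTP/1.1" 200 120044
198.51.100.7 - - [14/Dec/2020:03:04:16 +0000] "GET /app/download?fn=board-minutes.docx HTTP/1.1" 200 51233
198.51.100.7 - - [14/Dec/2020:03:04:18 +0000] "GET /app/download?fn=customer-export.csv HTTP/1.1" 200 774210
198.51.100.7 - - [14/Dec/2020:03:04:19 +0000] "GET /app/download?fn=contracts-2019.zip HTTP/1.1" 200 9881002
198.51.100.7 - - [14/Dec/2020:03:04:21 +0000] "GET /app/download?fn=vendor-list.xlsx HTTP/1.1" 200 40112
198.51.100.7 - - [14/Dec/2020:03:05:02 +0000] "GET /app/download?fn=m-and-a-memo.pdf HTTP/1.1" 200 220531
"""

# Paths the appliance is known to serve. In practice you would build this from
# a clean install or a long history of normal traffic; here it is an assumption.
KNOWN_PATHS = {"/app/login.html", "/app/download", "/app/upload"}

# Apache "combined"-style line without referer/user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Crude SQL-injection signatures, applied to the URL-decoded request target.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+",        # ' or '1'='1
    r"union\s+(all\s+)?select",                   # UNION-based extraction
    r"\b(sleep|benchmark|pg_sleep)\s*\(",         # time-based blind probes
    r"(information_schema|load_file|into\s+outfile)",
)]


def parse_log(text):
    """Parse access-log lines into dicts sorted by timestamp; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["target"] = unquote(e["target"])      # decode before matching signatures
        e["path"] = urlsplit(e["target"]).path
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_sqli(events):
    """Return (ip, decoded target) for requests that match an injection signature."""
    return [(e["ip"], e["target"]) for e in events
            if any(p.search(e["target"]) for p in SQLI_PATTERNS)]


def find_unknown_paths(events, known=KNOWN_PATHS):
    """Return (ip, path) for successful requests to paths outside the baseline.
    A freshly dropped web shell shows up as exactly this kind of path."""
    return sorted({(e["ip"], e["path"]) for e in events
                   if e["status"] == 200 and e["path"] not in known})


def find_download_bursts(events, path="/app/download",
                         window=timedelta(minutes=5), threshold=5):
    """Return (ip, n) for clients that fetched >= threshold distinct files from
    `path` inside some sliding window of length `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if e["status"] == 200 and e["path"] == path:
            per_ip[e["ip"]].append((e["ts"], e["target"]))
    hits = []
    for ip, items in per_ip.items():          # items are already time-ordered
        best, left = 0, 0
        for right in range(len(items)):
            while items[right][0] - items[left][0] > window:
                left += 1
            best = max(best, len({t for _, t in items[left:right + 1]}))
        if best >= threshold:
            hits.append((ip, best))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SQLi candidates: ", find_sqli(evs))
    print("Unknown paths:   ", find_unknown_paths(evs))
    print("Download bursts: ", find_download_bursts(evs))
```

The three checks are cheap enough to run retroactively over months of logs, which matters here because victims were contacted weeks after the theft. The download-burst threshold and window are tuning knobs; a bulk-sync client used by a legitimate customer will trip the same rule, so the combination of signals from one source address (injection attempt, then an unknown path, then the burst) is what should drive escalation, not any single hit.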
According to the researchers, the attackers would follow a pattern of escalation to pressure victims into paying extortion demands – a pattern that would occasionally end with emails to partners of the victim organization that included links to the stolen data and negotiation chat.
It’s unknown whether some of the victims ended up paying the attackers.
“Monitoring of the CL0P^_- LEAKS shaming website has demonstrated that [the group] has followed through on threats to publish stolen data as several new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted,” the researchers shared.
Are these attackers the FIN11 cybercrime group?
Mandiant has noted several things that may link these attackers to the FIN11 attackers, including:
- The use of the CL0P^_- LEAKS shaming site
- Some extortion emails were sent from IP addresses and/or email accounts used by FIN11 in prior phishing campaigns
- An IP address that communicated with a DEWMODE web shell was in the “Fortunix Networks L.P.” netblock, a network frequently used by FIN11 to host download and C&C domains
Also, they note, many of the organizations that experienced FTA exploitation and DEWMODE installation were previously targeted by FIN11.
But while the overlaps are compelling, the researchers say they have insufficient evidence to attribute the Accellion FTA attacks (FTA exploitation, DEWMODE, data theft extortion activity) to FIN11.
“Using SQL injection to deploy DEWMODE or acquiring access to a DEWMODE shell from a separate threat actor would represent a significant shift in FIN11 TTPs, given the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities,” they concluded.
UPDATE (February 24, 2021, 01:55 a.m. PT):
According to DataBreaches.net, the CL0P^_- LEAKS shaming site has a few new entries:
- Canadian manufacturer of business jets Bombardier, which has confirmed that they’ve been compromised through “a vulnerability affecting a third-party file-transfer application” – most likely the Accellion FTA – and that “personal and other confidential information relating to employees, customers and suppliers was compromised.”
- American provider of water treatment solutions Pentair
- Canadian standards organization CSA Group
Transport for NSW, the leading transport and roads agency in New South Wales, Australia, has also confirmed that “it has been impacted by a cyber attack on a file transfer system owned by international company Accellion,” that some of its information was taken, but that the breach was limited to Accellion servers.
UPDATE (February 25, 2021, 03:20 a.m. PT):
The cybersecurity authorities of the U.S., Australia, New Zealand, Singapore, and the U.K. have released a joint cybersecurity advisory regarding the Accellion FTA attacks, with technical details, IoCs and mitigation advice.
A companion report details the web shell used by the attackers to exfiltrate data from compromised systems.
UPDATE (March 3, 2021, 01:10 a.m. PT):
Accellion has published a final report by FireEye/Mandiant regarding the attacks, which holds more details about how the attackers operated as well as IoCs.
The researchers have confirmed Accellion’s patches for the four vulnerabilities exploited in the attacks work as they should, and have found two additional ones (not exploited by attackers) in the Accellion FTA software. Those have been fixed, so companies that insist on using this legacy software are advised to upgrade to the latest version.
“Both the December Exploit and the January Exploit demonstrate a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software, likely obtained through extensive reverse engineering of the software,” the researchers noted.
“Among the things the attacker had to know were how to call internal APIs to obtain keys to decrypt filenames; how to forge tokens for internal API calls, how to chain together the vulnerabilities involved to conduct unauthenticated remote code execution, how to navigate FTA’s internal database, requiring a detailed understanding of the database structure, and how to bypass FTA’s built-in anomaly detector (in the case of the January Exploit).”