Accellion: How Attackers Stole Data and Ransomed Companies
Accellion and Mandiant Say Four Vulnerabilities Have Now Been Patched
Software company Accellion has released preliminary findings around the security incident that has stung some customers that used its 20-year-old File Transfer Appliance.
The company says that fewer than 100 customers have been attacked as the result of four now-patched vulnerabilities in the FTA, and that fewer than 25 "appear to have suffered significant data theft," according to a news release on Monday.
Accellion's CMO, Joel York, tells ISMG that after the attackers found one vulnerability in the FTA in December, they kept looking and found others in January (see: The Accellion Mess: What Went Wrong?).
Some Accellion customers have been hit with a one-two punch: First, their data was stolen. Then they received emails from a criminal group called Clop asking for a ransom in exchange for not publishing the data online. Singtel, Singapore's largest telco, and the law firm Jones Day have seen their data released, presumably because they didn't give in to the ransom.
Since December, other Accellion FTA victims that have made public announcements include the Reserve Bank of New Zealand; ASIC, Australia's financial regulator; the Office of the Washington State Auditor; the University of Colorado; the QIMR Berghofer Medical Research Institute in Australia; and, in the past few days, U.S. grocery chain Kroger.
FireEye's Mandiant forensics unit, which has been retained by Accellion, says it has done penetration tests and code reviews of the FTA, and no other critical vulnerabilities have been found.
Due to the attack, Accellion accelerated its timeline to retire the product, which is now scheduled for April. For years, Accellion has been encouraging its FTA customers to move to a new product, Kiteworks, that it says is more secure.
Accellion also published brief details on the four vulnerabilities. Accellion had shared the details privately with its clients. CVE-2021-27101 is a SQL injection vulnerability that ranks a 9.8 on NIST's CVSS metric. CVE-2021-27102 ranks a 7.8 and is an OS command injection vulnerability.
The other two, CVE-2021-27103 and CVE-2021-27104, are a server-side request forgery bug and another OS command injection bug. Both rank a 9.8.
How Attackers Got In
Mandiant has published a blog post describing what it has observed about the attacks. Accellion says that Mandiant's full report will be released in the coming weeks.
Mandiant calls the group that attacked Accellion "UNC2546." UNC stands for "uncategorized," which is how Mandiant classifies threat actors that don't fall clearly into the realm of a known group.
In mid-December, UNC2546 began exploiting a SQL injection vulnerability in Accellion's FTA, Mandiant writes. The group leveraged that vulnerability to install a newly discovered web shell that Mandiant calls DEWMODE.
It's not quite clear how the attackers managed to write DEWMODE to disk. But DEWMODE extracts a list of files and the metadata of those files from FTA's MySQL database.
When attackers steal data, those download requests turn up in the FTA's logs. But parts of those requests are encrypted and can be tricky to decrypt, Mandiant says.
The attackers didn't wait long to harvest data. Mandiant says that in some cases, within just hours, data was downloaded from the targeted systems.
The Follow-Up: Extortion
Unfortunately, that was just part one. A few weeks later, some organizations were targeted by a second group that Mandiant calls UNC2582. They received this ransom note:
Clop launched a website in March 2020, which since has been used to publish data from victims who refused to pay. There seems to be some overlap between Clop, UNC2582 and another group that Mandiant calls FIN11, which specializes in phishing campaigns. Deutsche Telekom's Thomas Barabosch also recently published a deep dive into the relationship between FIN11, also known as TA505, and Clop.
UNC2582 has followed through on threats to publish data, which then has shown up on the Clop website, Mandiant says. It also says that some of the extortion emails sent by UNC2582 came from either IP addresses or email accounts that had been used by FIN11 before.
But it's hard to draw definitive conclusions, Mandiant says.
"The overlaps between FIN11, UNC2546 and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships."