Accellion Data Breach Resulted in Extortion Attempts Against Multiple Victims

Published: 23/11/2024   Category: security

FireEye Mandiant says it discovered that data stolen via a flaw in Accellion FTA had landed on a Dark Web site associated with a known Russia-based threat group.



Several organizations that were impacted by the recently disclosed breach at enterprise firewall company Accellion had their data stolen and subsequently used as leverage in extortion attempts.
New analysis of the incident by Mandiant found that data belonging to multiple companies in the United States, Canada, the Netherlands, and Singapore has so far been released via a Dark Web site associated with a known Russia-based threat actor called FIN11 that has recently been observed operating a ransomware strain called CLOP. Victims include organizations in a wide range of sectors, Mandiant said.
Accellion on January 12 briefly disclosed that attackers had exploited a zero-day vulnerability in its File Transfer Appliance (FTA), a near-obsolete 20-year-old technology that enterprise organizations around the world have been using for years to transfer large files. The vendor said it had learned of the breach in mid-December and issued a patch for it in less than 72 hours. A subsequent—and similarly brief—update on Feb 1 suggested that the attackers had exploited not one, but several vulnerabilities in FTA, all of which the company said it had closed. Accellion urged FTA customers to switch to the company's newer Kiteworks technology as soon as possible.
Accellion itself has downplayed the scope of the incident and had initially described the breach as impacting fewer than 50 customers worldwide. However, a quickly growing list of breach disclosures by FTA customers around the world suggests the actual number of victims could be higher.
On Friday, Kroger Co., the world's second largest general retailer, became the latest victim. Kroger announced that an unknown intruder had used Accellion's vulnerable file-transfer service to access data belonging to a small group of customers. Among those impacted were customers associated with Kroger Health and Money Service, the retailer said. Others that have disclosed breaches related to Accellion's vulnerable FTA include well-known law firm Jones Day, the State of Washington, the Reserve Bank of New Zealand, and Singapore Telecommunications (Singtel). Victims have reported customer data, credit information, and personal data such as birthdates and email addresses being stolen or compromised.
Multiple Threat Actors
Mandiant said an unknown attacker that it is tracking as UNC2546 exploited four zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA) sometime in mid-December 2020. The four vulnerabilities, all of which are now patched, are: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104.
The adversary exploited the vulnerabilities to install a hitherto unseen Web shell named DEWMODE on the Accellion FTA app and used it to exfiltrate data from victim networks. Mandiant's telemetry shows that DEWMODE is designed to extract a list of available files and associated metadata from a MySQL database on Accellion's FTA and then download files from that list via the Web shell. Once the downloads are complete, the attackers execute a clean-up routine to erase traces of their activity.
Mandiant has been unable to determine the threat actor UNC2546's primary motivation for the attacks. However, a few weeks after the data was stolen via DEWMODE, some victims reported receiving extortion emails from an adversary who claimed to be associated with the CLOP ransomware operation. The extortion campaign appeared to be associated with a separate group or activity cluster that Mandiant is currently tracking as UNC2582.
The security vendor says the attackers' pattern has been to steadily increase pressure on victim organizations—from initially sending emails to a small set of people from a single account to bombarding numerous recipients at the victim organization from hundreds of thousands of email addresses. Data posted on the FIN11-operated CLOP Dark Web site shows the threat group has carried out its threat in at least a few cases.
Charles Carmakal, senior vice president and CTO at FireEye Mandiant, says the company has identified overlaps between UNC2582, UNC2546, and prior FIN11 operations. "[But] we do not have enough data to track these clusters of activity as a single threat group," he says.
Carmakal says FIN11 maintained a high tempo of malicious activity through 2019 and 2020 but has been somewhat less active this year. "The threat group conducted widespread phishing campaigns targeting organizations in a broad range of sectors and geographic regions," he says. "We have not yet observed any FIN11 phishing campaigns in 2021—however, it is not unusual for the threat group to cease these operations for a month or two."
Mandiant does not have enough data at present to attribute UNC2546 and UNC2582 to any specific country or region, he notes. Neither is there any evidence tying the attack on Accellion to the one disclosed by SolarWinds last December, where malware was hidden in legitimate updates of the company's network management software and distributed to thousands of customers worldwide. "We attribute the intrusion activity and campaigns to different threat actors," Carmakal said.
Similar in Some Ways to SolarWinds
Even so, the breach at Accellion has inevitably drawn some comparisons to the SolarWinds breach. Both are recent examples of attackers impacting a large number of organizations by targeting their software supply chain. Both SolarWinds' and Accellion's technologies are widely deployed, and both organizations are regarded as trusted partners by customers.
"Supply-chain attacks make threat actors' job easier," says Ivan Righi, cyber threat intelligence analyst at Digital Shadows. "By exploiting a single vulnerability, an attacker can gain access to multiple victims."
"There is a lot of value for threat actors to focus on these types of attacks," he says. The apparent success of the SolarWinds and Accellion breaches could prompt more targeting of popular third-party software providers, he says.
Oliver Tavakoli, CTO at Vectra, says the attacks on companies via Accellion's FTA application are more similar in nature to the attacks via flaws in Pulse Secure VPN servers in 2020 than they are to SolarWinds-related attacks. "Services like Accellion's FTA are deployed in the DMZ portion of enterprise networks and have always been popular targets for attackers. The value of attacks through the DMZ is that they don't generally rely on phishing users and spending days or weeks progressing through the network from an end user's laptop to services of value," he says.
The lesson for security organizations is to pay closer attention to threats via the software supply chain, according to security experts. Though such threats can be hard to spot, especially when they involve software with trusted, privileged access on the network, organizations should take measures to minimize their exposure.
Mike Wilkes, CISO at SecurityScorecard, says it's possible that the use of Static Analysis Security Tools (SAST) and Dynamic Analysis Security Tools (DAST) can help organizations detect the presence of additional libraries and code in software from trusted partners. Another good measure is to have egress monitoring in place to detect data exfiltration and command-and-control communication.
"The SolarWinds hack lay low for two weeks before performing those outreach requests to the command-and-control servers," he says. "To be able to detect and block that traffic can mean the difference between being a victim or being protected."
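The two egress-monitoring ideas in the closing paragraphs, detecting bulk data leaving the network and detecting periodic command-and-control beaconing, can be expressed as simple checks over outbound connection records. The following is an added illustration written for this page; it is not code from the article, from Mandiant, or from any vendor quoted above. The log format (`key=value` fields), the allow-list, the thresholds, and the RFC 5737 documentation addresses are all constructed for the example.

```python
"""Egress-monitoring illustration (added example, not from the article).

Two detections over outbound connection records:
  1. bulk egress: a source pushes an unusually large volume to a destination
     that has not been reviewed before (the exfiltration case);
  2. beaconing: a source contacts one destination at near-constant intervals
     (the command-and-control call-home case).
Log format, thresholds and addresses are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log: timestamp, source host, destination, bytes sent.
# Host 192.0.2.10 (a DMZ file-transfer appliance in this scenario) sends gigabytes
# to an unreviewed address; host 192.0.2.22 contacts one address hourly with
# tiny payloads, which is the beacon pattern the article warns about.
SAMPLE_LOG = """\
2020-12-20T02:00:00 src=192.0.2.10 dst=203.0.113.5 bytes_out=734003200
2020-12-20T02:05:00 src=192.0.2.10 dst=203.0.113.5 bytes_out=512000000
2020-12-20T02:10:00 src=192.0.2.10 dst=203.0.113.5 bytes_out=900000000
2020-12-20T09:00:00 src=192.0.2.10 dst=198.51.100.7 bytes_out=10240
2020-12-20T10:00:00 src=192.0.2.22 dst=198.51.100.9 bytes_out=412
2020-12-20T11:00:00 src=192.0.2.22 dst=198.51.100.9 bytes_out=398
2020-12-20T12:00:00 src=192.0.2.22 dst=198.51.100.9 bytes_out=405
2020-12-20T13:00:00 src=192.0.2.22 dst=198.51.100.9 bytes_out=411
2020-12-20T13:07:00 src=192.0.2.22 dst=198.51.100.30 bytes_out=2048
"""

# Destinations already reviewed by the organisation (constructed allow-list).
KNOWN_DESTINATIONS = {"198.51.100.7"}


def parse_log(text):
    """Parse the constructed key=value egress records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = int(value) if key == "bytes_out" else value
        records.append(rec)
    return records


def detect_bulk_egress(records, threshold_bytes=500 * 1024 * 1024):
    """Return {(src, dst): total_bytes} for pairs that send more than
    threshold_bytes to a destination not on the allow-list."""
    totals = defaultdict(int)
    for rec in records:
        totals[(rec["src"], rec["dst"])] += rec["bytes_out"]
    return {pair: total for pair, total in totals.items()
            if total > threshold_bytes and pair[1] not in KNOWN_DESTINATIONS}


def detect_beaconing(records, min_connections=4, max_jitter=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs whose connection
    gaps are nearly constant: stdev/mean of the gaps below max_jitter.
    Real beacons add random jitter, so the tolerance is a tunable parameter."""
    times = defaultdict(list)
    for rec in records:
        times[(rec["src"], rec["dst"])].append(rec["ts"])
    hits = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits[pair] = avg
    return hits


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return their findings."""
    records = parse_log(text)
    return {"bulk": detect_bulk_egress(records),
            "beacons": detect_beaconing(records)}


if __name__ == "__main__":
    for kind, hits in run().items():
        for (src, dst), value in hits.items():
            print(f"{kind}: {src} -> {dst} ({value})")
```

Run as a script, it reports the bulk transfer from 192.0.2.10 to 203.0.113.5 and the hourly beacon from 192.0.2.22 to 198.51.100.9; the reviewed destination and the one-off connections are left alone. In a real deployment the allow-list would be built from a baseline of observed destinations rather than hand-written, and the beacon check would be widened to tolerate the jitter that implants add on purpose.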