Five Eyes members warn of Accellion FTA extortion attacks


Four members of Five Eyes, in collaboration with Singapore as an active contributor, have issued a joint security advisory about ongoing attacks and extortion attempts targeting organizations using the Accellion File Transfer Appliance (FTA).

Five Eyes (aka FVEY) is an intelligence-sharing alliance that allows its members, the US, the UK, Canada, Australia, and New Zealand, to share signals intelligence (SIGINT), geospatial intelligence (GEOINT), and human intelligence (HUMINT).

"Cyber actors worldwide have exploited vulnerabilities in Accellion File Transfer Appliance to attack multiple federal, and state, local, tribal, and territorial government organizations as well as private industry organizations in the medical, legal, telecommunications, finance, and energy fields," CISA said today.

"This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States."

Besides providing indicators of compromise (IOCs) and mitigation measures for those who still use the vulnerable Accellion FTA software, the alliance members also warned of attackers extorting breached orgs under the threat of leaking sensitive information stolen from the Accellion appliance.

"In some instances, the attacker extorted money from victim organizations to prevent public release of information exfiltrated from a compromised Accellion appliance," the joint advisory reads.

The attackers behind this ongoing extortion campaign have leveraged four vulnerabilities affecting the Accellion FTA software to target the company's customers.

During one of the attacks against a state, local, tribal, or territorial (SLTT) organization, the threat actors may have gained access to "confidential organizational data."

The Five Eyes members advise Accellion FTA customers to implement the following mitigation measures to prevent attacks:

  • Temporarily isolate or block internet access to and from systems hosting the software.
  • Assess the system for evidence of malicious activity including the IOCs, and obtain a snapshot or forensic disk image of the system for subsequent investigation.
  • If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:
    • Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes, and consider resetting user passwords.
    • Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.
  • Update Accellion FTA to version FTA_9_12_432 or later.
  • Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
    • Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021. Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

Up to 100 organizations breached

In mid-December 2020, Accellion disclosed an actively exploited zero-day vulnerability affecting the FTA secure file-transfer service.

Threat actors exploited this security flaw to steal data from companies that used Accellion's service to communicate with partners and customers securely.

Among companies impacted by ongoing attacks targeting Accellion FTA vulnerabilities, BleepingComputer has reported incidents affecting the supermarket giant Kroger, Singtel, QIMR Berghofer Medical Research Institute, Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and the Office of the Washington State Auditor ("SAO").

A coordinated announcement published by Accellion and Mandiant on Monday shed further light on how the attacks took place.

Accellion said there were 300 customers using the 20-year-old legacy FTA software, with fewer than 100 of them breached by the Clop ransomware gang and FIN11 (the cybercrime groups behind these attacks). Under 25 victims appeared "to have suffered significant data theft," per Accellion.

The two groups have worked together before, with FIN11 joining the ransomware business last year and starting to encrypt their victims' networks using Clop.

CISA also issued a Malware Analysis Report (MAR) today with info on the malicious Hypertext Preprocessor (PHP) webshell deployed on compromised Accellion FTA servers to exfiltrate documents of interest.

Mandiant has been tracking the recent exploitation of Accellion FTA using multiple zero-days as UNC2546. The following vulnerabilities have been discovered:

  • CVE-2021-27101: SQL injection via a crafted Host header
  • CVE-2021-27102: OS command execution via a local web service call
  • CVE-2021-27103: SSRF via a crafted POST request
  • CVE-2021-27104: OS command execution via a crafted POST request
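As an added illustration of the first item in that list, the following defensive log check (example code written for this article, not from CISA, Mandiant or Accellion) flags requests whose Host header does not match the appliance's expected hostname or carries SQL metacharacters. The log format, the hostname and the sample lines are constructed assumptions, not the appliance's real log layout.

```python
import re
from typing import Dict, List, Optional

# Assumed hostname(s) the appliance legitimately answers to; anything else is anomalous.
EXPECTED_HOSTS = {"fta.example.com"}

# Characters and keywords that have no place in a hostname and hint at SQL injection.
SQLI_PATTERN = re.compile(r"['\";]|--|/\*|\b(union|select|sleep|benchmark)\b", re.IGNORECASE)

# Constructed log layout: common log format plus a quoted host="..." field at the end.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) host="(?P<host>.*)"$'
)

# Constructed sample lines (not real traffic): one with a SQL-looking Host header,
# one pointing at a hostname the appliance does not serve.
SAMPLE_LOGS = [
    '10.0.0.5 - - [22/Feb/2021:10:01:02 +0000] "GET /upload HTTP/1.1" 200 host="fta.example.com"',
    "198.51.100.7 - - [22/Feb/2021:10:01:09 +0000] \"POST /upload HTTP/1.1\" 200 host=\"fta.example.com' OR '1'='1\"",
    '10.0.0.8 - - [22/Feb/2021:10:02:11 +0000] "GET /download HTTP/1.1" 200 host="fta.example.com"',
    '198.51.100.7 - - [22/Feb/2021:10:02:30 +0000] "GET /upload HTTP/1.1" 200 host="scanner.example.net"',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_host(host: str) -> Optional[str]:
    """Return a reason string when the Host header is suspicious, else None."""
    if host in EXPECTED_HOSTS:
        return None
    if SQLI_PATTERN.search(host):
        return "sql-metacharacters-in-host"
    return "unexpected-host"


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the Host-header check over log lines and collect findings for triage."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped here; count them in real use
        reason = classify_host(rec["host"])
        if reason:
            findings.append({"src": rec["src"], "ts": rec["ts"], "host": rec["host"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} {f['src']} {f['reason']}: {f['host']!r}")
```

An allowlist of expected hostnames catches more than the pattern alone, since any Host value the appliance was never meant to serve is worth a look regardless of what it contains.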

Mandiant is tracking the extortion activity as a separate cluster, UNC2582, but also found overlaps between it, UNC2546, and previous operations attributed to the FIN11 cybercrime group.

Mandiant described the link between FIN11 and UNC2546 in the Accellion breaches as "compelling," but also says that the relationship is still under evaluation.
