
Attacks/Breaches

2/22/2021
04:50 PM

Accellion Data Breach Resulted in Extortion Attempts Against Multiple Victims

FireEye Mandiant says it discovered that data stolen via a flaw in Accellion FTA had landed on a Dark Web site associated with a known Russia-based threat group.

Several organizations that were impacted by the recently disclosed breach at enterprise firewall company Accellion had their data stolen and subsequently used as leverage in extortion attempts.

New analysis of the incident by Mandiant found that data belonging to multiple companies in the United States, Canada, the Netherlands, and Singapore has so far been released via a Dark Web site associated with a known Russia-based threat actor called FIN11 that has recently been observed operating a ransomware strain called CLOP. Victims include organizations in a wide range of sectors, Mandiant said.


Accellion on January 12 briefly disclosed that attackers had exploited a zero-day vulnerability in its File Transfer Appliance (FTA), a near-obsolete 20-year-old technology that enterprise organizations around the world have been using for years to transfer large files. The vendor said it had learned of the breach in mid-December and issued a patch for it in less than 72 hours. A subsequent and similarly brief update on Feb. 1 suggested that the attackers had exploited not one but several vulnerabilities in FTA, all of which the company said it had closed. Accellion urged FTA customers to switch to the company's newer Kiteworks technology as soon as possible.

Accellion itself has downplayed the scope of the incident and initially described the breach as impacting fewer than 50 customers worldwide. However, a quickly growing list of breach disclosures by FTA customers around the world suggests the actual number of victims could be higher.

On Friday, Kroger Co., the world's second-largest general retailer, became the latest victim. Kroger announced that an unknown intruder had used Accellion's vulnerable file-transfer service to access data belonging to a small group of customers. Among those impacted were customers associated with Kroger Health and Money Services, the retailer said. Others that have disclosed breaches related to Accellion's vulnerable FTA include the well-known law firm Jones Day, the State of Washington, the Reserve Bank of New Zealand, and Singapore Telecommunications (Singtel). Victims have reported customer data, credit information, and personal data such as birthdates and email addresses being stolen or compromised.

Multiple Threat Actors

Mandiant said an unknown attacker that it is tracking as UNC2546 exploited four zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA) sometime in mid-December 2020. The four vulnerabilities, all of which are now patched, are: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104.

The adversary exploited the vulnerabilities to install a hitherto unseen Web shell named DEWMODE on the Accellion FTA app and used it to exfiltrate data from victim networks. Mandiant's telemetry shows that DEWMODE is designed to extract a list of available files and associated metadata from a MySQL database on Accellion's FTA and then download files from that list via the Web shell. Once the downloads are complete, the attackers then execute a clean-up routine to erase traces of their activity.
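A web shell such as the one described above is, from the defender's side, first of all a file that was not there when the appliance was deployed. The following added example (not Mandiant's tooling, not Accellion's code, and not based on any DEWMODE indicator) shows the basic file-integrity check a practitioner would run against an appliance's web root: hash every file into a baseline, re-hash later, and report what appeared, changed or vanished. All file names and contents below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# NOTE: every path and file body in this demo is constructed; none is an
# Accellion FTA artefact or a DEWMODE indicator.


def snapshot(root: Path) -> dict:
    """Map every regular file under root (POSIX relative path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files that were added, modified or removed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate a tamper, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php // connect to mysql ?>\n")
        baseline = snapshot(root)  # taken at deployment / after patching

        # Constructed post-compromise state: an unknown script appears under the
        # web root and a shipped file is altered to load it.
        (root / "lib" / "uploaded_script.php").write_text(
            "<?php /* not part of the application */ ?>\n"
        )
        (root / "index.php").write_text(
            "<?php echo 'hello'; include 'lib/uploaded_script.php'; ?>\n"
        )
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    # Expected: added=['lib/uploaded_script.php'], modified=['index.php'], removed=[]
    print(demo())
```

The baseline must be stored off the appliance (the article notes the attackers ran a clean-up routine afterwards), and the comparison should run on a schedule rather than only after a breach disclosure; a vendor-signed manifest of the shipped files serves the same purpose where one is available.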

Mandiant has been unable to determine the threat actor UNC2546's primary motivation for the attacks. However, a few weeks after the data was stolen via DEWMODE, some victims reported receiving extortion emails from an adversary who claimed to be associated with the CLOP ransomware operation. The extortion campaign appeared associated with a separate group or activity cluster that Mandiant is currently tracking as UNC2582.

The security vendor says the attacker's pattern has been to steadily increase pressure on victim organizations: from initially sending emails to a small set of people from a single account to bombarding numerous recipients at the victim organization from hundreds of thousands of email addresses. Data posted on the FIN11-operated CLOP Dark Web site shows the threat group has carried out its threat in at least a few cases.

Charles Carmakal, senior vice president and CTO at FireEye Mandiant, says the company has identified overlaps between UNC2582, UNC2546, and prior FIN11 operations. "[But] we do not have enough data to track these clusters of activity as a single threat group," he says.

Carmakal says FIN11 maintained a high tempo of malicious activity through 2019 and 2020 but has been somewhat less active this year. "The threat group conducted widespread phishing campaigns targeting organizations in a broad range of sectors and geographic regions," he says. "We have not yet observed any FIN11 phishing campaigns in 2021—however, it is not unusual for the threat group to cease these operations for a month or two."

Mandiant does not have enough data at present to attribute UNC2546 and UNC2582 to any specific country or region, he notes. Neither is there any evidence tying the attack on Accellion to the one disclosed by SolarWinds last December, where malware was hidden in legitimate updates of the company's network management software and distributed to thousands of customers worldwide. "We attribute the intrusion activity and campaigns to different threat actors," Carmakal said.

Similar in Some Ways to SolarWinds

Even so, the breach at Accellion has inevitably drawn some comparisons to the SolarWinds breach. Both are recent examples of attackers impacting a large number of organizations by targeting their software supply chain. Both SolarWinds and Accellion's technologies are widely deployed and both organizations are regarded as trusted partners by customers.

"Supply-chain attacks make threat actors' job easier," says Ivan Righi, cyber threat intelligence analyst at Digital Shadows. By exploiting a single vulnerability, an attacker can gain access to multiple victims.

"There is a lot of value for threat actors to focus on these types of attacks," he says. The apparent success of the SolarWinds and Accellion breaches could prompt more targeting of popular third-party software providers, he says.

Oliver Tavakoli, CTO at Vectra, says the attacks on companies via Accellion's FTA application are more similar in nature to the attacks via flaws in Pulse Secure VPN servers in 2020 than they are to the SolarWinds-related attacks. Services like Accellion's FTA are deployed in the DMZ portion of enterprise networks and have always been popular targets for attackers. "The value of attacks through the DMZ is that they don't generally rely on phishing users and spending days or weeks progressing through the network from an end user's laptop to services of value," he says.

The lesson for security organizations is to pay closer attention to threats via the software supply chain, according to security experts. Though such threats can be hard to spot, especially when they involve software with trusted, privileged access on the network, organizations should take measures to minimize their exposure.

Mike Wilkes, CISO at SecurityScorecard, says it's possible that the use of Static Analysis Security Tools (SAST) and Dynamic Analysis Security Tools (DAST) can help organizations detect the presence of additional libraries and code in software from trusted partners. Another good measure is to have egress monitoring in place to detect data exfiltration and command-and-control communication.

"The SolarWinds hack laid low for two weeks before performing those outreach requests to the command-and-control servers," he says. "To be able to detect and block that traffic can mean the difference between being a victim and being protected."
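The egress monitoring Wilkes recommends covers the two behaviours the article describes: bulk outbound transfer from a DMZ appliance (the FTA exfiltration) and periodic low-volume check-ins to a command-and-control server (the SolarWinds dormancy followed by outreach). The following added example, which is not from the article, SecurityScorecard or any vendor product, runs both checks over constructed flow records. It assumes the enterprise's internal address space is exactly the three RFC 1918 ranges and treats everything else as external; the thresholds are illustrative.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: the organisation's address plan is the RFC 1918 ranges; anything
# else counts as an egress destination.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed flow records, not real telemetry:
# (timestamp_seconds, src_ip, dst_ip, bytes_out). Destinations use documentation ranges.
SAMPLE_FLOWS = [
    # Ordinary, irregular, small traffic from a DMZ host
    (0, "10.1.1.5", "198.51.100.7", 4_000),
    (95, "10.1.1.5", "198.51.100.7", 3_500),
    (400, "10.1.1.5", "203.0.113.9", 6_000),
    # Large internal transfer: not egress, must be ignored
    (500, "10.1.1.5", "10.1.2.20", 900_000_000),
    # Bulk outbound transfer from one DMZ host to one external address
    (1000, "10.1.1.7", "203.0.113.50", 300_000_000),
    (1100, "10.1.1.7", "203.0.113.50", 350_000_000),
    (1200, "10.1.1.7", "203.0.113.50", 400_000_000),
    # Tiny check-ins every ~60 s with little jitter
    (2000, "10.1.1.9", "192.0.2.33", 500),
    (2061, "10.1.1.9", "192.0.2.33", 510),
    (2119, "10.1.1.9", "192.0.2.33", 490),
    (2180, "10.1.1.9", "192.0.2.33", 505),
    (2240, "10.1.1.9", "192.0.2.33", 498),
]


def is_external(ip: str) -> bool:
    """True when the address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def volume_alerts(flows, threshold_bytes: int) -> list:
    """Source hosts whose total bytes to external destinations exceed the threshold."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if is_external(dst):
            totals[src] += nbytes
    return sorted(src for src, total in totals.items() if total > threshold_bytes)


def beacon_alerts(flows, min_events: int = 5, max_cv: float = 0.1) -> list:
    """(src, dst) pairs with at least min_events external connections whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        if is_external(dst):
            by_pair[(src, dst)].append(ts)
    alerts = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append(pair)
    return sorted(alerts)


if __name__ == "__main__":
    # Expected: ['10.1.1.7'] and [('10.1.1.9', '192.0.2.33')]
    print("bulk egress:", volume_alerts(SAMPLE_FLOWS, 100_000_000))
    print("beaconing:", beacon_alerts(SAMPLE_FLOWS))
```

In production the volume threshold would be a per-host baseline rather than a constant, and the beacon check would be run over a sliding window long enough to catch the multi-week dormancy Wilkes mentions; the point of the two functions is that both signals come from the same egress flow data, so one collection point serves both detections.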

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...