Several organizations that were impacted by the recently disclosed breach at enterprise firewall company Accellion had their data stolen and subsequently used as leverage in extortion attempts.
New analysis of the incident by Mandiant found that data belonging to multiple companies in the United States, Canada, the Netherlands, and Singapore has so far been released via a Dark Web site associated with a known Russia-based threat actor called FIN11 that has recently been observed operating a ransomware strain called CLOP. Victims include organizations in a wide range of sectors, Mandiant said.
Accellion on January 12 briefly disclosed that attackers had exploited a zero-day vulnerability in its File Transfer Appliance (FTA), a near-obsolete 20-year-old technology that enterprise organizations around the world have been using for years to transfer large files. The vendor said it had learned of the breach in mid-December and issued a patch for it in less than 72-hours. A subsequent—and similarly brief—update on Feb 1, suggested that the attackers had exploited not one, but several vulnerabilities in FTA, all of which the company said it had closed. Accellion urged FTA customers to switch to the company's newer Kiteworks technology as soon as possible.
Accellion itself has downplayed the scope of the incident and initially had described the breach as impacting less than 50 customers worldwide. However, a quickly growing list of breach disclosures by customers of FTA around the world suggests the actual number of victims could be higher.
On Friday, Kroger Co., the world's second largest general retailer, became the latest victim. Kroger announced that an unknown intruder had used Accellion's vulnerable file-transfer service to access data belonging to a small group of customers. Among those impacted were customers associated with Kroger Health and Money Service, the retailer said. Others that have disclosed breaches related to Accellion's vulnerable FTA include well known law firm Jones Day, the State of Washington, the Reserve Bank of New Zealand, and Singapore Telecommunications (Singtel). Victims have reported customer data, credit information, and personal data such as birthdates and email addresses being stolen or compromised.
Multiple Threat Actors
Mandiant said an unknown attacker that it is tracking as UNC2546 exploited four zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA) sometime in mid-December 2020. The four vulnerabilities, all of which are now patched, are: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104.
The adversary exploited the vulnerabilities to install a hitherto unseen Web shell named DEWMODE on the Accellion FTA app and used it to exfiltrate data from victim networks. Mandiant's telemetry shows that DEWMODE is designed to extract a list of available files and associated metadata from a MySQL database on Accellion's FTA and then download files from that list via the Web shell. Once the downloads are complete, the attackers then execute a clean-up routine to erase traces of their activity.
Mandiant has been unable to determine the threat actor UNC2546's primary motivation for the attacks. However, a few weeks after the data was stolen via DEWMODE, some victims reported receiving extortion emails from an adversary who claimed to be associated with the CLOP ransomware operation. The extortion campaign appeared associated with a separate group or activity cluster that Mandiant is currently tracking as UNC2582.
The security vendor says the attacker's pattern has been to steadily increase pressure on victim organization's—from initially sending emails to a small set of people from a single account to bombarding numerous recipients at the victim organization from hundreds of thousands of email addresses. Data posted on the FIN11-operated CLOP Dark Web site shows the threat group has carried out its threat in at least a few cases.
Charles Carmakal, senior vice president and CTO at FireEye Mandiant, says the company has identified overlaps between UNC2582, UNC2546, and prior FIN11 operations. "[But] we do not have enough data to track these clusters of activity as a single threat group," he says.
Carmakal says FIN11 maintained a high tempo of malicious activity through 2019 and 2020 but has been somewhat less so this year. "The threat group conducted widespread phishing campaigns targeting organizations in a broad range of sectors and geographic regions," he says. "We have not yet observed any FIN11 phishing campaigns in 2021—however, it is not unusual for the threat group to cease these operations for a month or two."
Mandiant does not have enough data at present to attribute UNC2546 and UNC2582 to any specific country or region, he notes. Neither is there any evidence tying the attack on Accellion to the one disclosed by SolarWinds last December where malware was hidden in legitimate updates of the company's network management software and distributed to thousands of customers worldwide. "We attribute the intrusions activity and campaigns to different threat actors," Carmakal said.
Similar in Some Ways to SolarWinds
Even so, the breach at Accellion has inevitably drawn some comparisons to the SolarWinds breach. Both are recent examples of attackers impacting a large number of organizations by targeting their software supply chain. Both SolarWinds and Accellion's technologies are widely deployed and both organizations are regarded as trusted partners by customers.
"Supply-chain attacks make threat actors' job easier," says Ivan Righi, cyber threat intelligence analyst at Digital Shadows. By exploiting a single vulnerability, an attacker can gain access to multiple victims.
"There is a lot of value for threat actors to focus on these types of attacks," he says. The apparent success of the SolarWinds and Accellion breaches could prompt more targeting of popular third-party software providers, he says.
Oliver Tavakoli, CTO at Vectra, says the attacks on companies via Accellion's FTA application is more similar in nature to the attacks via flaws in Pulse Secure VPN servers in 2020 than they are to SolarWinds-related attacks. Services like Accellion's FTA are deployed in the DMZ portion of enterprise networks and have always been popular targets for attackers. "The value of attacks through the DMZ is that they don't generally rely on phishing users and spending days or weeks progressing through the network from an end user's laptop to services of value," he says.
The lesson for security organizations is to pay closer attention to threats via the software supply chain, according to security experts. Though such threats can be hard to spot, especially when they involve software with trusted, privileged access on the network, organizations should take measures to minimize their exposure.
Mike Wilkes, CISO at SecurityScorecard, says it's possible that the use of Static Analysis Security Tools (SAST) and Dynamic Analysis Security Tools (DAST) can help organizations detect the presence of additional libraries and code in software from trusted partners. Another good measure is to have egress monitoring in place to detect data exfiltration and command-and-control communication.
"The SolarWinds hack laid low for two weeks before performing that outreach requests to the command-and-control servers," he says. "To be able to detect and block that traffic can mean the difference between being a victim or being protected."