Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

2/22/2021
04:50 PM

Accellion Data Breach Resulted in Extortion Attempts Against Multiple Victims

FireEye Mandiant says it discovered data stolen via flaw in Accellion FTA had landed on a Dark Web site associated with a known Russia-based threat group.

Several organizations that were impacted by the recently disclosed breach at enterprise firewall company Accellion had their data stolen and subsequently used as leverage in extortion attempts.

New analysis of the incident by Mandiant found that data belonging to multiple companies in the United States, Canada, the Netherlands, and Singapore has so far been released via a Dark Web site associated with a known Russia-based threat actor called FIN11 that has recently been observed operating a ransomware strain called CLOP. Victims include organizations in a wide range of sectors, Mandiant said.

Accellion on January 12 briefly disclosed that attackers had exploited a zero-day vulnerability in its File Transfer Appliance (FTA), a near-obsolete 20-year-old technology that enterprise organizations around the world have been using for years to transfer large files. The vendor said it had learned of the breach in mid-December and issued a patch for it in less than 72 hours. A subsequent—and similarly brief—update on Feb 1 suggested that the attackers had exploited not one but several vulnerabilities in FTA, all of which the company said it had closed. Accellion urged FTA customers to switch to the company's newer Kiteworks technology as soon as possible.

Accellion itself has downplayed the scope of the incident and initially described the breach as impacting fewer than 50 customers worldwide. However, a quickly growing list of breach disclosures by FTA customers around the world suggests the actual number of victims could be higher.

On Friday, Kroger Co., the world's second largest general retailer, became the latest victim. Kroger announced that an unknown intruder had used Accellion's vulnerable file-transfer service to access data belonging to a small group of customers. Among those impacted were customers associated with Kroger Health and Money Service, the retailer said. Others that have disclosed breaches related to Accellion's vulnerable FTA include the well-known law firm Jones Day, the State of Washington, the Reserve Bank of New Zealand, and Singapore Telecommunications (Singtel). Victims have reported customer data, credit information, and personal data such as birthdates and email addresses being stolen or compromised.

Multiple Threat Actors

Mandiant said an unknown attacker that it is tracking as UNC2546 exploited four zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA) sometime in mid-December 2020. The four vulnerabilities, all of which are now patched, are: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104.

The adversary exploited the vulnerabilities to install a hitherto unseen Web shell named DEWMODE on the Accellion FTA app and used it to exfiltrate data from victim networks. Mandiant's telemetry shows that DEWMODE is designed to extract a list of available files and associated metadata from a MySQL database on Accellion's FTA and then download files from that list via the Web shell. Once the downloads are complete, the attackers then execute a clean-up routine to erase traces of their activity.

Mandiant has been unable to determine the threat actor UNC2546's primary motivation for the attacks. However, a few weeks after the data was stolen via DEWMODE, some victims reported receiving extortion emails from an adversary who claimed to be associated with the CLOP ransomware operation. The extortion campaign appeared associated with a separate group or activity cluster that Mandiant is currently tracking as UNC2582.

The security vendor says the attacker's pattern has been to steadily increase pressure on victim organizations, from initially sending emails to a small set of people from a single account to bombarding numerous recipients at the victim organization from hundreds of thousands of email addresses. Data posted on the FIN11-operated CLOP Dark Web site shows the threat group has carried out its threat in at least a few cases.

Charles Carmakal, senior vice president and CTO at FireEye Mandiant, says the company has identified overlaps between UNC2582, UNC2546, and prior FIN11 operations. "[But] we do not have enough data to track these clusters of activity as a single threat group," he says.

Carmakal says FIN11 maintained a high tempo of malicious activity through 2019 and 2020 but has been somewhat less so this year. "The threat group conducted widespread phishing campaigns targeting organizations in a broad range of sectors and geographic regions," he says. "We have not yet observed any FIN11 phishing campaigns in 2021—however, it is not unusual for the threat group to cease these operations for a month or two."

Mandiant does not have enough data at present to attribute UNC2546 and UNC2582 to any specific country or region, he notes. Neither is there any evidence tying the attack on Accellion to the one disclosed by SolarWinds last December, where malware was hidden in legitimate updates of the company's network management software and distributed to thousands of customers worldwide. "We attribute the intrusion activity and campaigns to different threat actors," Carmakal said.

Similar in Some Ways to SolarWinds

Even so, the breach at Accellion has inevitably drawn some comparisons to the SolarWinds breach. Both are recent examples of attackers impacting a large number of organizations by targeting their software supply chain. Both SolarWinds and Accellion's technologies are widely deployed and both organizations are regarded as trusted partners by customers.

"Supply-chain attacks make threat actors' job easier," says Ivan Righi, cyber threat intelligence analyst at Digital Shadows. By exploiting a single vulnerability, an attacker can gain access to multiple victims.

"There is a lot of value for threat actors to focus on these types of attacks," he says. The apparent success of the SolarWinds and Accellion breaches could prompt more targeting of popular third-party software providers, he says.

Oliver Tavakoli, CTO at Vectra, says the attacks on companies via Accellion's FTA application are more similar in nature to the attacks via flaws in Pulse Secure VPN servers in 2020 than they are to SolarWinds-related attacks. Services like Accellion's FTA are deployed in the DMZ portion of enterprise networks and have always been popular targets for attackers. "The value of attacks through the DMZ is that they don't generally rely on phishing users and spending days or weeks progressing through the network from an end user's laptop to services of value," he says.

The lesson for security organizations is to pay closer attention to threats via the software supply chain, according to security experts. Though such threats can be hard to spot, especially when they involve software with trusted, privileged access on the network, organizations should take measures to minimize their exposure.

Mike Wilkes, CISO at SecurityScorecard, says it's possible that the use of Static Analysis Security Tools (SAST) and Dynamic Analysis Security Tools (DAST) can help organizations detect the presence of additional libraries and code in software from trusted partners. Another good measure is to have egress monitoring in place to detect data exfiltration and command-and-control communication.
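The behaviour Mandiant describes for DEWMODE (enumerate the file list, then pull many files through the Web shell) and the egress monitoring Wilkes recommends both come down to the same observable: one client fetching an unusual number of distinct files from the appliance in a short window. The following is an added illustration, not code from Mandiant, Accellion, or this article, that runs that check over constructed Common Log Format lines; the log lines, the `/download/` path prefix, and the window and file-count thresholds are all assumptions, not DEWMODE indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Common Log Format; not real FTA logs.
# alice is normal use; 203.0.113.9 pulls six distinct files in about a minute.
SAMPLE_LOG = """\
10.0.0.7 - alice [15/Dec/2020:01:05:11 +0000] "GET /download/q4-report.pdf HTTP/1.1" 200 812000
10.0.0.7 - alice [15/Dec/2020:01:58:40 +0000] "GET /download/budget.xlsx HTTP/1.1" 200 240000
203.0.113.9 - - [15/Dec/2020:02:10:01 +0000] "GET /download/file_001.pdf HTTP/1.1" 200 5242880
203.0.113.9 - - [15/Dec/2020:02:10:03 +0000] "GET /download/file_002.zip HTTP/1.1" 200 9000000
203.0.113.9 - - [15/Dec/2020:02:10:06 +0000] "GET /download/file_003.docx HTTP/1.1" 200 310000
203.0.113.9 - - [15/Dec/2020:02:10:09 +0000] "GET /download/file_004.pdf HTTP/1.1" 200 7700000
203.0.113.9 - - [15/Dec/2020:02:10:14 +0000] "GET /download/file_005.zip HTTP/1.1" 200 12000000
203.0.113.9 - - [15/Dec/2020:02:11:02 +0000] "GET /download/file_006.pdf HTTP/1.1" 200 4100000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Yield (ip, timestamp, path, bytes) for successful GETs under the download prefix."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        if not m["path"].startswith("/download/"):  # assumed download route
            continue
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], size

def find_bulk_downloads(text, window=timedelta(minutes=5), min_files=5):
    """Return (ip, burst_start, distinct_files, bytes) for each client that fetches
    at least min_files distinct files inside one sliding window. Thresholds are
    hypothetical starting points; baseline them against the appliance's normal use."""
    by_ip = defaultdict(list)
    for ip, ts, path, size in parse_log(text):
        by_ip[ip].append((ts, path, size))
    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            burst = events[start:end + 1]
            distinct = {p for _, p, _ in burst}
            if len(distinct) >= min_files:
                alerts.append((ip, burst[0][0], len(distinct), sum(s for _, _, s in burst)))
                break  # one alert per client is enough to open a triage ticket
    return alerts
```

The same per-client count works on proxy or firewall egress logs, where the volume of bytes leaving toward a single external destination is the field to watch.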

"The SolarWinds hack laid low for two weeks before performing those outreach requests to the command-and-control servers," he says. "To be able to detect and block that traffic can mean the difference between being a victim or being protected."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...