2/22/2021 04:50 PM
Accellion Data Breach Resulted in Extortion Attempts Against Multiple Victims

FireEye Mandiant says it discovered that data stolen via a flaw in Accellion FTA had landed on a Dark Web site associated with a known Russia-based threat group.

Several organizations that were impacted by the recently disclosed breach at enterprise firewall company Accellion had their data stolen and subsequently used as leverage in extortion attempts.

New analysis of the incident by Mandiant found that data belonging to multiple companies in the United States, Canada, the Netherlands, and Singapore has so far been released via a Dark Web site associated with a known Russia-based threat actor called FIN11 that has recently been observed operating a ransomware strain called CLOP. Victims include organizations in a wide range of sectors, Mandiant said.


Accellion on January 12 briefly disclosed that attackers had exploited a zero-day vulnerability in its File Transfer Appliance (FTA), a near-obsolete 20-year-old technology that enterprise organizations around the world have used for years to transfer large files. The vendor said it had learned of the breach in mid-December and issued a patch for it in less than 72 hours. A subsequent, similarly brief, update on Feb. 1 suggested that the attackers had exploited not one but several vulnerabilities in FTA, all of which the company said it had closed. Accellion urged FTA customers to switch to the company's newer Kiteworks technology as soon as possible.

Accellion itself has downplayed the scope of the incident and initially described the breach as impacting fewer than 50 customers worldwide. However, a quickly growing list of breach disclosures by FTA customers around the world suggests the actual number of victims could be higher.

On Friday, Kroger Co., the world's second-largest general retailer, became the latest victim. Kroger announced that an unknown intruder had used Accellion's vulnerable file-transfer service to access data belonging to a small group of customers. Among those impacted were customers associated with Kroger Health and Money Service, the retailer said. Others that have disclosed breaches related to Accellion's vulnerable FTA include the well-known law firm Jones Day, the State of Washington, the Reserve Bank of New Zealand, and Singapore Telecommunications (Singtel). Victims have reported customer data, credit information, and personal data such as birthdates and email addresses being stolen or compromised.

Multiple Threat Actors

Mandiant said an unknown attacker that it is tracking as UNC2546 exploited four zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA) sometime in mid-December 2020. The four vulnerabilities, all of which are now patched, are: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104.

The adversary exploited the vulnerabilities to install a hitherto unseen Web shell named DEWMODE on the Accellion FTA app and used it to exfiltrate data from victim networks. Mandiant's telemetry shows that DEWMODE is designed to extract a list of available files and associated metadata from a MySQL database on Accellion's FTA and then download files from that list via the Web shell. Once the downloads are complete, the attackers then execute a clean-up routine to erase traces of their activity.
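The behaviour described above leaves a trace a defender can look for without any knowledge of the shell itself: a script path that was never part of the appliance's install being hit by one client, which then pulls a large volume of bytes through that path in a short window. The following is an added example written for this article, not code from Mandiant, Accellion or the original piece. It runs over a constructed access log; the baseline paths, IP addresses and the unlisted script name are placeholders invented for the example, not real indicators from the incident.

```python
"""Flag web-shell-style activity in a file-transfer appliance's HTTP access log.

Added example (not the article's or any vendor's code). Detection logic: a
client that repeatedly requests a path absent from the known-good baseline and
moves a large byte volume through it within a few minutes gets flagged for review.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined-style access log line; only the fields used below are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed baseline of paths the appliance is known to serve. In a real deployment
# this comes from a clean install's file listing or a long pre-incident log window;
# these names are placeholders, not Accellion's real paths.
KNOWN_PATHS = {"/app/index.html", "/app/login.php", "/app/download.php"}

# Constructed sample log: one ordinary user (including a large download through the
# legitimate download script), one client hammering a script that is not in the
# baseline, one stray 404, and one unparseable line.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2020:03:10:01 +0000] "GET /app/login.php HTTP/1.1" 200 2048
10.0.0.5 - - [10/Dec/2020:03:10:09 +0000] "GET /app/download.php?id=41 HTTP/1.1" 200 4194304
203.0.113.7 - - [10/Dec/2020:03:14:07 +0000] "POST /app/unknown_helper.php HTTP/1.1" 200 1200
203.0.113.7 - - [10/Dec/2020:03:15:22 +0000] "GET /app/unknown_helper.php?f=1 HTTP/1.1" 200 2500000
203.0.113.7 - - [10/Dec/2020:03:16:40 +0000] "GET /app/unknown_helper.php?f=2 HTTP/1.1" 200 3200000
203.0.113.7 - - [10/Dec/2020:03:18:05 +0000] "GET /app/unknown_helper.php?f=3 HTTP/1.1" 200 900000
198.51.100.9 - - [10/Dec/2020:03:20:00 +0000] "GET /app/typo.php HTTP/1.1" 404 512
not a log line
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def find_webshell_candidates(lines, known_paths=KNOWN_PATHS, min_hits=3,
                             min_bytes=5_000_000, window_s=600):
    """Return {(client_ip, path): bytes} for paths outside the baseline that one client
    hit at least min_hits times, moving at least min_bytes, within window_s seconds."""
    hits = defaultdict(list)  # (ip, path) -> [(timestamp, response bytes), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue  # skip garbage and non-successful responses
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if path in known_paths:
            continue  # traffic through legitimate scripts is not the signal here
        hits[(rec["ip"], path)].append((rec["ts"], rec["bytes"]))

    flagged = {}
    for key, events in hits.items():
        events.sort()
        if len(events) < min_hits:
            continue
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            total = sum(b for _, b in events[start:end + 1])
            if end - start + 1 >= min_hits and total >= min_bytes:
                flagged[key] = max(flagged.get(key, 0), total)
    return flagged


if __name__ == "__main__":
    for (ip, path), total in find_webshell_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"review {ip} -> {path}: {total} bytes through a path not in the baseline")
```

The thresholds are deliberately parameters: a file-transfer appliance legitimately serves large downloads, so the signal is not volume alone but volume through a path that the baseline has never seen. The same run over a real log would start from a baseline taken from a known-clean image of the appliance.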

Mandiant has been unable to determine the primary motivation of UNC2546 for the attacks. However, a few weeks after the data was stolen via DEWMODE, some victims reported receiving extortion emails from an adversary who claimed to be associated with the CLOP ransomware operation. The extortion campaign appeared to be associated with a separate group or activity cluster that Mandiant is currently tracking as UNC2582.

The security vendor says the attacker's pattern has been to steadily increase pressure on victim organizations: initially sending emails to a small set of people from a single account, then bombarding numerous recipients at the victim organization from hundreds of thousands of email addresses. Data posted on the FIN11-operated CLOP Dark Web site shows the threat group has carried out its threat in at least a few cases.

Charles Carmakal, senior vice president and CTO at FireEye Mandiant, says the company has identified overlaps between UNC2582, UNC2546, and prior FIN11 operations. "[But] we do not have enough data to track these clusters of activity as a single threat group," he says.

Carmakal says FIN11 maintained a high tempo of malicious activity through 2019 and 2020 but has been somewhat less active this year. "The threat group conducted widespread phishing campaigns targeting organizations in a broad range of sectors and geographic regions," he says. "We have not yet observed any FIN11 phishing campaigns in 2021—however, it is not unusual for the threat group to cease these operations for a month or two."

Mandiant does not have enough data at present to attribute UNC2546 and UNC2582 to any specific country or region, he notes. Nor is there any evidence tying the attack on Accellion to the one disclosed by SolarWinds last December, in which malware was hidden in legitimate updates of the company's network management software and distributed to thousands of customers worldwide. "We attribute the intrusion activity and campaigns to different threat actors," Carmakal said.

Similar in Some Ways to SolarWinds

Even so, the breach at Accellion has inevitably drawn some comparisons to the SolarWinds breach. Both are recent examples of attackers impacting a large number of organizations by targeting their software supply chain. Both SolarWinds and Accellion's technologies are widely deployed and both organizations are regarded as trusted partners by customers.

"Supply-chain attacks make threat actors' job easier," says Ivan Righi, cyber threat intelligence analyst at Digital Shadows. By exploiting a single vulnerability, an attacker can gain access to multiple victims.

"There is a lot of value for threat actors to focus on these types of attacks," he says. The apparent success of the SolarWinds and Accellion breaches could prompt more targeting of popular third-party software providers, he says.

Oliver Tavakoli, CTO at Vectra, says the attacks on companies via Accellion's FTA application are more similar in nature to the 2020 attacks via flaws in Pulse Secure VPN servers than to SolarWinds-related attacks. Services like Accellion's FTA are deployed in the DMZ portion of enterprise networks and have always been popular targets for attackers. "The value of attacks through the DMZ is that they don't generally rely on phishing users and spending days or weeks progressing through the network from an end user's laptop to services of value," he says.

The lesson for security organizations is to pay closer attention to threats via the software supply chain, according to security experts. Though such threats can be hard to spot, especially when they involve software with trusted, privileged access on the network, organizations should take measures to minimize their exposure.

Mike Wilkes, CISO at SecurityScorecard, says it's possible that the use of Static Analysis Security Tools (SAST) and Dynamic Analysis Security Tools (DAST) can help organizations detect the presence of additional libraries and code in software from trusted partners. Another good measure is to have egress monitoring in place to detect data exfiltration and command-and-control communication.

"The SolarWinds hack lay low for two weeks before performing those outreach requests to the command-and-control servers," he says. "To be able to detect and block that traffic can mean the difference between being a victim or being protected."
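The two egress signals Wilkes points at, bulk data leaving a DMZ host and periodic "outreach" to a command-and-control server, can both be read off outbound flow records at the network edge. The following is an added example written for this article, not code from SecurityScorecard, Mandiant or the original piece. It runs two checks over a constructed list of flow records; the host names, addresses, byte counts and baselines are invented for the example, and a real deployment would read NetFlow/IPFIX, firewall logs or cloud VPC flow logs instead of the inline list.

```python
"""Two egress checks over outbound flow records from DMZ hosts.

Added example (not the article's or any vendor's code). Check 1 flags a host
sending far more than its normal outbound volume to one destination (possible
exfiltration). Check 2 flags a host contacting one destination at near-regular
intervals, which is how a dormant implant's periodic check-ins to a
command-and-control server usually look (beaconing).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2020, 12, 20, 0, 0, 0)


def _t(seconds):
    """Timestamp helper for the constructed records."""
    return BASE + timedelta(seconds=seconds)


# Constructed flow records: (timestamp, src_host, dst_ip, dst_port, bytes_out).
FLOWS = [
    # dmz-fta-01: ordinary, irregular, small outbound API/update traffic
    (_t(120), "dmz-fta-01", "198.51.100.20", 443, 48_000),
    (_t(5400), "dmz-fta-01", "198.51.100.20", 443, 61_000),
    (_t(20000), "dmz-fta-01", "198.51.100.20", 443, 52_000),
    # dmz-fta-01: three large transfers to a destination not seen before
    (_t(30000), "dmz-fta-01", "203.0.113.40", 443, 800_000_000),
    (_t(31200), "dmz-fta-01", "203.0.113.40", 443, 800_000_000),
    (_t(32500), "dmz-fta-01", "203.0.113.40", 443, 800_000_000),
]
# dmz-web-02: tiny, near-hourly check-ins to one host on a non-standard port
_offset = 0
for _gap in (0, 3600, 3580, 3620, 3600, 3590, 3610, 3600):
    _offset += _gap
    FLOWS.append((_t(_offset), "dmz-web-02", "203.0.113.99", 8443, 300))

# Constructed per-host baseline: typical outbound bytes per day, learned from a
# clean period. A DMZ host with no baseline entry is treated as baseline 0 and
# therefore always surfaces, which is the safe default for an unprofiled host.
BASELINE_BYTES_PER_DAY = {"dmz-fta-01": 50_000_000, "dmz-web-02": 20_000_000}


def exfil_candidates(flows, baseline, multiplier=10):
    """Return {(src, dst): bytes} where outbound volume to one destination exceeds
    multiplier times the source host's daily baseline."""
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        totals[(src, dst)] += nbytes
    return {k: v for k, v in totals.items() if v > multiplier * baseline.get(k[0], 0)}


def beacon_candidates(flows, min_connections=6, max_jitter=0.2):
    """Return {(src, dst, port): mean_interval_s} for destinations contacted at least
    min_connections times with inter-arrival times whose coefficient of variation
    (stdev / mean) is below max_jitter, i.e. suspiciously regular."""
    times = defaultdict(list)
    for ts, src, dst, port, _nbytes in flows:
        times[(src, dst, port)].append(ts)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            found[key] = round(avg)
    return found


if __name__ == "__main__":
    for (src, dst), total in exfil_candidates(FLOWS, BASELINE_BYTES_PER_DAY).items():
        print(f"volume: {src} sent {total} bytes to {dst}, far above its baseline")
    for (src, dst, port), interval in beacon_candidates(FLOWS).items():
        print(f"beacon: {src} contacts {dst}:{port} roughly every {interval}s")
```

The beacon check is the one that matters for the two-week dormancy Wilkes describes: the check-ins are tiny, so a volume threshold never fires, but their regularity does. Real implants add jitter to their sleep interval, which is why `max_jitter` is a tunable rather than a demand for exact periodicity.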

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...