Highly sophisticated cyberattack.
Threat actors associated with financially motivated hacker groups combined multiple zero-day vulnerabilities and a new web shell to breach up to 100 companies using Accellion’s legacy File Transfer Appliance and steal sensitive files.
The attacks occurred in mid-December 2020 and involved the Clop ransomware gang and the FIN11 threat group.
One attack vector, plenty of victims
Accellion disclosed, in two separate releases on Jan. 12 and Feb. 1, that attackers had exploited multiple zero-day vulnerabilities in its FTA server. The FTA is a 20-year-old, near-obsolete product that many enterprises nonetheless continue to use to transfer large files. It is typically deployed in the DMZ of the enterprise network, where it faces the internet directly.
A subsequent FireEye Mandiant investigation of the Accellion breach showed that the attackers had used the vulnerabilities to install a previously unknown web shell, named DEWMODE, on the FTA server. Through the web shell, the attackers exfiltrated files held on the FTA appliances of the enterprise organizations that used them to transfer data, FireEye Mandiant reported.
The actors appear to have opted for an extortion campaign: after stealing the data, they emailed victims and threatened to publish the stolen information on the Clop leak site unless a ransom was paid.
Among the victims are supermarket giant Kroger, Singtel, QIMR Berghofer Medical Research Institute, Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and the Office of the Washington State Auditor ("SAO").
Mandiant has been unable to determine the threat actor UNC2546's primary motivation for the attacks. However, the extortion campaign appeared to be associated with a separate group or activity cluster that Mandiant is currently tracking as UNC2582.
Mandiant does not have enough data at present to attribute UNC2546 and UNC2582 to any specific country or region.