The hacker group behind the latest cyber-attack targeting the FTA file transfer service of Accellion seems to be related to a threat actor known as FIN11, as reported by security analysts with the Mandiant division of FireEye.
The attacks on FTA, a soon-to-be-retired service, began in mid-December 2020 and culminated in data theft from several Accellion customers. The adversaries exploited several vulnerabilities in the file transfer service as part of the assault.
The food and drug retailer Kroger, the Australian Securities and Investments Commission (ASIC), the U.S.-based law firm Jones Day, the Washington State Auditor’s Office (SAO), the New Zealand Reserve Bank, and the Singapore telecoms firm Singtel are some of the impacted Accellion clients.
To gain access and exfiltrate files, the attackers exploited multiple vulnerabilities in FTA: CVE-2021-27101 (SQL injection), CVE-2021-27102 (OS command execution), CVE-2021-27103 (SSRF), and CVE-2021-27104 (OS command execution).
Accellion says that all of these flaws have already been patched and that, out of “300 total FTA customers, less than 100 were victims of the attack,” with fewer than 25 suffering “significant data theft.”
Accellion strongly advises FTA customers to migrate to Kiteworks, its enterprise content firewall platform. The vulnerabilities affect only Accellion FTA customers: neither the company’s Kiteworks platform nor Accellion itself is affected by these attacks, the company said on Monday.
FireEye’s Mandiant security researchers have monitored both the activities involving the exploitation of the zero-day vulnerabilities of the Accellion FTA and the data theft resulting from the cyber-attack, and claim they have found a connection between the assaults, the stolen data-related extorting attempts, and the FIN11 community.
FIN11 was previously described as a TA505 spin-off: a financially motivated threat actor engaged in ransomware and extortion operations that usually begin with phishing emails. The group has previously been linked to the use of FlawedAmmyy and the CLOP ransomware.
Tracked as UNC2546, the adversary targeting FTA abused the SQL injection flaw for initial access, which allowed them to extract a key that was then used in combination with a request to a specific file; they then ran the built-in Accellion admin.pl tool and installed a web shell.
Dubbed DEWMODE, the web shell allowed the attackers to retrieve from the MySQL database a list of available files and their metadata (file ID, filename, path, recipient, and uploader) and to download the files themselves.
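The pattern described above (a single source talking to a script the application does not normally expose, then pulling a burst of file downloads) is something a defender can look for in ordinary web-server access logs. The following is an added example written for this article, not code from Mandiant, Accellion, or the original report; the log format, the application paths, the allow-list of known scripts, the IP addresses, and the download threshold are all constructed assumptions, and it does not use any real FTA file names or indicators.

```python
"""
Added example: flag web-shell-like sessions in access logs.

Heuristic: group requests per source IP; an IP that requests a server-side
script outside the application's allow-list (a candidate web shell) and then
retrieves many files through the download endpoint is reported, with the
download count so an analyst can judge whether it looks like bulk exfiltration.
Everything below (log format, paths, IPs, thresholds) is a constructed assumption.
"""
import re
from collections import defaultdict

# Combined-style access log line (constructed format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Scripts the hypothetical application legitimately exposes (constructed allow-list).
KNOWN_SCRIPTS = {"/app/login.php", "/app/upload.php", "/app/download.php"}
DOWNLOAD_PATH = "/app/download.php"
SCRIPT_EXT = (".php", ".pl", ".cgi", ".jsp", ".aspx")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["route"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def detect_webshell_sessions(lines, min_downloads=3):
    """Return one finding per source IP that hit a script outside the allow-list.

    Downloads are only counted once that IP has already touched an unknown
    script, so the ordering "shell first, downloads after" is preserved.
    """
    per_ip = defaultdict(lambda: {"unknown_scripts": set(), "downloads": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        state = per_ip[rec["ip"]]
        route = rec["route"]
        if route.endswith(SCRIPT_EXT) and route not in KNOWN_SCRIPTS:
            state["unknown_scripts"].add(route)
        elif route == DOWNLOAD_PATH and rec["status"] == 200 and state["unknown_scripts"]:
            state["downloads"] += 1

    findings = []
    for ip, state in per_ip.items():
        if state["unknown_scripts"]:
            findings.append({
                "ip": ip,
                "unknown_scripts": sorted(state["unknown_scripts"]),
                "downloads_after_shell": state["downloads"],
                "bulk_download": state["downloads"] >= min_downloads,
            })
    return sorted(findings, key=lambda f: f["ip"])


# Constructed sample log: one ordinary user and one session that matches the pattern.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Dec/2020:03:12:01 +0000] "GET /app/login.php HTTP/1.1" 200 512
198.51.100.7 - - [16/Dec/2020:03:12:05 +0000] "POST /app/login.php HTTP/1.1" 302 0
198.51.100.7 - - [16/Dec/2020:03:13:10 +0000] "GET /app/download.php?id=41 HTTP/1.1" 200 20480
203.0.113.9 - - [16/Dec/2020:03:20:44 +0000] "GET /app/login.php HTTP/1.1" 200 512
203.0.113.9 - - [16/Dec/2020:03:21:02 +0000] "POST /app/tmp/help.php HTTP/1.1" 200 3127
203.0.113.9 - - [16/Dec/2020:03:21:09 +0000] "GET /app/download.php?id=1 HTTP/1.1" 200 8192
203.0.113.9 - - [16/Dec/2020:03:21:10 +0000] "GET /app/download.php?id=2 HTTP/1.1" 200 8192
203.0.113.9 - - [16/Dec/2020:03:21:11 +0000] "GET /app/download.php?id=3 HTTP/1.1" 200 8192
203.0.113.9 - - [16/Dec/2020:03:21:12 +0000] "GET /app/download.php?id=4 HTTP/1.1" 200 8192
not a log line
""".splitlines()


if __name__ == "__main__":
    for finding in detect_webshell_sessions(SAMPLE_LOG):
        print(finding)
```

The allow-list is the part that needs care in practice: it should be generated from the deployed application's own script inventory rather than typed by hand, and any script path that appears in the logs but not in the inventory deserves a look on its own, even before a download burst follows it.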
Weeks after the data theft, the researchers observed extortion attempts tied to the stolen data. Victims received extortion emails threatening to publish the data on the “CL0P^ – LEAKS” .onion website, activity that Mandiant attributes to a separate actor tracked as UNC2582.
“We have observed at least one case where an actor interacted with a DEWMODE web shell from a host that was used to send UNC2582-attributed extort email, despite tracking the exploitation and extortion activity in separate threat clusters,” Mandiant states.
The UNC2582 threat actor initially sends ransom emails to a small number of addresses inside the target organisation, the researchers explain. If no reply arrives in a timely manner, the messages are sent to additional addresses.
The adversary also appears to be escalating pressure through the CL0P^-LEAKS shaming page by releasing victim information. Data stolen from at least two organisations hit by the FTA attack has recently been posted there.
Mandiant also noticed overlaps between UNC2582 and FIN11 infrastructure: some of the extortion emails were sent from IP addresses and/or email domains that FIN11 had already used in various phishing attacks.
FIN11 is known to pause operations over the winter holidays, and its latest hiatus overlaps with UNC2582’s data theft extortion campaign. In addition, the links the extortionists provided to victims pointed to websites previously used in FIN11-attributed ransomware and data theft extortion campaigns.
The researchers also found overlaps between UNC2546 and FIN11 activity, such as targeting of the same organisations and use of an IP address (to communicate with a DEWMODE web shell) that FIN11 commonly used in its infrastructure for a piece of malware called FRIENDSPEAK.
The overlaps between FIN11, UNC2546, and UNC2582 are convincing, but Mandiant continues to track the clusters separately while it evaluates the nature of their relationships. One particular complication, Mandiant concludes, is that the FIN11 overlaps are limited to the later phases of the attack life cycle.