The hacking group behind the recent cyber-attack targeting Accellion’s FTA file transfer service appears to be linked to a threat actor known as FIN11, security researchers with FireEye’s Mandiant division reveal.
The attacks on FTA, a soon-to-be-retired service, started in mid-December 2020 and resulted in the compromise of data pertaining to multiple Accellion customers. As part of the attack, the adversaries targeted multiple vulnerabilities in the file transfer service.
Some of the affected Accellion customers include grocery and pharmacy chain Kroger, Australian Securities and Investments Commission (ASIC), U.S.-based law firm Jones Day, the Office of the Washington State Auditor (SAO), the Reserve Bank of New Zealand, and Singapore telecoms firm Singtel.
The attackers abused multiple vulnerabilities in FTA to gain access to and exfiltrate data, namely CVE-2021-27101 (SQL injection), CVE-2021-27102 (OS command execution), CVE-2021-27103 (SSRF), and CVE-2021-27104 (OS command execution).
Accellion says that all of these vulnerabilities have already been addressed and that, out of “300 total FTA clients, fewer than 100 were victims of the attack,” with fewer than 25 suffering “significant data theft.”
“Accellion strongly recommends that FTA customers migrate to kiteworks, Accellion’s enterprise content firewall platform. These exploits apply exclusively to Accellion FTA clients: neither kiteworks nor Accellion the company were subject to these attacks,” Accellion said on Monday.
FireEye’s Mandiant security researchers have been tracking both the activity surrounding the exploitation of the Accellion FTA zero-day vulnerabilities and the data theft that resulted from the cyber-attack, and say they have discovered a connection between the attacks, extortion attempts related to the stolen data, and the FIN11 group.
A financially-motivated threat actor, FIN11 was previously described as a TA505 spin-off, engaging in ransomware and extortion activities that typically start with phishing emails. Previously, the attackers were associated with the use of the FlawedAmmyy and the CLOP ransomware.
Tracked as UNC2546, the adversary that targeted FTA exploited the SQL injection vulnerability for initial access, which allowed them to retrieve a key used in conjunction with a request to a specific file, followed by the execution of the built-in Accellion utility admin.pl and the deployment of a web shell.
Dubbed DEWMODE, the web shell allowed the attackers to fetch a list of available files and corresponding metadata (file ID, filename, path, recipient, and uploader) from a MySQL database, as well as to download the files themselves.
Weeks after the data theft occurred, the security researchers observed extortion attempts related to the data. The extortion emails received by the victims threatened to make the information public on the “CL0P^_- LEAKS” .onion website, which Mandiant has associated with a different actor, tracked as UNC2582.
“Despite tracking the exploitation and extortion activity in separate threat clusters we have observed at least one case where an actor interacted with a DEWMODE web shell from a host that was used to send UNC2582-attributed extortion email,” Mandiant says.
The UNC2582 threat actor, the researchers explain, initially sends extortion emails to a small number of addresses within the target organization. If no reply is received in a timely manner, the messages are sent to multiple other addresses.
Furthermore, the adversary appears to be following through with the threats, publishing victim data on the CL0P^_- LEAKS shaming website. Recently, information stolen from at least two organizations affected by the FTA cyber-attack was published on the site.
Mandiant also discovered some overlaps between the UNC2582 and FIN11 infrastructure, as some of the email messages were sent from IP addresses and/or email accounts that FIN11 previously used in various phishing attacks.
While FIN11 is known to be pausing activities during the winter holidays, the recent hiatus overlaps with UNC2582’s data theft extortion activity. Furthermore, links that the extortionists sent to their victims were directed to websites that were previously used in ransomware and data theft extortion campaigns attributed to FIN11.
The researchers also identified overlaps between UNC2546 and FIN11 activities, such as the targeting of the same organizations, and the use of an IP address (to communicate with a DEWMODE web shell) that was in a network frequently used by FIN11 for a piece of malware named FRIENDSPEAK.
“The overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle,” Mandiant concludes.
Related: Double Extortion: Ransomware’s New Normal Combining Encryption with Data Theft