
Bjyda

Worldwide Accellion data breaches linked to Clop ransomware gang
Threat actors associated with financially-motivated hacker groups combined multiple zero-day vulnerabilities and a new web shell to breach up to 100 companies using Accellion's legacy File Transfer Appliance and steal data.

The attacks occurred in mid-December 2020 and were part of attacks that involve the Clop ransomware gang and the FIN11 threat group. The file-encrypting malware was not deployed in the recent incidents, though.

It appears that the actors opted for an extortion campaign. After stealing the data, they threatened victims over email with making stolen information publicly available on the Clop leak site unless a ransom was paid.

BleepingComputer has been tracking these Accellion-related breaches and discovered almost a dozen victims. Among them are Singtel (Clop claims to have 73GB of data), QIMR Berghofer Medical Research Institute, Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and the Office of the Washington State Auditor ("SAO").

Additional victims include:

- supermarket giant Kroger
- technical services company ABS Group
- law firm Jones Day
- Fortune 500 science and technology corporation Danaher
- geo-data specialist Fugro
- the University of Colorado

A press release from Accellion today says that of about 300 customers using its legacy, 20-year-old File Transfer Appliance (FTA), less than 100 were victims of these attacks from Clop and FIN11, and that less “than 25 appear to have suffered significant data theft.”

Accellion patched the vulnerabilities and continues its mitigation efforts. The company “strongly recommends that FTA customers migrate to Kiteworks” - an enterprise content firewall platform that has a different code base, features a security architecture, and includes a segregated, secure devops process.

Incident responders at FireEye Mandiant investigated these attacks for some of their customers and highlighted the collaboration between Clop ransomware and the FIN11 gang in this campaign.

Both groups have worked together before. Last year, FIN11 joined the ransomware business and started to encrypt the networks of their victims using Clop.

Mandiant has been tracking the recent exploitation of Accellion FTA using multiple zero-days as UNC2546. The following vulnerabilities have been discovered:

- CVE-2021-27101 - SQL injection via a crafted Host header
- CVE-2021-27102 - OS command execution via a local web service call
- CVE-2021-27103 - SSRF via a crafted POST request
- CVE-2021-27104 - OS command execution via a crafted POST request

The researchers distinguish this activity from the extortion campaign, which they track as UNC2582. However, they did notice overlaps between the two and previous operations attributed to FIN11.

New DEWMODE webshell planted on Accellion devices
While investigating the incidents, the researchers observed that the intruders used a previously undocumented webshell that they called DEWMODE.

“Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.”

The researchers reconstructed the compromise of Accellion FTAs using system logs from the breached devices, trailing the initial entry, the deployment of DEWMODE, and the follow-up interaction.

The attacker used the SQL injection vulnerability to gain access and then followed with requests to additional resources. Once they obtained the necessary access level, the hackers wrote the DEWMODE web shell to the system.

The role of the webshell was to extract a list of available files from a MySQL database on the FTA and to list them on an HTML page along with the accompanying metadata (file ID, path, filename, uploader, and recipient).

A blog post from Mandiant today explains all the technical aspects regarding the use of the web shell and how the hackers gained access to their targets.
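Detection logic for the sequence the article describes (a malformed Host header from one client, followed by that client requesting a script the appliance never served before), as an added example that is not part of the original post or of Mandiant's reporting. The log format, hostnames and paths are constructed placeholders, and the baseline of known paths is assumed to come from the operator's own inventory.

```python
import re

# Constructed sample access log (not from any real appliance). Assumed format:
# client - - [time] "METHOD path HTTP/1.1" status bytes "Host header"
SAMPLE_LOG = """\
198.51.100.7 - - [14/Dec/2020:03:12:01 +0000] "GET /fta/index.html HTTP/1.1" 200 5120 "fta.example.internal"
198.51.100.7 - - [14/Dec/2020:03:12:09 +0000] "GET /fta/index.html HTTP/1.1" 500 0 "fta.example.internal'"
198.51.100.7 - - [14/Dec/2020:03:12:15 +0000] "GET /fta/index.html HTTP/1.1" 200 5120 "fta.example.internal'; --"
198.51.100.7 - - [14/Dec/2020:03:13:40 +0000] "POST /fta/placeholder_helper.php HTTP/1.1" 200 312 "fta.example.internal"
198.51.100.7 - - [14/Dec/2020:03:14:02 +0000] "GET /fta/placeholder_shell.php HTTP/1.1" 200 8817 "fta.example.internal"
203.0.113.5 - - [14/Dec/2020:03:20:00 +0000] "GET /fta/index.html HTTP/1.1" 200 5120 "fta.example.internal"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)
# A Host header should be host[:port]; quotes, spaces or comment markers in it
# are not valid hostname characters and are typical of injection attempts.
VALID_HOST_RE = re.compile(r'^[A-Za-z0-9.-]+(:\d{1,5})?$')

# Constructed baseline of paths the appliance is known to serve.
KNOWN_PATHS = {"/fta/index.html", "/fta/placeholder_helper.php"}


def parse(log_text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def analyze(log_text, known_paths):
    """Return findings: malformed Host headers, and later requests by the same
    client to .php paths outside the known set (possible dropped web shell)."""
    findings = []
    suspicious_clients = set()
    for e in parse(log_text):
        if not VALID_HOST_RE.match(e["host"]):
            suspicious_clients.add(e["client"])
            findings.append(("malformed_host", e["client"], e["time"], e["host"]))
        elif (e["client"] in suspicious_clients
              and e["path"].endswith(".php")
              and e["path"] not in known_paths):
            findings.append(("unknown_script_after_host_anomaly", e["client"], e["time"], e["path"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, KNOWN_PATHS):
        print(*finding)
```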
