Accellion FTA attacks, extortion attempts might be the work of FIN11

By | 5:13 AM

Mandiant/FireEye researchers have tentatively linked the Accellion FTA zero-day attacks to FIN11, a cybercrime group leveraging CLOP ransomware to extort targeted organizations.

Accellion also confirmed on Monday that “out of approximately 300 total FTA clients, fewer than 100 were victims of the attack.”

A little bit of background information

Starting in December 2020, unknown attackers began exploiting previously unknown vulnerabilities in Accellion FTA (File Transfer Appliance), an enterprise file-sharing solution for securely transferring large and sensitive files.

While Accellion has been pushing customers towards their newer and more secure platform for years, the legacy FTA solution was still used by too many organizations and some of those were hit in these attacks, including the Australian Securities and Investments Commission, the Washington State Auditor Office, Singapore telecom Singtel, New Zealand’s central bank, the University of Colorado, law firm Jones Day, and US retailer Kroger.

Accellion says that fewer than 25 of the 100 victims “have suffered significant data theft.”

The company has fixed the exploited vulnerabilities, but continues to advise enterprise users to migrate to kiteworks, its enterprise content firewall platform, which is “built on an entirely different code base, using state-of-the-art security architecture, and a segregated, secure devops process.”

The attackers’ TTPs

“The earliest identification of activity associated with this campaign occurred in mid-December 2020. At this time, Mandiant identified UNC2546 leveraging an SQL injection vulnerability in the Accellion FTA. This SQL injection served as the primary intrusion vector,” Mandiant researchers explained.

After gaining access, the attackers succeeded in writing a web shell (DEWMODE) to the system, which extracted a list of available files from an FTA MySQL database. The attackers used this list to download files through the DEWMODE web shell, and then initiated a cleanup routine.
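The intrusion chain described above starts with an SQL injection that lets the attacker control what a database query returns. The following added example (not Accellion's or Mandiant's code) shows the vulnerability class in miniature: a file-listing lookup that builds its SQL from a user-supplied value, beside the parameterized form that binds the value as data. The in-memory table, its column names and the sample rows are all constructed for this illustration.

```python
"""Added example (not Accellion's code): a minimal file-listing lookup showing
how string-built SQL lets one crafted input return every stored file, and the
parameterized form that does not. Uses an in-memory SQLite table with
constructed sample rows; the table and column names are assumptions."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed 'files' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, path TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?)",
        [
            ("alice", "/data/alice/report.pdf"),
            ("bob", "/data/bob/contract.docx"),
            ("carol", "/data/carol/payroll.xlsx"),
        ],
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Builds the query by string concatenation: the caller-controlled 'owner'
    value becomes part of the SQL text, so a crafted value rewrites the WHERE
    clause and the query stops being scoped to one owner."""
    query = "SELECT path FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(query)]


def list_files_hardened(conn: sqlite3.Connection, owner: str) -> list[str]:
    """Parameterized query: the driver binds 'owner' as a literal value, never
    as SQL, so the same crafted input simply matches no owner."""
    rows = conn.execute("SELECT path FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"          # constructed input that alters the WHERE clause
    print(list_files_vulnerable(db, "alice"))    # only alice's file
    print(list_files_vulnerable(db, crafted))    # every row, regardless of owner
    print(list_files_hardened(db, crafted))      # [] (no owner has that literal name)
```

The defensive takeaway is the second function: with bound parameters, a query can only ever be scoped the way the code author wrote it, so a file-listing endpoint cannot be turned into an inventory of every file on the appliance. Reviewing an application for any query assembled from request data is the corresponding check.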

This all happened quickly, sometimes within hours of the installation of the web shell, but it took several weeks for the victims to start receiving extortion emails. These included a description of the stolen data and the threat that, if the victim doesn’t pay up, the attackers will publish the stolen data on the “CL0P^_- LEAKS” .onion shaming website.


According to the researchers, the attackers would follow a pattern of escalation to pressure victims into paying extortion demands – a pattern that would occasionally end with emails to partners of the victim organization that included links to the stolen data and negotiation chat.

It’s unknown whether some of the victims ended up paying the attackers.

“Monitoring of the CL0P^_- LEAKS shaming website has demonstrated that [the group] has followed through on threats to publish stolen data as several new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted,” the researchers shared.

Are these attackers the FIN11 cybercrime group?

Mandiant has noted several things that may link these attackers to the FIN11 attackers, including:

  • The use of the CL0P^_- LEAKS shaming site
  • Some extortion emails were sent from IP addresses and/or email accounts used by FIN11 in prior phishing campaigns
  • An IP address that communicated with a DEWMODE web shell was in the “Fortunix Networks L.P.” netblock, a network frequently used by FIN11 to host download and C&C domains

Also, they note, many of the organizations that experienced FTA exploitation and DEWMODE installation were previously targeted by FIN11.

But while the overlaps are compelling, they say that they have insufficient evidence to attribute the Accellion FTA attacks (FTA exploitation, DEWMODE, data theft extortion activity) to FIN11.

“Using SQL injection to deploy DEWMODE or acquiring access to a DEWMODE shell from a separate threat actor would represent a significant shift in FIN11 TTPs, given the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities,” they concluded.

from Help Net Security https://ift.tt/3socdzZ
