Worldwide Accellion data breaches linked to Clop ransomware gang
Threat actors associated with financially motivated hacker groups combined multiple zero-day vulnerabilities and a new web shell to breach up to 100 companies using Accellion's legacy File Transfer Appliance and steal data.


The attacks occurred in mid-December 2020 and were part of attacks that involve the Clop ransomware gang and the FIN11 threat group. The file-encrypting malware was not deployed in the recent incidents, though.


It appears that the actors opted for an extortion campaign. After stealing the data, they threatened victims over email with making stolen information publicly available on the Clop leak site unless a ransom was paid.


BleepingComputer has been tracking these Accellion-related breaches and discovered almost a dozen victims. Among them are Singtel (Clop claims to have 73GB of data), QIMR Berghofer Medical Research Institute, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and the Office of the Washington State Auditor ("SAO").


Additional victims include:

- supermarket giant Kroger

- technical services company ABS Group

- law firm Jones Day

- Fortune 500 science and technology corporation Danaher

- geo-data specialist Fugro

- the University of Colorado


A press release from Accellion today says that of about 300 customers using its legacy, 20-year-old File Transfer Appliance (FTA), fewer than 100 were victims of these attacks from Clop and FIN11, and that “less than 25 appear to have suffered significant data theft.”


Accellion patched the vulnerabilities and continues its mitigation efforts. The company “strongly recommends that FTA customers migrate to Kiteworks” - an enterprise content firewall platform that has a different code base, features a security architecture, and includes a segregated, secure DevOps process.


Incident responders at FireEye Mandiant investigated these attacks for some of their customers and highlighted the collaboration between Clop ransomware and the FIN11 gang in this campaign.


Both groups have worked together before. Last year, FIN11 joined the ransomware business and started to encrypt the networks of their victims using Clop.


Mandiant has been tracking the recent exploitation of Accellion FTA using multiple zero-days as UNC2546. The following vulnerabilities have been discovered:

- CVE-2021-27101 - SQL injection via a crafted Host header

- CVE-2021-27102 - OS command execution via a local web service call

- CVE-2021-27103 - SSRF via a crafted POST request

- CVE-2021-27104 - OS command execution via a crafted POST request


The researchers distinguish this activity from the extortion campaign, which they track as UNC2582. However, they did notice overlaps between the two and previous operations attributed to FIN11.

New DEWMODE webshell planted on Accellion devices

While investigating the incidents, the researchers observed that the intruders used a previously undocumented webshell that they called DEWMODE.

“Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.”


The researchers reconstructed the compromise of Accellion FTAs using system logs from the breached devices, tracing the initial entry, the deployment of DEWMODE, and the follow-up interaction.


The attacker used the SQL injection vulnerability to gain access and then followed with requests to additional resources. Once they obtained the necessary access level, the hackers wrote the DEWMODE web shell to the system.


The role of the webshell was to extract a list of available files from a MySQL database on the FTA and to list them on an HTML page along with the accompanying metadata (file ID, path, filename, uploader, and recipient).


A blog post from Mandiant today explains all the technical aspects regarding the use of the web shell and how the hackers gained access to their targets.



Source: Worldwide Accellion data breaches linked to Clop ransomware gang
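The article notes that Mandiant reconstructed the intrusions from the appliances' own logs, and that the initial vector (CVE-2021-27101) was SQL injection through a crafted Host header. That combination suggests a simple hunt a defender can run over web server access logs: flag any request whose Host header is not one of the appliance's expected hostnames or contains characters that never belong in a hostname. The script below is an added example written for this post; it is not code from BleepingComputer, Mandiant or Accellion. It assumes (as an assumption, not Accellion's documented format) an Apache-style combined log with the Host request header appended via the `%{Host}i` directive, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed log format (an assumption, not Accellion's documented format):
# Apache combined log with the Host request header appended in quotes, e.g.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

# RFC 1123 hostname, optionally followed by a port. Anything outside
# letters, digits, hyphens and dots (quotes, spaces, semicolons, ...) fails.
# Bracketed IPv6 literals are deliberately not accepted and will be flagged.
VALID_HOST_RE = re.compile(
    r'^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*(?::\d{1,5})?$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    host: str
    reason: str


def check_host(host: str, allowed: set) -> Optional[str]:
    """Return a reason string if the Host header looks anomalous, else None."""
    if host in ("", "-"):
        return "empty Host header"
    if not VALID_HOST_RE.match(host):
        return "Host header contains characters not valid in a hostname"
    hostname = host.rsplit(":", 1)[0].lower()  # strip optional port
    if hostname not in allowed:
        return f"Host header {hostname!r} not in allow-list"
    return None


def scan_log(lines: Iterable[str], allowed: set) -> List[Finding]:
    """Parse each access-log line and collect requests with a suspicious Host header."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real hunt would count these too
        reason = check_host(m["host"], allowed)
        if reason:
            findings.append(Finding(m["ip"], m["ts"], m["host"], reason))
    return findings


# Constructed sample lines (not real appliance logs). Addresses are from the
# RFC 5737 documentation ranges; the hostname is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Dec/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "fta.example.com"',
    '203.0.113.5 - - [16/Dec/2020:10:00:02 +0000] "POST /login HTTP/1.1" 200 64 "-" "Mozilla/5.0" "fta.example.com:443"',
    '198.51.100.7 - - [16/Dec/2020:10:05:10 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.25" "fta.example.com\'"',
    '198.51.100.7 - - [16/Dec/2020:10:05:11 +0000] "GET / HTTP/1.1" 500 0 "-" "python-requests/2.25" "attacker-controlled.example"',
]

ALLOWED_HOSTS = {"fta.example.com"}  # the appliance's expected hostnames (placeholder)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"{f.ts} {f.ip} host={f.host!r}: {f.reason}")
```

The allow-list check matters as much as the character check: an appliance only ever serves a handful of hostnames, so any other value in that field is worth a second look regardless of whether it contains obvious SQL metacharacters. Pivoting on the source address of a flagged request then gives the "follow-up interaction" the researchers describe.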
