Cybersecurity investigators on Monday tied a series of attacks targeting Accellion File Transfer Appliance (FTA) deployments over the past two months to a data theft and extortion campaign run by a cyber-crime group tracked as UNC2546.
The attacks, which began in mid-December 2020, exploited multiple zero-day vulnerabilities in the legacy FTA software to install a previously unseen web shell called DEWMODE on victim networks and exfiltrate sensitive data, which was then published on a data leak site operated by the CLOP ransomware gang.
Notably, no ransomware was deployed in any of the recent incidents. Organizations in the United States, Singapore, Canada, and the Netherlands were hit, with the actors instead resorting to extortion emails that threatened victims into paying a bitcoin ransom.
According to Risky Business, companies whose data has been listed on the site include Singapore telecommunications provider SingTel, the American Bureau of Shipping, the law firm Jones Day, the Dutch geo-data company Fugro, and the life sciences company Danaher.
Following the wave of attacks, Accellion has patched four FTA vulnerabilities known to have been exploited by the threat actors, and has added new monitoring and alerting capabilities to flag suspicious behaviour. The flaws are:
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
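The first entry above is a reminder that the HTTP Host header is attacker-controlled input like any other, even on an appliance that only expects to be reached by its configured hostnames. The following is an added, generic illustration of that vulnerability class and its fix; it is not Accellion FTA code and does not describe how CVE-2021-27101 itself worked. The table, hostnames and payload are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for an appliance's hostname-to-tenant
# lookup. Hypothetical schema; not Accellion FTA code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (hostname TEXT, tenant TEXT)")
    conn.executemany(
        "INSERT INTO sites VALUES (?, ?)",
        [("fta.example.com", "acme"), ("fta2.example.com", "beta")],
    )
    return conn

def lookup_tenant_vulnerable(conn, host_header):
    # The Host header arrives straight from the client; splicing it into the
    # SQL text lets a single quote break out of the string literal.
    sql = f"SELECT tenant FROM sites WHERE hostname = '{host_header}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_tenant_hardened(conn, host_header):
    # Parameterised query: the header is bound as data and never parsed as SQL.
    sql = "SELECT tenant FROM sites WHERE hostname = ?"
    return [row[0] for row in conn.execute(sql, (host_header,))]

def host_is_expected(host_header, allowed_hosts):
    # Defence in depth: an appliance knows its own names, so reject anything
    # else before it reaches any lookup at all. Strips an optional :port.
    host = host_header.rsplit(":", 1)[0] if ":" in host_header else host_header
    return host.lower() in {h.lower() for h in allowed_hosts}

def demo():
    conn = make_db()
    benign = "fta.example.com"
    # Constructed payload: closes the literal and appends a tautology.
    malicious = "x' OR '1'='1"
    allowed = ["fta.example.com", "fta2.example.com"]
    return {
        "vuln_benign": lookup_tenant_vulnerable(conn, benign),
        "vuln_malicious": sorted(lookup_tenant_vulnerable(conn, malicious)),
        "hard_benign": lookup_tenant_hardened(conn, benign),
        "hard_malicious": lookup_tenant_hardened(conn, malicious),
        "allow_benign": host_is_expected(benign, allowed),
        "allow_malicious": host_is_expected(malicious, allowed),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the injected header the vulnerable lookup returns every tenant, while the parameterised version returns nothing and the allowlist rejects the header outright. The same reasoning applies to any request-derived value an appliance treats as trusted configuration.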
FireEye's Mandiant threat intelligence team, which is leading the incident response efforts, is tracking the subsequent extortion scheme under a separate threat cluster it calls UNC2582, despite "compelling" overlaps identified between both sets of malicious activity and previous attacks carried out by a financially motivated hacking group dubbed FIN11.
“Many of the organizations compromised by UNC2546 were previously targeted by FIN11,” said FireEye. “Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in several phishing campaigns between August and December 2020.”
Once installed, the DEWMODE web shell was used to download files from the compromised FTA instances, and several weeks later the victims received extortion emails claiming to be from the “CLOP ransomware team.”
Failure to respond in a timely manner resulted in additional emails being sent to a wider group of recipients in the victim organization and its partners, including links to the stolen data, the researchers detailed.
Apart from urging its FTA customers to migrate to its Kiteworks platform, Accellion said fewer than 100 of its 300 FTA customers were affected by the attack, and fewer than 25 appear to have suffered “significant” data theft.
The development comes after the Kroger grocery chain revealed last week that HR data, pharmacy records, and money services records belonging to some customers may have been compromised as a result of the Accellion incident.
Then earlier today, Transport for New South Wales (TfNSW) became the latest entity to confirm that it was affected by the worldwide Accellion data breach.
“The Accellion system has been widely used to share and store files by organizations around the world, including Transport for NSW,” the Australian agency said. “Before the attack on Accellion servers was interrupted, some Transport for NSW information was taken.”