Getty Images/iStockphoto

CISA Warns of Accellion FTA Exploit; Centene Among Breach Victims

Clop ransomware actors exploited vulnerabilities in unpatched Accellion FTA services and stole data from a range of breach victims, including Centene. CISA details indicators of compromise.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is urging all organizations to be on alert, as threat actors exploited several unpatched vulnerabilities in Accellion’s File Transfer Appliance (FTA) and stole a trove of data in an effort to extort victims. 

The joint alert from CISA and security agencies of the UK, Australia, New Zealand, and Singapore warns four known vulnerabilities in the FTA platform were exploited, impacting a range of companies, including those in the medical, legal, financial, telecommunications, and energy sectors.

Healthcare insurer Centene is among the latest victims, which also includes Kroger, Bombardier, and the Jones Day Law Firm.

A recent SEC filing shows that Centene was first notified by Accellion in January 2021 that its data was subjected to unauthorized access due to an exploit of the FTA vulnerability for a number of days.

“This incident is still under investigation, but we currently do not believe that it will have a material adverse effect on our business, reputation, results of operations, financial position and cash flows,” according to the filing.

“However, there can be no assurance that the January 2021 incident and other privacy or security breaches will not require us to expend significant resources to remediate any damage, interrupt our operations and damage our business or reputation, subject us to state, federal, or international agency review, and result in enforcement actions...,” it added.

An investigation led by Accellion and FireEye Mandiant recently confirmed that it appears the FIN11 group and Clop ransomware actors were behind the attack. The actors exploited several unpatched zero-day flaws in its FTA product, which resulted in a significant data theft.

Mandiant’s findings determined the exploits began in mid-December, where the attackers installed a newly discovered web shell named DEWMODE. No ransomware was deployed in the attacks.

It was not immediately clear what the attackers were attempting to gain from the exploit. But in late January, a number of organizations impacted by the incident began to receive extortion emails from the hackers, threatening to leak the stolen data.

So far, it appears at least 100 companies have been impacted by the incident. The Clop actor’s dark web blog has already leaked data from a number of victims from the US, Canada, Netherlands, and Singapore.

The CISA alert outlines indicators of compromise and details into several of the known attacks. In two incidents, CISA observed a large amount of data transferred over port 443 from federal agency IP addresses.

All organizations are being urged to review these IOCs and the Mandiant findings to determine if the entity has been impacted by the exploit.

“If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/ folder over the period of malicious activity, according to the alert.

“This information is only indicative and may not be a comprehensive identifier of all exfiltrated files,” it added.

All entities using Accellion FTA should temporarily isolate or block internet access to and from systems hosting the software. The system should then be reviewed for evidence of malicious activity, including the provided IOCs, and then obtain an image or snapshot of the system for a follow-up investigation.

If any malicious activity is found, the administrator should consider auditing all Accellion FTA user accounts for any unauthorized changes and consider a widespread password and security token reset. This reset should include the W1 encryption token, which could have been exposed through SQL injection.

The FTA should also be updated to version FTA_9_12_432 or later. The administrator should also evaluate potential solutions for migration to a supported file-sharing platform after appropriate testing has been completed.

Notably, Accellion reported FTA will reach end-of-life on April 30, 2021, which means the platform must be replaced before EOL to significantly reduce risks and costs.

CISA also recommended entities implement an automated software update tool to ensure all third-party software across the enterprise is continuously operating with the latest security updates provided by the vendor.

Further, systems should only operate with up-to-date and trusted third-party components. Additional security controls should also be implemented to prevent access from unauthorized sources.

Next Steps

Dig Deeper on Cybersecurity strategies