Oleksii - stock.adobe.com

Accellion FTA attacks claim more victims

More details have emerged about the Accellion FTA attacks since the December disclosure, including possible threat groups behind the breach and a growing list of victims.

The Accellion breach has left a trail of victims in its wake, and the number appears to be growing by the day.

The target of the attack, which was first disclosed on Dec. 23, 2020, was Accellion's 20-year-old file-sharing product, File Transfer Appliance (FTA). The attackers utilized a zero-day vulnerability in FTA in what Accellion called a "highly sophisticated cyberattack."

While threat actor motivations were not immediately clear, FireEye last week published research that showed the breach was the work of threat actors the vendor identified as UNC2546, which have connections to Clop ransomware.

FireEye's Mandiant threat intelligence team started tracking the UNC2546 threat actors in mid-December after they exploited multiple zero-day vulnerabilities in Accellion's legacy product to install a newly discovered malicious web shell named DEWMODE. Accellion patched the four vulnerabilities, three of which were critical, but it appears damage had already been done.

In the blog post, FireEye Mandiant intelligence analysts Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta and Kimberly Goody said starting in January 2021, several organizations that were Accellion FTA customers began receiving extortion emails from an actor claiming association with the Clop ransomware team. That actor threatened to publish stolen data on "CLOP^_-LEAKS" .onion, a data leak shaming site on the dark web

Operators behind Clop ransomware are known to use the name-and-shame tactic to pressure victims into paying. They are also known for following through with that threat. One example occurred last year when a double extortion attack against Software AG resulted in leaked confidential data, including employees' passport details, internal emails and financial information.

"Some of the published victim data appears to have been stolen using the DEWMODE web shell," the blog post said. "Notably, the number of victims on the "CLOP^_-LEAKS" shaming site has increased in February 2021 with organizations in the United States, Singapore, Canada, and the Netherlands recently outed by these actors."

The Cybersecurity and Infrastructure Security Agency (CISA), published a joint advisory Feb. 24 with cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom and the United States.

"Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors," the advisory said. "In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance."

One attack vector, plenty of victims

While Accellion FTA is a 20-year-old legacy product that is scheduled for end of life this year, it appears a significant number of organizations were still using it. In recent weeks, several enterprises have disclosed breaches and attributed the attacks to the product. SearchSecurity asked FireEye if it had ruled out any possible vectors besides FTA.

"FTA is a standalone appliance and does not have any integration with other Accellion products. Based on the evidence we've seen, I'd rule out attack vectors outside of the Accellion FTA," vice president of Mandiant consulting David Wong said in an email to SearchSecurity.

Initially, a handful of organizations, including international law firm Jones Day, disclosed breaches and data thefts last month following Accellion's initial disclosure. But the number of reported victims had steadily increased since then.

UPDTE: On March 3, cloud security vendor Qualys announced that a "limited number of customers" were impacted by a breach connected to the Accellion FTA zero-day vulnerability. The company confirmed the breach did not affect any production environments, product code or customer data hosted on the Qualys Cloud Platform. Because Qualys deployed its Accellion FTA server in a segregated DMZ environment, the breach only affected manually uploaded files for the vendor's customer support system.

One of the more recent victims is supermarket group Kroger. In a disclosure last week, Kroger confirmed that it was impacted by Accellion's data security incident. Additionally, the company said that it did not affect Kroger's IT systems or any grocery store systems or data -- meaning no credit or debit card information or customer account passwords were affected.

"Accellion's services were used by Kroger, as well as many other companies, for third-party secure file transfers. Accellion notified Kroger that an unauthorized person gained access to certain Kroger files by exploiting a vulnerability in Accellion's file transfer service," the statement said. "After being informed of the incident's effect on January 23, 2021, Kroger discontinued the use of Accellion's services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident."

The Reserve Bank of New Zealand (RBNZ) provided the latest update to its breach disclosure on Feb. 15.

"In January 2021, we reported a data breach of a third-party file sharing software application -- Accellion FTA -- that we use to share and store sensitive information. Following this malicious attack, the software application was secured and closed," the statement said.

According to the statement, the breach against the bank occurred on Dec. 25, 2020, and "a number of files were illegally downloaded from the FTA." RBNZ also slammed Accellion for not alerting the bank that a security update was available.

"Accellion released a patch to address the vulnerability on 20 December 2020, but failed to notify the Bank a patch was available. There was a period of five days from the patch on 20 December until 25 December when the breach occurred, during which the bank would have applied the patch if it had been notified it was available," the disclosure said.

During a press conference, RBNZ governor Adrian Orr said the "ongoing investigation makes it clear that the breach is serious and has significant data implications." He also said they believe Accellion "service levels have been below what they would have accepted here at the reserve bank."

SearchSecurity asked RBNZ to expand on the service expectations, but a spokesperson said they can't provide more details at this point.

"The Bank will provide more information regarding this incident as and when it is appropriate to do so, being mindful not to undermine the KPMG review and criminal and forensic investigations currently underway," a RBNZ spokesperson said in an email to SearchSecurity.

However, the disclosure also said RBNZ is "aware of shortcomings in the bank's processes and systems."

Another victim was the Australian Securities and Investments Commission (ASIC), which disclosed it became aware of a cyber incident on Jan. 15. "The cyber incident occurred due to a vulnerability in a file transfer appliance (FTA) provided by California-based Accellion and previously used by ASIC to receive attachments to Australian license applications," the disclosure said.

Hackers also breached the server of Canadian aviation company Bombardier. In a statement Feb. 23, Bombardier said it recently suffered a "limited cybersecurity breach."

"An initial investigation revealed that an unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application, which was running on purpose-built servers isolated from the main Bombardier IT network," the disclosure said.

SearchSecurity reached out to Bombardier to confirm if it was an Accellion FTA.

"Yes, Accellion. Bombardier was among several other organizations worldwide who were attacked through the same vulnerability in the same application, including financial organizations, governments and companies," a Bombardier spokeswoman said.

Next on the list of victims is the Transport for New South Wales (NSW), which also published a disclosure on Feb. 23.

"Transport for NSW has been impacted by a cyber attack on a file transfer system owned by international company Accellion. The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW. Before the attack on Accellion servers as interrupted, some Transport for NSW information was taken," the disclosure said. "This breach was limited to Accellion servers."

There are reports of additional victims including Goodwin Law, though there has not been a breach disclosure from the law firm. SearchSecurity asked Goodwin Law for comment, but the firm declined.

Accellion said it will retire the legacy software on April 30.

Next Steps

Accellion-related breach disclosures continue to unfold

Dig Deeper on Threats and vulnerabilities