Multiple Zero-Day Vulnerabilities in Accellion FTA Server Exploited for Data Exfiltration and Extortion
THREAT LEVEL: RED
Multiple zero-day vulnerabilities have been discovered in Accellion’s legacy File Transfer Appliance (FTA) and are being exploited by threat actors for data exfiltration, extortion, and ransomware. Accellion has patched the vulnerabilities and continues its mitigation efforts. The company “strongly recommends that FTA customers migrate to Kiteworks”, an enterprise content firewall platform built on a different code base, with its own security architecture and a segregated, secure DevOps process.
Vulnerability Details
SQL injection via a crafted Host header: CVE-2021-27101
Affected Versions: 9.12.370 and earlier
Affected CPE: cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
CWE: CWE-89
OS command execution via a local web service call: CVE-2021-27102
Affected Versions: 9.12.411 and earlier
Affected CPE: cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
CWE: CWE-78
SSRF via a crafted POST request to wmProgressstat.html: CVE-2021-27103
Affected Versions: 9.12.411 and earlier
Affected CPE: cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
CWE: CWE-918
OS command execution via a crafted POST request to various admin endpoints: CVE-2021-27104
Affected Versions: 9.12.370 and earlier
Affected CPE: cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
CWE: CWE-78
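A triage helper for the build ranges listed above, added here as an example (it is not Accellion's code or part of the original advisory). It assumes FTA builds are written as "9_12_411" or "9.12.411" and reads each listed version as the top of a "that build and earlier" range, as the NVD descriptions phrase it; the sample inputs at the bottom are constructed and say nothing about which builds Accellion shipped as fixes.

```python
import re

# Highest affected build per CVE, taken from the advisory above
# (the NVD descriptions read "<build> and earlier").
AFFECTED_UP_TO = {
    "CVE-2021-27101": (9, 12, 370),  # SQL injection via crafted Host header
    "CVE-2021-27102": (9, 12, 411),  # OS command execution via local web service call
    "CVE-2021-27103": (9, 12, 411),  # SSRF via crafted POST to wmProgressstat.html
    "CVE-2021-27104": (9, 12, 370),  # OS command execution via POST to admin endpoints
}

# Accepts both the underscore form used by Accellion/NVD and the dotted form.
BUILD_RE = re.compile(r"^\s*(\d+)[._](\d+)[._](\d+)\s*$")


def parse_build(build: str) -> tuple:
    """Turn '9_12_411' or '9.12.411' into (9, 12, 411); reject anything else
    rather than silently comparing garbage."""
    m = BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised FTA build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(build: str) -> list:
    """CVE IDs whose affected range ('<top> and earlier') includes this build.
    Tuple comparison is numeric, so 9.12.411 sorts after 9.12.90 as it should."""
    b = parse_build(build)
    return sorted(cve for cve, top in AFFECTED_UP_TO.items() if b <= top)


if __name__ == "__main__":
    # Constructed sample inputs (assumption: not a statement about real fix builds).
    for build in ("9_12_370", "9_12_380", "9.12.411", "9.12.420", "9.12.x"):
        try:
            print(build, "->", affected_cves(build) or "outside the listed ranges")
        except ValueError as e:
            print(build, "->", e)
```

Because the page lists only the upper bound of each range, a build above 9.12.411 returns an empty list; that means "outside the listed ranges", not "confirmed patched", which you should verify against Accellion's own advisory.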
Threat Actors
FIN11
Financially motivated group behind bold, large, and long-running malware campaigns. It has become highly active in the last two years, expanding its targeting with extremely aggressive ransomware attacks.
UNC2546
Became active in December 2020, exploiting the Accellion FTA vulnerabilities and deploying a newly discovered web shell, DEWMODE.
Clop
CryptoMix-derived ransomware gang that primarily attacks large enterprises in the US, Germany, India, Mexico, Russia, and Turkey.
UNC2582
Operates in connection with UNC2546 and the Clop ransomware team, and also uses the DEWMODE web shell.
Recent Targets
- Supermarket giant Kroger
- Singtel
- QIMR Berghofer Medical Research Institute
- Reserve Bank of New Zealand
- The Australian Securities and Investments Commission (ASIC)
- The Office of the Washington State Auditor (SAO)
- Technical services company ABS Group
- Law firm Jones Day
- Fortune 500 science and technology corporation Danaher
- Geo-data specialist Fugro
- University of Colorado
- Cyber security firm Qualys
Indicators of Compromise (IOCs)
DEWMODE Web Shells
| MD5 | SHA256 |
|---|---|
| 2798c0e836b907e8224520e7e6e4bb42 | 5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b |
| bdfd11b1b092b7c61ce5f02ffc5ad55a | 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7 |
UNC2546 Source IP Addresses
The following source IP addresses were observed in multiple UNC2546 intrusions:
- 45.135.229.179
- 79.141.162.82
- 155.94.160.40
- 192.154.253.120
- 192.52.167.101
- 194.88.104.24
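As an added example (not code from this advisory, Accellion, or Mandiant), the following Python sweeps a directory for files whose MD5 or SHA256 matches the DEWMODE hashes above and scans web server access-log lines for the UNC2546 source IPs. It assumes an Apache common/combined log format with the client IP as the first field; the sample log lines are constructed, and the temporary file written by demo_file_sweep() is a placeholder used to exercise the matching path, not a DEWMODE sample.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# IOCs copied from the advisory above.
DEWMODE_MD5 = {
    "2798c0e836b907e8224520e7e6e4bb42",
    "bdfd11b1b092b7c61ce5f02ffc5ad55a",
}
DEWMODE_SHA256 = {
    "5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b",
    "2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7",
}
UNC2546_IPS = {
    "45.135.229.179", "79.141.162.82", "155.94.160.40",
    "192.154.253.120", "192.52.167.101", "194.88.104.24",
}


def file_digests(path):
    """Return (md5_hex, sha256_hex) for a file, hashing it in 64 KiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def sweep_files(root, md5s=DEWMODE_MD5, sha256s=DEWMODE_SHA256):
    """Walk root recursively; return (path, md5, sha256) for every file whose
    MD5 or SHA256 is in the IOC sets. Unreadable files are skipped, not fatal."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            md5, sha = file_digests(p)
        except OSError:
            continue
        if md5 in md5s or sha in sha256s:
            hits.append((str(p), md5, sha))
    return hits


# Apache common/combined log prefix: client ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def sweep_log(lines, bad_ips=UNC2546_IPS):
    """Return (ip, timestamp, request, status) for each parseable line whose
    client IP is one of the IOC addresses; unparseable lines are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("ip") in bad_ips:
            hits.append((m.group("ip"), m.group("ts"), m.group("req"), int(m.group("status"))))
    return hits


# Constructed sample log lines (assumption: not real FTA traffic); only the
# second line comes from an IOC address, and the last line is deliberately malformed.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '45.135.229.179 - - [20/Jan/2021:10:05:44 +0000] "POST /wmProgressstat.html HTTP/1.1" 200 48',
    '10.0.0.9 - - [20/Jan/2021:10:06:10 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
    'not a log line at all',
]


def demo_file_sweep():
    """Write a constructed placeholder file to a temp dir and sweep it twice:
    once against its own MD5 (to show a hit) and once against the real IOC set.
    Returns (hits_against_own_hash, hits_against_real_iocs)."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "about.html"
        sample.write_bytes(b"<?php /* constructed placeholder, not DEWMODE */ ?>")
        md5, _ = file_digests(sample)
        return len(sweep_files(d, md5s={md5})), len(sweep_files(d))


if __name__ == "__main__":
    print("log hits:", sweep_log(SAMPLE_LOG))
    print("file sweep (own hash, real IOCs):", demo_file_sweep())
```

Point sweep_files at the appliance's web root and sweep_log at its access logs; a hash hit or an IOC-address hit is grounds to treat the host as compromised and move to full incident response rather than just patching.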
Reference Advisories
https://github.com/accellion/CVEs – Third Party Advisory
https://www.accellion.com/products/fta/ – Product Vendor Advisory
References
https://nvd.nist.gov/vuln/detail/CVE-2021-27104
https://nvd.nist.gov/vuln/detail/CVE-2021-27103
https://nvd.nist.gov/vuln/detail/CVE-2021-27102
https://nvd.nist.gov/vuln/detail/CVE-2021-27101