Multiple Zero Day Vulnerabilities in Accellion FTA server exploited for data exfiltration and extortion

THREAT LEVEL: RED

Multiple zero-day vulnerabilities have been discovered in Accellion’s legacy File Transfer Appliance (FTA) and are being exploited by threat actors for data exfiltration, extortion, and ransomware. Accellion has patched the vulnerabilities and continues its mitigation efforts. The company “strongly recommends that FTA customers migrate to Kiteworks”, an enterprise content firewall platform that has a different code base, features a security architecture, and includes a segregated, secure DevOps process.

Vulnerability Details

SQL injection via a crafted Host header: CVE-2021-27101
Affected Versions: 9.12.370
Affected CPE: cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
CWE: CWE-89

OS command execution via a local web service call: CVE-2021-27102
Affected Versions: 9.12.411
Affected CPE: cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
CWE: CWE-78

SSRF via a crafted POST request to wmProgressstat.html (Accellion FTA 9_12_411 and earlier): CVE-2021-27103
Affected Versions: 9.12.411
Affected CPE: cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
CWE: CWE-918

OS command execution via a crafted POST request to various admin endpoints: CVE-2021-27104
Affected Versions: 9.12.370
Affected CPE: cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
CWE: CWE-78

Threat Actors

FIN11
Financially motivated hacking group behind bold, large and long-running malware campaigns. It became highly active in the last two years by expanding its targets to extremely aggressive ransomware attacks.

UNC2546
Became active in December 2020 by exploiting the vulnerabilities in Accellion FTA using a newly discovered web shell, DEWMODE.

Clop
Cryptomix malware gang primarily attacking large enterprise companies in the US, Germany, India, Mexico, Russia, and Turkey.

UNC2582
Operates in connection with UNC2546 and the Clop Ransomware Team, using the DEWMODE web shell.

Recent Targets

  • Supermarket giant Kroger
  • Singtel
  • QIMR Berghofer Medical Research Institute
  • Reserve Bank of New Zealand
  • The Australian Securities and Investments Commission (ASIC)
  • The Office of the Washington State Auditor (“SAO”)
  • Technical services company ABS Group
  • Law firm Jones Day
  • Fortune 500 science and technology corporation Danaher
  • Geo-data specialist Fugro
  • University of Colorado
  • Cyber security firm Qualys

Indicators of Compromise (IOCs)

DEWMODE Web Shells

  • MD5: 2798c0e836b907e8224520e7e6e4bb42
    SHA256: 5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b
  • MD5: bdfd11b1b092b7c61ce5f02ffc5ad55a
    SHA256: 2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7

UNC2546 Source IP Addresses

The following source IP addresses were observed in multiple UNC2546 intrusions:

  • 45.135.229.179
  • 79.141.162.82
  • 155.94.160.40
  • 192.154.253.120
  • 192.52.167.101
  • 194.88.104.24
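A defender-side triage script, added here as an example and not part of the advisory or of any vendor tooling, that ties the vulnerability details above to the indicators: it flags access-log lines that POST to the wmProgressstat.html endpoint named in CVE-2021-27103, that come from one of the listed UNC2546 addresses, or that carry a Host header outside an allowlist (the vector for CVE-2021-27101), and it compares file hashes against the DEWMODE SHA256 values. The log format, the fta.example.com hostname and the sample log lines are constructed assumptions.

```python
import hashlib
import re
# Indicators from the advisory above: DEWMODE SHA256 hashes and UNC2546 IPs.
DEWMODE_SHA256 = {
    "5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b",
    "2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7",
}
UNC2546_IPS = {"45.135.229.179", "79.141.162.82", "155.94.160.40",
               "192.154.253.120", "192.52.167.101", "194.88.104.24"}
WATCHED_PATHS = ("/wmprogressstat.html",)  # endpoint named in CVE-2021-27103
EXPECTED_HOSTS = {"fta.example.com"}  # assumed allowlist (Host header: CVE-2021-27101)
# Constructed log format: ip - - [time] "METHOD path HTTP/x" status bytes "host"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

def triage_line(line):
    """Return the reasons a log line deserves review (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["line did not match the expected log format"]
    reasons = []
    if m["ip"] in UNC2546_IPS:
        reasons.append(f"source {m['ip']} is a known UNC2546 address")
    if m["method"] == "POST" and m["path"].lower().endswith(WATCHED_PATHS):
        reasons.append(f"POST to {m['path']} (CVE-2021-27103 endpoint)")
    if m["host"] not in EXPECTED_HOSTS:
        reasons.append(f"unexpected Host header {m['host']!r}")
    return reasons

def triage_log(text):
    """Map the 1-based numbers of suspicious lines to their reasons."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        reasons = triage_line(line)
        if reasons:
            hits[n] = reasons
    return hits

def is_dewmode(data):
    """Hash a file's bytes and compare against the DEWMODE indicators."""
    return hashlib.sha256(data).hexdigest() in DEWMODE_SHA256

# Constructed sample: benign, listed IP POSTing to the SSRF endpoint, foreign Host.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "fta.example.com"
45.135.229.179 - - [20/Jan/2021:10:02:15 +0000] "POST /wmProgressstat.html HTTP/1.1" 200 88 "fta.example.com"
198.51.100.9 - - [20/Jan/2021:10:03:44 +0000] "GET /index.html HTTP/1.1" 200 512 "not-our-host"
"""
```

Run `triage_log` over a real access log that has the Host header appended (Apache `%{Host}i`, or adjust `LOG_RE` to your format) and walk the appliance's web root with `is_dewmode` to check for the known web shell files.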

Reference Advisories

https://github.com/accellion/CVEs – Third Party Advisory

https://www.accellion.com/products/fta/n – Product Vendor Advisory

References

https://nvd.nist.gov/vuln/detail/CVE-2021-27104

https://nvd.nist.gov/vuln/detail/CVE-2021-27103

https://nvd.nist.gov/vuln/detail/CVE-2021-27102

https://nvd.nist.gov/vuln/detail/CVE-2021-27101

https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html

https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/