Cyberattacks aimed at a product of Accellion
Accellion, a company that provides cloud solutions for secure file sharing and business-to-business collaboration, has confirmed a security incident involving its File Transfer Application (FTA) product, which has been the target of multiple sophisticated cyberattacks.
The product in question, which is nearing end-of-life, had a 0-Day vulnerability in mid-December last year. Accellion immediately fixed the problem and informed its customers about it. However, cybercriminals continued to develop exploits until this January.
The product is used by various entities worldwide that have been affected by unauthorised access to their data. Those identified so far include: the Washington Auditor's Office (SAO), the Australian Securities and Investments Commission (ASIC), the Reserve Bank of NZ, the Harvard Business School (HBS), [Update 16/02/2021] Singtel, QIMR Berghofer Medical Research Institute, [Update 22/02/2021] Kroger, [Update 23/02/2021] Transport for NSW, [Update 24/02/2021] Bombardier, [Update 05/03/2021] Qualys, and [Update 08/03/2021] Flagstar Bank.
Accellion currently maintains monitoring and alert mechanisms for further cyberattacks related to its product, while insisting that its customers migrate to its other product, kiteworks, which is more secure and unaffected by the incident.
[Update 23/02/2021]
Accellion has published some conclusions from the research conducted by Mandiant, a division of FireEye, which has identified UNC2546 as the threat actor behind the cyberattacks related to the legacy FTA product.
It is also alleged that numerous victims have received extortion emails threatening to publish their stolen data on the "CLOP^_-LEAKS.onion" website and that some of this data appears to have been stolen using the DEWMODE webshell.
Fewer than 100 out of 300 Accellion users were affected, and of these, fewer than 25 appear to have suffered significant data theft.
The identifiers CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104 are currently reserved to track the recently patched vulnerabilities. Mandiant, meanwhile, continues to track subsequent extortion activity under a separate threat group, UNC2582.