Cyber attackers have been exploiting Accellion File Transfer (FTA) appliance 0-day vulnerabilities to steal data and threaten their victims with extortion attempts.
Starting in mid-December 2020, FireEye’s Mandiant cybersecurity team spotted previously unknown threat actors they call UNC25346 exploiting multiple FTA vulnerabilities to install a web shell dubbed DEWMODE.
According to the FireEye report, several organizations that were impacted by the UNC2546 attacks in December started receiving extortion emails in January from the same threat actors. The actors threatened to publish the stolen data on the “CL0P^_- LEAKS” .onion website. Moreover, FireEye believes the actors also used the DEWMODE web shell to steal the data.
“Across these incidents, Mandiant observed common infrastructure usage and TTPs, including exploitation of FTA devices to deploy the DEWMODE web shell,” FireEye explained in the blog post.
Accellion FTA is a 20-year-old legacy product used to transfer large files and goes end of life (EOL) effective April 30, 2021. Accellion strongly recommends their customers upgrade to their flagship kiteworks Content Firewall platform, built on different code base. To add, the older FTA platform is built on CentOS 6, which is also EOL.
Four Accellion FTA vulnerabilities have been reserved and subsequently patched by Accellion:
- CVE-2021-27101: SQL injection via a crafted Host header
- CVE-2021-27102: OS command execution via a local web service call
- CVE-2021-27103: SSRF via a crafted POST request
- CVE-2021-27104: OS command execution via a crafted POST request.
Three of the four vulnerabilities are rated Critical and sport a CVSS score of 9.8.
Moreover, FireEye confirmed the SQL injection vulnerability CVE-2021-27101 was likely used as the primary intrusion vector in the attacks.