Hackers Leverage Accellion Zero-Day Vulnerabilities in Recent Data Theft and Extortion Incidents

Cybersecurity Incident: Accellion File Transfer Appliance Targeted by UNC2546

Cybersecurity researchers reported a significant data theft and extortion campaign linked to a series of attacks targeting Accellion File Transfer Appliance (FTA) servers. The cybercrime group identified as UNC2546 has been active in executing these attacks over the last two months. The campaign primarily exploited multiple zero-day vulnerabilities in the legacy FTA software, allowing the group to install a malicious web shell named DEWMODE on compromised networks, which facilitated the exfiltration of sensitive data.

These attacks began in mid-December 2020 and were marked by the exploitation of serious vulnerabilities within the FTA software. Surprisingly, despite the severity of the breaches, the group did not deploy ransomware. Instead, it sent extortion emails demanding payment in bitcoin to affected organizations in several countries, including the United States, Singapore, Canada, and the Netherlands.

Notable victims of this campaign include Singapore’s telecommunications provider SingTel, the American Bureau of Shipping, law firm Jones Day, Dutch company Fugro, and life sciences organization Danaher. These entities had their data published on a leak site managed by the CLOP ransomware gang, escalating the seriousness of the situation.

In response, Accellion has taken steps to mitigate the risks posed by these vulnerabilities, including the patching of four critical flaws that were exploited during the attacks. These flaws consist of CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104, all of which pertain to different injection and command execution vulnerabilities. The company has also implemented enhanced monitoring and alerting features to identify suspicious activities on their platforms.

The incident’s complexity has led to the involvement of FireEye’s Mandiant threat intelligence team, which is tracking the extortion efforts under a distinct threat cluster named UNC2582. There are notable overlaps between this group and FIN11, a financially motivated hacking collective known for its phishing campaigns, raising concerns about the interconnected nature of these cybercriminal activities.

Evidence suggests that many of the organizations that fell victim to UNC2546 had previously been targeted by FIN11, indicating a potentially alarming trend in the tactics employed by these adversaries. Emails from this extortion campaign were notably dispatched from IP addresses linked to FIN11, raising questions about the coordination among cybercriminals.

Furthermore, after the DEWMODE web shell was used to download sensitive files from the compromised FTA instances, the victims received follow-up extortion emails claiming to represent the CLOP ransomware team. To heighten pressure, the actors escalated their approach by reaching out to a broader audience within the victim organizations and their partners, including links to the stolen data in those messages.

Accellion reassured its FTA customers by stating that, despite the extensive nature of the incident, fewer than 100 of the 300 total FTA clients were directly impacted, and it appears that only a minority experienced “significant” data losses. Recent disclosures from impacted entities, such as the grocery chain Kroger, indicate that various sensitive information, including HR data and pharmacy records, has been compromised due to the Accellion incident.

Transport for New South Wales (TfNSW) has also confirmed that it was affected by this widespread breach, noting that its system, widely used for international file sharing and storage, was impacted by the exploitation of Accellion servers. This underscores the potential global ramifications of the vulnerabilities exploited by UNC2546 and emphasizes the necessity for organizations with similar systems to adopt robust cybersecurity measures.

Potential MITRE ATT&CK tactics and techniques relevant to this incident include Initial Access through exploitation of software vulnerabilities, Persistence achieved via the installation of the DEWMODE web shell, and Data Exfiltration through the unauthorized transfer of sensitive files. The dynamic nature of these attacks highlights the ongoing threats businesses face in the evolving landscape of cybersecurity.
