Dive Brief:
- FireEye's Mandiant has identified the threat actors behind the Accellion hack, attributing the exploitation of multiple zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA) to a cluster it tracks as UNC2546, the research firm said Monday. The actors used the flaws to install a newly identified web shell, Dewmode.
- Accellion said fewer than one-third of its 300 FTA customers were impacted by the attack, and fewer than 25 of those have experienced a subsequent data breach.
- The company is asking customers to migrate to kiteworks, its enterprise content firewall platform, because "neither kiteworks nor Accellion the company were subject to these attacks." kiteworks is built on a separate code base from FTA and holds FedRAMP authorization for its cloud-based offering.
Dive Insight:
Customers of Accellion, or of any vendor used as a conduit for a supply chain compromise, have to decide whether to cut ties with the company. But the incident is also a wake-up call about continuing to run outdated tools such as FTA.
Vendors can only warn customers about legacy products; acting on that warning before the damage is irreversible is up to the customer.
Stolen Accellion customer data started trickling out on the "CL0P^_- LEAKS" .onion website over the last month, though none of the recent extortion attempts involved deployment of Clop ransomware, according to FireEye. FireEye tracks the extortion activity as a separate threat cluster, UNC2582.
Cincinnati-based Kroger disclosed on Monday that it was the latest company to find an unauthorized intrusion linked to the Accellion hack. The grocer said its own IT systems were not impacted, but about 1% of its customers' data was.
Accellion customers impacted by the exploitation have since disclosed receiving extortion demands from a threat group. Clop operators began posting data stolen from Jones Day and Singtel, both Accellion customers impacted by the hack; in both cases the data was exfiltrated through Dewmode.
FireEye said the investigation so far shows parallels among UNC2582, UNC2546 and previously observed FIN11 operations. FIN11, a financially motivated threat cluster, is known for launching about five high-volume phishing campaigns a week when it is active, and for deploying Clop ransomware and threatening to publish stolen data.
FireEye said it will "continue to evaluate the relationships between these clusters of activity," because there are discrepancies between the tactics, techniques and procedures (TTPs) of those clusters and those seen in the Accellion hack.
Exploiting the FTA flaws to install Dewmode is consistent with UNC2546's activity. Four CVEs were assigned to the exploited FTA vulnerabilities:
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
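The first of those flaws, SQL injection through the Host header, leaves a distinctive trace: a legitimate Host header for an appliance contains nothing but a hostname and an optional port, so quotes, spaces, comment markers or SQL keywords in that field are worth pulling for review. The script below is an added example written for this article, not Accellion or FireEye code, and it assumes the web server was configured to log the Host request header as the last quoted field (for Apache, a LogFormat ending in "%{Host}i"); the sample lines are constructed, and the allowlist of expected hostnames is an assumption a practitioner supplies for their own appliance.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real Accellion FTA logs): Apache-style
# combined format extended with the Host request header as the last field,
# e.g. LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\"" (assumed config).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2021:10:01:02 +0000] "GET /login HTTP/1.1" 200 4120 "files.example.com"
203.0.113.7 - - [20/Jan/2021:10:03:15 +0000] "GET / HTTP/1.1" 200 512 "files.example.com' UNION SELECT 1-- "
10.0.0.8 - - [20/Jan/2021:10:04:40 +0000] "POST /upload HTTP/1.1" 200 90 "FILES.example.com:443"
198.51.100.2 - - [20/Jan/2021:10:05:01 +0000] "GET / HTTP/1.1" 200 300 "attacker.example.net"
"""

# Client IP, timestamp, request line, status, size, then the quoted Host value.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

# A registered name (letters, digits, dot, hyphen) plus an optional port is
# the only thing a legitimate Host header should ever contain. Quotes,
# whitespace, comment markers and SQL keywords cannot match this.
HOST_RE = re.compile(r'^[A-Za-z0-9.-]+(?::\d{1,5})?$')


def normalize_host(host: str) -> str:
    """Lower-case the Host value and drop an explicit port for allowlist comparison."""
    return host.split(":", 1)[0].lower()


def triage(log_text: str, expected_hosts: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose Host header is malformed or not an expected name.

    A malformed value is reported on its own; only well-formed names are
    compared against the allowlist, so each finding carries a single reason.
    """
    allow = {normalize_host(h) for h in expected_hosts}
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            # Keep unparseable lines visible rather than silently skipping them.
            findings.append({"line": lineno, "ip": None, "host": line,
                             "reasons": ["unparsed_line"]})
            continue
        host = m.group("host")
        reasons: List[str] = []
        if not HOST_RE.match(host):
            reasons.append("malformed_host")
        elif normalize_host(host) not in allow:
            reasons.append("unexpected_host")
        if reasons:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "host": host,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, ["files.example.com"]):
        print(f"line {f['line']} {f['ip']} Host={f['host']!r} -> {', '.join(f['reasons'])}")
```

Two caveats apply. The default combined log format does not record the Host header at all, so if the field was never logged there is nothing to search, and a hit is a lead for forensic review rather than proof of exploitation. This check also covers only the Host-header injection: the command-execution and SSRF flaws were reached through crafted POST bodies and a local web service call, which ordinary access logs do not capture, so absence of findings here says nothing about those paths.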
Because the Accellion hack involved two distinct types of malicious activity, exploitation of software bugs and extortion, FireEye is not yet attributing both to the same threat actor.
"There has been at least one other case in which a ransomware group attempted to extort a company using data that it had purchased or otherwise acquired. It's not common, but it does happen," Brett Callow, threat analyst at Emsisoft, told Cybersecurity Dive in an email.
Ransomware gangs have used the supply chain to compromise other companies before. In March 2020, DoppelPaymer operators breached a supplier and leaked data belonging to its customers, including Boeing, Tesla and Lockheed Martin. In that case a single operation, DoppelPaymer, carried out both the intrusion and the extortion.