Mandiant Identifies Criminal Threat Actor and Mode of Attacks
PALO ALTO, Calif., Feb. 22, 2021 (GLOBE NEWSWIRE) — Accellion, Inc., provider of the industry’s first enterprise content firewall, today issued a statement regarding Mandiant’s preliminary findings on the previously reported cyberattacks against Accellion’s legacy FTA product.
Mandiant, a division of FireEye, Inc., has identified UNC2546 as the criminal threat actor behind the cyberattacks and data theft involving Accellion’s legacy File Transfer Appliance (FTA) product. Multiple Accellion FTA customers attacked by UNC2546 have received extortion emails threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell. Mandiant is tracking the subsequent extortion activity under a separate threat cluster, UNC2582.
Accellion strongly recommends that FTA customers migrate to kiteworks, Accellion’s enterprise content firewall platform. These vulnerabilities and attacks affect only the legacy FTA product: neither kiteworks nor Accellion’s own corporate systems were affected. Kiteworks is built on an entirely different code base, using a modern security architecture and a segregated, secure devops process. The kiteworks platform is FedRAMP authorized for Moderate CUI, and demonstrates compliance with GDPR, HIPAA, NIST 800-171, FIPS, SOC 2, ISO 27001, and other data privacy regulations and standards.
Accellion has patched all known FTA vulnerabilities exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.
Accellion does not access the information that its customers transmit via FTA. Following the attack, however, Accellion has, at many customers’ request, reviewed their FTA logs to help determine whether and to what extent each customer was affected. Based on this initial forensic review, Accellion has identified two distinct groups of affected FTA customers. Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack. Within this group, fewer than 25 appear to have suffered significant data theft.
Accellion continues to offer support to all affected FTA customers to mitigate the impact of the attack.
The following CVEs have since been reserved to track the recently patched Accellion FTA vulnerabilities:
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
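The first entry in the list, SQL injection via a crafted Host header, is worth a closer look because the Host header is request data that many applications treat as trusted configuration. The following is an added, generic illustration of that vulnerability class and its fix; it is not Accellion FTA code, and the table names, columns and the hosts/users schema are assumptions constructed for the example. It runs against an in-memory SQLite database and shows the same crafted Host header against a query built by string formatting and against a parameterized query with an allowlist check.

```python
import sqlite3

# Constructed in-memory schema standing in for a per-host lookup table and a
# sensitive table; this is an assumption for illustration, not FTA's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE hosts (name TEXT, client_id INTEGER);
        CREATE TABLE users (username TEXT, api_key TEXT);
        INSERT INTO hosts VALUES ('fta.example.com', 1);
        INSERT INTO users VALUES ('admin', 'SECRET-KEY-0001');
    """)
    return db

# Constructed Host header value: closes the quoted literal, appends a UNION
# that pulls rows from an unrelated table, and comments out the trailing quote.
CRAFTED_HOST = "x' UNION SELECT username, api_key FROM users--"

# Hostnames this deployment is configured to serve (assumed).
ALLOWED_HOSTS = {"fta.example.com"}

def lookup_vulnerable(db, host_header):
    """Vulnerable pattern: the Host header is interpolated directly into SQL."""
    sql = "SELECT name, client_id FROM hosts WHERE name = '%s'" % host_header
    return db.execute(sql).fetchall()

def lookup_hardened(db, host_header):
    """Hardened pattern: reject Host values outside the configured allowlist,
    then bind the value as a parameter so it can never alter the query."""
    if host_header not in ALLOWED_HOSTS:
        return []
    return db.execute(
        "SELECT name, client_id FROM hosts WHERE name = ?", (host_header,)
    ).fetchall()

def demo():
    """Run both lookups with the crafted header and one legitimate lookup."""
    db = make_db()
    return {
        "vulnerable": lookup_vulnerable(db, CRAFTED_HOST),
        "hardened": lookup_hardened(db, CRAFTED_HOST),
        "normal": lookup_hardened(db, "fta.example.com"),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the crafted header, the interpolated query returns the contents of the `users` table instead of a host record; the parameterized version with the allowlist returns nothing for the same input and still serves the legitimate hostname. The allowlist matters independently of the parameterization: an application that derives links, redirects or lookups from the Host header should only honor values it is configured to serve.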
To read Mandiant’s preliminary findings on the cyberattack on Accellion’s legacy FTA product, please visit https://www.fireeye.com/blog/
To learn more about how Accellion helps organizations secure their third party communications, please visit Enterprise Content Firewall.
The Accellion enterprise content firewall prevents data breaches and compliance violations from sensitive third party communications. With Accellion, CIOs and CISOs gain complete visibility, compliance, and control over IP, PII, PHI, and other sensitive content across all third-party communication channels, including email, file sharing, mobile, enterprise apps, web portals, SFTP, and automated inter-business workflows. Accellion has protected more than 25 million end users at more than 3,000 global corporations and government agencies, including NYC Health + Hospitals; KPMG; Kaiser Permanente; AVL; American Automobile Association (AAA); Linde Gas; Tyler Technologies; and the National Institute for Standards and Technology (NIST). For more information, please visit www.accellion.com or call (650) 485-4300. Follow Accellion on LinkedIn, Twitter, Facebook, and Accellion’s Blog.
Accellion and kiteworks are registered trademarks of Accellion USA LLC. in the US and other countries. All other trademarks contained herein are the property of their respective owners.