Cyberattacks aimed at a product of Accellion

Accellion, a company providing cloud solutions for secure file sharing and business-to-business collaboration, has confirmed a security incident involving its File Transfer Application (FTA) product, which has been the target of multiple sophisticated cyberattacks.

The product in question, which is nearing end-of-life, was hit by a 0-day vulnerability in mid-December last year. Accellion immediately fixed the problem and informed its customers about it. However, cybercriminals continued to develop exploits until this January.

It is a product used by various entities worldwide, several of which have been affected by unauthorised access to their data. These include so far: the Washington Auditor's Office (SAO), the Australian Securities and Investments Commission (ASIC), the Reserve Bank of NZ, the Harvard Business School (HBS), [Update 16/02/2021] Singtel, QIMR Berghofer Medical Research Institute, [Update 22/02/2021] Kroger, [Update 23/02/2021] Transport for NSW, [Update 24/02/2021] Bombardier, [Update 05/03/2021] Qualys, [Update 08/03/2021] and Flagstar Bank.

Accellion currently maintains monitoring and alert mechanisms for further cyberattacks related to this product, while urging its customers to migrate to its other product, kiteworks, which is more secure and unaffected by the incident.

[Update 23/02/2021]

Accellion has published some conclusions from the investigation conducted by Mandiant, a division of FireEye, which has identified UNC2546 as the threat actor behind the cyberattacks related to the legacy FTA product.

It is also reported that numerous victims have received extortion emails threatening to publish their stolen data on the "CLOP^_-LEAKS.onion" website, and that some of this data appears to have been stolen using the DEWMODE webshell.

Fewer than 100 of the 300 Accellion FTA customers were affected, and of these, fewer than 25 appear to have suffered significant data theft.

The identifiers CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104 have been reserved to track the recently patched vulnerabilities. Mandiant, meanwhile, continues to track the subsequent extortion activity as a separate threat group, UNC2582.