Cyber criminals have exploited several zero-day flaws in a legacy IT product developed by software firm Accellion to attack several dozen groups including Canadian airline manufacturer Bombardier.
The company confirmed that a portion of its data had been compromised after an unauthorised attacker exploited vulnerabilities in Accellion’s File Transfer Application (FTA) product. This data included confidential data relating to roughly 130 employees based in Costa Rica, as well as customers and suppliers.
In the wake of the attack, Accellion also confirmed that FTA had been targeted by cyber criminals but stressed it’s a legacy product and that customers should immediately migrate to its more up-to-date Kiteworks.
The truth about ransomware Experts blast SMBs' “head in the sand” approach to cyber security Best ransomware removal tools
This is a purpose-built application launched 20 years ago to allow enterprises to securely transfer large files. From roughly 300 total FTA clients, fewer than 100 were victims of the attack, with hackers siphoning away significant amounts of data from 25.
Hackers exploited several vulnerabilities in the legacy product, which will stop receiving support on 30 April 2021, in order to execute their attack. These included the following:
- CVE-2021-27101 - SQL injection via a crafted Host header
- CVE-2021-27102 - OS command execution via a local web service call
- CVE-2021-27103 - SSRF via a crafted POST request
- CVE-2021-27104 - OS command execution via a crafted POST request
Researchers with FireEye confirmed that hackers with the FIN11 group targeted FTA by exploiting these flaws to install a web shell named DEWMODE. This group is also associated with the Clop ransomware.
RELATED RESOURCE
Starting in January 2021, the ransomware gang began sending extortion emails to the companies from which they stole data, threatening to publish this on a dark web forum. Interestingly, the group hasn’t actually deployed ransomware at any stage during this attack and has appeared primarily to extort its victims instead.
The researchers say that Clop activity in this particular attack stretches back to December 2020, when they detected multiple incidents involving the newly-discovered DEWMODE web shell being used to exfiltrate data from FTA devices.
Based on analysis, the attackers follow a strategy of escalation in demanding a ransom in exchange for not publishing the compromised data. First initial emails are sent from a free account to a limited number of addresses before hundreds of thousands are sent from and to different email accounts if there’s no response.
Although Bombardier has confirmed its data was compromised as a result of the attack, the identity of the majority of the remaining 24 victims remains unknown. The Jones Day law firm, which previously served Donald Trump, is believed to be another company targeted as part of the FTA attack, with the FIN11 group allegedly stealing 100GB of confidential files.
-
Using WinRAR? Update now to avoid falling victim to this file path flawNews WinRAR users have been urged to update after a patch was issued for a serious vulnerability.
-
Amazon CEO Andy Jassy doubles down on the company's AI focusNews Amazon CEO Andy Jassy thinks companies need to "lean into" AI and embrace the technology despite concerns over job losses.
-
Swiss government data published following supply chain attack – here’s what we know about the culpritsNews Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackersNews While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker groupNews An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabsNews An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operatorsNews A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attackNews A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
