
Hackers publish Bombardier data in wide-reaching FTA cyber attack

Hackers compromise the data of 25 firms as part of an attack against Accellion's legacy FTA application


Cyber criminals have exploited several zero-day flaws in a legacy IT product developed by software firm Accellion to attack dozens of organisations, including Canadian aircraft manufacturer Bombardier.

The company confirmed that a portion of its data had been compromised after an unauthorised attacker exploited vulnerabilities in Accellion’s File Transfer Application (FTA) product. The affected data included confidential information relating to roughly 130 employees based in Costa Rica, as well as customers and suppliers.

In the wake of the attack, Accellion also confirmed that FTA had been targeted by cyber criminals, but stressed that it is a legacy product and that customers should immediately migrate to its more up-to-date Kiteworks platform.

FTA is a purpose-built application launched 20 years ago to allow enterprises to securely transfer large files. Of roughly 300 total FTA clients, fewer than 100 were victims of the attack, with hackers siphoning off significant amounts of data from 25 of them.

To carry out the attack, the hackers exploited several vulnerabilities in the legacy product, which will stop receiving support on 30 April 2021. These included the following:

  • CVE-2021-27101 - SQL injection via a crafted Host header
  • CVE-2021-27102 - OS command execution via a local web service call
  • CVE-2021-27103 - SSRF via a crafted POST request
  • CVE-2021-27104 - OS command execution via a crafted POST request

Researchers with FireEye confirmed that hackers with the FIN11 group targeted FTA by exploiting these flaws to install a web shell named DEWMODE. This group is also associated with the Clop ransomware.


Starting in January 2021, the ransomware gang began sending extortion emails to the companies from which it had stolen data, threatening to publish the data on a dark web forum. Interestingly, the group has not actually deployed ransomware at any stage of this attack and appears to have focused primarily on extorting its victims instead.

The researchers say that Clop activity in this particular attack stretches back to December 2020, when they detected multiple incidents in which the newly discovered DEWMODE web shell was used to exfiltrate data from FTA devices.

Based on their analysis, the attackers follow an escalating strategy when demanding a ransom in exchange for not publishing the compromised data. Initial emails are sent from a free email account to a limited number of addresses; if there is no response, hundreds of thousands of emails are then sent from, and to, a range of different email accounts.

Although Bombardier has confirmed its data was compromised as a result of the attack, the identities of most of the remaining 24 victims remain unknown. The law firm Jones Day, which previously represented Donald Trump, is believed to be another company targeted as part of the FTA attack, with the FIN11 group allegedly stealing 100GB of confidential files.
