• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks

Recommended Posts


Cybersecurity researchers on Monday tied a string of attacks targeting Accellion File Transfer Appliance (FTA) servers over the past two months to data theft and extortion campaign orchestrated by a cybercrime group called UNC2546.

The attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang.

But in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms.


According to Risky Business, some of the companies that have had their data listed on the site include Singapore's telecom provider SingTel, the American Bureau of Shipping, law firm Jones Day, the Netherlands-based Fugro, and life sciences company Danaher.


Following the slew of attacks, Accellion has patched four FTA vulnerabilities that were known to be exploited by the threat actors, in addition to incorporating new monitoring and alerting capabilities to flag any suspicious behavior. The flaws are as follows -

  • CVE-2021-27101 - SQL injection via a crafted Host header
  • CVE-2021-27102 - OS command execution via a local web service call
  • CVE-2021-27103 - SSRF via a crafted POST request
  • CVE-2021-27104 - OS command execution via a crafted POST request

FireEye's Mandiant threat intelligence team, which is leading the incident response efforts, is tracking the follow-on extortion scheme under a separate threat cluster it calls UNC2582 despite "compelling" overlaps identified between the two sets of malicious activities and previous attacks carried out by a financially motivated hacking group dubbed FIN11.


"Many of the organizations compromised by UNC2546 were previously targeted by FIN11," FireEye said. "Some UNC2582 extortion emails observed in January 2021 were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020."

Once installed, the DEWMODE web shell was leveraged to download files from compromised FTA instances, leading to the victims receiving extortion emails claiming to be from the "CLOP ransomware team" several weeks later.

Lack of reply in a timely manner would result in additional emails sent to a wider group of recipients in the victim organization as well as its partners containing links to the stolen data, the researchers detailed.

Besides urging its FTA customers to migrate to kiteworks, Accellion said fewer than 100 out of 300 total FTA clients were victims of the attack and that less than 25 appear to have suffered "significant" data theft.

The development comes after grocery chain Kroger disclosed last week that HR data, pharmacy records, and money services records belonging to some customers might have been compromised as a result of the Accellion incident.

Then earlier today, Transport for New South Wales (TfNSW) became the latest entity to confirm that it had been impacted by the worldwide Accellion data breach.

"The Accellion system was widely used to share and store files by organisations around the world, including Transport for NSW," the Australian agency said. "Before the attack on Accellion servers was interrupted, some Transport for NSW information was taken."

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now