Three weeks after Accellion issued patches for four vulnerabilities in its File Transfer Appliance that were under active attack, CISA is warning that attackers are continuing to exploit the flaws to install webshells and steal data from organizations that have not updated their systems.
The attacks have affected companies and government agencies in several countries, including the United States, New Zealand, Singapore, and Australia, and in some instances the adversaries exploiting the bugs have threatened to release information stolen from the victims unless the organizations pay a ransom. These incidents did not involve ransomware, but were simple extortion attempts. The attacks against the vulnerabilities in Accellion FTA have been ongoing since at least mid-December, when researchers first noticed the activity and realized the attackers were exploiting previously unknown flaws. The main method of compromise for these attackers is a SQL injection vulnerability (CVE-2021-27101) in the FTA. After gaining initial access, the attackers write a webshell to oauth.api.
“In mid-December 2020, Mandiant responded to multiple incidents in which a web shell we call DEWMODE was used to exfiltrate data from Accellion FTA devices. The Accellion FTA device is a purpose-built application designed to allow an enterprise to securely transfer large files. The exfiltration activity has affected entities in a wide range of sectors and countries,” an analysis of the attacks by Mandiant says.
“Across these incidents, Mandiant observed common infrastructure usage and TTPs, including exploitation of FTA devices to deploy the DEWMODE web shell. Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.”
The Accellion FTA is an older file-transfer product that is nearing end of life. After Mandiant notified Accellion of the attacks, the company released a patch a few days later.
“In mid-December, Accellion was made aware of a zero-day vulnerability in its legacy FTA software. Accellion released a fix within 72 hours. This initial incident was the beginning of a concerted cyberattack on the Accellion FTA product that continued into January 2021. Accellion identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability. Accellion continues to work closely with FTA customers to mitigate the impact of the attack and to monitor for anomalies,” Accellion said in an advisory.
The three additional vulnerabilities the company discovered include two operating-system command execution flaws and a server-side request forgery (SSRF) flaw. In its advisory issued Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) said it had seen two separate incidents in which attackers transferred large amounts of data from compromised Accellion FTA machines in federal agencies over port 443.
“One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Actors have exploited this vulnerability to deploy a webshell on compromised systems. The webshell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the webshell helps evade detection and analysis during post incident response,” CISA’s advisory says.
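CISA's observation that both federal incidents involved large volumes of data leaving the FTA hosts over port 443 points to a simple network-side check: sum the bytes each FTA host sends to any single external destination on TCP/443 within a short window and alert when the total is far above what a file-transfer appliance normally pushes out. The script below is an added illustration, not CISA's, Mandiant's, or Accellion's tooling; the flow records, host addresses, one-hour window and 500 MB threshold are constructed assumptions for the example.

```python
"""
Flag FTA hosts moving unusually large volumes of data outbound over TCP/443.
Added, illustrative example (not from CISA, Mandiant or Accellion). Assumes
simplified NetFlow-style records: timestamp src_ip dst_ip dst_port bytes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real telemetry). 10.20.1.15 stands in
# for an FTA appliance; 203.0.113.45 and 198.51.100.8 are documentation ranges.
SAMPLE_FLOWS = """\
2021-02-20T02:14:05 10.20.1.15 203.0.113.45 443 914000000
2021-02-20T02:21:44 10.20.1.15 203.0.113.45 443 1200000000
2021-02-20T09:03:12 10.20.1.15 198.51.100.8 443 48000
2021-02-20T09:10:30 10.20.1.22 198.51.100.8 443 210000
2021-02-20T02:30:01 10.20.1.15 203.0.113.45 443 700000000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return records


def find_bulk_transfers(records, watched_hosts, window=timedelta(hours=1),
                        threshold_bytes=500_000_000):
    """Return one alert per (src, dst) pair whose outbound bytes on TCP/443
    within any sliding `window` exceed `threshold_bytes`.

    Only sources in `watched_hosts` (the FTA appliances) are considered.
    The alert reports the heaviest window found for that pair.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["src"] in watched_hosts and r["dport"] == 443:
            by_pair[(r["src"], r["dst"])].append(r)

    alerts = []
    for (src, dst), flows in by_pair.items():
        flows.sort(key=lambda r: r["ts"])
        start, total, best = 0, 0, None
        for end, r in enumerate(flows):
            total += r["bytes"]
            # Drop flows from the left until the window spans at most `window`.
            while r["ts"] - flows[start]["ts"] > window:
                total -= flows[start]["bytes"]
                start += 1
            if total > threshold_bytes and (best is None or total > best["bytes"]):
                best = {
                    "src": src,
                    "dst": dst,
                    "window_start": flows[start]["ts"],
                    "bytes": total,
                    "flows": end - start + 1,
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_bulk_transfers(parse_flows(SAMPLE_FLOWS), {"10.20.1.15"}):
        print(f"ALERT {a['src']} -> {a['dst']}:443 sent {a['bytes']:,} bytes "
              f"in {a['flows']} flows starting {a['window_start']}")
```

The threshold should be set from the appliance's own history rather than a fixed constant; the point is that a legitimate FTA serves many small downloads to many clients, whereas the exfiltration CISA describes concentrates gigabytes toward one destination in a short span, which is what the sliding-window aggregation surfaces.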