24 February 2021

Accellion FTA zero-day attacks linked to FIN11 cybercrime group


Recent zero-day attacks exploiting the legacy Accellion FTA product may be the work of a financially motivated cybercrime group tracked as FIN11, according to a new report from researchers at FireEye’s Mandiant division.

The attacks, which affected multiple organizations across the globe, including the New Zealand Central Bank, Singtel and Kroger, to name a few, exploited several vulnerabilities in Accellion’s FTA product to gain access to target networks and steal data, namely CVE-2021-27101 (SQL injection), CVE-2021-27102 (OS command execution), CVE-2021-27103 (SSRF), and CVE-2021-27104 (OS command execution). Using these flaws, the attackers were able to install a web shell named DEWMODE, which was then used to download files stored on victims’ FTA servers.

In a press release issued on Monday Accellion said that “out of approximately 300 total FTA clients, fewer than 100 were victims of the attack,” and “within this group, fewer than 25 appear to have suffered significant data theft.”

“Accellion has patched all known FTA vulnerabilities exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors,” the company added.

It should be noted that Accellion is also planning to retire legacy FTA server software by April 30, 2021.

The wave of attacks against Accellion FTA servers started in mid-December 2020 and attempted to exfiltrate sensitive data from the target systems. Tracked as UNC2546, the threat actor exploited the SQL injection vulnerability for initial access, which allowed them to retrieve a key used in conjunction with a request to a specific file, followed by the execution of the built-in Accellion utility admin.pl and the deployment of a web shell.

“The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell,” Mandiant said.

The researchers have also been tracking the data theft extortion activity that followed the exploitation of the Accellion FTA zero-day vulnerabilities as a separate cluster, UNC2582, and said that they have found a connection between UNC2582’s data theft extortion activity and prior FIN11 operations.

“Mandiant identified overlaps between UNC2582’s data theft extortion activity and prior FIN11 operations, including common email senders and the use of the CL0P^_- LEAKS shaming site. While FIN11 is known for deploying CLOP ransomware, we have previously observed the group conduct data theft extortion without ransomware deployment, similar to these cases. There are also limited overlaps between FIN11 and UNC2546,” the researchers said.

As for DEWMODE, the web shell extracts a list of available files from a MySQL database on the FTA and lists those files and their corresponding metadata (file ID, path, filename, uploader, and recipient) on an HTML page. The attackers then used this list to download files.

“The overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks. We therefore have insufficient evidence to attribute the FTA exploitation, DEWMODE, or data theft extortion activity to FIN11,” Mandiant noted. “Using SQL injection to deploy DEWMODE or acquiring access to a DEWMODE shell from a separate threat actor would represent a significant shift in FIN11 TTPs, given the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities.”
