For several weeks, organizations in Canada, the U.S., the Netherlands and Singapore — including most recently the pharmacies of the Kroger supermarket chain in the U.S. — have reported data breaches relating to vulnerabilities in a legacy file transfer called Accellion FTA.
Researchers at FireEye’s Mandiant threat intelligence division say they believe multiple threat groups are working together in a scheme of data theft and extortion involving a ransomware gang but no deployment of ransomware. It could also be the work of one group, researchers added.
In a report published Monday, researchers painted this picture: Starting in mid-December 2020, an uncategorized threat actor – Mandiant calls it UNC2546 – exploited multiple zero-day vulnerabilities in Accellion FTA to install a newly discovered web shell they dub Dewmode. Then in late January, several organizations that had been impacted by UNC2546 began receiving extortion emails from criminals threatening to publish stolen data on the Clop ransomware gang’s website on the dark web. Some of the published victim data appear to have been stolen using the Dewmode web shell. Mandiant suggests a second group, which it calls UNC2585, is doing the extortion.
In addition, overlaps have been found between UNC2582, UNC2546, and a financially-motivated theft group Mandiant calls FIN11. In some attacks over the years, FIN11 has sometimes deployed ransomware, and other times — as in these cases — just uses data theft and extortion.
These are some of the commonalities:
- Some UNC2582 extortion emails observed in January were sent from IP addresses and/or email accounts used by FIN11 in multiple phishing campaigns between August and December 2020, including some of the last campaigns that were clearly attributable to the group.
- Mandiant hasn’t seen any FIN11 phishing activity in the new year. FIN11 has typically paused their phishing operations over the winter holidays, researchers say, and had several extended gaps in their operations. However, the timing of this current hiatus is also consistent with UNC2582’s data theft extortion activity.
- UNC2582 extortion emails contained a link to the Clop leaks website and/or a victim-specific negotiation page. The linked websites were the same ones used to support historical CLOP operations, a series of ransomware and data theft extortion campaigns we suspect can be exclusively attributed to FIN11.
- Many of the organizations compromised by UNC2546 were previously targeted by FIN11.
- An IP address that communicated with a DEWMODE web shell was in the “Fortunix Networks L.P.” netblock, a network frequently used by FIN11 to host download and FRIENDSPEAK command and control (C2) domain
The revelation of the sudden wave of attacks on Accellion FTA customers has customers and the developer concerned. Accellion was moved to announce the product is being retired and is encouraging customers to move to its Kiteworks enterprise content firewall.
Similar but still different
In a statement on Monday, Accellion said it has identified two distinct groups of affected FTA customers based on initial forensics. Out of approximately 300 total FTA clients, fewer than 100 were victims of an attack. Within this group, fewer than 25 appear to have suffered significant data theft.
Meanwhile, Accellion has patched the four vulnerabilities in FTA being used by attackers:
- CVE-2021-27101 – SQL injection via a crafted Host header.
- CVE-2021-27102 – OS command execution via a local web service call.
- CVE-2021-27103 – SSRF via a crafted POST request.
- CVE-2021-27104 – OS command execution via a crafted POST request.
“The overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships,” indicated Mandiant researchers. “One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks. We therefore have insufficient evidence to attribute the FTA exploitation, Dewmode, or data theft extortion activity to FIN11.”
Using SQL injection to deploy Dewmode or acquiring access to a Dewmode shell from a separate threat actor would represent a “significant shift” in FIN11 usual techniques, the report says, given the group has traditionally relied on phishing campaigns as its initial infection vector, and, so far, Mandiant hasn’t seen it using zero-day vulnerabilities.
Mandiant says this connected spree of attacks had its origin in mid-December, 2020 when UNC2546 leveraged an SQL injection vulnerability in the Accellion FTA. This SQL injection served as the primary intrusion vector for installing the Dewmode web shell.
Shortly after installation of the web shell — in multiple cases, within hours — UNC2546 leveraged Dewmode to download files from compromised FTA instances. Several weeks later, victims began to receive extortion emails from what appears to be another group, dubbed UNC2583, claiming association with the Clop ransomware team and threatening to publish copied data unless the victim paid an extortion fee.
How separate these groups are isn’t clear. Mandiant has seen at least one case where an actor interacted with a Dewmode web shell from a host that was used to send UNC2582-attributed extortion email.
The message victims get has this to say: “We are the CLOP ransomware team, you can google news and articles about us. We have a website where we publish news and stolen files from companies that have refused to co-operate. This may confuse reporters and threat researchers who think these are ransomware attacks, when in fact no ransomware has been deployed. That may allow victim organizations to publicly deny they’ve been hit by ransomware while acknowledging a ‘cyber incident.'”