Mandiant/FireEye researchers have tentatively linked the Accellion FTA zero-day attacks to FIN11, a cybercrime group leveraging CLOP ransomware to extort targeted organizations.

A little bit of background information

Starting in December 2020, unknown attackers began exploiting previously unknown vulnerabilities in Accellion FTA (File Transfer Appliance), an enterprise file-sharing solution for securely transferring large and sensitive files.

While Accellion has been pushing customers towards its newer and more secure platform for years, the legacy FTA solution was still used by too many organizations, and some of those were hit in these attacks, including the Australian Securities and Investments Commission, the Washington State Auditor Office, Singapore telecom Singtel, New Zealand's central bank, the University of Colorado, law firm Jones Day, and US retailer Kroger.

Accellion has also confirmed on Monday that "out of approximately 300 total FTA clients, fewer than 100 were victims of the attack." Accellion says that fewer than 25 of the 100 victims "have suffered significant data theft."

The company has fixed the exploited vulnerabilities, but continues to advise enterprise users to migrate to kiteworks, its enterprise content firewall platform, which is "built on an entirely different code base, using state-of-the-art security architecture, and a segregated, secure devops process."

The attackers' TTPs

"The earliest identification of activity associated with this campaign occurred in mid-December 2020. At this time, Mandiant identified UNC2546 leveraging an SQL injection vulnerability in the Accellion FTA. This SQL injection served as the primary intrusion vector," Mandiant researchers explained.

After gaining access, the attackers succeeded in writing a web shell (DEWMODE) to the system, which extracted a list of available files from an FTA MySQL database. The attackers used this list to download files through the DEWMODE web shell, and then initiated a cleanup routine.

This all happened quickly, sometimes within hours of the installation of the web shell, but it took several weeks for the victims to start receiving extortion emails. These included a description of the stolen data and the threat that, if the victim doesn't pay up, the attackers will publish the stolen data on the "CL0P^_- LEAKS" .onion shaming website.

According to the researchers, the attackers would follow a pattern of escalation to pressure victims into paying extortion demands, a pattern that would occasionally end with emails to partners of the victim organization that included links to the stolen data and the negotiation chat.

It's unknown whether some of the victims ended up paying the attackers.

"Monitoring of the CL0P^_- LEAKS shaming website has demonstrated that has followed through on threats to publish stolen data as several new victims have appeared on the site in recent weeks, including at least one organization that has publicly confirmed that their Accellion FTA device had been recently targeted," the researchers shared.

Are these attackers the FIN11 cybercrime group?

Mandiant has noted several things that may link these attackers to the FIN11 attackers, including:

- The use of the CL0P^_- LEAKS shaming site.
- Some extortion emails were sent from IP addresses and/or email accounts used by FIN11 in prior phishing campaigns.
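The intrusion chain described above (a script that should not exist on the appliance appears, and the same client then pulls many files through it within hours) is the kind of sequence a defender can hunt for in web-server access logs. The following is an added example written for this page, not Mandiant's or Accellion's code and not the actual DEWMODE indicators: the log layout (Apache-style), the endpoint names in the baseline, the hypothetical shell path `/courier/x.php`, the `download=` query parameter, the sample lines and the thresholds are all assumptions chosen for illustration.

```python
"""Hunt for a DEWMODE-like pattern in access logs.

Added example for this page; it is not Mandiant's or Accellion's code.
The log format, endpoint names, the shell path, the query parameter and the
thresholds are assumptions, not real FTA or DEWMODE indicators.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumed baseline of endpoints that legitimately exist on the appliance.
BASELINE = {"/courier/login.php", "/courier/download.php", "/courier/upload.php"}

# Apache combined-style line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Constructed sample log (hypothetical paths and RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2020:02:11:03 +0000] "POST /courier/login.php HTTP/1.1" 200 512
203.0.113.7 - - [20/Dec/2020:02:11:40 +0000] "GET /courier/x.php HTTP/1.1" 200 9120
203.0.113.7 - - [20/Dec/2020:02:12:05 +0000] "GET /courier/x.php?download=1001 HTTP/1.1" 200 4194304
203.0.113.7 - - [20/Dec/2020:02:12:31 +0000] "GET /courier/x.php?download=1002 HTTP/1.1" 200 1048576
203.0.113.7 - - [20/Dec/2020:02:13:02 +0000] "GET /courier/x.php?download=1003 HTTP/1.1" 200 2097152
203.0.113.7 - - [20/Dec/2020:02:14:10 +0000] "GET /courier/x.php?download=1004 HTTP/1.1" 200 524288
203.0.113.7 - - [20/Dec/2020:02:15:44 +0000] "GET /courier/x.php?download=1005 HTTP/1.1" 200 8388608
203.0.113.7 - - [20/Dec/2020:03:01:12 +0000] "GET /courier/x.php?download=1006 HTTP/1.1" 200 262144
198.51.100.4 - - [20/Dec/2020:09:00:00 +0000] "GET /courier/login.php HTTP/1.1" 200 512
198.51.100.4 - - [20/Dec/2020:09:01:00 +0000] "GET /courier/download.php?fid=77 HTTP/1.1" 200 2048
192.0.2.9 - - [20/Dec/2020:11:00:00 +0000] "GET /courier/x.php HTTP/1.1" 404 210
"""


def parse_line(line):
    """Return a dict (ip, ts, path, query, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": m["status"],
    }


def find_shell_activity(lines, baseline=BASELINE,
                        window=timedelta(hours=6), min_downloads=5):
    """Flag clients that hit a non-baseline script successfully and then pull
    at least `min_downloads` files through that same script within `window`."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        seen = set()  # report each candidate shell path once per client
        for i, first in enumerate(evs):
            path = first["path"]
            if path in baseline or path in seen or first["status"] != "200":
                continue
            seen.add(path)
            downloads = [
                f for f in evs[i:]
                if f["path"] == path and "download" in f["query"]
                and f["status"] == "200" and f["ts"] - first["ts"] <= window
            ]
            if len(downloads) >= min_downloads:
                findings.append({"ip": ip, "shell": path,
                                 "first_seen": first["ts"],
                                 "downloads": len(downloads)})
    return findings


if __name__ == "__main__":
    for f in find_shell_activity(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} used {f['shell']} from {f['first_seen']:%Y-%m-%d %H:%M} "
              f"for {f['downloads']} downloads")
```

The client at 192.0.2.9 also requests the unknown path but gets a 404 and never downloads anything, so it is not reported; the point of the heuristic is the combination of an unexpected script and a burst of transfers through it, which is what the paragraph above describes happening within hours of the web shell being written.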