The malicious actors behind a data theft from Accellion’s File Transfer Appliance (FTA) and the extortion that followed may be linked to the highly active financial cybercrime group FIN11, cybersecurity specialists have said.

Mandiant, a division of cybersecurity firm FireEye, is investigating the attacks, which started in mid-December and continued into January, affecting several organisations including Singaporean telecommunications company Singtel. It has discovered “compelling” overlaps between some aspects of the malicious activity and patterns of behaviour by notorious group FIN11.

The attackers exploited multiple zero-day vulnerabilities in the FTA system to install a newly discovered web shell named DEWMODE, according to preliminary findings by Mandiant. Organisations then began receiving extortion emails from actors threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website, with some of the data appearing to have been stolen using DEWMODE, said Mandiant.

Mandiant has labelled the data theft as ‘UNC2546’ and the subsequent extortion activity as ‘UNC2582’.

A spokesperson said: “We have identified overlaps between UNC2582, UNC2546, and prior FIN11 operations, and we will continue to evaluate the relationships between these clusters of activity.”

Mandiant has discovered similarities between the UNC2582 extortion activity and FIN11, including common email senders and the use of the CL0P^_- LEAKS shaming site.

FIN11 is a financially motivated cybercrime group that has been active since 2016 and was linked with attacks on the financial, retail and restaurant sectors in 2017 and 2018. It is widely believed to be Russia-based. Starting in 2019, however, the group diversified its targeting and arsenal and transitioned to ransomware distribution.

According to website Bleeping Computer, FIN11 has in recent months started attacking organisations in the defence, energy, finance, healthcare/pharmaceutical, legal, telecommunications, technology, and transportation sectors.

However, when it comes to the data theft itself, Mandiant found that UNC2546 uses a different infection vector and foothold and, unlike with FIN11, it has not observed the actors expanding their presence across impacted networks. It therefore does not have the evidence to link the FTA exploitation to FIN11 at this time.

Following the attacks, Accellion strongly recommends FTA customers migrate to kiteworks, its up-to-date content firewall platform. This is because FTA, a large-file transfer product, is 20 years old and nearing the end of its life.

The company has patched all known FTA vulnerabilities exploited by the threat actors. Mandiant says it has validated the patches and is performing penetration testing and a code review of FTA’s current version.

“[Mandiant] has not found any other critical vulnerabilities in the FTA product based on our analysis to date,” it added.

California-based Accellion also said it has added monitoring and alerting capabilities to flag anomalies associated with the hackers.
