Since December 2020, cybersecurity experts have recorded massive attacks on companies and organizations using the outdated Accellion FTA (File Transfer Application) file-sharing service, but the company’s employees could not notify customers of the attack due to problems with email.
FireEye analysts linked this activity to the FIN11 hacker group and warned that more than 100 companies had become victims of cybercriminals.
According to the Accellion developers, among the approximately 300 FTA clients, “less than 100” were victims of attacks, and among them, less than 25 were affected by data theft. FireEye clarified that some of these 25 clients were blackmailed, and hackers demanded a ransom from them.
As part of this campaign, hackers exploited four vulnerabilities in the FTA (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) and then installed the DEWMODE web shell and used it to steal files stored on victims’ FTA devices. After that, the attackers blackmailed the victims, demanding a ransom and threatening to leak the stolen information into the public domain.
As a result, the developers of Accellion released several “waves” of fixes, but each time they emphasized that FTA has long been an outdated product and urged their customers to migrate to the new Kiteworks platform. Eventually, the company even stated that it would finally stop supporting FTA from April 30, 2021.
As it turns out, the developers from the very beginning tried to notify customers about what was happening and the need to urgently install patches, but a faulty email tool delayed important notifications for several days.
According to specialists from FireEye, which Accellion hired to investigate the incident, the vulnerability patches were available as early as December 20 and then December 23.
However, a report released this week by the Reserve Bank of New Zealand, which was also affected by the FTA attacks, states that the financial institution’s employees did not receive any notifications from the developers, and did not know about what was happening at all.
That is, the attackers had weeks to hack into the FTA server and steal confidential information.
Audit firm KPMG, which investigated the attack, claims that the lack of timely notification of the issue contributed significantly to the hack. Experts say that very few Accellion customers even knew about the release of the patches, and as a result, they left their devices vulnerable throughout the winter holidays.
Let me remind you that I reported that FireEye Experts Link Accellion Clients Hacks to FIN11 Hack Group.