Attackers broke into the Shell oil and gas company (Royal Dutch Shell), which ranks fifth in the Fortune Global 500. The hackers exploited the outdated file-sharing service Accellion FTA (File Transfer Application).
Shell disclosed information about the attack in a public statement posted on its official website. The company representatives assure that the incident affected only the device with Accellion FTA, which was used to securely transfer large files.Shell has already notified the relevant authorities and regulators about the incident, as the attackers gained access to the files transferred using the compromised Accellion FTA device. Some of this data reportedly belonged to stakeholders and Shell subsidiaries.
Let me remind you that last month information security specialists linked attacks on vulnerable Accellion FTA installations with the FIN11 hack group. Analysts at FireEye wrote that more than 100 companies had become victims of cybercriminals at that time.
According to the developers of Accellion themselves, among the approximately 300 FTA clients, “less than 100” were victims of attacks, and among them less than 25 were affected by data theft. FireEye clarified that some of these 25 customers are being blackmailed, and hackers are demanding a ransom from them.
As part of this campaign, hackers exploit four vulnerabilities in the FTA (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) and then install the DEWMODE web shell and use it to steal files stored on victims’ FTA devices. After that, attackers often blackmail the victims, demanding a ransom and threatening to leak the stolen information into the public domain.
It is noteworthy that the stolen data is published on a website owned by the operators of the Clop ransomware, but not a single machine has been encrypted on the networks of the affected companies. That is, they all became victims of hacking and classic extortion, not ransomware attacks.
Accellion developers have already released several “waves” of fixes, but each time they emphasized that FTA has long been an obsolete product, and urged their customers to migrate to the new Kiteworks platform. As a result, the company said that it would finally stop supporting the FTA on April 30, 2021.
Let me remind you that Engineering company Bombardier also fell victim to attack on Accellion FTA.
