Hackers publish data stolen through Accellion FTA

Late last year, information surfaced online about attacks on companies using the outdated Accellion File Transfer Appliance (FTA). Some cybercriminals used Accellion FTA vulnerabilities to snatch confidential data, using the threat of publication to extort ransom from the victims. We are not pleased to report that they were true to their word.

What’s the vulnerability?

The Accellion FTA is an network appliance companies deploy for quick and easy delivery of large files.  Twenty years old, the solution is due to be retired this year, and developers have long called for a migration to more modern products.

In December 2020, the discovery of two vulnerabilities — CVE-2021-27101 and CVE-2021-27102 — in the solution enabled attackers to gain access to files uploaded to FTA devices. The vulnerabilities were closed, but January 2021 saw two more (CVE-2021-27103 and CVE-2021-27104) uncovered and patched.

Nonetheless, intruders managed to steal the data of several Accellion FTA users. Several high-profile press reports about the leaks followed. Apparently, not all of the victims agreed to pay the ransom, so the attackers carried out their threat to share the data they’d stolen.

How cybercriminals publish data

Recently, we registered mass e-mails aimed at compromising victims’ reputations in the eyes of employees, clients, and partners, as well as compet itors. The extent of the mailings and the sources of the addresses are not known for sure, but it seems the cybercriminals were trying to reach as many viewers as they could.

The attackers' e-mail to employees, clients, partners, and competitors.

The attackers’ e-mail to employees, clients, partners, and competitors.

The messages urged recipients to use the Tor browser to visit a .onion site, and they claimed the website got tens of thousands of hits per day. Among the purported visitors: all kinds of hackers and journalists able to cause even greater damage to a company’s infrastructure and reputation. Interestingly, the site belongs to the CL0P group, which specializes in ransomware, although in the attacks through the Accellion FTA vulnerabilities, the files were not encrypted. The hackers, it seems, took advantage of this convenient platform.

Of course, the aim is to intimidate other victims. Incidentally, both the e-mail and website contain details for contacting the attackers so as to get the published files removed, although there is little point once the information is out there.

It is also worth noting that the site features an ad offering lessons for administrators on closing the vulnerabilities through which data was stolen — for $250,000 in bitcoin.

Offer to help potential victims avoid the same fate.

Offer to help potential victims avoid the same fate.

We rather doubt anyone will bite. For starters, the developers have already released updated versions of Accellion FTA, and anyway, asking for help is tantamount to admitting that you can’t close the vulnerability and it’s still exploitable.

How to protect your company against such attacks

First, update Accellion FTA — or better, stop using the solution altogether (even the developers advise that).

Second, update all software products and services that have access to the Internet. It’s important to do that right away but also to ensure ongoing, timely updates.

In addition, protect every device — be it a workstation, server, or hardware/software solution — with a modern security product that can detect attempts to exploit vulnerabilities, including unknown ones.

For anyone who has fallen victim to extortionists, we do not recommend paying. Eugene Kaspersky’s recent post offers an in-depth explanation.