Mandiant Identifies Criminal Threat Actor and Mode of Attacks
Accellion, Inc., provider of the industry’s first enterprise content firewall, today issued a statement regarding Mandiant’s preliminary findings on the previously reported cyberattacks on Accellion’s legacy FTA product.
Mandiant, a division of FireEye, Inc., has identified UNC2546 as the criminal hacker behind the cyberattacks and data theft involving Accellion’s legacy File Transfer Appliance product. Multiple Accellion FTA customers who have been attacked by UNC2546 have received extortion emails threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell. Mandiant is tracking the subsequent extortion activity under a separate threat cluster, UNC2582.
Accellion strongly recommends that FTA customers migrate to kiteworks, Accellion’s enterprise content firewall platform. These exploits apply exclusively to Accellion FTA clients: neither kiteworks nor Accellion the company were subject to these attacks. Kiteworks is built on an entirely different code base, using state-of-the-art security architecture, and a segregated, secure devops process. The kiteworks platform is FedRAMP authorized for Moderate CUI, and demonstrates compliance with GDPR, HIPAA, NIST 800-171, FIPS, SOC2, ISO 27001, and other data privacy regulations and standards.
Accellion has patched all known FTA vulnerabilities exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.
Accellion does not access the information that its customers transmit via FTA. Following the attack, however, Accellion has worked at many customers’ request to review their FTA logs to help understand whether and to what extent the customer might have been affected. As a result, Accellion has identified two distinct groups of affected FTA customers based on initial forensics. Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack. Within this group, fewer than 25 appear to have suffered significant data theft.
Accellion continues to offer support to all affected FTA customers to mitigate the impact of the attack.
The following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:
To read Mandiant’s preliminary findings on the cyberattack on Accellion’s legacy FTA product, please visit https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html. Mandiant’s complete report will be made available in the coming weeks.
To learn more about how Accellion helps organizations secure their third-party communications, please visit Enterprise Content Firewall.
Kiteworks’ mission is to empower organizations to effectively manage risk in every send, share, receive, and save of sensitive content. The Kiteworks platform provides customers with a Private Content Network that delivers content governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive content moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all sensitive content communications.
Accellion and kiteworks are registered trademarks of Accellion, Inc. in the US and other countries. All other trademarks contained herein are the property of their respective owners.