FireEye links 0-day attacks on FTA servers & extortion campaign to FIN11 group

FireEye: Hackers breached companies running FTA servers, stole private files, and are now publishing data on the Clop ransomware leak site.
Written by Catalin Cimpanu, Contributor

The attacks using zero-days in Accellion FTA servers that have hit around 100 companies across the world in December 2020 and January 2021 have been carried out by a cybercrime group known as FIN11, cyber-security firm FireEye said today.

During the attacks, the hackers exploited four security flaws in the FTA servers to install a web shell named DEWMODE, which they then used to download files stored on the victims' FTA appliances.

"Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack," Accellion said in a press release today. "Within this group, fewer than 25 appear to have suffered significant data theft."

But FireEye says that some of these 25 customers have now received ransom demands following the attacks on their FTA file-sharing servers.

The attackers reached out via email and asked for Bitcoin payments, or they'd publish the victims' data on a "leak site" operated by the Clop ransomware gang.


FireEye, which has been helping Accellion investigate these attacks, said the attacks had been linked to two activity clusters the company tracks as UNC2546 (the zero-day exploitation on FTA devices) and UNC2582 (the emails sent to victims threatening to publish data on the Clop ransomware leak site).

Both groups have infrastructure overlaps with FIN11, a major cybercrime gang that FireEye discovered and documented last year, which has its fingers in various forms of cybercrime operations.

FireEye says that despite the fact that FIN11 operators are now publishing data from Accellion FTA customers on the Clop ransomware leak site, these companies haven't had any part of their internal network encrypted but are rather victims of a classic name-and-shame extortion scheme.

Security podcast Risky Business spotted the Accellion FTA companies on the Clop ransomware leak site last week, even before the FireEye report published today. Companies that had their data listed on the Clop site so far include the likes of:

Other companies that have reported network breaches due to attacks on their FTA servers (but have not had data leaked on the Clop site) also include the likes of:

Accellion to retire the old FTA servers

But while Accellion's response to these attacks was slow at first, the company is now operating on all cylinders.

Since the attacks began, the company has released several waves of patches to address the bugs exploited in the attacks, and it has also announced its intention to retire the old FTA server software later this year, on April 30, 2021.

The company is now actively urging its customers to migrate to its newer Kiteworks product, which superseded the old FTA server. FTA is a file-sharing tool developed in the early 2000s that gave companies a simple way to share files with employees and customers, at a time before products like Dropbox or Google Drive were widely available.

Because of the amount of data that has been uploaded to these servers, which were often built with few security features in mind, FTA systems have become a prime target for attackers.

Accellion hopes companies understand the risks they are now facing and choose to move to its newer line of products instead, avoiding the online leak of sensitive files such as trade secrets, intellectual property, or personal data.
