
Zero-day exploit in Accellion FTA leads to data compromise of multiple companies

Published on 03 Mar 2021 by Louise

This article evaluates the recent slew of data breaches suffered by a range of major organisations as a result of vulnerabilities in the soon-to-be-retired Accellion File Transfer Appliance, as well as the implications of suspected involvement by notorious ransomware gang Cl0p.

In mid-December, private cloud solutions company Accellion was notified of a zero-day exploit in Accellion FTA, a 20-year-old file-transfer application due to be retired in April and still widely used. Accellion swiftly released a security patch, but to no avail; further vulnerabilities were discovered by threat actors, and the ensuing weeks and months brought reports of data compromise affecting a growing range of high-profile organisations. Whilst the breaches varied in severity, the common theme in all of these security incidents was the use of Accellion's legacy software. This article evaluates the causes and consequences of the Accellion breach and the implications of potential involvement by ransomware gang Cl0p, after several data dumps belonging to Accellion's clients were posted on the group's darknet leaks site.

Vulnerabilities and Organisations Affected

Before examining the roles of organisations and cybercriminal networks, let's clarify the technical aspects and scope of the breach. The US Cybersecurity & Infrastructure Security Agency (CISA) has released an advisory noting that the original zero-day exploit found in FTA was quickly patched by Accellion in late December. However, this weakness drew the attention of threat actors, who were quick to uncover further vulnerabilities, including SQL injection, operating system command execution, and server-side request forgery. These CVEs allowed attackers to run remote commands on compromised systems via the installation of a novel web shell, identified by FireEye as DEWMODE, which facilitated the exfiltration of data and log clean-up to avoid detection. Thus, threat actors were able to remove evidence of the intrusion before standard security procedures could respond to the incident.
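As an added, defender-side illustration (not from the article, CISA or the vendor) of why the log clean-up described above matters: if the appliance's access log is forwarded off-host before an attacker truncates it, comparing the forwarded copy against what remains on the host reveals exactly which entries were removed, and those entries can then be screened for unusually large downloads. The log lines below are constructed in Combined Log Format; the IP addresses, paths and size threshold are placeholders.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the article or any real appliance).
# FORWARDED is the copy shipped to a central log server before the clean-up;
# LOCAL is what remains on the host after an attacker deletes their own entries.
FORWARDED = """\
10.0.0.5 - - [22/Dec/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [22/Dec/2020:10:00:07 +0000] "GET /docs/report.pdf HTTP/1.1" 200 90112
198.51.100.7 - - [22/Dec/2020:10:02:13 +0000] "POST /upload HTTP/1.1" 200 88
198.51.100.7 - - [22/Dec/2020:10:02:40 +0000] "GET /archive.zip HTTP/1.1" 200 734003200
10.0.0.9 - - [22/Dec/2020:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""
LOCAL = """\
10.0.0.5 - - [22/Dec/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [22/Dec/2020:10:00:07 +0000] "GET /docs/report.pdf HTTP/1.1" 200 90112
10.0.0.9 - - [22/Dec/2020:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# client ip, ident, user, [timestamp], "request", status, response size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')

def parse(text):
    """Parse Combined Log Format text into a list of dicts, in file order."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the comparison
        ip, ts, req, status, size = m.groups()
        rows.append({"ip": ip, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                     "req": req, "status": int(status), "size": int(size), "raw": line})
    return rows

def missing_locally(forwarded, local):
    """Entries present in the forwarded copy but absent on the host: evidence of deletion."""
    local_raw = {r["raw"] for r in parse(local)}
    return [r for r in parse(forwarded) if r["raw"] not in local_raw]

def large_transfers(rows, threshold_bytes):
    """Among the given entries, those whose response size suggests bulk exfiltration."""
    return [r for r in rows if r["size"] >= threshold_bytes]

if __name__ == "__main__":
    deleted = missing_locally(FORWARDED, LOCAL)
    for r in deleted:
        print("removed on host:", r["raw"])
    for r in large_transfers(deleted, 100 * 1024 * 1024):
        print("large download among removed entries:", r["ip"], r["req"], r["size"])
```

The comparison only works if log forwarding is in place before the intrusion; a log that exists solely on the compromised appliance offers nothing to diff against.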

These methods of data theft and detection evasion partially explain the breadth with which attackers were able to leverage FTA vulnerabilities against a vast range of organisations. Preliminary reports of breaches affecting governmental organisations, such as the Reserve Bank of New Zealand and the Office of the Washington State Auditor in December, were soon followed by disclosures from private-sector firms. These were no small targets: Jones Day, a top international law firm that previously represented the Trump campaign, telecoms conglomerate SingTel, and US grocery retailer Kroger all reside on the ever-growing list of victims of this third-party breach. Further sectors impacted include higher education, medical research, and aviation.

Searchlight's Cerberus tool indexes multiple previous instances of Accellion FTA vulnerabilities being discussed and offered for sale in darknet spaces - including hacking forum Exploit and vulnerability market 0Day - indicating that the software has been on the radar of cybercriminals for some time prior to the recent breach.

A screenshot of a forum post from 2016 mentioning an Accellion vulnerability

A screenshot of a market listing from 2019 offering an Accellion vulnerability

Accellion's Response and Persistence of Legacy Software Use

As well as attackers evading detection using log clean-up, another factor in the breadth and depth of these attacks lies in the vendor's response. Accellion announced it had patched the original zero-day exploit “in 72 Hours with Minimal Impact”, but the admission of further vulnerabilities and ongoing attacks throughout late December and early January was seen by some clients as less than forthcoming. An official update on February 1 stated the patching of all known vulnerabilities in FTA, along with the addition of new monitoring and alert systems surrounding the identified attack vectors. Accellion's initial estimation of fewer than 50 clients affected by the breach soon doubled, though it maintained no more than 25 customers suffered actual data theft as a result.

A further intervening variable in the size of the breach regards client-side company practices. As previously mentioned, Accellion FTA is entering its third decade of existence, with end-of-life scheduled for April 2021. At the time of the attacks, Accellion’s Chief ISO stated that clients had been encouraged over the past three years to migrate to Kiteworks, the company’s latest file-sharing platform, equipped with superior security architecture and development processes, as well as being built on an entirely separate codebase.

While FTA’s continued widespread use may have necessitated more robust support from Accellion - or a more resolute push to upgrade - this breach highlights the difficulties in managing legacy software as a large organisation, especially in a field as sensitive as data sharing.

Links to Cl0p: Tangential or Essential?

One peculiarity of the Accellion FTA breach was the initial absence of clear attribution or claims of responsibility for the attack campaign, a practice various cybercrime groups usually revel in. The first signs of culpability were reported by FireEye as surfacing in late January, when several victims were threatened via email with the publishing of their stolen data on the darknet site of ransomware gang Cl0p, titled CL0P^_- LEAKS. Predictably, company data linked to the Accellion FTA breaches soon appeared on the site for download in an effort to shame the victims into payment.

A screenshot of the CL0P^_- LEAKS homepage, accessed via the Cerberus proxy

Despite this, sole or direct involvement by Cl0p has been questioned because no ransomware was deployed in the attacks. This led researchers to believe the group may be collaborating with other threat actors, identified as UNC2546 (responsible for the installation of DEWMODE and the original data theft) and UNC2582 (responsible for the subsequent extortion attempts), with some overlap between the two. This would not be the first instance of CL0P^_- LEAKS being leveraged by fellow threat actors: Mandiant previously reported on financially motivated cybercrime cluster FIN11 name-dropping the darknet site in its extortion threats. This multi-pronged approach also chimes with a recent report by CrowdStrike, which summarises the interconnected nature of the cybercrime ecosystem.

On the darknet at large, Cerberus has identified numerous subsequent posts on forums regarding the Accellion breach, including XSS and RaidForums. Forum users are requesting the stolen databases of Accellion client companies, showing that potential fallout from the breach is far from over.

A screenshot of a recent forum post (XSS) asking about Accellion databases

A screenshot of a recent forum post (RaidForums) asking about Accellion databases

Overall, the Accellion FTA breach highlights the growing imperative for organisations to invest in darknet monitoring as an early-warning system against potential threats, as well as regular audits and upgrades of any vulnerable third-party software used in day-to-day operations.

