SOCRadar® Cyber Intelligence Inc. | What is an Accellion Cyber Attack?
Home

Resources

Blog
Şub 05, 2022
3 Mins Read

What is an Accellion Cyber Attack?

Accellion specializes in file sharing and collaboration software that is safe and secure. More than 3,000 multinational enterprises, government organizations, hospitals, and colleges use the company’s enterprise content firewall. Baring Private Equity Asia and Bregal Sagemount are two major investors. 

Accellion Vulnerabilities Found

A zero-day exploit was discovered in the Accellion File Transfer Appliance product in December 2020. Between December 2020 and January 2021, Accellion patched various vulnerabilities. CVE (Common Vulnerabilities and Exposures) codes 2021–27101, 2021–27102, 2021–27103, and 2021–27104 

The Cybercriminal Group Behind the Accellion Attack: Researchers have identified a group of threat actors (UNC2546 and UNC2582) with ties to the FIN11 and Clop ransomware gangs as the cybercriminal group responsible for the Accellion attack. Threatpost, February 22, 2021.

Source: Threatpost, February 22, 2021. 

As a result of the cyberattack, Accellion must face a series of lawsuits on its own after a federal judicial body denied consolidation.

Source: Bloomberg Law, June 8, 2021. 

How Did The Accellion Breach Happen?

Threat actors used a combination of zero-day exploits and a new web shell to target Accellion’s legacy file transfer application (FTA). 

The attack appears to be primarily motivated by financial gain. Threat actors extort money from businesses by threatening to sell their data online if they do not pay the ransom. 

Although Accellion issued a patch in December 2020, it was insufficient to prevent a second assault in January 2021. Following that, a patch was provided to address the vulnerability

In connection with the Accellion breach, the following CVEs have been published: 

  • CVE-2021–27101 — SQL injection through a forged Host header in a request to document root.html affects Accellion FTA 9 12 370 and earlier. FTA 9 12 380 and later are the fixed versions. 
  • CVE-2021–27102 — OS command execution through a local web service call affects Accellion FTA 9 12 411 and earlier. FTA 9 12 416 and later are the fixed versions. 
  • CVE-2021–27103 — Accellion FTA 9 12 411 and earlier are vulnerable to SSRF via a crafted POST request to wmProgressstat.html. FTA 9 12 416 and later are the fixed versions. Accellion FTA 9 12 411 and earlier are vulnerable to SSRF via a crafted POST request to wmProgressstat.html. 
  • CVE-2021–27104 — OS command execution via a crafted POST request to different admin endpoints affects Accellion FTA 9 12 370 and earlier. FTA 9 12 380 and later are the fixed versions. 

How Can You Prevent The Accellion Vulnerability?

Security pros strongly advised not to utilize Accellion’s file transfer appliance app. The vendor no longer supports this program and will no longer receive security fixes. 

If you continue to use this application after it has reached its end-of-life date, you are putting your company in danger.

Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Try for free