< Back to Searchlight Blog

Zero-day exploit in Accellion FTA leads to data compromise of multiple companies

Published on 03 Mar 2021 by Louise

This article evaluates the recent slew of data breaches suffered by a range of major organisations as a result of vulnerabilities in the soon-to-be-retired Accellion File Transfer Appliance, as well as the implications of suspected involvement by notorious ransomware gang Cl0p.

In mid-December, private cloud solutions company Accellion was notified of a zero-day exploit in Accellion FTA, a 20-year-old file-transfer application due to be retired in April and still widely used. Accellion swiftly released a security patch, but to no avail; further vulnerabilities were discovered by threat actors, with the ensuing weeks and months bearing reports of data compromise affecting a growing range of high- profile organisations. Whilst the breaches varied in severity, the common theme in all security incidents was the use of Accellion’s legacy software. This article evaluates the causes and consequences of the Accellion breach and the implications of potential involvement by ransomware gang Cl0p, after several data dumps belonging to Accellion's clients were posted on the group’s darknet leaks site.

Vulnerabilities and Organisations Affected

Before examining the roles of organisations and cybercriminal networks, let's clarify the technical aspects and scope of the breach. The US Cybersecurity & Infrastructure Security Agency (CISA) has released an advisory noting the original zero-day exploit found in FTA was quickly patched by Accellion in late December. However, this weakness drew the attention of threat actors who were quick to uncover further vulnerabilities - including SQL injection, operating system command executions, and server-side request forgery. These CVEs allowed attackers to run remote commands on compromised systems, via installation of a novel web shell identified by FireEye as DEWMODE, facilitating the exfiltration of data and log clean-up in order to avoid detection. Thus, threat actors were able to remove evidence of a cyberattack before standard security procedures could respond to the incident.

These methods of data theft and detection evasion partially explain the broad scope with which attackers were able to leverage FTA vulnerabilities against a vast range of organisations. Preliminary reports of breaches affecting governmental organisations – such as the Reserve Bank of New Zealand and the Office of the Washington State Auditor in December – were soon followed by disclosures from private-sector firms. These were no small targets; Jones Day, a top international law firm that previously represented the Trump campaign, Telecoms conglomerate SingTel, and US grocery retailer Kroger reside on the ever-growing list of victims to the third-party breach. Further sectors impacted include higher education, medical research, and aviation.

Searchlight's Cerberus tool indexes multiple previous instances of Accellion FTA vulnerabilities being discussed and offered for sale in darknet spaces - including hacking forum Exploit and vulnerability market 0Day - indicating that the software has been on the radar of cybercriminals for some time prior to the recent breach.

A screenshot of a forum post from 2016 mentioning an Accellion vulnerability

A screenshot of a market listing from 2019 offering an Accellion vulnerability

Accellion's Response and Persistence of Legacy Software Use

As well as attackers evading detection using log clean-up, another factor in the breadth and depth of these attacks lies in the vendor's response. Accellion announced it had patched the original zero-day exploit “in 72 Hours with Minimal Impact”, but the admission of further vulnerabilities and ongoing attacks throughout late December and early January was seen by some clients as less than forthcoming. An official update on February 1 stated the patching of all known vulnerabilities in FTA, along with the addition of new monitoring and alert systems surrounding the identified attack vectors. Accellion's initial estimation of fewer than 50 clients affected by the breach soon doubled, though it maintained no more than 25 customers suffered actual data theft as a result.

A further intervening variable in the size of the breach regards client-side company practices. As previously mentioned, Accellion FTA is entering its third decade of existence, with end-of-life scheduled for April 2021. At the time of the attacks, Accellion’s Chief ISO stated that clients had been encouraged over the past three years to migrate to Kiteworks, the company’s latest file-sharing platform, equipped with superior security architecture and development processes, as well as being built on an entirely separate codebase.

While FTA’s continued widespread use may have necessitated more robust support from Accellion - or a more resolute push to upgrade - this breach highlights the difficulties in managing legacy software as a large organisation, especially in a field as sensitive as data sharing.

Links to Cl0p: Tangential or Essential?

One peculiarity of the Accellion FTA breach was the initial absence of clear attribution or claims of responsibility for the attack campaign, a practice various cybercrime groups usually revel in. The first signs of culpability were reported by FireEye as surfacing in late January, when several victims were threatened via email with the publishing of their stolen data on the darknet site of ransomware gang Cl0p, titled CL0P^_- LEAKS. Predictably, company data linked to the Accellion FTA breaches soon appeared on the site for download in an effort to shame the victims into payment.

A screenshot of the CL0P^_- LEAKS homepage, accessed via the Cerberus proxy Accessed via the Cerberus proxy

Despite this, sole or direct involvement by Cl0p has been questioned due to a lack of ransomware being deployed in the attacks. This led researchers to believe the group may be collaborating with other threat actors identified as UNC2546 (responsible for the installation of DEWMODE and original data theft) and UNC2582 (responsible for subsequent extortion attempts), with some overlap between the two. This would not be the first instance of CL0P^_- LEAKS being leveraged by fellow threat actors, with Mandiant previously reporting on financially motivated cybercrime cluster FIN11 name-dropping the darknet site in its extortion threats. This multi-pronged approach also chimes with a recent report by CrowdStrike, which summarises the interconnected nature of the cybercrime ecosystem.

On the darknet at large, Cerberus has identified numerous subsequent posts on forums regarding the Accellion breach, including XSS and RaidForums. Forum users are requesting the stolen databases of Accellion client companies, showing that potential fallout from the breach is far from over.

A screenshot of a recent forum post (XSS) asking about Accellion databases

A screenshot of a recent forum post (RaidForums) asking about Accellion databases

Overall, the Accellion FTA breach highlights the growing imperative for organisations to invest in darknet monitoring as an early-warning system against potential threats, as well as regular audits and upgrades of any vulnerable third-party software used in day-to-day operations.

Try our Darknet Intelligence/Forensics tool for free, contact enquiries@slcyber.io


Latest News from Searchlight

20 May 2021

Is all press good press? DarkSide, Colonial Pipeline and Ransomware-as-a-Service

This article explores the darknet structures and relationships sustaining the ransomware ecosystem, and enquires whether the consequences of DarkSide's attack against Colonial Pipeline will affect the continued growth of this lucrative cybercriminal enterprise.

Read more...

03 Mar 2021

Zero-day exploit in Accellion FTA leads to data compromise of multiple companies

This article evaluates the recent slew of data breaches suffered by a range of major organisations as a result of vulnerabilities in the soon-to-be-retired Accellion File Transfer Appliance, as well as the implications of suspected involvement by notorious ransomware gang Cl0p.

Read more...

06 Jan 2021

Covid-19 and the darknet: deceit, disinformation and disruption

Since the beginning of the coronavirus pandemic, darknet actors have exploited the heightened sense of fear and uncertainty for financial and even political gain. In tandem with the much-anticipated rollout of vaccines for the disease in multiple countries worldwide, actors have renewed efforts at Covid-related fraud, disinformation, and cyber-espionage.

Read more...

02 Dec 2020

The quest for Monero deanonymisation and potential impacts on darknet markets

Monero, often hailed by darknet users as the most private cryptocurrency available, has recently been the subject of efforts by security researchers to deanonymise and trace its transactions. How will Monero's potential traceability affect the illicit trade that occurs on darknet markets?

Read more...

Whoops, looks like something went wrong.

1/1 Swift_TransportException in AuthHandler.php line 181: Failed to authenticate on SMTP server with username "notifymcgoo@gmail.com" using 1 possible authenticators

  1. in AuthHandler.php line 181
  2. at Swift_Transport_Esmtp_AuthHandler->afterEhlo(object(Swift_Transport_EsmtpTransport)) in EsmtpTransport.php line 332
  3. at Swift_Transport_EsmtpTransport->_doHeloCommand() in AbstractSmtpTransport.php line 118
  4. at Swift_Transport_AbstractSmtpTransport->start() in FileSpool.php line 149
  5. at Swift_FileSpool->flushQueue(object(Swift_Transport_EsmtpTransport)) in SwiftmailerServiceProvider.php line 95
  6. at SwiftmailerServiceProvider->Silex\Provider\{closure}(object(Request), object(TemplateResponse), object(Application))
  7. at call_user_func(object(Closure), object(Request), object(TemplateResponse), object(Application)) in Application.php line 387
  8. at Application->Silex\{closure}(object(PostResponseEvent), 'kernel.terminate', object(TraceableEventDispatcher)) in WrappedListener.php line 61
  9. at WrappedListener->__invoke(object(PostResponseEvent), 'kernel.terminate', object(EventDispatcher)) in EventDispatcher.php line 184
  10. at EventDispatcher->doDispatch(array(object(WrappedListener), object(WrappedListener), object(WrappedListener)), 'kernel.terminate', object(PostResponseEvent)) in EventDispatcher.php line 46
  11. at EventDispatcher->dispatch('kernel.terminate', object(PostResponseEvent)) in TraceableEventDispatcher.php line 133
  12. at TraceableEventDispatcher->dispatch('kernel.terminate', object(PostResponseEvent)) in HttpKernel.php line 77
  13. at HttpKernel->terminate(object(Request), object(TemplateResponse)) in Application.php line 598
  14. at Application->terminate(object(Request), object(TemplateResponse)) in Application.php line 565
  15. at Application->run(object(Request)) in Application.php line 97
  16. at Application->run() in index.php line 12
Uncaught Exception: Swift_TransportException

Uncaught Exception: Swift_TransportException .

Swift_TransportException in AuthHandler.php line 181:
Failed to authenticate on SMTP server with username "notifymcgoo@gmail.com" using 1 possible authenticators

                    if ($authenticator->authenticate($agent, $this->_username, $this->_password)) {
                        return;
                    }
                }
            }
            throw new Swift_TransportException(
                'Failed to authenticate on SMTP server with username "'.
                $this->_username.'" using '.$count.' possible authenticators'
                );
        }
    }

Google this Exception

Stack trace

# 1 \Swift_Transport_Esmtp_AuthHandl …::afterEhlo(Swift_Transport_EsmtpTransport)
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/EsmtpTransport.php # line 332
# 2 \Swift_Transport_EsmtpTransport::_doHeloCommand()
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/AbstractSmtpTransport.php # line 118
# 3 \Swift_Transport_AbstractSmtpTra …::start()
[root]/vendor/swiftmailer/swiftmailer/lib/classes/Swift/FileSpool.php # line 149
# 4 \Swift_FileSpool::flushQueue(Swift_Transport_EsmtpTransport)
[root]/vendor/silex/silex/src/Silex/Provider/SwiftmailerServiceProvider.php # line 95
# 5 Silex\Provider\SwiftmailerServiceProvider::Silex\Provider\{closure}(Request, TemplateResponse, Application)
# 6 call_user_func(Closure, Request, TemplateResponse, Application)
[root]/vendor/silex/silex/src/Silex/Application.php # line 387
# 7 Silex\Application::Silex\{closure}(PostResponseEvent, "kernel.terminate", TraceableEventDispatcher)
[root]/vendor/symfony/event-dispatcher/Debug/WrappedListener.php # line 61
# 8 Symfony\Component\EventDispatcher\Debug\WrappedListener::__invoke(PostResponseEvent, "kernel.terminate", EventDispatcher)
[root]/vendor/symfony/event-dispatcher/EventDispatcher.php # line 184
# 9 Symfony\Component\EventDispatcher\EventDispatcher::doDispatch([array], "kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/event-dispatcher/EventDispatcher.php # line 46
# 10 Symfony\Component\EventDispatcher\EventDispatcher::dispatch("kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php # line 133
# 11 Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher::dispatch("kernel.terminate", PostResponseEvent)
[root]/vendor/symfony/http-kernel/HttpKernel.php # line 77
# 12 Symfony\Component\HttpKernel\HttpKernel::terminate(Request, TemplateResponse)
[root]/vendor/silex/silex/src/Silex/Application.php # line 598
# 13 Silex\Application::terminate(Request, TemplateResponse)
[root]/vendor/silex/silex/src/Silex/Application.php # line 565
# 14 Silex\Application::run(Request)
[root]/vendor/bolt/bolt/src/Application.php # line 97
# 15 Bolt\Application::run()
[root]/public/index.php # line 12


Request data

content (empty)
languages en_US
en
charsets (empty)
encodings br
gzip
acceptableContentTypes text/html
application/xhtml+xml
application/xml
*/*
pathInfo /news/zero-day-exploit-in-accellion-fta-leads-to-data-compromise-of-multiple-companies
requestUri /news/zero-day-exploit-in-accellion-fta-leads-to-data-compromise-of-multiple-companies
baseUrl (empty)
basePath (empty)
method GET

Headers

host ["bolt"]
connection ["close"]
user-agent ["CCBot/2.0 (https://commoncrawl.org/faq/)"]
accept ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"]
accept-language ["en-US,en;q=0.5"]
accept-encoding ["br,gzip"]

Server

HTTP_HOST bolt
HTTP_CONNECTION close
HTTP_USER_AGENT CCBot/2.0 (https://commoncrawl.org/faq/)
HTTP_ACCEPT text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_LANGUAGE en-US,en;q=0.5
HTTP_ACCEPT_ENCODING br,gzip
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE <address>Apache/2.4.25 (Debian) Server at bolt Port 80</address>
SERVER_SOFTWARE Apache/2.4.25 (Debian)
SERVER_NAME bolt
SERVER_ADDR 192.168.80.2
SERVER_PORT 80
REMOTE_ADDR 192.168.80.3
DOCUMENT_ROOT /var/www/html/public
REQUEST_SCHEME http
CONTEXT_PREFIX (empty)
CONTEXT_DOCUMENT_ROOT /var/www/html/public
SERVER_ADMIN [no address given]
SCRIPT_FILENAME /var/www/html/public/index.php
REMOTE_PORT 34304
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.0
REQUEST_METHOD GET
QUERY_STRING (empty)
REQUEST_URI /news/zero-day-exploit-in-accellion-fta-leads-to-data-compromise-of-multiple-companies
SCRIPT_NAME /index.php
PHP_SELF /index.php
argv []
Arguments:
array:1 [
  0 => Swift_Transport_EsmtpTransport {
    -_handlers: array:1 [
      "AUTH" => Swift_Transport_Esmtp_AuthHandler {
        -_authenticators: array:3 [
          0 => Swift_Transport_Esmtp_Auth_CramMd5Authenticator {}
          1 => Swift_Transport_Esmtp_Auth_LoginAuthenticator {}
          2 => Swift_Transport_Esmtp_Auth_PlainAuthenticator {}
        ]
        -_username: "notifymcgoo@gmail.com"
        -_password: "6690823boyded"
        -_auth_mode: "login"
        -_esmtpParams: array:6 [
          0 => "LOGIN"
          1 => "PLAIN"
          2 => "XOAUTH2"
          3 => "PLAIN-CLIENTTOKEN"
          4 => "OAUTHBEARER"
          5 => "XOAUTH"
        ]
      }
    ]
    -_capabilities: array:7 [
      "SIZE" => array:1 [
        0 => "35882577"
      ]
      "8BITMIME" => []
      "AUTH" => array:6 [
        0 => "LOGIN"
        1 => "PLAIN"
        2 => "XOAUTH2"
        3 => "PLAIN-CLIENTTOKEN"
        4 => "OAUTHBEARER"
        5 => "XOAUTH"
      ]
      "ENHANCEDSTATUSCODES" => []
      "PIPELINING" => []
      "CHUNKING" => []
      "SMTPUTF8" => []
    ]
    -_params: array:8 [
      "protocol" => "tcp"
      "host" => "smtp.gmail.com"
      "port" => 587
      "timeout" => 30
      "blocking" => 1
      "tls" => true
      "type" => 1
      "stream_context_options" => []
    ]
    #_buffer: Swift_Transport_StreamBuffer {
      -_stream: &1 stream resource @1004
        crypto: array:4 [
          "protocol" => "TLSv1.2"
          "cipher_name" => "ECDHE-ECDSA-AES128-GCM-SHA256"
          "cipher_bits" => 128
          "cipher_version" => "TLSv1.2"
        ]
        timed_out: false
        blocked: true
        eof: false
        stream_type: "tcp_socket/ssl"
        mode: "r+"
        unread_bytes: 0
        seekable: false
        options: []
      }
      -_in: &1 stream resource @1004
      -_out: &1 stream resource @1004
      -_params: array:8 [
        "protocol" => "tcp"
        "host" => "smtp.gmail.com"
        "port" => 587
        "timeout" => 30
        "blocking" => 1
        "tls" => true
        "type" => 1
        "stream_context_options" => []
      ]
      -_replacementFactory: Swift_StreamFilters_StringReplacementFilterFactory {
        -_filters: []
      }
      -_translations: []
      #_sequence: 28
      -_filters: []
      -_writeBuffer: ""
      -_mirrors: []
    }
    #_started: false
    #_domain: "[192.168.80.2]"
    #_eventDispatcher: Swift_Events_SimpleEventDispatcher {
      -_eventMap: array:5 [
        "Swift_Events_CommandEvent" => "Swift_Events_CommandListener"
        "Swift_Events_ResponseEvent" => "Swift_Events_ResponseListener"
        "Swift_Events_SendEvent" => "Swift_Events_SendListener"
        "Swift_Events_TransportChangeEvent" => "Swift_Events_TransportChangeListener"
        "Swift_Events_TransportExceptionEvent" => "Swift_Events_TransportExceptionListener"
      ]
      -_listeners: []
      -_bubbleQueue: []
    }
    #_sourceIp: null
  }
]
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
Arguments:
array:1 [
  0 => Swift_Transport_EsmtpTransport {
    -_handlers: array:1 [
      "AUTH" => Swift_Transport_Esmtp_AuthHandler {
        -_authenticators: array:3 [
          0 => Swift_Transport_Esmtp_Auth_CramMd5Authenticator {}
          1 => Swift_Transport_Esmtp_Auth_LoginAuthenticator {}
          2 => Swift_Transport_Esmtp_Auth_PlainAuthenticator {}
        ]
        -_username: "notifymcgoo@gmail.com"
        -_password: "6690823boyded"
        -_auth_mode: "login"
        -_esmtpParams: array:6 [
          0 => "LOGIN"
          1 => "PLAIN"
          2 => "XOAUTH2"
          3 => "PLAIN-CLIENTTOKEN"
          4 => "OAUTHBEARER"
          5 => "XOAUTH"
        ]
      }
    ]
    -_capabilities: array:7 [
      "SIZE" => array:1 [
        0 => "35882577"
      ]
      "8BITMIME" => []
      "AUTH" => array:6 [
        0 => "LOGIN"
        1 => "PLAIN"
        2 => "XOAUTH2"
        3 => "PLAIN-CLIENTTOKEN"
        4 => "OAUTHBEARER"
        5 => "XOAUTH"
      ]
      "ENHANCEDSTATUSCODES" => []
      "PIPELINING" => []
      "CHUNKING" => []
      "SMTPUTF8" => []
    ]
    -_params: array:8 [
      "protocol" => "tcp"
      "host" => "smtp.gmail.com"
      "port" => 587
      "timeout" => 30
      "blocking" => 1
      "tls" => true
      "type" => 1
      "stream_context_options" => []
    ]
    #_buffer: Swift_Transport_StreamBuffer {
      -_stream: &1 stream resource @1004
        crypto: array:4 [
          "protocol" => "TLSv1.2"
          "cipher_name" => "ECDHE-ECDSA-AES128-GCM-SHA256"
          "cipher_bits" => 128
          "cipher_version" => "TLSv1.2"
        ]
        timed_out: false
        blocked: true
        eof: false
        stream_type: "tcp_socket/ssl"
        mode: "r+"
        unread_bytes: 0
        seekable: false
        options: []
      }
      -_in: &1 stream resource @1004
      -_out: &1 stream resource @1004
      -_params: array:8 [
        "protocol" => "tcp"
        "host" => "smtp.gmail.com"
        "port" => 587
        "timeout" => 30
        "blocking" => 1
        "tls" => true
        "type" => 1
        "stream_context_options" => []
      ]
      -_replacementFactory: Swift_StreamFilters_StringReplacementFilterFactory {
        -_filters: []
      }
      -_translations: []
      #_sequence: 28
      -_filters: []
      -_writeBuffer: ""
      -_mirrors: []
    }
    #_started: false
    #_domain: "[192.168.80.2]"
    #_eventDispatcher: Swift_Events_SimpleEventDispatcher {
      -_eventMap: array:5 [
        "Swift_Events_CommandEvent" => "Swift_Events_CommandListener"
        "Swift_Events_ResponseEvent" => "Swift_Events_ResponseListener"
        "Swift_Events_SendEvent" => "Swift_Events_SendListener"
        "Swift_Events_TransportChangeEvent" => "Swift_Events_TransportChangeListener"
        "Swift_Events_TransportExceptionEvent" => "Swift_Events_TransportExceptionListener"
      ]
      -_listeners: []
      -_bubbleQueue: []
    }
    #_sourceIp: null
  }
]
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)
(Arguments not available. Raise debug_trace_argument_limit to see them)