Understanding Accellion’s FTA Appliance Compromise, DEWMODE, and Its Supply Chain Impact

Editor’s Note: The following post is an excerpt from a full report. To read the complete analysis, click here to download the report as a PDF.

This report provides a high-level overview of the Accellion File Transfer Appliance compromise and an analysis of the DEWMODE web shell employed in the resulting breaches. Insikt Group used open source research (OSINT), PolySwarm, malware analysis, and the Recorded Future® Platform to conduct this research. The target audience of this research includes day-to-day security practitioners as well as executive decision-makers concerned about the targeting of third-party systems and software.

Executive Summary

The compromise of the Accellion File Transfer Appliance (FTA) file sharing service, impacting nearly 100 clients of the company, was enabled primarily by 4 zero-day vulnerabilities in the tool that allowed threat actors to place the DEWMODE web shell on victim servers and exfiltrate files from those servers. As of February 25, 2021, 13 organizations in multiple sectors (finance, government, legal, education, telecommunications, healthcare, retail, and manufacturing) and multiple countries (Australia, New Zealand, Singapore, the UK, and the US) have suffered data breaches as a result of the Accellion FTA compromise. Victim data has appeared on the website CL0P LEAKS, establishing a link between the operators of this website and the attackers behind the Clop ransomware. There are likely to be reports of additional victims in the near future, and we suspect that these victims will span additional industries and countries beyond those already reported. Clients using Accellion FTA in their environment are advised to update the software to version FTA_9_12_416 or later and to employ Insikt Group’s recommended mitigations to look for related malicious behavior on these servers.

Background

On January 10, 2021, the Reserve Bank of New Zealand reported a data breach resulting from the compromise of a third-party file sharing service, quickly identified as Accellion. The bank issued a statement about the breach the following day, indicating that sensitive commercial and personal information may have been compromised. Reserve Bank Governor Adrian Orr stated that Accellion had informed him that the Reserve Bank was not specifically targeted and that other Accellion FTA users had also been compromised.

Shortly afterward, on January 12, Accellion stated in a press release that "less than 50 customers" had been affected by a "P0" vulnerability in its legacy FTA software. The company also stated that it first became aware of the vulnerability in mid-December 2020, and that a patch was subsequently released "within 72 hours with minimal impact".

Key Judgements

Threat Analysis

Within a few weeks of Accellion’s initial press release, multiple other companies disclosed data breaches that occurred due to exploitation of Accellion FTA. Additionally, data belonging to victims of the Accellion FTA compromise began to appear on the website CL0P LEAKS, establishing a link between the operators of this website and the attackers behind the Clop ransomware. Based on an updated number of potential victims disclosed by Accellion on February 22, and an expanding list of victims up to the time of writing (March 12), we expect additional similar reports to appear over the next month. The following timeline tracks new victim disclosures, security researcher analysis, and updates from Accellion itself.

Accellion’s commentary on the scope of potential exploitation has changed since their original disclosure. On January 12, the company stated that fewer than 50 customers were impacted; by February 22, the company had amended this to fewer than 100 out of 300 total FTA clients.

The chart below shows that the public sector has been the most affected by exploitation of the Accellion FTA vulnerability. However, based on the breakdown of client industries published by Accellion, we suspect that the healthcare, finance, and energy sectors have been more heavily affected than has been publicly reported.

Figure 1: Industry distribution of victims that have publicly disclosed exploitation of the Accellion FTA vulnerability (light blue) compared with the industry distribution of notable clients listed on Accellion’s website (dark blue) (Source: Recorded Future)

We anticipate that the countries identified by the Five Eyes report and by our research as hosting victims of the Accellion FTA compromise (Australia, Canada, New Zealand, Singapore, the UK, and the US) are, and will continue to be, the most impacted by this series of attacks, based on the distribution of victims so far. However, we do not believe that these attacks are based on narrow targeting of these countries. Additionally, as the map below shows, several other countries host customers of Accellion (and therefore potential victims of exploitation), including France, Germany, Israel, Italy, Japan, and the Netherlands.

Figure 2: Countries affected by Accellion FTA exploitation. Countries in red (Australia, Canada, New Zealand, Singapore, the UK, and the US) are the headquarters of confirmed victims of Accellion FTA exploitation. Countries in orange (France, Germany, Israel, Italy, Japan, and the Netherlands) are the headquarters of other Accellion clients, as listed on Accellion’s website. (Source: Recorded Future)

Mitigations

While the TTPs used in the Accellion breach and in association with the DEWMODE web shell have become widely publicized, and threat actors may modify them to evade detection, Insikt Group advises the following mitigations:

If your organization was running a vulnerable version of Accellion FTA, an incident response investigation should be undertaken to determine whether a breach occurred. The following methods may be used to examine log data for indications of compromise.

Outlook

Based on the changes in statements from Accellion over the course of reporting on this campaign, the company may still not be fully aware of the extent of compromise associated with these vulnerabilities. Furthermore, based on the number of industries and countries that include clients of Accellion, we suspect that future reports of Accellion FTA exploitation will disclose more companies, industries, and countries than have previously been reported.

As products such as Accellion FTA approach end of life, they are likely to receive less developer support and less update oversight going forward. Organizations with software or hardware in their technology stack that has reached, or is approaching, end of life should continue to monitor these products and develop strategies for migrating to more current, supported tools.
