Kroger, Singtel, the University of Colorado. These are just a few organizations in the many affected by recently disclosed Accellion vulnerabilities. Some combination of threat actors with ties to the Clop Ransomware and Fin11 cyber-criminal groups are exploiting a 20-year old File Transfer Appliance (FTA) from Accellion. This group of threat actors have been given the names UNC2546 and UNC2582. Multiple vulnerabilities have surfaced as these breaches are coming to light, so let’s explore them and what you can do to patch them.

CVE-2021-27101 – This finding is an SQL injection vulnerability that can allow a remote, unauthenticated attacker to send a modified request to the file document_root.html on a vulnerable device in order to exploit the weakness. This finding has a CVSS v3.0 score of 9.8 which gives the vulnerability a “Critical” severity rating and should be addressed immediately by users of the vulnerable versions. This finding basically allows a threat actor to remotely run commands on the device. The affected versions of Accellion products include FTA 9_12_370 and earlier. To remediate this finding, affected organizations can simply upgrade to version FTA_9_12_380 or later.

CVE-2021-27103 – Like the previous finding, this vulnerability also has a CVSS v3.0 score of 9.8 and can also be exploited by a remote, unauthenticated attacker. A Server Side Request Forgery through a crafted POST request to a vulnerable version file named wmProgressstat is how this finding is exploited. The versions affected by this vulnerability include Accellion FTA 9_12_411 and earlier. This finding also has a software patch that will fix the issue. Affected organizations can simply update to FTA_9_12_416 and later.

CVE-2021-27104 – This finding is an OS command execution vulnerability and is exploited through a crafted POST request sent to an affected version by an unauthenticated, remote attacker. This finding also has a Critical severity risk rating CVSS v3.0 score of 9.8. Also like CVE-2021-27101, this vulnerability is also found in versions of FTA 9_12_370 and earlier and can be remediated by updating to FTA_9_12_380 and later.

CVE-2021-27102 – Although this finding is serious with a High severity CVSS v3.0 score of 7.8, it is the least severe of the four findings.  This vulnerability uses the technique of OS command execution via a local web service call. Unlike the previously outlined findings, in order to exploit this vulnerability, and attack needs to already have local access within a network with a vulnerable version of the FTA appliance. Affected versions include Accellion FTA 9_12_411 and earlier. Affected organizations can remediate the weakness by updating to FTA_9_12_416 and later.

Even though these vulnerabilities are extremely serious for organizations who use the FTA appliance, they can all be remediated by applying the specified software updates. Accellion released software patches within 72 hours of the disclosure of the vulnerabilities.

This past December, the threat group known as UNC2546 began exploiting the SQL Injection vulnerability (CVE-2021-27101) to install a previously unknown web shell named DEWMODE on affected Accellion FTA appliances. Through this web shell, the attackers were able to steal confidential data from affected organizations.

The security firm FireEye uncovered the phases of the attack during a forensic investigation and outlined the attack in a blog post. Evidence of the SQL Injection can be viewed in the following log file below:

Log Evidence of SQL Injection – FireEye

The SQL Injection allowed the threat actors to retrieve a key which was used alongside a request to a file named sftp_account_edit.php. These actions result in the execution of an Accellion file named which resulted in a web shell being written to oauth.api. Right after this sequence of events, the DEWMODE web shell is written to the system. The DEWMODE web shell allowed the threat actors the ability to run commands, exfiltrate data, and clear log files from Accellion FTA devices.

While the group UNC2546 was responsible for the actual exploitation of the vulnerability, the group UNC2582 followed the attack with extortion attempts against the victim organizations. This group extorted the affected organizations via email with threats to release the stolen data on the Clop Ransomware .onion site if payments were not made to the threat actors. Here is an example of the extortion email:

CISA, the Cybersecurity & Infrastructure Security Agency, released IOCs (Indicators of Compromise) related to this attack that network defenders and forensic investigators can check for to see if they may have been impacted. Teams with the Accellion FTA appliance should check the Apache /var/opt/cache/rewrite.log file for the following evidence of SQL Injection:

  • [.’))union(select(c_value)from(t_global)where(t_global.c_param)=(‘w1’))] (1) pass through /courier/document_root.html
  • [.’))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=(‘w1’))] (1) pass through /courier/document_root.html
  • [‘))union(select(loc_id)from(net1.servers)where(proximity)=(0))] (1) pass through /courier/document_root.html

Apache logs should also be checked for the following GET requests that may be evidence of data exfiltration:

  • “GET /courier/about.html?aid=1000 HTTP/1.1” 200 {Response size}
  • “GET /courier/about.htmldwn={Encrypted Path}&fn={encrypted file name} HTTP/1.1” 200 {Response size}

Network logs should also be checked for any TCP connections with the following IP addresses:

  • 88.104[.]24
  • 135.229[.]179

Teams with Accellion FTA appliances should check log files for these IOCs and update devices as soon as possible. If applying patches immediately isn’t an option for organizations, they should isolate or block internet access to the affected device.

In a press release from Accellion, the company stated that roughly 300 customers were still users of the vulnerable FTA appliance. Of those 300, less than 100 were victims of an attack, of those, less than 25 customers were victims of a serious data breach.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you are experiencing a breach, please call our Security Operations Center at 833.997.7327.