Attacks Targeting Accellion Product Linked to FIN11 Cybercrime Group

The hacking group behind the recent cyber-attack targeting Accellion’s FTA file transfer service appears to be linked to a threat actor known as FIN11, security researchers with FireEye’s Mandiant division reveal.


The attacks on FTA, a soon-to-be-retired service, started in mid-December 2020 and resulted in the compromise of data pertaining to multiple Accellion customers. As part of the attack, the adversaries targeted multiple vulnerabilities in the file transfer service.


Affected Accellion customers include grocery and pharmacy chain Kroger, the Australian Securities and Investments Commission (ASIC), U.S.-based law firm Jones Day, the Office of the Washington State Auditor (SAO), the Reserve Bank of New Zealand, and Singapore telecoms firm Singtel.


The attackers abused multiple vulnerabilities in FTA to gain access to and exfiltrate data, namely CVE-2021-27101 (SQL injection), CVE-2021-27102 (OS command execution), CVE-2021-27103 (SSRF), and CVE-2021-27104 (OS command execution).


Accellion says that all of these vulnerabilities have already been addressed and that, out of “300 total FTA clients, fewer than 100 were victims of the attack,” with fewer than 25 suffering “significant data theft.”


“Accellion strongly recommends that FTA customers migrate to kiteworks, Accellion’s enterprise content firewall platform. These exploits apply exclusively to Accellion FTA clients: neither kiteworks nor Accellion the company were subject to these attacks,” Accellion said on Monday.


FireEye’s Mandiant security researchers have been tracking both the activity surroun ..