What We Know About the Hackers Behind the Accellion Data Breach
Posted February 23, 2021
- Accellion recently discovered that a threat actor had been exploiting zero-day vulnerabilities in its legacy file-transfer service application (called “FTA” for short)—a file-sharing and storage product used by approximately 300 clients. Despite subsequent patches, there has been a steady stream of FTA-related data breaches involving banks, universities, large companies, government agencies, and more.
- On Monday, Accellion announced that it has been working with cyber firm FireEye since the incident, and that researchers have identified a group, dubbed “UNC2546,” as the “criminal hacker behind the cyberattacks and data theft.”
- “Ransomware groups are amorphous. The core dev [development] team may be involved in other ransomware operations and the affiliates certainly will be. A member of REvil, for example, claimed that Egregor ransomware and Maze were both created by Evil Corp [a large cybercrime network]. And Evil Corp is responsible for WastedLocker and BitPaymer, and there may also be links to DoppelPaymer. And all those groups have affiliates and specialists who likely also work for other groups. And all use smoke and mirrors, so working out who did what and who’s working with who is far from easy.” – Brett Callow, Emsisoft Analyst
- Digital forensics have shown that the initial intrusion mechanism used by UNC2546 in its FTA attacks was an SQL injection—a common cyberattack that injects foreign code into an application via a vulnerability. The actor then leveraged a webshell (a malicious script), which researchers have dubbed “DEWMODE,” to steal data from the FTA. DEWMODE lifted and downloaded bulk data and metadata straight from the application’s MySQL database.
- After the data had been stolen via DEWMODE, “UNC2582″ would kick into gear with a barrage of extortion emails.
– Lucas Ropek | February 23, 2021