Zero-days in Accellion file transfer app used for data theft

Zero-days in Accellion file transfer app used for data theft

Back in December 2020, a software vendor Accellion informed about an actively exploited zero-day vulnerability in its File Transfer Appliance (FTA). As found out later, the file transfer security compromise was a part of a broader, coordinated attack. No wonder the interest – the two-decades-old software server has been carrying oodles of customer data.

Altogether three critical and one highly severe security flaw can be tracked in the list of common vulnerabilities and exposures accordingly:

  • CVE-2021-27101 – SQL injection via a crafted Host header;
  • CVE-2021-27102 – OS command execution via a local web service call;
  • CVE-2021-27103 – SSRF via a crafted POST request;
  • CVE-2021-27104 – OS command execution via a crafted POST request.

Initially, the attackers SQL-injected the application’s servers to remotely execute commands. They pursued by writing a web shell named DEWMODE to a system, although research still did not uncover how. Web shell granted a path to access and download files from victims’ internal databases. It also included a clean-up function, but analysts can verify records of a compromise in Apache and system access logs.


LIFARS’ Incident Response and Digital Forensic team of professionals will effectively manage data breach response, examine digital evidence and compromised systems for forensic artifacts of threat actor actions, lateral movement, and data exfiltration.


Accellion has patched all the file transfer security gaps in a series of updates, while versions FTA_9_12_432 and later should now be secured. Nevertheless, the company announced that the legacy file-sharing product will be reaching the end of its days by April 2021. The customers will need to switch to a new solution afterwards.

Part of an Extortion Scheme

A hundred subjects fell victim to the malicious intentions of hackers in the attack, including critical infrastructure operators or government bodies. Around 25 organizations received an extortion email demanding payment in Bitcoin unless they wanted their documents published. Some of them have already found their data breached on the Clop ransomware gang .onion leak site.

The investigators identified overlays in the infrastructures of the FTA zero-day exploitation and the data theft campaign of FIN11. It is a known cybercrime group, which has been deploying Clop since the last year. Researches anyhow remain skeptical about a definite attribution, since FIN11 tends to rely on phishing as an initial attack vector.

Is It Possible to Mitigate?

The case seems like a sophisticated example of a financially motivated fraud scheme. Nevertheless, it is remarkable by exploiting zero-day vulnerabilities instead of conventional and easy-available techniques. These require not only an early update in the customers’ yards, but the vendor must provide then them with one. Most importantly, the unpredictability of zero-days must be confronted with an active and continual approach to security.

On the other hand, the intruders in this case did not make the effort to encrypt the accessed databases. Such – so-called double extortion – ransomware attacks have made more victims sad over the past year. Either addressing encrypted files, the threat of a confidential data breach, or both credibility and reputation are in the game. Businesses should therefore deploy data loss prevention programs to mitigate the risks for their file servers or cloud services.




CISA Alert (AA21-055A)

FireEye Threat Research