The cybersecurity agencies of five countries – the U.S. Cybersecurity and Infrastructure Security Agency along with its counterparts in the U.K., Australia, New Zealand, and Singapore – have issued a joint advisory warning that hackers are exploiting vulnerabilities in Accellion. The attackers’ goal is to steal data and execute ransomware.
Accellion File Transfer Appliance is used worldwide by enterprises and governments to transfer and store sensitive files.
Attackers abusing its flaws have targeted 100 companies and stolen data from 25 of them.
Last year, a hacker group that FireEye’s Mandiant threat team calls UNC2546 began exploiting a vulnerability in the appliance to install a newly discovered exploit called DEWMODE. In December, Accellion patched an SQL injection vulnerability in its file transfer platform and notified its customers. The attacks didn’t stop, though.
This week saw two new victims of these attacks. The state agency Transport for New South Wales in Australia and the Canadian aircraft manufacturer Bombardier have both been hit with Accellion-related data breaches.
Previous victims include the Reserve Bank of New Zealand, Australia’s financial regulator ASIC, the Office of the Washington State Auditor, and the University of Colorado.
The vulnerabilities that attackers used in these incidents are tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104.
To mitigate the risks, the joint advisory urges security agencies to update their Accellion FTA to version FTA_9_12_432 or later. If upgrading is not possible, organizations should isolate or block all incoming and outgoing Internet connections to and from servers hosting the software, run antivirus scans, and consider moving to a new file-sharing platform.
Accellion FTA will reach end of life on April 30, 2021, and the company will no longer support it. Instead, its customers are advised to migrate to the company’s newer product, Kiteworks.