CISA Gives Warning on Active Exploitation of Vulnerabilities in Accellion File Transfer Appliance

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities in Singapore, New Zealand, Australia, and the United Kingdom have released a notification for Accellion File Transfer Appliance (FTA) users regarding 4 vulnerabilities that threat actors are actively exploiting to get access to sensitive information.

The Accellion FTA is an old file transfer appliance that is used for sharing big files. Accellion discovered a zero-day vulnerability in the FTA in the middle of December 2020 and introduced a patch to deal with the vulnerability. However, more vulnerabilities were identified since.

The following describes the vulnerabilities being monitored:

  1. CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  2. CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  3. CVE-2021-27103 – Server-side request forgery via a crafted POST request
  4. CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27011) enables an unauthorized person to execute remote commands on vulnerable devices. An exploit for the vulnerability was coupled with a webshell, with the last mentioned used to receive commands from the attacker and exfiltrate information and clean up logs. Because the clean-up logs are removed, the attacker can steer clear of detection and examination of the attack is hampered.

With the exfiltration of sensitive information, the attacker tries to extort cash from the victim by issuing threats to publicly disclose the stolen information on a ransomware data leak website when no ransom is paid. FireEye/Mandiant have related the attacks to the FIN11 and CL0P ransomware activities, though no ransomware is used by the attackers.

Accellion knew about the attacks that take advantage of the vulnerabilities in January 2021 and less than 100 clients have reported being affected with about 2 dozen of them allegedly sustaining substantial data theft. Kroger has lately announced that a number of pharmacy and little Clinic customers were affected. Centene also experienced a data breach by means of exploiting the vulnerabilities. Other reported victims of the attacks are:

  • Transport for New South Wales in Australia
  • Canadian Aircraft maker Bombardier
  • Reserve Bank of New Zealand
  • Australian financial regulator ASIC
  • Office of the Washington State Auditor
  • The University of Colorado

CISA has given Indicators of Compromise (IoCs) in its cybersecurity advisory (AA21-055A) which Accellion clients can use to know if the vulnerabilities were exploited, as well as be advised as soon as malicious activity is found.

Besides doing an analysis to determine whether the vulnerabilities were exploited, CISA proposes separating systems hosting the software program from the Web and upgrading Accellion FTA to version FTA_9_12_432 or a more recent one. Accellion and CISA additionally suggested switching from this old tool to a more secure file sharing platform. The Accellion FTA’s end-of-life is on April 30, 2021. Accellion suggests using its Kiteworks file sharing platform, which has improved security functions.