Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11 (Security News, February 2021)
Researchers have identified a set of threat actors with connections to FIN11 and the Clop ransomware gang as the cybercriminal group behind the global zero-day attacks on users of the Accellion legacy File Transfer Appliance (FTA) product.
The point of entry for the attacks was Accellion FTA, a 20-year-old legacy product used by large corporations around the world.
Mandiant is still analyzing the zero-day exploitation, but it did say that in the early attacks in December, UNC2546 leveraged an SQL injection vulnerability in the Accellion FTA as its primary intrusion vector.
Image caption: Onion site used in the Accellion FTA attacks, usually for a double-extortion demand following the deployment of Clop ransomware.
"We are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582," according to Mandiant.
"One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks."
Source: https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/