
Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11
2021-02-22 17:51

Researchers have identified a set of threat actors with connections to FIN11 and the Clop ransomware gang as the cybercriminal group behind the global zero-day attacks on users of the Accellion legacy File Transfer Appliance (FTA) product.

The point of entry for the attacks was Accellion FTA, a 20-year-old legacy product still in use at large corporations around the world.

Mandiant is still analyzing the zero-day exploitation, but it did say that in the early attacks in December, UNC2546 leveraged a SQL injection vulnerability in the Accellion FTA as its primary intrusion vector.

Image caption: Onion site used in the Accellion FTA attacks, typically as part of a double-extortion demand following the deployment of Clop ransomware.

"We are currently tracking the exploitation of the zero-day Accellion FTA vulnerabilities and data theft from companies running the legacy FTA product as UNC2546, and the subsequent extortion activity as UNC2582," according to Mandiant.

"One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle. UNC2546 uses a different infection vector and foothold, and unlike FIN11, we have not observed the actors expanding their presence across impacted networks."

News URL

https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/

Related vendor

VENDOR      PRODUCTS (LAST 12M)   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Accellion   7                     0     22       16     4          42