Attacks Targeting Accellion Product Linked to FIN11 Cybercrime Group
The hacking group behind the recent cyber-attack targeting Accellion's FTA file transfer service appears to be linked to a threat actor known as FIN11, security researchers with FireEye's Mandiant division reveal.
The attacks on FTA, a soon-to-be-retired service, started in mid-December 2020 and resulted in the compromise of data pertaining to multiple Accellion customers.
"Accellion strongly recommends that FTA customers migrate to kiteworks, Accellion's enterprise content firewall platform. These exploits apply exclusively to Accellion FTA clients: neither kiteworks nor Accellion the company were subject to these attacks," Accellion said on Monday.
FireEye's Mandiant security researchers have been tracking both the activity surrounding the exploitation of the Accellion FTA zero-day vulnerabilities and the data theft that resulted from the cyber-attack, and say they have discovered a connection between the attacks, extortion attempts related to the stolen data, and the FIN11 group.
Mandiant also discovered some overlaps between the UNC2582 and FIN11 infrastructure, as some of the email messages were sent from IP addresses and/or email accounts that FIN11 previously used in various phishing attacks.
The researchers also identified overlaps between UNC2546 and FIN11 activities, such as the targeting of the same organizations, and the use of an IP address that was in a network frequently used by FIN11 for a piece of malware named FRIENDSPEAK. "The overlaps between FIN11, UNC2546, and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships. One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack life cycle," Mandiant concludes.