Accellion FTA Extortion Attacks Linked to FIN11 and CL0P Ransomware Gang

In mid-December, threat actors started exploiting zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) product, and over the next few weeks it became apparent that many companies had suffered data breaches.

The Accellion FTA was originally launched around 20 years ago to get around the problem of emailing large file attachments. Rather than emailing large files, individuals are sent links to the files hosted on the Accellion FTA and can download them.

Despite there now being many alternatives, this legacy file transfer solution is still used by many companies, organizations, and government agencies to transfer sensitive files.  Over the past few weeks several vulnerabilities in the Accellion FTA have been uncovered, some of which have been exploited to gain access to sensitive data. The first vulnerability was identified and patched by Accellion in mid-December, but that was the first of several SQL injection vulnerabilities to be identified.

In January, several of the company’s clients reported breaches, including the Reserve Bank of New Zealand, the Australian securities regulator AIC, Singtel, and the Washington State Auditor’s office. The initial investigation indicated fewer than 50 of its clients had been breached, although it now appears that closer to 100 have been affected including the law firm Jones Day, Kroger, Danaher, Fugro, and the University of Colorado.

Mandiant, a division of FireEye, has been investigating the attacks and has now released its preliminary findings. The attacks have been attributed to a threat actor tracked as UNC2546. Initially the motivation behind the attacks by UNC2546 were not known, then in late January attacked companies started receiving ransom demands. While ransomware was not used in the attacks, the ransom demands claimed data were stolen and threats were made to publish the information on the CL0P ransomware leak site if payment was not made.

The FIN11 threat group started using CL0P ransomware in attacks in 2020, but in this case, ransomware was not used. The attacks only involved data theft and extortion. In a recent joint press release from Accellion and Mandiant, the companies explain that fewer than 100 clients had been targeted by FIN11 and the CL0P ransomware gang, but fewer than 25 suffered major data losses through the UNC2546 attacks.

Those attacks exploited four zero-day SQL injection vulnerabilities – tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 – for which patches have now been released. Some of the attacks combined exploits for these vulnerabilities with the DEWMODE web shell, and an IP address used for communication with the DEWMODE web shell had previously been used with FIN11 command and control domains. There were also several other overlaps with previous FIN11 activity.

Once the vulnerabilities were exploited to gain access to the Accellion FTA, UNC2546 made requests to gain access to further resources then deployed the DEWMODE web shell, which was used to extract files from the MySQL database on the FTA to a HTML page. An analysis of the extortion emails sent to victims of the breach revealed several had also been used in FIN11 phishing operations in the latter half of 2020.

The relationship between UNC2546 and FIN11 is still unclear, which is why the attacks are being tracked separately. They could have been conducted by FIN11, but this could similarly be a collaboration between a different threat actor and the FIN11 threat group.

In the joint press release, Accellion explained that the attacks were only conducted on clients that used the Accellion FTA, and while patches have now been released, clients are being encouraged to migrate from the legacy Accellion FTA to Accellion’s enterprise content firewall platform – Kiteworks.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of