A string of attacks exploiting a legacy file transfer product has been linked to the well-known financially motivated cybercrime gang FIN11.
The attacks on the New Zealand Central Bank, Singtel, Kroger and many others exploited several zero-day vulnerabilities in Accellion's FTA product and are being tracked by FireEye as UNC2546.
"The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the 'CL0P^_- LEAKS' .onion website," the vendor explained.
"Some of the published victim data appears to have been stolen using the DEWMODE web shell."
FireEye said that the FIN11 gang has previously published stolen victim data from CLOP ransomware attacks on the same .onion site, in double extortion campaigns. Although there was no ransomware in the Accellion attacks, investigators found other links to the group.
It said many of the organizations compromised by UNC2546 had previously been targeted by FIN11, and that an IP address that communicated with a DEWMODE web shell was in the "Fortunix Networks L.P." netblock. This is a network frequently used by FIN11 to host download and FRIENDSPEAK command and control (C2) domains, FireEye claimed.
The vendor is tracking the extortion activity related to the Accellion attacks as UNC2582 and said it found further overlaps between this and FIN11, including emails sent from the same IP addresses as FIN11 phishing campaigns.
In an update yesterday, Accellion itself revealed that "fewer than 100" of the 300 corporate customers of FTA had been affected by the campaign, and "fewer than 25 appear to have suffered significant data theft."