CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
87.0%
This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia,[1] New Zealand,[2] Singapore,[3] the United Kingdom,[4] and the United States.[5][6] These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[7] This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States.
Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers.[8] In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.
This Joint Cybersecurity Advisory provides indicators of compromise (IOCs) and recommended mitigations for this malicious activity. For a downloadable copy of IOCs, see: AA21-055B.stix and MAR-10325064-1.v1.stix.
Click here for a PDF version of this report.
Accellion FTA is a file transfer application that is used to share files. In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020. Since then, Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities.
One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Actors have exploited this vulnerability to deploy a webshell on compromised systems. The webshell is located on the target system in the file /home/httpd/html/about.html
or /home/seos/courier/about.html
. The webshell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the webshell helps evade detection and analysis during post incident response. The Apache /var/opt/cache/rewrite.log
file may also contain the following evidence of compromise:
[.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
[.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
['))union(select(loc_id)from(net1.servers)where(proximity)=(0))] (1) pass through /courier/document_root.html
These entries are followed shortly by a pass-through request to sftp_account_edit.php
. The entries are the SQL injection attempt indicating an attempt at exploitation of the HTTP header parameter HTTP_HOST
.
Apache access logging shows successful file listings and file exfiltration:
βGET /courier/about.html?aid=1000 HTTP/1.1β 200 {Response size}
βGET /courier/about.htmldwn={Encrypted Path}&fn={encrypted file name} HTTP/1.1β 200 {Response size}
When the clean-up function is run, it modifies archived Apache access logs /var/opt/apache/c1s1-access_log.*.gz
and replaces the file contents with the following string:
Binary file (standard input) matches
In two incidents, the Cybersecurity and Infrastructure Security Agency (CISA) observed a large amount of data transferred over port 443 from federal agency IP addresses to 194.88.104[.]24
. In one incident, the Cyber Security Agency of Singapore observed multiple TCP sessions with IP address 45.135.229[.]179
.
Organizations are encouraged to investigate the IOCs outlined in this advisory and in AR21-055A. If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/
folder over the period of malicious activity. This information is only indicative and may not be a comprehensive identifier of all exfiltrated files.
Organizations with Accellion FTA should:
Additional general best practices include:
[1] Australian Cyber Security Centre (ACSC)
[2] New Zealand National Cyber Security Centre (NZ NCSC)
[3] Singapore Cyber Security Agency (CSA)
[4] United Kingdom National Cyber Security Centre (UK NCSC)
[5] United States Cybersecurity and Infrastructure Security Agency (CISA)
[6] United States Multi-State Information Sharing and Analysis Center (MS-ISAC)
[7] Accellion Press Release: Update to Recent FTA Security Incident
[8] Accellion Press Release: Update to Recent FTA Security Incident
[9] Accellion Announcement: End-of-Life for Legacy FTA Software
February 24, 2021: Initial Version|June 17, 2021: Replaced STIX file to remove an IOC reported as non-malicious.
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
nvd.nist.gov/vuln/detail/CVE-2021-27101
nvd.nist.gov/vuln/detail/CVE-2021-27102
nvd.nist.gov/vuln/detail/CVE-2021-27103
nvd.nist.gov/vuln/detail/CVE-2021-27104
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Exploitation%20of%20Accellion%20File%20Transfer%20Appliance+https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
us-cert.cisa.gov/ncas/alerts/aa20-245a
us-cert.cisa.gov/ncas/analysis-reports/ar21-055a
www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/
www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/
www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/
www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/
www.accellion.com/sites/default/files/resources/fta-eol.pdf
www.accellion.com/sites/default/files/resources/fta-eol.pdf
www.cisa.gov/
www.cisa.gov/
www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
www.cisecurity.org/controls/
www.cisecurity.org/ms-isac/
www.cisecurity.org/ms-isac/
www.cisecurity.org/ms-isac/
www.csa.gov.sg/
www.csa.gov.sg/
www.cyber.gov.au/
www.cyber.gov.au/
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a&title=Exploitation%20of%20Accellion%20File%20Transfer%20Appliance
www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
www.ncsc.gov.uk/
www.ncsc.gov.uk/
www.ncsc.govt.nz/
www.ncsc.govt.nz/
www.oig.dhs.gov/
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Exploitation%20of%20Accellion%20File%20Transfer%20Appliance&body=www.cisa.gov/news-events/cybersecurity-advisories/aa21-055a
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
87.0%