- Accellion breach pdf#
- Accellion breach Patch#
Temporarily isolate or block internet access to and from systems hosting the software. This information is only indicative and may not be a comprehensive identifier of all exfiltrated files. If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/ folder over the period of malicious activity. Organizations are encouraged to investigate the IOCs outlined in this advisory and in AR21-055A. In one incident, the Cyber Security Agency of Singapore observed multiple TCP sessions with IP address 45.135.229179. In two incidents, the Cybersecurity and Infrastructure Security Agency (CISA) observed a large amount of data transferred over port 443 from federal agency IP addresses to 14. When the clean-up function is run, it modifies archived Apache access logs /var/opt/apache/c1s1-access_log.*.gz and replaces the file contents with the following string: The entries are the SQL injection attempt indicating an attempt at exploitation of the HTTP header parameter HTTP_HOST.Īpache access logging shows successful file listings and file exfiltration: These entries are followed shortly by a pass-through request to sftp_account_edit.php. (1) pass through /courier/document_root.html. The Apache /var/opt/cache/rewrite.log file may also contain the following evidence of compromise: The clean-up functionality of the webshell helps evade detection and analysis during post incident response. 
The webshell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The webshell is located on the target system in the file /home/httpd/html/about.html or /home/seos/courier/about.html.
Actors have exploited this vulnerability to deploy a webshell on compromised systems. One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices.
CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier). CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier). CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier). CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier). Since then, Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities. Accellion breach Patch#
In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020.
Accellion breach pdf#
For a downloadable copy of IOCs, see: AA21-055B.stix and MAR-10325064-1.v1.stix.Ĭlick here for a PDF version of this report.Īccellion FTA is a file transfer application that is used to share files. This Joint Cybersecurity Advisory provides indicators of compromise (IOCs) and recommended mitigations for this malicious activity. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance. In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers. Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States. These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA). This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom, and the United States.
0 kommentar(er)
