Accellion Attack Reverse Engineered
Accellion FTA mess : Attackers will devote substantial resources to reverse engineering hardware, software or a service if they see a financial upside.
In Accellion’s FTA, reverse engineering enabled attackers to drop a web shell a script that enables remote execuion of commands onto any server running the FTA software, FireEye’s Mandiant incident response group, which Accellion hired to investigate.
The web shell allowed attackers to bypass authentication, remotely execute code on the vulnerable systems and steal data. In at least some cases, stolen data ended up in the hands of the Clop ransomware gang, which has been offering to sell it or to remove it if victims pay a ransom
The investigators say attackers identified:
- How to call internal APIs to obtain keys to decrypt filenames;
- How to forge tokens for internal API calls;
- How to chain together the vulnerabilities involved to conduct unauthenticated remote code execution;
- How to navigate FTA’s internal database, requiring a detailed understanding of the database structure;
- How to bypass FTA’s built-in anomaly detector (in the case of the January exploit).
In December, using a previously unknown SQL injection flaw – CVE-2021-27101 – attackers planted a web shell – named “Dewmode” by Mandiant – on vulnerable systems. The web shell includes the ability to delete FTA logs to help attackers hide their tracks.
The uploading of the Dewmode web shell to the file location where the attacker placed it had the effect of tripping the built-in anomaly detector included in the FTA software,Mandiant reports. Once the anomaly detector is tripped it generates an email alert to the customer advising the customer to contact Accellion for support. As a result, any FTA customer affected by the December exploit likely was sent such an email – which, per Accellion, is how the December exploit came to its attention.
Mandiant says it’s validated that all FTA patches issued by Accellion have fully blocked the attacks.
Imperative: Migrate to New Software
For organizations that continue to use FTA, it’s time to move on.
Accellion’s “end of life” notice to FTA customers .
Accellion says it will stop FTA support on April 30. It notes that for three years, it’s been urging remaining users to ditch “legacy FTA software” and migrate to its newer product, Kiteworks, which is based on an entirely different code base. The company says Kiteworks is more secure.
Any organization continuing to use FTA is on borrowed time and should ensure it’s fully patched as well as backed by rigorous log collection and analysis, and access review.
3 thoughts on “Accellion Attack Reverse Engineered”