Data Theft and Extortion by FIN11 Exploiting Accellion FTA

Introduction

FireEye reported that the cybercriminal group FIN11 is suspected of exploiting the Accellion FTA server to attack about 100 companies around the world in December 2020 and January 2021.

During the attack, the attackers exploited four security vulnerabilities to compromise the FTA server and installed a web shell named DEWMODE. They then used the web shell to download files stored on the victim’s FTA device.

DEWMODE Web Shell screenshot:


An Accellion spokesperson said: “Of the approximately 300 FTA customers, only about 100 were the victims of this attack, and only 25 of them seem to have suffered serious data theft.”

FireEye said that after the FTA file-sharing server was compromised, some of these 25 customers received ransom demands. The attackers contacted victims via email and demanded payment in Bitcoin, threatening otherwise to post the victim’s data on their leak site.

Extortion Note Template:

Hello!
Your network has been hacked, a lot of valuable data stolen. <description of stolen data, including the total size of the compressed files> We are the CLOP team, you can google news and articles about us. We have a website where we publish news and stolen files from companies that have refused to cooperate. Here is his address http://[redacted].onion/ - use TOR browser or http://[redacted].onion.dog/ - mirror. We are visited by 20-30 thousand journalists, IT experts, hackers and competitors every day. We suggest that you contact us via chat within 24 hours to discuss the current situation. <victim-specific negotiation URL> - use TOR browser We don't want to hurt, our goal is money. We are also ready to provide any evidence of the presence of files with us.
This is the last warning!
If you don’t get in touch today, tomorrow we will create a page with screenshots of your files (like the others on our site),  send messages to all the emails that we received from your files. Due to the fact that journalists and hackers visit our site, calls and questions will immediately begin, online publications will begin to publish information about the leak, you will be asked to comment.
Do not let this happen, write to us in chat or email and we will discuss the situation!
CHAT:  <victim-specific negotiation URL>
EMAIL: [email protected]
USE TOR BROWSER!

These attacks are associated with two active clusters tracked by FireEye, namely UNC2546 (exploitation of FTA devices) and UNC2582 (emails sent to victims threatening to release the stolen data). The infrastructure used by these two activity clusters overlaps with FIN11, a major cybercrime group that FireEye identified and documented last year and that has been linked to various forms of cybercrime.

Since the attack, Accellion has issued patches to fix the vulnerabilities used in the attack and announced its intention to phase out the old FTA server software this year.

IOCs

IP addresses:

45.135.229.179
79.141.162.82
155.94.160.40
192.154.253.120
192.52.167.101
194.88.104.24

File hashes (MD5):

2798c0e836b907e8224520e7e6e4bb42
bdfd11b1b092b7c61ce5f02ffc5ad55a

File hashes (SHA-1):

9d9de86c660ef7946c63a7149494d78324850a93
9bbaf89be60a5c455ae5b14cbead82fce22f3b66

File hashes (SHA-256):

5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b
2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7
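As an added example (not FireEye's or Accellion's tooling, and not code from the original article), the Python sweep below uses the indicators listed above the way a defender would: it matches the client address of Apache/nginx combined-format access-log lines against the IOC IP addresses, hashes file contents with MD5, SHA-1 and SHA-256 and compares the digests with the listed hashes, and classifies each listed hash by digest length since the page does not name the algorithms. The log lines and file bytes are constructed for the demonstration, and the log regex assumes the combined log format.

```python
# IOC sweep for the Accellion FTA / DEWMODE indicators listed above.
# Added example, not FireEye's or Accellion's tooling; the indicator values
# are copied from the page, the log lines and file contents are constructed.
from __future__ import annotations

import hashlib
import re
from typing import Iterable

# Indicator values exactly as listed on the page (lower-case hex for hashes).
IOC_IPS = {
    "45.135.229.179",
    "79.141.162.82",
    "155.94.160.40",
    "192.154.253.120",
    "192.52.167.101",
    "194.88.104.24",
}
IOC_HASHES = {
    "2798c0e836b907e8224520e7e6e4bb42",
    "bdfd11b1b092b7c61ce5f02ffc5ad55a",
    "9d9de86c660ef7946c63a7149494d78324850a93",
    "9bbaf89be60a5c455ae5b14cbead82fce22f3b66",
    "5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b",
    "2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7",
}

# The page lists the hashes without algorithm names; hex digest length
# identifies them unambiguously (MD5 = 32, SHA-1 = 40, SHA-256 = 64 chars).
HASH_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(digest: str) -> str:
    """Return the algorithm name for a hex digest; raise on unknown input."""
    digest = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"not a hex digest: {digest!r}")
    try:
        return HASH_ALGO_BY_LENGTH[len(digest)]
    except KeyError:
        raise ValueError(f"unsupported digest length {len(digest)}") from None


# Apache/nginx "combined" access-log format (assumed); the client address is
# the first field, which is what we match against the IOC IP list.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def scan_access_log(lines: Iterable[str]) -> list[dict]:
    """Return one record per log line whose client IP is a listed IOC.

    Lines that do not parse are skipped rather than raising, so a partially
    damaged log still yields whatever hits it contains.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["ip"] in IOC_IPS:
            hits.append({"line": lineno, "ip": m["ip"], "time": m["ts"],
                         "request": m["request"], "status": int(m["status"])})
    return hits


def file_hash_matches(data: bytes) -> list[tuple[str, str]]:
    """Hash file contents with all three algorithms and report IOC matches."""
    matches = []
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in IOC_HASHES:
            matches.append((algo, digest))
    return matches


# Constructed sample log lines: two from IOC addresses, one benign internal
# client, and one malformed line to show the parser skipping it.
SAMPLE_LOG = [
    '45.135.229.179 - - [20/Dec/2020:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Dec/2020:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    "this line is not in combined format",
    '194.88.104.24 - - [11/Jan/2021:22:41:33 +0000] "POST /index.html HTTP/1.1" 200 0',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: IOC address {hit['ip']} at {hit['time']} "
              f"-> {hit['request']} ({hit['status']})")
    # Constructed file contents; a benign file should not match any IOC hash.
    print("hash matches for sample bytes:",
          file_hash_matches(b"constructed benign content\n"))
```

In practice the same functions would be fed the FTA appliance's real web-server logs and the contents of files found under its web root; any IP hit or hash match is a reason to treat the appliance as compromised and start incident response rather than just patching.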