[Security Weekly] Accellion FTA Zero-Day Campaign Shows Ties to FIN11 and Clop Ransomware as Bombardier and Kroger Fall Victim

cover image

4th Week of February 2021


1. Accellion FTA attack campaign continues as ties to FIN11 and Clop ransomware unveil

The total number of companies hit by the Accellion FTA zero-day attack has surpassed 100, with at least 25 of them suffering serious data breaches. New victims identified in the past week included Canadian heavy industries manufacturer Bombardier, American retail giant Kroger, prominent law firm Jones Day, and Transport for NSW.

The good news is that security researchers have finally identified the threat actors behind the attacks to be the FIN11 and Clop ransomware group. FIN11 is a financially-motivated hacking group that has been using Clop ransomware for its attacks since 2019. The attackers exploited a total of four zero-day vulnerabilities in the legacy Accellion FTA product. It was said that the patch released by Accellion in December 2020 only covered one of the zero-days. The three other flaws were only discovered in late January 2021 and patched in the weeks after.

After the attackers exploited the zero-days, a web shell named DEWMODE was installed to exfiltrate data from Accellion FTA users. A number of victims reportedly received emails containing ransom notes, threatening them to publish their data on Clop ransomware’s leak site. However, the attack method used in the campaign involved no ransomware.

Sources: ZDNet, Threatpost


2. Finnish IT giant TietoEVRY shuts down services following ransomware attack

TietoEVRY disclosed a ransomware attack on February 23, which reportedly forced it to shut down parts of its IT infrastructure and suspend certain services to its customers. Based in Espoo, Finland, and listed on NASDAQ Nordic, TietoEVRY is a major IT managed service provider in the region with clients from a variety of industries.

The company initially noticed technical issues with some of its services. After confirming the ransomware infection, it was forced to turn off services for up to 25 clients. It later notified the incident to the affected customers and said that services would only resume when the encrypted data got safely recovered.

The company is currently working with Finnish authorities and cybersecurity experts to minimize the damage. As of now, it remains unclear whether sensitive data were breached in the process.

Sources: Threatpost, Bleeping Computer


3. Sensitive medical data of 500,000 French patients leaked online

In mid-February, security researchers running French cybersecurity blog Zataz discovered that the personally identifiable information (PII) and medical information of 491,840 French patients were published on a number of places online.

The data were found on at least seven different websites. All records contain names, phone numbers, and home addresses, with some containing additional information such as birth dates, social security numbers, as well as medical information including medical history and HIV status. 

French daily newspaper Liberation followed up on the incident and reported that the data were leaked from over 30 different testing laboratories across several northwestern provinces. The records dated between 2015 and 2020, a time period where all the breached labs were using the same software for medical data management, making it highly likely that a software vulnerability caused the incident.

Sources: Infosecurity, RT


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security