Energy giant Shell latest victim in Accellion FTA cyberattacks

By / / Cybersecurity Attacks, Data Breach, Security Updates & Patches, Vulnerabilities & Exploits, Zero-days / Accellion, CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, Cyberattack, EOL, FireEye, FTA, Mandiant, Zero-day
Energy giant Shell latest victim in Accellion FTA cyberattacks

Energy giant Shell was the latest victim in a series of cyberattacks on customers of Accellion’s legacy File Transfer Appliance (FTA) product used to transfer large files.

Shell posted the notice about the cybersecurity incident that resulted in a breach of certain personal data and Shell company data likely uploaded to the file transfer service.

“The ongoing investigation has shown that an unauthorized party gained access to various files during a limited window of time. Some contained personal data and others included data from Shell companies and some of their stakeholders,” Shell stated in a blog post.

Shell also confirmed there was “no evidence of any impact to Shell’s core IT systems,” since the the Accellion FTA file transfer service was isolated from the rest of the company’s internal infrastructure.

Previous FTA cyberattacks

Last month, Cybersecurity experts spotted attackers exploiting Accellion File Transfer (FTA) appliance 0-day vulnerabilities to steal data and threaten their victims with extortion attempts.

Starting in mid-December 2020, FireEye’s Mandiant cybersecurity team spotted previously unknown threat actors they called UNC25346 exploiting multiple Accellion FTA vulnerabilities to install a web shell dubbed DEWMODE.

According to the FireEye report, several organizations that were impacted by the UNC2546 attacks in December started receiving extortion emails in January from the same threat actors. The actors then threatened to publish the stolen data on the “CL0P^_- LEAKS” .onion website. Moreover, FireEye believes the actors also used the DEWMODE web shell to steal the data.

Earlier this month, cybersecurity firm Qualys announced a “limited” number of their customers had been impacted by a data breach caused by an exploited Accellion FTA zero-day vulnerability on Qualys customer support systems.

Attackers infiltrated Qualys systems running Accellion FTA used to transfer customer support files. However, the company said the impact was minimal since the FTA servers were not connected to their Qualys Cloud Platform and were segregated in a DMZ from the rest of the network.

FTA vulnerabilities

The four Accellion FTA vulnerabilities exploited were previously patched by Accellion:

  1. CVE-2021-27101: SQL injection via a crafted Host header
  2. CVE-2021-27102: OS command execution via a local web service call
  3. CVE-2021-27103: SSRF via a crafted POST request
  4. CVE-2021-27104: OS command execution via a crafted POST request.

Three of the four vulnerabilities are rated Critical and sport a CVSS score of 9.8.

Cybersecurity experts also warned the SQL injection vulnerability CVE-2021-27101 was likely used as the primary intrusion vector in the attacks.

FTA goes EOL in April

Finally, it is important to know that Accellion FTA is a 20-year-old legacy product used to transfer large files and goes end of life (EOL) effective April 30, 2021.

Accellion strongly recommends their customers upgrade to their flagship kiteworks Content Firewall platform, built on different code base. To add, the older FTA platform is built on CentOS 6, which is also EOL.

Related Articles