Supply chain
[SC] Supply Chain
Mandiant / CISA AA21-055A / BleepingComputer / Tenable
Primary Source ↗Incident Details
FIN11 / UNC2546 (linked to Cl0p/TA505) exploited four zero-days in legacy 20-year-old Accellion FTA product starting Dec 25 2020. Used DEWMODE webshell to exfiltrate data. ~100 of 300 FTA customers victimized; 25 suffered significant data theft. Victims: Reserve Bank of New Zealand, Washington State Auditor, Kroger, Qualys, Transport for NSW, University of California, Shell, Jones Day law firm, Bombardier. Data-theft-only extortion, no ransomware deployed. Accellion had EOL’d FTA; pushed customers to migrate to Kiteworks.
Technical Details
- Initial Attack Vector
- CWE-89: SQL Injection (CVE-2021-27101 HOST header injection) leading to DEWMODE webshell installation
- Vendor / Product
- Accellion File Transfer Appliance (FTA)
- Software Package
Accellion FTA- Malware Family
- DEWMODE webshell / FINTEAM
- CVE / GHSA References
- CVE-2021-27101 CVE-2021-27102 CVE-2021-27103 CVE-2021-27104
- Supply Chain Attack
- ✅ Confirmed third-party / vendor compromise
Timeline
- 2020-12-25 Breach occurred
- 2021-01-11 Publicly disclosed
- 2021-02-01 Customers notified