A string of attacks exploiting a legacy file transfer product have been linked to well-known financial cybercrime gang FIN11.
“The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the ‘CL0P^_- LEAKS’ .onion website,” the vendor explained.
“Some of the published victim data appears to have been stolen using the DEWMODE web shell.”
FireEye said that the FIN11 gang has previously published stolen victim data from CLOP ransomware attacks on the same .onion site, in double dip extortion campaigns. Although there was no ransomware in the Accellion attacks, investigators found other links with the group.
It said many of the organizations compromised by UNC2546 were previously targeted by FIN11, and that an IP address that communicated with a DEWMODE web shell was in the “Fortunix Networks L.P.” netblock. This is a network frequently used by FIN11 to host download and FRIENDSPEAK command and control (C2) domains, FireEye claimed.
The vendor is tracking the extortion activity related to the Accellion attacks as UNC2582 and said it found even more overlaps between this and FIN11, including emails sent from the same IP addresses as FIN11 phishing campaigns.
In an update yesterday, Accellion itself revealed that “fewer than 100” of the 300 corporate users of FTA were affected by the campaign, and “fewer than 25 appear to have suffered significant data theft.”