Cybersecurity Agencies Warn of Accellion Vulnerability Exploits

Latest Victims Include Australia's Transport for New South Wales and Canada's Bombardier
Accellion's File Transfer Appliance has been involved in many breaches.

The cybersecurity agencies of five countries have issued a joint advisory warning that hackers are exploiting unpatched vulnerabilities in the Accellion File Transfer Appliance to steal data and execute ransomware, as has been widely reported.

Meanwhile, two additional victims of these attacks have come forward. The state agency Transport for New South Wales in Australia and the Canadian aircraft manufacturer Bombardier both confirm being hit with Accellion-related attacks.

Some of the other victimized organizations are:

Joint Warning Issued

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency along with its counterparts in the U.K., Australia, New Zealand and Singapore warned that hackers are exploiting unpatched vulnerabilities in Accellion FTA to attack a wide array of public and private entities (see: Accellion: How Attackers Stole Data and Ransomed Companies).

The flaws are CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104.

The security agencies recommend updating to Accellion FTA version FTA_9_12_432 or later as the best way to mitigate the risks. If this is not possible, organizations should isolate or block internet access to and from systems hosting the software, check systems for malicious activity and consider moving to a new file-sharing platform.

Accellion says FTA will reach end of life on April 30, 2021, when the company will no longer support it. Accellion is recommending its customers migrate to its newer product, Kiteworks, which it says is more secure.

"Good for Accellion for urging its customers to migrate away from the vulnerable FTA web server that appears to have resulted in 100 companies being attacked and data stolen from 25 of them thus far. Accellion's transparency is commendable," says Sam Curry, chief security officer at Cybereason.

Transport for NSW

Transport for New South Wales reported this week that the agency had been affected by the Accellion FTA vulnerability and that some data had been stolen before servers were taken offline. The agency is part of the New South Wales Department of Transportation that handles planning for road, rail and freight transportation in the state.

Cyber Security NSW, an agency that oversees cybersecurity for the state, is managing the Transport for NSW investigation with the help of forensic specialists. "We are working closely with Cyber Security NSW to understand the impact of the breach, including to customer data," the transport agency said.

The timing of the attack and type and amount of data involved were not disclosed, but the agency says it is informing those whose data was affected.

Cyber Security NSW says that all instances of Accellion FTA have been retired from service in the state.

Transport for NSW says none of its other systems were affected by the breach of Accellion FTA.


The Canadian aircraft manufacturer Bombardier on Wednesday confirmed to Information Security Media Group that a security incident now under investigation was caused by an attack against Accellion FTA. Personal information on employees, customers and suppliers was compromised, the company says. This includes 130 employees at the company's Costa Rica facility.

"The ongoing investigation indicates that the unauthorized access was limited solely to data stored on the specific servers. Manufacturing and customer support operations have not been impacted or interrupted," Bombardier says.

The company did not say when the attack took place or give additional details on the information that was exfiltrated.

Accellion Breach Timeline

In mid-December 2020, Accellion patched a SQL injection vulnerability in FTA and privately notified its customers. At that time, a group designated UNC2546 by FireEye's Mandiant threat team began exploiting this vulnerability to install a newly discovered web shell that Mandiant calls DEWMODE.

The researchers are not sure how the attackers managed to write DEWMODE to disk, but the web shell extracts a list of files and their metadata from FTA's MySQL database.

Accellion says that fewer than 100 customers have been attacked as the result of four now-patched FTA vulnerabilities and that fewer than 25 "appear to have suffered significant data theft."

ISMG Principal Correspondent Prajeet Nair contributed to this story.

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.
