According to researchers from FireEye, a threat actor tracked by Mandiant as UNC2546 exploited multiple zero-days in Accellion’s legacy File Transfer Appliance (FTA). The goal of the attacks was to install a new web shell named DEWMODE. Starting in January 2021, the group’s motivation became clear when they began to send extortion emails to employees of the affected companies that threatened to post stolen data on the “CLOP^_LEAKS” Darknet website. Some of the posted data currently on the website appears to be stolen using the DEWMODE web shell. The number of victims on the leak site increased in February 2021, with a number of them from the US, Canada, Singapore, and the Netherlands. Previously identified by researchers, FIN11 has threatened to post stolen data from victims on the same leak site after they deployed the CLOP Ransomware, but in the recent posting from UNC2546, there has been no evidence of ransomware being used. There have been overlaps identified with the groups UNC2582, UNC2546, and FIN11, and Mandiant has stated they are tracking those overlaps. UNC2546 has been using SQL injection to gain a foothold into a network, whereas FIN11 has predominately used phishing emails and does not typically rely on vulnerabilities as an infection vector, limiting the chance that the groups are connected.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in