The Clop ransomware gang has continued to take advantage of the Accellion FTA vulnerability to extort Accellion’s clients by threatening to leak the data they stole. Thus far, the group has already managed to target supermarket giant Kroger, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), Singtel, QIMR Berghofer Medical Research Institute, the Office of the Washington State Auditor (SAO), and the energy company Shell. This week, the group has released screenshots of sample data belonging to the University of Colorado and the University of Miami. The University of Colorado announced that they suffered a breach in February but did not know the severity. Clop has since posted screenshots of information such as university financial documents, student grades, academic records, enrollment information, and student biographical information. As for the University of Miami, it seems as if they’ve had information pertaining to the university’s health system published, including medical records, demographic reports, Social Security Numbers (SSNs), and a spreadsheet with email addresses and phone numbers. Although only a limited amount of data has been posted thus far, it is likely Clop will continue to post more screenshots in an effort to force the universities to pay their extortion demands.
Analyst Notes
Previously released recommendations on how to protect against exploitation of the Accellion FTA vulnerability remain the same. Those include:
• Temporarily isolate or block internet access to and from systems hosting the software until they are fully patched.
• Assess the system for evidence of malicious activity including the IOCs and obtain a snapshot or forensic disk image and memory capture of the system for subsequent investigation.
• If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:
o Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes and consider resetting user passwords.
o Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.
• Update Accellion FTA to version FTA_9_12_432 or later.
• Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
o Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021. Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.
Organizations are also advised to stay on the lookout for any updates from Accellion and continue working with trusted cyber security professionals on how to better protect their data moving forward.
Sources:
https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-colorado-miami-universities/
https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf
