Accellion Attack Involved Extensive Reverse Engineering

March 3, 2021 – Article posted on Bankinfosecurity

Among the many lessons to be learned from the Accellion File Transfer Appliance mess is this: Attackers will devote substantial resources to reverse-engineer hardware, software or a service if they see a financial upside.

In the case of Accellion’s FTA, reverse engineering enabled attackers to drop a web shell – a script that enables remote execution of commands – onto any server running the FTA software, according to FireEye’s Mandiant incident response group, which Accellion hired to investigate. The web shell allowed attackers to bypass authentication, remotely execute code on the vulnerable systems and steal data. In at least some cases, stolen data ended up in the hands of the Clop ransomware gang, which has been offering to sell it or to remove it if victims pay a ransom…

Investigators say attackers identified:

  • How to call internal APIs to obtain keys to decrypt filenames;
  • How to forge tokens for internal API calls;
  • How to chain together the vulnerabilities involved to conduct unauthenticated remote code execution;
  • How to navigate FTA’s internal database, requiring a detailed understanding of the database structure;
  • How to bypass FTA’s built-in anomaly detector (in the case of the January exploit).

…Any organization continuing to use FTA is on borrowed time and should ensure it is fully patched as well as backed by rigorous log collection and analysis, and access review, Drew Schmitt, a senior threat intelligence analyst with GuidePoint Security in Herndon, Virginia, says in a guide for remaining FTA users….
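To make the "rigorous log collection and analysis" advice concrete, here is an added example of a simple web-shell hunting heuristic over web-server access logs. It is not code from the article, Accellion, Mandiant or GuidePoint: the combined log format, the allowlist of expected POST endpoints and the sample log lines are all constructed assumptions for illustration, since the article does not describe FTA's real log format or endpoints. The idea is the one a defender would apply after a web shell has been dropped: successful POST requests to script paths that no legitimate client should be posting to, especially repeated ones from a single source, deserve a look.

```python
"""Web-shell hunting heuristic over access-log lines (added example).

Assumptions (not from the article): logs are in Apache/nginx "combined"
format, and the allowlist of legitimate POST endpoints is a constructed
placeholder rather than real FTA paths.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script endpoints a legitimate client is expected to POST to.
# Constructed placeholders; a real deployment builds this from its own baseline.
KNOWN_POST_ENDPOINTS = {"/app/upload.php", "/app/login.php", "/app/download.php"}

SCRIPT_SUFFIXES = (".php", ".cgi", ".jsp", ".aspx")


class Finding(NamedTuple):
    ip: str
    path: str
    reason: str
    hits: int


def parse(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines: Iterable[str],
         known_posts=KNOWN_POST_ENDPOINTS,
         burst_threshold: int = 5) -> List[Finding]:
    """Flag successful (2xx) POSTs to script paths outside the allowlist.

    Repeated hits from one client to one unexpected script are marked as a
    burst, which is the pattern an interactive web shell tends to produce.
    """
    per_client_path: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line; a real pipeline should count these too
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if (rec["method"] == "POST"
                and rec["status"].startswith("2")
                and path.endswith(SCRIPT_SUFFIXES)
                and path not in known_posts):
            per_client_path[(rec["ip"], path)] += 1

    findings = []
    for (ip, path), n in per_client_path.items():
        reason = "successful POST to script path outside allowlist"
        if n >= burst_threshold:
            reason += " (burst)"
        findings.append(Finding(ip, path, reason, n))
    return sorted(findings, key=lambda f: -f.hits)


# Constructed sample log: two benign requests, one probe that got a 404,
# four hits from one client on an unexpected script, and a single hit from another.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2020:03:14:07 +0000] "POST /app/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Dec/2020:03:14:09 +0000] "GET /app/download.php?id=42 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Dec/2020:03:15:00 +0000] "POST /app/cache/missing.php HTTP/1.1" 404 210 "-" "python-requests/2.25"',
    '203.0.113.9 - - [20/Dec/2020:03:15:01 +0000] "POST /app/cache/unexpected.php HTTP/1.1" 200 88 "-" "python-requests/2.25"',
    '203.0.113.9 - - [20/Dec/2020:03:15:02 +0000] "POST /app/cache/unexpected.php HTTP/1.1" 200 96 "-" "python-requests/2.25"',
    '203.0.113.9 - - [20/Dec/2020:03:15:04 +0000] "POST /app/cache/unexpected.php HTTP/1.1" 200 1201 "-" "python-requests/2.25"',
    '203.0.113.9 - - [20/Dec/2020:03:15:09 +0000] "POST /app/cache/unexpected.php HTTP/1.1" 200 77 "-" "python-requests/2.25"',
    '198.51.100.4 - - [20/Dec/2020:04:02:11 +0000] "POST /app/tmp/other.php HTTP/1.1" 200 64 "-" "curl/7.64"',
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, burst_threshold=3):
        print(f"{f.ip:15} {f.path:28} hits={f.hits:3} {f.reason}")
```

Running the script prints one burst finding for 203.0.113.9 and one single-hit finding for 198.51.100.4; the 404 probe is ignored because only responses from a script that actually exists are counted. The allowlist is the part that needs real work in practice: it should come from a baseline of the appliance's known endpoints, and any script path that appears after the last legitimate update window is a candidate for the access review the article recommends.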

Read more HERE.