Threat Actors Exploit Accellion FTA for Data Theft and Extortion
Common Information

Type                         Value
UUID                         a03b24bc-2019-48fe-8d3f-8dd8b365c229
Fingerprint                  381f901b09a58be1
Analysis status              DONE
Considered CTI value         2
Text language
Published                    Feb. 22, 2021, midnight
Added to db                  Nov. 8, 2023, 11:07 p.m.
Last updated                 Nov. 17, 2024, 5:55 p.m.
Headline                     Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
Title                        Threat Actors Exploit Accellion FTA for Data Theft and Extortion
Detected Hints/Tags/Attributes   84/3/32
RSS Feed

Id    Enabled   Feed title            Url                                                 Added to db
330             Threat Intelligence   https://www.mandiant.com/resources/blog/rss.xml     2024-08-30 22:08
Attributes

Type                                    #Events   Value
CVE                                     20        cve-2021-27101
CVE                                     16        cve-2021-27102
CVE                                     17        cve-2021-27103
CVE                                     17        cve-2021-27104
Domain                                  2         admin.pl
Domain                                  1         onion.dog
Domain                                  2         support-box.com
Email                                   2         unlock@support-box.com
File                                    3         document_root.html
File                                    3         sftp_account_edit.php
File                                    2         admin.pl
File                                    17        about.html
File                                    3         adminpl.log
File                                    1         cache.js
File                                    9         webshell.php
md5                                     4         11454bd782bb41db213d415e10a0fb3c
md5                                     3         bdfd11b1b092b7c61ce5f02ffc5ad55a
md5                                     1         2798c0e836b907e8224520e7e6e4bb42
sha256                                  2         5fa2b9546770241da7305356d6427847598288290866837626f621d794692c1b
sha256                                  3         2e0df09fa37eabcae645302d9865913b818ee0993199a6d904728f3093ff48c7
IPv4                                    3         45.135.229.179
IPv4                                    2         79.141.162.82
IPv4                                    2         155.94.160.40
IPv4                                    1         192.154.253.120
IPv4                                    2         192.52.167.101
IPv4                                    3         194.88.104.24
Mandiant Security Validation Actions    1         A101-515
Mandiant Security Validation Actions    1         A101-516
Mandiant Uncategorized Groups           8         UNC2546
Mandiant Uncategorized Groups           3         UNC2582
Threat Actor Identifier - FIN           127       FIN11
Yara rule                               1         DEWMODE_PHP_Webshell (rule text below)

rule DEWMODE_PHP_Webshell {
	strings:
		$s1 = /if \(isset\(\$_REQUEST\[[\x22\x27]dwn[\x22\x27]]\)[\x09\x20]{0,32}&&[\x09\x20]{0,32}isset\(\$_REQUEST\[[\x22\x27]fn[\x22\x27]\]\)\)\s{0,256}\{/
		$s2 = "<th>file_id</th>"
		$s3 = "<th>path</th>"
		$s4 = "<th>file_name</th>"
		$s5 = "<th>uploaded_by</th>"
		$s6 = "target=\\\"_blank\\\">Download</a></td>"
		$s7 = "Content-Type: application/octet-stream"
		$s8 = "Content-disposition: attachment; filename="
	condition:
		all of them
}