Accellion appliances under attack

The Risky Biz newsletter for February 2, 2021...

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

Accellion appliances are being thrown out nearest windows

Attacks on file transfer appliances sold by Silicon Valley-based Accellion have made headlines in Australia and New Zealand, but it was crickets elsewhere until this week.

As previously reported in this newsletter (see third item here), attackers have been helping themselves to files stored on Accellion file transfer appliances (FTAs), with New Zealand’s Reserve Bank, Australia’s corporate regulator and Allens, a large law firm, the first to disclose breaches in late December and early January.

While the investigation into these attacks started in the antipodes, that’s only where this story begins. Accellion is a Silicon Valley company with big US government clients. It’s the sort of appliance used by banks, aerospace companies, defence contractors, telcos, medical research networks, law firms, telcos, manufacturers and power and gas companies to transfer sensitive documents. It’s a little surprising how far under the radar this story has flown.

The first US-based victims are coming forward now. The Seattle Times reports that documents supporting 1.4 million unemployment claims were stolen from the Washington State Auditor’s Office, specifically from its Accellion file transfer appliance.

Accellion claims to have learned of an 0day in its FTA product in mid-December and to have patched it within 72 hours. We’re unsure if that’s when the attacks started or if that’s when the attacks started being discovered. In any case, Accellion provided customers scant details about the vulnerability, provided no details to the public, and didn’t tell customers that the vulnerability was being exploited until December 23.

Accellion now says attackers continued exploiting the appliances well into January 2021, as the company “identified additional exploits in the ensuing weeks and rapidly developed and released patches to close each vulnerability.”

The web portals for Accellion file transfer appliances are, by design, easily discoverable on the internet. In recent weeks, we’ve watched as dozens of organisations have decommissioned them, some of those efforts coming to light in media reports. Stanford Medicine was among several US medical research institutes to take their Accellion appliances offline, telling users on a temporary web page that “MedSecureSend is offline due to a critical security issue”.

The decommissioning of all these systems doesn’t necessarily indicate that they’ve been compromised and looks prudent given what we’ve learned in recent weeks. Of far greater concern is the sort of organisations that haven’t taken the same action. Several US government agencies with sensitive data protection requirements continue to host log-in pages for FTAs. These include a system lawmakers use to transfer large documents around the United States Capitol, for example.

That’s a bit of a worry, considering Accellion’s FTAs were vulnerable to easily exploited issues (see third item here) prior to the release of a patch on December 20, and other unreported issues since.

This week, GuidePoint Security published an analysis of the web shell used to exfiltrate data from compromised appliances. GuidePoint reverse engineer Drew Schmitt discovered that the new attacks look similar to techniques researcher Orange Tsai disclosed to Accellion back in 2016.

Accellion is painting this as the work of “highly sophisticated attackers’’ engaged in “cyber warfare”. Considering the appliances were hacked using run-of-the-mill SQLi bugs, that strikes us as PR-driven horse waste.

Some of the organisations that took FTAs offline appear to have upgraded to kiteworks, Accellion’s cloud-hosted successor to the appliance. Accellion promises kiteworks is secure in all the ways FTA isn’t. Judging from what we’ve learned about the code quality Accellion is willing to accept, we’re yet to be convinced.

There are several alternatives for the secure sharing of files that were not available in FTA’s heyday. Google Drive and Microsoft’s OneDrive could do most of the job. Specialty cloud services like Box are pretty much at feature parity with Accellion’s products, and Box cares enough about security to offer a vulnerability disclosure program. And if you have data sovereignty issues to contend with, there are plenty of niche players to choose from. (One of Risky Biz’ sponsors, Senatas, sells an alternative in the Australian market called SureDrop.) They’ll gladly take your money.

World v. Emotet: Fight!

A globally coordinated law enforcement operation has dismantled the Emotet botnet, one of the most impactful and evasive cybercrime operations on the planet.

Under Operation Ladybird, law enforcement agencies in eight countries teamed up with private security researchers to seize Emotet’s primary C2 servers, arrest two (presumably key) suspects, take control of hundreds of secondary C2s and push updates programmed to remove the Emotet malware from infected devices.

Netherlands’ National Police (Politie) seized two of Emotet’s primary C2 servers. They pushed an update from the seized C2 that instructed infected hosts to connect to new C2 servers controlled by another law enforcement partner, reportedly Germany’s Federal Criminal Police (BKA). The same update will also cause the Emotet malware to be uninstalled from infected hosts on April 25.

Law enforcement agencies will now catalogue the IP address, computer name and list of programs running on the 1.6m infected devices enrolled in the botnet and pass that information on to system owners. Emotet usually drops other malware (like TrickBot, QakBot etc) on to infected hosts, so system owners would be well advised to pay attention to these notifications.

The takedown appears to have been completely effective, both in terms of the availability of C2s and distribution of Emotet malspam. Ukraine’s “cyberpolice” released jaw-dropping footage of a raid that seized servers, laptops, hard drives, bank cards, cash and gold bars. They now claim to have leads on Emotet affiliates.

What stands out in this operation is the cooperation between law enforcement agencies and private individuals in the malware analysis community.

A group of private individuals, who asked to remain nameless, played a decisive role. For many months leading up to the takedown, they were collaborating on the long-term tracking of Emotet’s malware and infrastructure. Participants told Risky Biz that the usual national boundaries (researchers from different countries) or competitive boundaries (researchers from different cyber security companies) were of no consequence to this collaborative effort.

Western law enforcement agencies understood that network operators in some jurisdictions might not respond well to formal requests for assistance. So individuals in the threat intel and malware analysis communities were asked to reach out to peers working for network operators to enrol them in the operation on an informal basis.

Parties that were judged unlikely to cooperate (or untrustworthy) were side-stepped. Cooperative network operators were asked to block traffic to a subset of IP addresses in Emotet’s config file that were known to be based in countries that weren’t trusted with knowledge of the operation. That allowed the operation to take over most of the C2 and drop routing to the C2 they couldn’t seize.

One participant, who has been involved in several takedowns, described the Emotet operation as “the largest and broadest coalition” he’s been involved with, mostly because of the community research that went into it.

“There’s a lot of optimism about this model of cooperation going forward,” he said. “The camaraderie that’s arisen from this will play a role when we’re dealing with other threats.”

It’s difficult to calculate the losses that stemmed from Emotet infections over its seven year run. Numerous cybercrime operations relied on the Emotet botnet for fresh batches of infected devices for banking fraud, ransomware and other misdeeds. The US DoJ put their collective finger in the air and came up with “hundreds of millions”. The Ukrainians say it’s US$2.5 billion. We’ll just go with “incalculable”.

Ransomware spoils funnelled through very few parties

A Washington DC thought-bubble that would seek to impose KYC obligations on cryptocurrency exchanges is unlikely to cure the world’s ills overnight, but it’s definitely a thought provoking proposal in the fight against ransomware.

The process by which ransomware actors and dark market operators extract cryptocurrency payments, pay their suppliers and bank the balance is a serious area of vulnerability for them.

Last week we saw further evidence that a limited number of parties are responsible for laundering the proceeds of ransomware.

Blockchain analysis firm Chainalysis tracked $348.6 million in Bitcoin that passed through known ransomware wallets, and found that statistically, the spoils of ransomware campaigns get funnelled through relatively few money laundering services. The analysis also showed that ransomware gangs often transfer portions of their earnings to regular suppliers, which Chainalysis assumes to be exploit brokers and bulletproof hosting services.

During 2020, 199 deposit addresses received 80% of all funds sent by ransomware groups, and only 25 of those accounts collected almost half the funds.

That tells us that it may be possible for the relevant authorities to disrupt ransomware operations by targeting their ill-gotten gains. It would be difficult, it might even require executive approval, but it is food for thought.

Consider a few other recent studies:

Think of the potential impact if you were to throw the top 10 key players in the ransomware economy (launderers) off the proverbial bridge. Alternatively, just “disappear” their clients’ money, and let those clients do the throwing-people-off-bridges for you.

SonicWall owned via 0day. Or popped creds. Or something.

If I were the CEO of a network security vendor, I’d want to be pretty certain that my company was hacked using 0day in its own products before announcing that delightful news to the world.

A week ago SonicWall announced its internal systems were breached by attackers using “probable zero-day vulnerabilities on certain SonicWall secure remote access products”. A week later the company wasn’t so certain anymore, and wondered out loud whether a recent series of attacks on customers was actually just a case of credential re-use.

SonicWall changed its tune once NCC Group researchers reported an 0day vulnerability in SMA 100 series products that were reportedly being exploited in the wild. SonicWall’s customers must have been thrilled to see the disclosure process play out in a Twitter thread.

Earlier today, SonicWall officially acknowledged there was a zero-day vulnerability in version 10.x of its SMA 100 series, as disclosed by NCC Group, which it expects to patch by the end of today (February 2, 2021). Who knows if it’s the same bug that attackers used against the company’s internal systems? Not them lol.

Three reasons to actually be cheerful this week:

  1. Backups FTW: The average and median payment made to ransomware gangs declined in late 2020 for the first time in two years.
  2. iMessage gets a security boost: Reverse engineers at Google studied changes Apple made to iMessage in iOS14 (released in Sept 2020) and concluded that the app is now far more resilient against the sort of “interaction-less” 0day NSO Group customers used in attacks against journalists and activists last year.
  3. Self-licking ice cream: Microsoft is making SO much money out of security. Yay Microsoft! We think it’s amazing this goes unchallenged. It’s like car-makers charging huge premiums for safety critical features like AEB or airbags.


NetWalker feels a little heat

The NetWalker ransomware operation hit a snag after Bulgarian police seized one of its servers and the US DoJ indicted an affiliate that used the malware during ransomware attacks.

US Federal Court resorts to air gaps

The Associated Press reports that in response to HAND-WAVY RUSSIASTUFF, court documents usually published in the federal judiciary’s electronic case management system are now only being uploaded to air-gapped computers. The only way for lawyers to access documents published in the District Court of Massachusetts is to physically go to the courthouse.

One person’s influence op is another person’s digital marketing campaign

Researchers uncovered a network of fake Twitter profiles that were set up to condemn a ban on “high-risk” Chinese networking vendors in Belgium’s 5G rollout. The bots linked off to Huawei-produced articles and their tweets were retweeted by Huawei employees.

Sudo patch your sudo

It sort of goes without saying that Unix/Linux admins should patch the Sudo bug flagged on the podcast last week. Maybe these guys can convince you to hurry it along a bit?

TrickBot gettin’ all fancy

TrickBot has been testing a new module that uses open source utility Masscan to scan for systems with open ports on the same LAN as the infected host. The results are sent back to C2 servers to help attackers plan out lateral movement.

Phishing kits that build themselves

RiskIQ has uncovered a phishing kit that fetches and displays logos and text in real-time to adapt to its target.

India to ban cryptocurrencies

India’s government has proposed regulations that will ban the use of any digital currency that wasn’t created by the government. Indians are dumping their crypto in a panic. Our advice? They should go long on Western Australian toilet paper futures. Stonks!

This week’s long read

Andy Greenberg at Wired spoke to activists and cryptographers about the counterintuitive migration of WhatsApp users to Telegram.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at