{
	"id": "86c1db3c-ae59-4266-a66c-d793b09f2ae1",
	"created_at": "2026-04-06T03:36:03.038339Z",
	"updated_at": "2026-04-10T03:30:21.158068Z",
	"deleted_at": null,
	"sha1_hash": "bef028c4c23317595dfd7428087222723b58e18e",
	"title": "Global Accellion data breaches linked to Clop ransomware gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 846542,
	"plain_text": "Global Accellion data breaches linked to Clop ransomware gang\r\nBy Ionut Ilascu\r\nPublished: 2021-02-22 · Archived: 2026-04-06 02:52:57 UTC\r\nThreat actors associated with financially-motivated hacker groups combined multiple zero-day vulnerabilities and a new\r\nweb shell to breach up to 100 companies using Accellion's legacy File Transfer Appliance and steal sensitive files.\r\nThe attacks occurred in mid-December 2020 and involved the Clop ransomware gang and the FIN11 threat group. Unlike\r\nprevious attacks by these groups, the Clop file-encrypting malware was not deployed.\r\nIt appears that the actors opted for an extortion campaign. After stealing the data, they threatened victims over email with\r\nmaking stolen information publicly available on the Clop leak site unless a ransom was paid.\r\nhttps://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nBleepingComputer has been tracking these Accellion-related breaches and discovered almost a dozen victims.\r\nAmong them are supermarket giant Kroger, Singtel, QIMR Berghofer Medical Research Institute, Reserve Bank of New\r\nZealand, the Australian Securities and Investments Commission (ASIC), and the Office of the Washington State Auditor\r\n(\"SAO\").\r\nAdditional victims tracked by BleepingComputer include :\r\ntechnical services company ABS Group\r\nlaw firm Jones Day\r\nFortune 500 science and technology corporation Danaher\r\ngeo-data specialist Fugro\r\nthe University of Colorado\r\nAfter we reported on the Singtel breach earlier this month, the Clop gang contacted us and stated that they stole 73 GB of\r\ndata as part of their attack. 
When BleepingComputer asked how they gained access to Singtel's data, Clop refused to share that information.\r\nBleepingComputer has learned from sources that the American Bureau of Shipping (ABS), which Clop listed as Eagle.org, received a ransom note via email.\r\nDetails about Accellion attacks revealed\r\nA coordinated announcement from Accellion and Mandiant today sheds light on how the attacks against the Accellion FTA devices took place.\r\nIn its press release, Accellion says there were 300 customers using its legacy, 20-year-old File Transfer Appliance (FTA). Of these customers, fewer than 100 were victims of the attacks from Clop and FIN11, and “less than 25 appear to have suffered significant data theft.”\r\nAccellion patched the vulnerabilities and continues its mitigation efforts. The company “strongly recommends that FTA customers migrate to Kiteworks”, an enterprise content firewall platform built on a different code base, with its own security architecture and a segregated, secure DevOps process.\r\nIncident responders at FireEye Mandiant investigated these attacks for some of their customers and highlighted the collaboration between the Clop ransomware operation and the FIN11 gang in this campaign.\r\nBoth groups have worked together before. Last year, FIN11 joined the ransomware business and started to encrypt the networks of its victims using Clop.\r\nMandiant tracks the recent exploitation of Accellion FTA using multiple zero-days as UNC2546. 
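Added example, not code from the article or from Mandiant or Accellion: a log check for the first bug in the vulnerability list that follows, SQL injection through a crafted Host header. Everything about the log is an assumption (one request per line with timestamp, client IP, method, path, HTTP status and then the raw Host value; fta.example.com and 10.0.0.5 standing in for the appliance's legitimate names), and the sample lines are constructed rather than taken from any real FTA.

```python
# Added example, not code from the article, Accellion or Mandiant. It shows the
# kind of log check a defender could run for the crafted-Host-header SQL
# injection class named in the vulnerability list. The log format is assumed
# (one request per line: timestamp, client IP, method, path, HTTP status, then
# the raw Host header value) and the sample lines below are constructed.

APOSTROPHE = chr(39)   # written this way so the block needs no quote escapes

# Hostnames and addresses the appliance is legitimately reached by (assumed).
EXPECTED_HOSTS = {'fta.example.com', '10.0.0.5'}

# Characters a well-formed Host header may contain (host plus optional port).
HOST_CHARS = set('abcdefghijklmnopqrstuvwxyz0123456789.-:[]')

# Substrings that have no business in a Host header but are common in injection payloads.
SQL_MARKERS = (APOSTROPHE, ' or ', ' and ', ' union ', ' select ', '--', '/*',
               'sleep(', 'benchmark(', 'char(')

# Constructed sample log: one benign client and one client that injects twice
# through Host and then keeps browsing the appliance.
SAMPLE_LOG = [
    '2020-12-20T03:11:02Z 203.0.113.7 GET /login 200 fta.example.com',
    '2020-12-20T03:11:09Z 198.51.100.23 GET /login 200 fta.example.com',
    '2020-12-20T03:12:41Z 198.51.100.23 GET /login 500 fta.example.com' + APOSTROPHE + ' or 1=1--',
    '2020-12-20T03:12:58Z 198.51.100.23 GET /login 200 fta.example.com' + APOSTROPHE + ' union select 1,2,3--',
    '2020-12-20T03:13:30Z 198.51.100.23 POST /upload 200 fta.example.com',
    '2020-12-20T03:14:02Z 198.51.100.23 GET /files 200 fta.example.com',
    '2020-12-20T03:15:11Z 203.0.113.7 GET /files 200 10.0.0.5',
]


def parse_line(line):
    # Five fixed fields; everything after the status is the Host value, spaces included.
    ts, client, method, path, status, host = line.split(None, 5)
    return {'ts': ts, 'client': client, 'method': method, 'path': path,
            'status': int(status), 'host': host}


def host_reasons(host):
    # Reasons a Host value looks crafted; an empty list means it looks normal.
    lowered = host.lower()
    reasons = []
    if lowered not in EXPECTED_HOSTS:
        reasons.append('unexpected host')
    bad_chars = sorted(set(lowered) - HOST_CHARS)
    if bad_chars:
        reasons.append('disallowed characters: ' + repr(''.join(bad_chars)))
    for marker in SQL_MARKERS:
        if marker in lowered:
            reasons.append('sql marker: ' + marker.strip())
    return reasons


def scan(lines):
    # Parse every line and collect the ones whose Host header looks crafted.
    entries = [parse_line(line) for line in lines]
    findings = []
    for e in entries:
        reasons = host_reasons(e['host'])
        if reasons:
            findings.append({'ts': e['ts'], 'client': e['client'],
                             'host': e['host'], 'reasons': reasons})
    return entries, findings


def follow_up_activity(entries, findings):
    # The intrusions started with the injection and continued with requests for
    # further resources, so list, per flagged client, the ordinary requests it
    # made after its first crafted Host header (ISO timestamps sort as strings).
    first_hit = {}
    for f in findings:
        first_hit.setdefault(f['client'], f['ts'])
    activity = {}
    for e in entries:
        start = first_hit.get(e['client'])
        if start is not None and e['ts'] > start and not host_reasons(e['host']):
            activity.setdefault(e['client'], []).append(e['method'] + ' ' + e['path'])
    return activity


if __name__ == '__main__':
    entries, findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f['ts'], f['client'], repr(f['host']), '; '.join(f['reasons']))
    for client, requests in follow_up_activity(entries, findings).items():
        print('follow-up by', client + ':', ', '.join(requests))
```

Run stand-alone it prints the two flagged requests from 198.51.100.23 and the POST and GET that client sent afterwards. That ordering, a Host-header injection first and requests for further resources after, is the sequence the researchers reconstructed from the breached appliances' logs, and is the pattern worth hunting for; on a real FTA the expected hostnames and the log layout have to be adjusted to what the appliance actually records.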
The following vulnerabilities have been discovered:\r\n- CVE-2021-27101 - SQL injection via a crafted Host header\r\n- CVE-2021-27102 - OS command execution via a local web service call\r\n- CVE-2021-27103 - SSRF via a crafted POST request\r\n- CVE-2021-27104 - OS command execution via a crafted POST request\r\nThe researchers distinguish this activity from the extortion campaign, which they track as UNC2582. However, they did notice overlaps between the two and previous operations attributed to FIN11.\r\nNew DEWMODE webshell planted on Accellion devices\r\nWhile investigating the incidents, the researchers observed that the intruders used a previously undocumented webshell that they called DEWMODE.\r\n“Mandiant determined that a common threat actor we now track as UNC2546 was responsible for this activity. While complete details of the vulnerabilities leveraged to install DEWMODE are still being analyzed, evidence from multiple client investigations has shown multiple commonalities in UNC2546's activities.”\r\nThe researchers reconstructed the compromise of Accellion FTAs using system logs from the breached devices, tracing the initial entry, the deployment of DEWMODE, and the follow-up interaction.\r\nThe attacker used the SQL injection vulnerability to gain access and then followed with requests to additional resources. Once they obtained the necessary access level, the hackers wrote the DEWMODE web shell to the system.\r\nThe role of the webshell was to extract a list of available files from a MySQL database on the FTA and to list them on an HTML page along with the accompanying metadata (file ID, path, filename, uploader, and recipient).\r\nA blog post from Mandiant today explains all the technical aspects regarding the use of the web shell and how the hackers gained access to their targets.\r\nThe intruders 
stole the data via DEWMODE but did not encrypt the compromised systems. In late January, though, victims started to get extortion emails from someone threatening to publish the stolen data on the Clop ransomware leak site.\r\nIf the victim did not respond to the initial threats, other emails followed with the clear intention of forcing payment.\r\nThe researchers note that the first emails are delivered to a smaller set of recipients from a free email account that appears to be unique for each victim.\r\nLack of a reply from the victim led to the hackers sending out additional emails, “to a much larger number of recipients from hundreds or thousands of different email accounts and using varied SMTP infrastructure,” Mandiant says.\r\n“In at least one case, UNC2582 also sent emails to partners of the victim organization that included links to the stolen data and negotiation chat” - Mandiant\r\nAnalyzing the extortion emails, the researchers found that some of the IP addresses and email accounts had been used by FIN11 in phishing operations between August and December 2020.\r\nFurthermore, some of the targets compromised through Accellion’s FTA had been compromised by FIN11 in the past, linking the group to this set of intrusions.\r\nAnother connection is an IP address used to communicate with the DEWMODE web shell, which is assigned to Fortunix Networks L.P., a network that FIN11 uses frequently for one of its malware downloaders, tracked as FRIENDSPEAK.\r\nMandiant says that the connection between FIN11 and UNC2546 in the Accellion breaches is \"compelling\" but the relationship is still under assessment, which explains why the researchers are tracking the threats separately.\r\nOne reason is that the infection vector and foothold attributed to UNC2546 are different from what has been attributed to FIN11. 
Moreover, the uncategorized actor did not move laterally across the network, something that FIN11 does.\r\nBased on this, Mandiant considers that it has insufficient evidence for attributing the attacks to FIN11.\r\n\"Using SQL injection to deploy DEWMODE or acquiring access to a DEWMODE shell from a separate threat actor would represent a significant shift in FIN11 TTPs, given the group has traditionally relied on phishing campaigns as its initial infection vector and we have not previously observed them use zero-day vulnerabilities,\" the researchers say.\r\nSource: https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/"
	],
	"report_names": [
		"global-accellion-data-breaches-linked-to-clop-ransomware-gang"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446563,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bef028c4c23317595dfd7428087222723b58e18e.pdf",
		"text": "https://archive.orkl.eu/bef028c4c23317595dfd7428087222723b58e18e.txt",
		"img": "https://archive.orkl.eu/bef028c4c23317595dfd7428087222723b58e18e.jpg"
	}
}