The Accellion FTA Breach
In late December 2020 and early 2021, attackers exploited a set of previously unknown (zero-day) vulnerabilities in the Accellion File Transfer Appliance (FTA), a roughly twenty-year-old file-transfer product that enterprises and government agencies still used to exchange large or sensitive files. Accellion later stated that of its approximately 300 FTA customers, fewer than 100 were attacked and fewer than 25 suffered significant data theft; those victims included law firms, universities, healthcare providers, banks, and government bodies.
The exploitation activity was tracked by Mandiant as UNC2546, and the follow-on extortion as UNC2582, with overlaps to the FIN11 group; stolen data was published on the Clop leak site. The attackers used the vulnerabilities to gain remote code execution on exposed FTA appliances and installed a web shell known as DEWMODE. No ransomware was deployed: the attackers exfiltrated files, then sent extortion emails threatening to leak the data unless the victim paid.
Technical Details
The attack chain used the four vulnerabilities Accellion patched as CVE-2021-27101 through CVE-2021-27104: an SQL injection reachable through a crafted Host header, two OS command execution flaws reachable through a local web service call and a crafted POST request, and a server-side request forgery. In the observed intrusions the attackers used the SQL injection to retrieve a key that let them invoke the command execution path, then used command execution to write the DEWMODE web shell into the appliance's web root. DEWMODE was not a generic command shell: it queried the FTA's MySQL database to list the stored files and let the attacker download them by ID. A cleanup script was then run to remove the web shell and other traces, which is why appliance-local logs alone were often insufficient for investigation.
Proof of Concept
A minimal PHP command shell of the kind used in such intrusions (this is a generic illustration of the technique, not the DEWMODE code itself):
<?php
// Minimal web shell: any request carrying a "cmd" parameter
// (query string, POST body, or cookie, since $_REQUEST merges all three)
// has that value executed as an OS command, with output returned in the response.
if(isset($_REQUEST['cmd'])){
    system($_REQUEST['cmd']);
}
?>
Once a file like this is written under the web root, the attacker runs commands on the appliance with ordinary HTTP requests, which is why a PHP file at a path the application never shipped, or requests to it carrying command-style parameters, are strong indicators of compromise. In the FTA intrusions the shell was written via the command execution flaw rather than through a legitimate upload endpoint.
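As an added example (not code from the original page or from Accellion), the following Python script shows two checks a responder would run for the pattern above: a static scan of PHP source for request data flowing straight into an OS execution primitive, and a pass over web server access logs that flags requests to PHP files outside the application's known file set or carrying shell-style parameters. The log lines, file paths and known-file list are constructed for illustration and are not real FTA paths.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# --- 1. Static check: request-controlled data passed directly to an exec primitive ---
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
REQUEST_GLOBALS = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE")
_SHELL_RE = re.compile(
    r"\b(?P<func>" + "|".join(EXEC_FUNCS) + r")\s*\(\s*"
    r"(?P<src>" + "|".join(re.escape(g) for g in REQUEST_GLOBALS) + r")\s*\["
)

def find_webshell_indicators(php_source: str) -> List[Tuple[str, str]]:
    """Return (exec_function, request_superglobal) pairs found in PHP source.
    Catches the plain pattern system($_REQUEST['cmd']); obfuscated shells
    (base64 blobs, string concatenation, variable functions) will not match,
    so treat a miss as "not proven clean"."""
    return [(m.group("func"), m.group("src")) for m in _SHELL_RE.finditer(php_source)]

# --- 2. Log check: requests to PHP files the application never shipped ---
# Apache/nginx "combined"-style access log line.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
SUSPICIOUS_PARAMS = frozenset({"cmd", "c", "exec", "command", "run"})

def parse_log_line(line: str) -> Optional[Dict]:
    """Parse one access log line into a dict with path and query parameters."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query)
    return rec

def find_webshell_requests(lines: Iterable[str], known_php_paths) -> List[Dict]:
    """Flag requests to .php paths not in the application's known set, or that
    carry a shell-style parameter. Because a $_REQUEST shell also accepts the
    command in a POST body, which the access log never records, the
    unknown-path check is the one that catches POSTed commands."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not rec["path"].lower().endswith(".php"):
            continue
        reasons = []
        if rec["path"] not in known_php_paths:
            reasons.append("unknown-php-file")
        if any(k.lower() in SUSPICIOUS_PARAMS for k in rec["params"]):
            reasons.append("shell-parameter")
        if reasons:
            hits.append({"ip": rec["ip"], "method": rec["method"],
                         "path": rec["path"], "reasons": reasons})
    return hits

# Constructed sample data (hypothetical paths, not real FTA file names).
KNOWN_PHP = frozenset({"/app/login.php", "/app/files.php"})
SAMPLE_LOG = """\
198.51.100.7 - - [21/Jan/2021:03:14:07 +0000] "GET /app/login.php HTTP/1.1" 200 1203
198.51.100.7 - - [21/Jan/2021:03:14:09 +0000] "POST /app/login.php HTTP/1.1" 302 0
203.0.113.5 - - [21/Jan/2021:03:16:40 +0000] "GET /app/files.php?cmd=id HTTP/1.1" 200 81
203.0.113.5 - - [21/Jan/2021:03:17:02 +0000] "GET /app/cache/x.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 2044
203.0.113.5 - - [21/Jan/2021:03:17:30 +0000] "POST /app/cache/x.php HTTP/1.1" 200 310
"""
SAMPLE_SHELL = "<?php\nif(isset($_REQUEST['cmd'])){\n    system($_REQUEST['cmd']);\n}\n?>"

if __name__ == "__main__":
    print("static indicators:", find_webshell_indicators(SAMPLE_SHELL))
    for hit in find_webshell_requests(SAMPLE_LOG.splitlines(), KNOWN_PHP):
        print(hit)
```

The known-file set is the part that does the work: build it from a clean install or vendor package manifest, not from the suspect appliance, since a cleanup script of the kind used in these intrusions can remove the shell after the data is gone. Forwarding access logs off the appliance at write time preserves the evidence the script cannot delete.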
Real-World Impact
The breach affected organizations worldwide and exposed sensitive legal, financial, personal, and healthcare data, much of it subsequently published on the Clop leak site. Victims faced regulatory investigations, class-action lawsuits, and reputational damage. Accellion, which had already been steering customers away from the product, set an end-of-life date of April 30, 2021 for FTA and urged remaining customers to migrate to its Kiteworks platform.
Lessons Learned
The Accellion FTA breach highlighted the risk of keeping an unsupported or legacy product in an internet-facing role that handles an organization's most sensitive files. Practical takeaways: inventory third-party appliances and treat each as part of the attack surface, decommission products that the vendor is winding down rather than waiting for a forced migration, place file-transfer systems behind network controls and alert on unexpected outbound volume, forward appliance logs off-box so that attacker cleanup cannot erase the record, and rehearse the response to a vendor zero-day where the only fix is the vendor's patch. The same group repeated the playbook against MOVEit Transfer in 2023, so the lesson applies to every managed file-transfer product, not only to FTA.