Accellion data breach: Difference between revisions

Line 14:

==The Attack==

Around Mid December, FIN11 targeted Accellion 20 year legacy ~~[[wikipedia:File_transfer~~|File Transfer Appliance]](FTA), deploying ~~2 [[wikipedia:~~Zero-~~day_vulnerability~~|zero-day-vulnerabilities]] that granted access to installation of a custom [[wikipedia:Web_shell|web shell]] named DEWMODE<ref>{{Cite web |date=23 February 2021 |title=Accellion Compromise Impacts Many Targets Including Healthcare Organizations |url=https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |url-status=live |access-date=26 March 2026 |website=hhs.gov}}</ref>, allowing for SQL injection into Accellion systems. On 16 December, Accellion became aware of the vulnerability after a customer reported the vulnerability, and shorty after releasing a patch within 72 hours on 20 and 23 of December 2020.<ref name=":1">{{Cite web |last=Neill |first=Rob |date=3 March 2021 |title=Accellion hack: timeline clarifies when and how customers were notified |url=https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |url-status=live |access-date=26 March 2026 |website=ARN}}</ref> On 12 January, the company released a statement announcing the attack and urging customers to update to their newely released communication platform kiteworks.<ref>{{Cite web |date=12 January 2021 |title=Press Release Accellion Responds to Recent FTA Security Incident |url=https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20260118203606/https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |archive-date=18 January 2026 |access-date=26 March 2026 |website=Kiteworks}}</ref> On 20 January, hackers conducted more attacks after finding new vulnerabilities that included 2 more [[wikipedia:Zero-day_vulnerability|zero-day-vulnerabilities]]<ref name=":2">{{Cite web |date=1 March 2021 |title=ACCELLION, INC. FILE TRANSFER APPLIANCE (FTA) SECURITY ASSESSMENT |url=https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |url-status=live |archive-url=https://web.archive.org/web/20211128204658/https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |archive-date=28 November 2021 |access-date=27 March 2026 |website=Kiteworks}}</ref>, however after the vulnerability were noticed by Accellion customer service on 22 January, they were shortly patched three days later.<ref name=":0" /><ref name=":1" />Around late January, victims started receiving ransom emails that threatens to publish the stolen data. If the victim didn't respond, they would receive several more warnings messages urging the victim to respond.<ref>{{Cite web |last=Ilascu |first=Ionut |date=22 February 2021 |title=Global Accellion data breaches linked to Clop ransomware gang |url=https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |url-status=live |access-date=27 March 2026 |website=BleepingComputer}}</ref> The company would implement another patch on 28 January that enhanced the security of the 23 December patch. On 01 February, Accellion released an statement detailing the attack and adding no new vulnerabilities were detect at the time.<ref>{{Cite web |date=1 February 2021 |title=Press Release Accellion Provides Update to Recent FTA Security Incident |url=https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20210202020120/https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |archive-date=2 February 2021 |access-date=26 March 2026 |website=Accellion}}</ref> A last patch was implemented on 01 March in collaboration with [[wikipedia:Mandiant|Mandiant]] (subsidiary to [[Google]]) that fixed two additional vulnerabilities.<ref name=":2" /> Accellion would announce termination of its 20 year legacy [[wikipedia:File_transfer|File Transfer Appliance]], giving customers till 30 April to make any changes to their licensing agreements.<ref>{{Cite web |date=27 March 2026 |title=Accellion |url=https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |url-status=live |archive-url=https://web.archive.org/web/20220125042927/https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |archive-date=25 January 2022 |access-date=27 March 2026 |website=Kiteworks}}</ref>[[File:~~Hacker~~ group ransom demand message.png|alt=Hackers ~~Ransom Demand Message|thumb~~|Hackers ~~Ransom Demand Message~~ ]]

Around Mid December, FIN11 targeted Accellion 20 year legacy {{Wplink|File transfer|File Transfer Appliance}} (FTA), deploying two {{Wplink|Zero-day vulnerability|zero-day-vulnerabilities}} that granted access to installation of a custom [[wikipedia:Web_shell|web shell]] named DEWMODE<ref>{{Cite web |date=23 February 2021 |title=Accellion Compromise Impacts Many Targets Including Healthcare Organizations |url=https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |url-status=live |access-date=26 March 2026 |website=hhs.gov}}</ref>, allowing for SQL injection into Accellion systems. On 16 December, Accellion became aware of the vulnerability after a customer reported the vulnerability, and shorty after releasing a patch within 72 hours on 20 and 23 of December 2020.<ref name=":1">{{Cite web |last=Neill |first=Rob |date=3 March 2021 |title=Accellion hack: timeline clarifies when and how customers were notified |url=https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |url-status=live |access-date=26 March 2026 |website=ARN}}</ref> On 12 January, the company released a statement announcing the attack and urging customers to update to their newely released communication platform kiteworks.<ref>{{Cite web |date=12 January 2021 |title=Press Release Accellion Responds to Recent FTA Security Incident |url=https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20260118203606/https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |archive-date=18 January 2026 |access-date=26 March 2026 |website=Kiteworks}}</ref> On 20 January, hackers conducted more attacks after finding new vulnerabilities that included 2 more [[wikipedia:Zero-day_vulnerability|zero-day-vulnerabilities]]<ref name=":2">{{Cite web |date=1 March 2021 |title=ACCELLION, INC. FILE TRANSFER APPLIANCE (FTA) SECURITY ASSESSMENT |url=https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |url-status=live |archive-url=https://web.archive.org/web/20211128204658/https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |archive-date=28 November 2021 |access-date=27 March 2026 |website=Kiteworks}}</ref>, however after the vulnerability were noticed by Accellion customer service on 22 January, they were shortly patched three days later.<ref name=":0" /><ref name=":1" />Around late January, victims started receiving ransom emails that threatens to publish the stolen data. If the victim didn't respond, they would receive several more warnings messages urging the victim to respond.<ref>{{Cite web |last=Ilascu |first=Ionut |date=22 February 2021 |title=Global Accellion data breaches linked to Clop ransomware gang |url=https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |url-status=live |access-date=27 March 2026 |website=BleepingComputer}}</ref> The company would implement another patch on 28 January that enhanced the security of the 23 December patch. On 01 February, Accellion released an statement detailing the attack and adding no new vulnerabilities were detect at the time.<ref>{{Cite web |date=1 February 2021 |title=Press Release Accellion Provides Update to Recent FTA Security Incident |url=https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20210202020120/https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |archive-date=2 February 2021 |access-date=26 March 2026 |website=Accellion}}</ref> A last patch was implemented on 01 March in collaboration with [[wikipedia:Mandiant|Mandiant]] (subsidiary to [[Google]]) that fixed two additional vulnerabilities.<ref name=":2" /> Accellion would announce termination of its 20 year legacy [[wikipedia:File_transfer|File Transfer Appliance]], giving customers till 30 April to make any changes to their licensing agreements.<ref>{{Cite web |date=27 March 2026 |title=Accellion |url=https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |url-status=live |archive-url=https://web.archive.org/web/20220125042927/https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |archive-date=25 January 2022 |access-date=27 March 2026 |website=Kiteworks}}</ref>

[[File:~~Hacker~~ group last warning message.png|thumb|Hacker group last warning message]]

[[File:Accellion breach hacker group ransom demand message.png|thumb|alt=Hackers' ransom demand message.|Hackers' ransom demand message.]]

[[File:Accellion breach hacker group last warning message.png|thumb|alt=Hacker group's last warning message.|Hacker group's last warning message.]]

==List of responses from affected organizations==

@@ Line 14: / Line 14: @@
 ==The Attack==
-Around Mid December, FIN11 targeted Accellion 20 year legacy [[wikipedia:File_transfer|File Transfer Appliance]](FTA), deploying 2  [[wikipedia:Zero-day_vulnerability|zero-day-vulnerabilities]] that granted access to installation of a custom [[wikipedia:Web_shell|web shell]] named DEWMODE<ref>{{Cite web |date=23 February 2021 |title=Accellion Compromise Impacts Many Targets Including Healthcare Organizations |url=https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |url-status=live |access-date=26 March 2026 |website=hhs.gov}}</ref>, allowing for SQL injection into Accellion systems.  On 16 December, Accellion became aware of the vulnerability after a customer reported the vulnerability, and shorty after releasing a patch within 72 hours on 20 and 23 of December 2020.<ref name=":1">{{Cite web |last=Neill |first=Rob |date=3 March 2021 |title=Accellion hack: timeline clarifies when and how customers were notified |url=https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |url-status=live |access-date=26 March 2026 |website=ARN}}</ref> On 12 January, the company released a statement announcing  the attack and urging customers to update to their newely released communication platform kiteworks.<ref>{{Cite web |date=12 January 2021 |title=Press Release Accellion Responds to Recent FTA Security Incident |url=https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20260118203606/https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |archive-date=18 January 2026 |access-date=26 March 2026 |website=Kiteworks}}</ref>  On 20 January, hackers conducted more attacks after finding new vulnerabilities that included 2 more [[wikipedia:Zero-day_vulnerability|zero-day-vulnerabilities]]<ref name=":2">{{Cite web |date=1 March 2021 |title=ACCELLION, INC. FILE TRANSFER APPLIANCE (FTA) SECURITY ASSESSMENT |url=https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |url-status=live |archive-url=https://web.archive.org/web/20211128204658/https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |archive-date=28 November 2021 |access-date=27 March 2026 |website=Kiteworks}}</ref>, however after the vulnerability were noticed by Accellion customer service on 22 January, they were shortly patched three days later.<ref name=":0" /><ref name=":1" />Around late January, victims started receiving ransom emails that threatens to publish the stolen data. If the victim didn't respond, they would receive several more warnings messages urging the victim to respond.<ref>{{Cite web |last=Ilascu |first=Ionut |date=22 February 2021 |title=Global Accellion data breaches linked to Clop ransomware gang |url=https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |url-status=live |access-date=27 March 2026 |website=BleepingComputer}}</ref> The company would implement another patch on 28 January that enhanced the security of the 23 December patch. On 01 February, Accellion released an statement detailing the attack and adding no new vulnerabilities were detect at the time.<ref>{{Cite web |date=1 February 2021 |title=Press Release Accellion Provides Update to Recent FTA Security Incident |url=https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20210202020120/https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |archive-date=2 February 2021 |access-date=26 March 2026 |website=Accellion}}</ref>  A last patch was implemented on 01 March in collaboration with [[wikipedia:Mandiant|Mandiant]] (subsidiary to [[Google]]) that fixed two additional vulnerabilities.<ref name=":2" /> Accellion would announce termination of its 20 year legacy [[wikipedia:File_transfer|File Transfer Appliance]], giving customers till 30 April to make any changes to their licensing agreements.<ref>{{Cite web |date=27 March 2026 |title=Accellion |url=https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |url-status=live |archive-url=https://web.archive.org/web/20220125042927/https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |archive-date=25 January 2022 |access-date=27 March 2026 |website=Kiteworks}}</ref>[[File:Hacker group ransom demand message.png|alt=Hackers Ransom Demand Message|thumb|Hackers Ransom Demand Message ]]
+Around Mid December, FIN11 targeted Accellion 20 year legacy {{Wplink|File transfer|File Transfer Appliance}} (FTA), deploying two {{Wplink|Zero-day vulnerability|zero-day-vulnerabilities}} that granted access to installation of a custom [[wikipedia:Web_shell|web shell]] named DEWMODE<ref>{{Cite web |date=23 February 2021 |title=Accellion Compromise Impacts Many Targets Including Healthcare Organizations |url=https://www.hhs.gov/sites/default/files/accellion-analyst-note.pdf |url-status=live |access-date=26 March 2026 |website=hhs.gov}}</ref>, allowing for SQL injection into Accellion systems.  On 16 December, Accellion became aware of the vulnerability after a customer reported the vulnerability, and shorty after releasing a patch within 72 hours on 20 and 23 of December 2020.<ref name=":1">{{Cite web |last=Neill |first=Rob |date=3 March 2021 |title=Accellion hack: timeline clarifies when and how customers were notified |url=https://www.arnnet.com.au/article/1261917/accellion-hack-timeline-clarifies-when-and-how-customers-were-notified.html |url-status=live |access-date=26 March 2026 |website=ARN}}</ref> On 12 January, the company released a statement announcing  the attack and urging customers to update to their newely released communication platform kiteworks.<ref>{{Cite web |date=12 January 2021 |title=Press Release Accellion Responds to Recent FTA Security Incident |url=https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20260118203606/https://www.kiteworks.com/company/press-releases/accellion-responds-to-recent-fta-security-incident/ |archive-date=18 January 2026 |access-date=26 March 2026 |website=Kiteworks}}</ref>  On 20 January, hackers conducted more attacks after finding new vulnerabilities that included 2 more [[wikipedia:Zero-day_vulnerability|zero-day-vulnerabilities]]<ref name=":2">{{Cite web |date=1 March 2021 |title=ACCELLION, INC. FILE TRANSFER APPLIANCE (FTA) SECURITY ASSESSMENT |url=https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |url-status=live |archive-url=https://web.archive.org/web/20211128204658/https://kiteworks.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf |archive-date=28 November 2021 |access-date=27 March 2026 |website=Kiteworks}}</ref>, however after the vulnerability were noticed by Accellion customer service on 22 January, they were shortly patched three days later.<ref name=":0" /><ref name=":1" />Around late January, victims started receiving ransom emails that threatens to publish the stolen data. If the victim didn't respond, they would receive several more warnings messages urging the victim to respond.<ref>{{Cite web |last=Ilascu |first=Ionut |date=22 February 2021 |title=Global Accellion data breaches linked to Clop ransomware gang |url=https://www.bleepingcomputer.com/news/security/global-accellion-data-breaches-linked-to-clop-ransomware-gang/ |url-status=live |access-date=27 March 2026 |website=BleepingComputer}}</ref> The company would implement another patch on 28 January that enhanced the security of the 23 December patch. On 01 February, Accellion released an statement detailing the attack and adding no new vulnerabilities were detect at the time.<ref>{{Cite web |date=1 February 2021 |title=Press Release Accellion Provides Update to Recent FTA Security Incident |url=https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |url-status=live |archive-url=https://web.archive.org/web/20210202020120/https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/ |archive-date=2 February 2021 |access-date=26 March 2026 |website=Accellion}}</ref>  A last patch was implemented on 01 March in collaboration with [[wikipedia:Mandiant|Mandiant]] (subsidiary to [[Google]]) that fixed two additional vulnerabilities.<ref name=":2" /> Accellion would announce termination of its 20 year legacy [[wikipedia:File_transfer|File Transfer Appliance]], giving customers till 30 April to make any changes to their licensing agreements.<ref>{{Cite web |date=27 March 2026 |title=Accellion |url=https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |url-status=live |archive-url=https://web.archive.org/web/20220125042927/https://kiteworks.com/sites/default/files/resources/fta-eol.pdf |archive-date=25 January 2022 |access-date=27 March 2026 |website=Kiteworks}}</ref>
-[[File:Hacker group last warning message.png|thumb|Hacker group last warning message]]
+[[File:Accellion breach hacker group ransom demand message.png|thumb|alt=Hackers' ransom demand message.|Hackers' ransom demand message.]]
+[[File:Accellion breach hacker group last warning message.png|thumb|alt=Hacker group's last warning message.|Hacker group's last warning message.]]
 ==List of responses from affected organizations<!-- This contains only companies having any resemblance to consumers  -->==