Accellion FTA Vulnerabilities Exploited in APT Attacks - New AWAF Signatures
Recently it’s been reported that multiple threat actors are successfully exploiting newly discovered CVEs found in Accellion FTA (File Transfer Appliance). Accellion FTA is an enterprise grade secure file transfer solution – it is based on PHP and supports on-premise, private cloud or hosted configurations. The vulnerabilities were discovered in December 2020 and a patch was issued quickly by Accellion on December 23rd 2020. The CVEs are the following: • CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header • CVE-2021-27102 – Operating system command execution via a local web service call • CVE-2021-27103 – Server-side request forgery via a crafted POST • CVE-2021-27104 – Operating system command execution via a crafted POST Ideally, sensitive file sharing systems should be kept sufficiently restricted and network moderated – away from the access of public Internet. However, as it is a challenging task for organizations, many of them are failing to implement the required diligent steps to protect their digital assets. FireEye has published a full forensic breakdown of the attack by threat actor UNC2546: https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html From the report is seems the attack vector uses the SQLI vulnerability (CVE-2021-27101) to install the DEWMODE WebShell. The payloads as shown in this attack are: [.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))] [.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))] ['))union(select(loc_id)from(net1.servers)where(proximity)=(0))] These payload help the attacker extract a special key, which is subsequently used to interact with a page called sftp_account_edit.php. This page is used to install a simple eval WebShell, which is then used to upload the more sophisticated DEWMODE WebShell. Mitigation with Advanced WAF Advanced WAF customers under any supported version are already protected against this vulnerability as exploitation attempts will be detected by SQL Injection and Command Execution attack signatures. The SQL injection payloads have been tested against F5 WAF and found to be mitigated by the following attack signatures: 200002550 - SQL-INJ "end-quote UNION" (Parameter) 200000073 - SQL-INJ "UNION SELECT" (Parameter) 200002736 - SQL-INJ 'UNION SELECT (Parameter) 200002441 - SQL-INJ "reverse()" (Parameter) In addition, we have released dedicated attack signatures to provide coverage against the DEWMODE WebShell which was used extensively in this attack, in the form of the following signatures: 200019140 - DEWMODE WebShell upload attempt 200019141 - DEWMODE WebShell request attempt (2) 200019142 - Generic eval WebShell upload attempt 200019143 - DEWMODE WebShell detected 200019144 - DEWMODE WebShell request attempt (1) To include the signatures mentioned in this article in your policy – make sure to enable SQL-Injection and Trojan/Backdoor/Spyware attack types. The 3 other CVEs – concerning Operating System command execution and SSRF – can be mitigated with the Command Execution and Other Application Attacks signature sets.
