Bombardier, the Canadian manufacturer of business and commercial aircraft, has come forward as the latest victim of the wide-ranging Accellion FTA cyber attack after its data appeared on a dark web leak site operated by the Cl0p ransomware syndicate.
The firm described a “limited” breach in which an unauthorised party accessed and extracted data via a vulnerability in a third-party file transfer application. It said its Accellion instance was running on purpose-built servers isolated from its main network.
“Forensic analysis revealed that personal and other confidential information relating to employees, customers and suppliers was compromised,” the firm said in a statement. “Approximately 130 employees located in Costa Rica were impacted. Bombardier has been proactively contacting customers and other external stakeholders whose data was potentially compromised.
“The ongoing investigation indicates that the unauthorised access was limited solely to data stored on the specific servers. Manufacturing and customer support operations have not been impacted or interrupted.
“Bombardier can also confirm the company was not specifically targeted – the vulnerability impacted multiple organisations using the application. Bombardier will continue to assess the situation and stay in close contact with its clients, suppliers and employees, as well as other stakeholders.”
To date, more than 20 organisations, including the Reserve Bank of New Zealand, Singaporean telco Singtel and law firm Jones Day have had data stolen by the group behind the Accellion attack.
At the time of writing, analysis from forensics experts at Mandiant shows that the group exploited a total of four vulnerabilities in Accellion’s FTA product, tracked as CVE-2021-27101, an SQL injection via a crafted Host header; CVE-2021-27102, operating system (OS) command execution via a local web service call; CVE-2021-27103, server-side request forgery (SSRF) via a crafted POST request; and CVE-2021-27104, OS command execution via a crafted POST request.
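The first of those flaws is the one a defender can most plausibly look for after the fact: an injection carried in the Host header leaves a request header that is not a syntactically valid hostname. The following detector is an added example, not code from Mandiant, Accellion or Bombardier, and it assumes the web tier in front of the application was configured to log the Host request header (an Apache `LogFormat` of `"%h %t \"%r\" %>s \"%{Host}i\""`). The log lines are constructed for illustration and contain no real exploit payload; the script flags any Host value that fails RFC 3986 host syntax or carries SQL metacharacters and keywords.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real victim logs). Format assumed:
# client_ip [timestamp] "request line" status "Host header"
SAMPLE_LOGS = [
    '203.0.113.5 [20/Feb/2021:10:01:02 +0000] "GET /home HTTP/1.1" 200 "fta.example.com"',
    '203.0.113.5 [20/Feb/2021:10:01:09 +0000] "POST /upload HTTP/1.1" 200 "fta.example.com"',
    '198.51.100.7 [20/Feb/2021:10:02:30 +0000] "GET /home HTTP/1.1" 200 "fta.example.com\' UNION SELECT 1,2,3-- "',
    '198.51.100.7 [20/Feb/2021:10:02:31 +0000] "GET /home HTTP/1.1" 200 "fta.example.com\'; sleep(5)#"',
    '192.0.2.9 [20/Feb/2021:10:03:00 +0000] "GET /home HTTP/1.1" 200 "10.0.0.1:443"',
]

# One regex per field of the assumed log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<host>.*)"$'
)

# A legitimate Host header is a reg-name, an IPv4 literal, or a bracketed IPv6
# literal, optionally followed by ":port" (RFC 3986 / RFC 7230). Anything else
# is at minimum malformed and worth a second look.
VALID_HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%-]+)(:\d{1,5})?$")

# Cheap SQL-injection indicators: quoting/comment characters and common keywords.
SQLI_HINT_RE = re.compile(
    r"(['\"`;]|--|/\*|\b(union|select|sleep|benchmark|waitfor)\b)", re.IGNORECASE
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def score_host(host: str) -> List[str]:
    """Return the reasons a Host header value looks suspicious (empty if clean)."""
    reasons: List[str] = []
    if not VALID_HOST_RE.match(host):
        reasons.append("host is not a syntactically valid hostname/IP[:port]")
    m = SQLI_HINT_RE.search(host)
    if m:
        reasons.append(f"SQL injection indicator {m.group(0)!r} in host")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the Host-header checks over log lines and collect findings."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these
        reasons = score_host(rec["host"])
        if reasons:
            findings.append(
                {"ip": rec["ip"], "ts": rec["ts"], "host": rec["host"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} {f['ip']} host={f['host']!r}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Two of the five constructed lines are flagged, both from the same client address. The syntactic check is the one to keep: it has essentially no false positives, because browsers and legitimate clients never send quotes or spaces in a Host header, while the keyword check adds context for triage but would need tuning on a real corpus.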
Accellion confirmed in a statement that all four of the CVEs have been patched, but it continues to strongly recommend that all FTA customers migrate to its newer enterprise content firewall platform, kiteworks, which is built on an entirely different code base with a new security architecture and a segregated, secured DevOps process. The kiteworks service is GDPR and HIPAA compliant, and FedRAMP authorised for moderate CUI for US users.
The firm said it had identified two distinct groups of affected FTA users, but that out of 300 total clients, fewer than 100 were attack victims and fewer than 25 have suffered any data loss.
Mandiant is currently tracking the Accellion attackers as UNC2546, and subsequent extortion activity as UNC2582, both of which share overlaps – including IP addresses and email accounts – associated with previous FIN11, or Cl0p, operations.
However, none of the Accellion victims has actually been extorted with the Cl0p ransomware itself; they have merely had their data published on the same CL0P^_-LEAKS.onion website used by the Cl0p operators, so the precise nature of the relationship remains somewhat nebulous.
“The overlaps between FIN11, UNC2546 and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships,” said Mandiant’s team.
“One of the specific challenges is that the scope of the overlaps with FIN11 is limited to the later stages of the attack lifecycle. UNC2546 uses a different infection vector and foothold and, unlike FIN11, we have not observed the actors expanding their presence across impacted networks. We therefore have insufficient evidence to attribute the FTA exploitation…or data theft extortion activity to FIN11.”
Investigations into the attack continue.