Cyberattack: Bombardier disappears from Cl0p's list of victims

[Update February 23, 2021 @ 9:00 pm] In a press release, Bombardier has just admitted having been "recently the object of a cybersecurity attack with limited consequences". According to the aircraft manufacturer, "an unauthorized third party accessed and extracted data by taking advantage of a flaw in a third-party file transfer application that was running on specialized servers isolated from Bombardier's main IT network". It states that initial analyses "independently confirmed that the company's security controls were effective in limiting the scope and extent of the incident."

As a reminder, Bombardier was using Accellion's File Transfer Appliance (FTA), whose vulnerabilities have already been exploited by the same group of attackers to compromise data at other users of the product. We have identified a few dozen organizations, in North America and in Europe in particular, that may have constituted potential targets for the attackers involved. The list of victims claimed by the operators of the Cl0p campaign could therefore grow longer in the days and weeks to come.

[Original article] The operators of the Cl0p ransomware claim on their blog to have stolen files from Bombardier. They do not indicate the volume of data concerned, but present, on their blog, screenshots of what look like CAD files, some of them related to one of the Canadian aircraft manufacturer's jets, among other technical data. Bombardier had not responded to requests sent by e-mail by the editorial staff at the time of this publication. We will update this article when those answers reach us.

The aircraft manufacturer thus extends the list of victims recently claimed by the operators of the Cl0p ransomware, which includes the American Bureau of Shipping (eagle.org), Jones Day, SingTel, Fugro and Danaher. And that may not be a coincidence. Brett Winterford, on the Risky.biz blog, has established a link between these five victims: "these five companies have historically published web portals where customers or third parties could send and receive large files using the Accellion file transfer appliance". And that also applies to Bombardier, according to data from the specialist search engine Shodan, at least until the end of January.

Indeed, in a blog post, the teams of Mandiant, a division of FireEye, explain that, "since mid-December 2020, the malicious actors tracked by Mandiant under the designation UNC2546 have exploited multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA) to install a newly discovered web shell called DEWMODE". Several affected organizations have since started receiving extortion emails threatening to publish the data stolen via the web shell on the Cl0p ransomware operators' blog.

Activities related to this blog have so far been tracked by Mandiant under the designation UNC2582. Mandiant indicates that it has observed links with previous operations of the FIN11 group, considered a spin-off of TA505, a group that ANSSI, France's national agency for information systems security, examined in great detail in June 2020.

In a press release, Accellion draws on Mandiant's analysis to "strongly recommend that FTA customers migrate to Kiteworks, [its] enterprise content firewall platform". It also states that it has corrected "all known vulnerabilities of FTA exploited by malicious actors", while adding further monitoring and alerting capabilities to identify "the anomalies associated with these attack vectors".