**Updated 5th March 2021**
A recent zero-day disclosure was published for Accellion FTA as part of an attack campaign in which cybercriminals exploit Accellion FTA for data theft and extortion.
Vulnerability Description:
You can read more about it in the original disclosure blogpost published by FireEye in the following link:
https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
Cloud WAF customers and On-Prem customers that have the “SecureSphere Emergency Feed” (THR feeds) enabled are already protected out of the box (OOTB).
Below are manual mitigation steps to address Accellion FTA Exploitation (for On-Prem customers):
1. Create a new manual dictionary or use an existing one.
2. Create 5 new signatures (inside the dictionary from the previous step) with the following definitions:

   **Accellion FTA Exploitation - DEWMODE Web Shell Communication 1**
   `part="/home/seos/courier/", part="dwn", part="fn=", rgxp="\/home\/seos\/courier\/(about\.html|httpd\.pid|oauth\.api|DF|cache\.jz\.gz)"`
   - Protocols: http, https
   - Search Signature in: Urls And Parameters

   **Accellion FTA Exploitation - DEWMODE Web Shell Communication 2**
   `part="/tmp/", part="dwn", part="fn=", rgxp="\/tmp\/\.?(out|scr)"`
   - Protocols: http, https
   - Search Signature in: Urls And Parameters

   **Accellion FTA Exploitation - DEWMODE Web Shell RCE 1**
   `part="/home/seos/courier/", part="csrftoken", rgxp="csrftoken\=(11454bd782bb41db213d415e10a0fb3c|bdfd11b1b092b7c61ce5f02ffc5ad55a)"`
   - Protocols: http, https
   - Search Signature in: Urls And Parameters

   **Accellion FTA Exploitation - DEWMODE Web Shell RCE 2**
   `part="/tmp/", part="csrftoken", rgxp="csrftoken=(11454bd782bb41db213d415e10a0fb3c|bdfd11b1b092b7c61ce5f02ffc5ad55a)"`
   - Protocols: http, https
   - Search Signature in: Urls And Parameters

   **Accellion FTA Exploitation - DEWMODE Web Shell File Dump**
   `part="/courier/cache.js.gz"`
   - Protocols: http, https
   - Search Signature in: Url
3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it.
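To sanity-check the five definitions before rolling them out, here is a small evaluator (an added example, not Imperva or SecureSphere code) that parses the `part=`/`rgxp=` syntax above and runs it over constructed sample requests. It assumes every `part` literal must be present and the `rgxp` must also match, and that "Url" signatures look at the path only while "Urls And Parameters" signatures look at path plus query string; it also rejects a definition whose quotes did not parse (a curly quote pasted from a web page is a common way to break one).

```python
import re
from dataclasses import dataclass, field

# Matches one part="..." or rgxp="..." token of a SecureSphere-style definition.
TOKEN = re.compile(r'(part|rgxp)="((?:[^"\\]|\\.)*)"')

@dataclass
class Signature:
    name: str
    search_in: str                      # "url" or "url+params" (assumed semantics)
    parts: list = field(default_factory=list)
    regex: object = None                # compiled pattern, or None

def parse_signature(name, definition, search_in="url+params"):
    """Parse a definition string; every part= literal and the rgxp= must hit."""
    sig = Signature(name, search_in)
    for kind, value in TOKEN.findall(definition):
        if kind == "part":
            sig.parts.append(value)
        else:
            sig.regex = re.compile(value)
    if not sig.parts and sig.regex is None:   # e.g. a curly quote broke the token
        raise ValueError(f"{name}: no part=/rgxp= tokens found, check the quotes")
    return sig

def matches(sig, path, query):
    text = path if sig.search_in == "url" else f"{path}?{query}"
    if not all(p in text for p in sig.parts):
        return False
    return sig.regex is None or sig.regex.search(text) is not None

# The five definitions from the mitigation steps above, copied verbatim.
SIGNATURES = [
    parse_signature("DEWMODE Web Shell Communication 1",
        r'part="/home/seos/courier/", part="dwn", part="fn=", rgxp="\/home\/seos\/courier\/(about\.html|httpd\.pid|oauth\.api|DF|cache\.jz\.gz)"'),
    parse_signature("DEWMODE Web Shell Communication 2",
        r'part="/tmp/", part="dwn", part="fn=", rgxp="\/tmp\/\.?(out|scr)"'),
    parse_signature("DEWMODE Web Shell RCE 1",
        r'part="/home/seos/courier/", part="csrftoken", rgxp="csrftoken\=(11454bd782bb41db213d415e10a0fb3c|bdfd11b1b092b7c61ce5f02ffc5ad55a)"'),
    parse_signature("DEWMODE Web Shell RCE 2",
        r'part="/tmp/", part="csrftoken", rgxp="csrftoken=(11454bd782bb41db213d415e10a0fb3c|bdfd11b1b092b7c61ce5f02ffc5ad55a)"'),
    parse_signature("DEWMODE Web Shell File Dump",
        r'part="/courier/cache.js.gz"', search_in="url"),
]

def evaluate(path, query=""):
    """Return the names of every signature that fires on one request."""
    return [s.name for s in SIGNATURES if matches(s, path, query)]

if __name__ == "__main__":
    # Constructed sample requests: one hit per pattern family, one benign login page.
    print(evaluate("/courier/about.html", "dwn=1&fn=/home/seos/courier/httpd.pid"))
    print(evaluate("/courier/cache.js.gz"))
    print(evaluate("/courier/web/1000@/wmLogin.html", "csrftoken=abc123"))
```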