Blog Viewer

Manual Mitigation for Zero-Day vulnerability disclosure in Accellion FTA

By Patrick Mccrudden(csp) posted 02-26-2021 04:18

  

**Updated 5th March 2021**

A recent zero-day disclosure was published for Accellion FTA as part of an attack campaign where cyber criminals exploit Accellion FTA for data theft and Extortion.

 

Vulnerability Description:
You can read more about it in the original disclosure blogpost published by FireEye in the following link:
https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html

 

 

Cloud WAF customers and On-Prem customers that have “SecureSphere Emergency Feed” (THR feeds) are already protected OOTB.

 

Below are manual mitigation steps to address Accellion FTA Exploitation (for On-Prem customers):

 

  1. Create a new manual dictionary or use an existing one
  2. Create 5 new signatures (inside the dictionary from the previous step) with the following definition:

 

  • Signature name:

Accellion FTA Exploitation - DEWMODE Web Shell Communication 1

  • Signature pattern:

part="/home/seos/courier/", part="dwn", part="fn=", rgxp="\/home\/seos\/courier\/(about\.html|httpd\.pid|oauth\.api|DF|cache\.jz\.gz)"

  • Protocols:
    http
    https
  • Search Signature in:

Urls And Parameters

 

 

  • Signature name:

Accellion FTA Exploitation - DEWMODE Web Shell Communication 2

  • Signature pattern:

part="/tmp/", part="dwn", part="fn=", rgxp="\/tmp\/\.?(out|scr)"

  • Protocols:
    http
    https
  • Search Signature in:

Urls And Parameters

 

 

  • Signature name:

Accellion FTA Exploitation - DEWMODE Web Shell RCE 1

  • Signature pattern:

part="/home/seos/courier/", part="csrftoken", rgxp="csrftoken\=(11454bd782bb41db213d415e10a0fb3c|bdfd11b1b092b7c61ce5f02ffc5ad55a)"

  • Protocols:
    http
    https
  • Search Signature in:

Urls And Parameters

 

 

  • Signature name:

Accellion FTA Exploitation - DEWMODE Web Shell RCE 2

  • Signature pattern:

part="/tmp/", part="csrftoken", rgxp="csrftoken=(11454bd782bb41db213d415e10a0fb3c|bdfd11b1b092b7c61ce5f02ffc5ad55a)"

  • Protocols:
    http
    https
  • Search Signature in:

Urls And Parameters

 

 

  • Signature name:

Accellion FTA Exploitation - DEWMODE Web Shell File Dump

  • Signature pattern:

part="/courier/cache.js.gz”

  • Protocols:
    http
    https
  • Search Signature in:

Url

 

       3. Create a new “HTTP Protocol Signatures” policy that uses the dictionary from step 1 and apply it.



#On-PremisesWAF(formerlySecuresphere)
0 comments
95 views

Permalink