
Cyber Incident Victim: Danaher

Date: Dec 2020

Location: United States of America

Summary

A global cyberattack exploiting multiple zero-day vulnerabilities in Accellion's legacy File Transfer Appliance impacted numerous organizations, including Danaher, through data theft and extortion. Threat actors associated with the Clop ransomware gang and FIN11 group deployed a novel DEWMODE web shell to steal sensitive files without deploying encryption malware, instead issuing ransom threats to publish stolen data unless payments were made. The attackers leveraged SQL injection and command execution flaws to compromise systems, with forensic evidence linking infrastructure to previous FIN11 phishing operations.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

In mid-December 2020, threat actors exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to breach approximately 100 organizations globally, including Fortune 500 science and technology corporation Danaher. The attackers, identified as the Clop ransomware gang and financially motivated group FIN11, combined vulnerabilities CVE-2021-27101 (SQL injection), CVE-2021-27102 (OS command execution), CVE-2021-27103 (SSRF), and CVE-2021-27104 (OS command execution) to gain unauthorized access. They deployed a previously unseen web shell called DEWMODE to extract files directly from the FTA’s MySQL database, listing stolen files with metadata on an HTML interface. Unlike typical Clop operations, the attackers did not deploy file-encrypting ransomware but instead exfiltrated sensitive data for extortion purposes. Among the confirmed victims were supermarket chain Kroger, telecommunications provider Singtel, the Reserve Bank of New Zealand, and Danaher, though the specific nature of stolen data from each organization was not disclosed. The attackers maintained access until at least late January 2021, when victims began receiving extortion emails threatening public data leaks unless ransoms were paid.


FireEye Mandiant investigators tracked the technical exploitation as UNC2546 and the subsequent extortion campaign as UNC2582, noting operational overlaps with FIN11’s historical phishing activities. Forensic analysis revealed that IP addresses used for DEWMODE communications were linked to Fortunix Networks L.P., a network previously associated with FIN11 malware distribution. Some victim organizations had also experienced prior FIN11 compromises, strengthening the connection. Accellion released patches for all four vulnerabilities and accelerated efforts to migrate customers from the legacy FTA platform to its Kiteworks solution. Mandiant assessed the FIN11 linkage as compelling but stopped short of full attribution due to insufficient evidence. The incident resulted in confirmed data theft from multiple entities, with Clop claiming responsibility for exfiltrating 73GB of Singtel’s data alone. No public data leaks or ransom payments were reported in connection with Danaher as of the article’s publication date.

Sources: 1 source (available to members)