Cyber Incident Victim: American Bureau of Shipping
Date: Dec 2020
Location: United States of America
Summary
The American Bureau of Shipping was among multiple organizations compromised through zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA), leading to unauthorized data exfiltration. Attackers linked to the Clop ransomware gang and the FIN11 threat group installed a previously unseen web shell, DEWMODE, to steal sensitive files. No ransomware was deployed; instead the actors ran an extortion campaign, threatening to publish the stolen data unless they were paid. The intrusion chain relied on SQL injection and OS command execution flaws in the appliance to gain initial access and pull data off the compromised systems.
Description
In mid-December 2020, threat actors began exploiting zero-day vulnerabilities in Accellion's legacy File Transfer Appliance (FTA), ultimately affecting approximately 100 organizations globally, including the American Bureau of Shipping's technical services subsidiary ABS Group. The attackers, identified as the Clop ransomware gang and the financially motivated FIN11 threat group, used four vulnerabilities: CVE-2021-27101 (SQL injection via a crafted Host header), CVE-2021-27102 (OS command execution via a local web service call), CVE-2021-27103 (SSRF via a crafted POST request), and CVE-2021-27104 (OS command execution via a crafted POST request). The December wave chained the SQL injection with command execution; after Accellion's initial patch, a second wave in late January 2021 exploited the SSRF and the second command-execution flaw. Through these, they wrote a new web shell, DEWMODE, onto compromised appliances. DEWMODE queried the FTA's MySQL database for the stored files and their metadata, rendered the list on an HTML page, and let the operators download the files from that interface. Unlike typical Clop ransomware operations, the attackers did not deploy file-encrypting malware but exfiltrated sensitive data for extortion. Mandiant tracked the exploitation activity as UNC2546 and the subsequent extortion campaign as UNC2582, noting overlaps with prior FIN11 operations. The attackers stole 73 GB of data from Singaporean telecom Singtel alone; the volume taken from ABS Group was not disclosed.
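The web shell in this campaign was a file written into the appliance's web root, so one control a defender can apply to an appliance whose internals they cannot patch is a hashed baseline of that directory tree, re-scanned on a schedule. The script below is an added example, not code from the original page, Accellion, or Mandiant: it builds a SHA-256 manifest of a directory, diffs a later scan against it, and flags new or altered server-side script files. The directory layout, file names and contents are constructed for the demo and do not describe the real FTA layout or the real DEWMODE file.

```python
"""Detect dropped or modified script files under a web root by diffing a
SHA-256 manifest against a baseline.

Added example (not from the original page). The web-root layout, file names
and contents used in demo() are constructed for illustration only.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions the appliance's web server would execute; a dropped web shell
# is either a new file with one of these suffixes or code appended to an
# existing one. Assumed list: tune it to the platform being monitored.
SCRIPT_SUFFIXES = {".php", ".phtml", ".cgi", ".pl", ".py", ".sh"}


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, modified and removed relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_changes(changes: dict) -> list:
    """Keep only added or modified files whose suffix the server executes.

    Returns (kind, relative_path) tuples, added entries first.
    """
    hits = []
    for kind in ("added", "modified"):
        for rel in changes[kind]:
            if Path(rel).suffix.lower() in SCRIPT_SUFFIXES:
                hits.append((kind, rel))
    return hits


def demo() -> list:
    """Build a constructed web root, baseline it, simulate a web shell drop
    and an appended page, then return what the re-scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "courier").mkdir()
        (root / "courier" / "index.php").write_text("<?php echo 'ok'; ?>\n")
        (root / "courier" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = hash_tree(root)

        # Constructed attacker activity: one new script file, and extra code
        # appended to a legitimate page. The image is left untouched.
        (root / "courier" / "tmp_cache.php").write_text("<?php /* shell */ ?>\n")
        with open(root / "courier" / "index.php", "a") as f:
            f.write("<?php /* appended */ ?>\n")

        changes = diff_manifests(baseline, hash_tree(root))
        return suspicious_changes(changes)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind}: {rel}")
```

In production the baseline manifest is stored off the appliance (an attacker with command execution on the box can rewrite a local one), the scan runs from a host that mounts or pulls the web root read-only, and removed files are reported too, since deleting a shell after use is part of the same pattern.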

By late January 2021, victims including ABS Group began receiving extortion emails threatening public release of the stolen data on Clop's leak site unless ransoms were paid. Accellion patched the vulnerabilities and urged customers to migrate to its modern Kiteworks platform. Mandiant attributed the campaign to FIN11 on the basis of infrastructure overlaps, including an IP address assigned to Fortunix Networks L.P. that had previously been linked to FIN11 malware operations. The breach affected multiple high-profile organizations beyond ABS Group, including Kroger, the Reserve Bank of New Zealand, and the Washington State Auditor's Office, exposing sensitive institutional and personal data. Mandiant highlighted the collaboration between Clop and FIN11 in this campaign, which built on their joint ransomware activity in 2020. Incident response focused on containment through patching and migration off the legacy appliance, though the use of zero-days meant there was no signature to detect the initial exploitation. The operation marked a shift toward pure data theft and extortion without encryption, with Accellion's legacy file-transfer systems, which hold exactly the data customers most want kept private, as the target.
