Energy Giant Shell is the Latest Victim of Accellion Hacks
Oil and Gas Giant Royal Dutch Shell (Shell) Discloses its Accellion FTA was Hacked.
Since mid-December 2020, multiple organizations have fallen victim to Accellion hacks. They confirmed that hackers exploited zero-day vulnerabilities in the File Transfer Appliance (FTA) to gain access to sensitive files that each organization had shared through it.
One of these organizations is Royal Dutch Shell plc, commonly known as Shell, a multinational oil and gas company with more than 86,000 employees in over 70 countries.
In the 2020 Forbes Global 2000, Royal Dutch Shell was ranked as the 21st-largest public company in the world.
Shell is probably the latest victim to have suffered a data breach after attackers compromised the company’s secure file-sharing system powered by Accellion’s File Transfer Appliance (FTA).
Shell’s network was not affected by the attack
In a statement last week, Shell confirmed that it too was affected by the security incident, but that the incident affected only the Accellion FTA appliance used to transfer large data files securely.
As stated by Shell, the data accessed during a “limited window of time” contained some personal data together with data from Shell companies and some of their stakeholders.
“Upon learning of the incident, Shell addressed the vulnerabilities with its service provider and cybersecurity team, and started an investigation to better understand the nature and extent of the incident.
There is no evidence of any impact to Shell’s core IT systems as the file transfer service is isolated from the rest of Shell’s digital infrastructure.”
Previous attacks have involved the Clop ransomware gang and FIN11
We don’t know exactly who was behind the data breach, when the incident occurred or when it was discovered by Shell. According to Bleeping Computer, previous attacks have involved the Clop ransomware gang and FIN11.
There’s no evidence at the time of writing that any of the stolen data from Shell has been published.
A coordinated announcement from Accellion and Mandiant clarified how the attacks against the Accellion FTA devices took place.
In its press release, Accellion said there were 300 customers using its legacy, 20-year-old File Transfer Appliance (FTA). Of these customers, fewer than 100 were victims of the attacks from Clop and FIN11, and fewer than 25 “appear to have suffered significant data theft.”
Last year, FIN11 joined the ransomware business and started to encrypt the networks of their victims using Clop.
An American cybersecurity firm has been tracking the recent exploitation of Accellion FTA through multiple zero-days under the name UNC2546. The following vulnerabilities have been discovered:
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
BleepingComputer has reported breaches affecting multiple organizations following attacks targeting Accellion FTA, including cybersecurity firm Qualys, the supermarket giant Kroger, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), Singtel, QIMR Berghofer Medical Research Institute, and the Office of the Washington State Auditor (“SAO”).
The individuals and stakeholders affected by the Shell data security incident have been contacted to address possible risks, but the company didn’t divulge the exact number of impacted entities.
“Cybersecurity and personal data privacy are important for Shell and we work continuously to improve our information risk management practices. We will continue to monitor our IT systems and improve our security. We regret the concern and inconvenience this may cause affected parties.” — Shell
Shell also reached out to relevant data authorities and regulators.