The campaign closely resembles the attacks on the Accellion FTA file-sharing appliance through its own vulnerabilities, which came to light in December 2020.
Cybercriminals broke into corporate and government computer systems to steal confidential data through two vulnerabilities in a popular file-sharing server. As part of a global campaign, the attackers have already hit the office of the Japanese Prime Minister.
The attackers exploited vulnerabilities in FileZen, a popular file-sharing appliance from the Japanese company Soliton. The campaign closely resembles the attacks through vulnerabilities in the Accellion FTA file-sharing software that came to light in December 2020.
Victims of the Accellion FTA attacks included the Reserve Bank of New Zealand (the country's central bank), the law firm Allens, the University of Colorado and the Singapore telecommunications company Singtel, among others.
Accellion FTA and Soliton FileZen work the same way. Both products store large files that are too big to send by email: a user uploads a file to the FileZen server and receives a link to it through the web panel, which can then be shared with colleagues.
Like most vendors in this space, Soliton offers FileZen both as a cloud service and as a standalone appliance that can be installed on premises to meet data-privacy requirements in high-security environments.
According to The Record's sources, cybercriminals found a combination of two vulnerabilities and began exploiting it in January 2021. With it they broke into Internet-facing FileZen installations that were not shielded by a firewall.
The two vulnerabilities, CVE-2020-5639 and CVE-2021-20655, were patched by the vendor in December 2020 and February 2021, respectively. The first lets an attacker upload malicious files to the appliance; the second lets OS commands be executed with administrator privileges. Used together, they give an attacker who can reach the web interface a path from planting a file on the server to running code on it. To close both holes, users are advised to upgrade to version 4.2.8 or 5.0.3, and to keep the appliance's web interface behind a firewall rather than directly reachable from the Internet.
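The practical follow-up to the advice above is an inventory check: which FileZen hosts are still below the fixed release? The script below is an added example written for this page, not a Soliton tool. It assumes that the 4.x line is fixed at 4.2.8 and the 5.x line at 5.0.3 (the only fixed versions the article names), that builds older than 4.2.8 which are not on the 5.x line predate the fix, and that any later major line postdates it; the host names and versions in the sample inventory are constructed. It compares versions numerically rather than as strings, since a string comparison would wrongly rank "4.2.10" below "4.2.8".

```python
"""Flag Soliton FileZen installations that are below the patched releases.

Added example for this article, not vendor code. Assumptions:
  * the 4.x line is fixed at 4.2.8 and the 5.x line at 5.0.3
    (the article names only these two fixed versions);
  * versions below 4.2.8 that are not on the 5.x line (e.g. 3.x) are
    treated as unpatched, and major lines above 5 as postdating the fix.
"""
from typing import Dict, List, Tuple

# Fixed release per major line, as named in the article (assumption: per-line).
FIXED_RELEASE: Dict[int, Tuple[int, ...]] = {
    4: (4, 2, 8),
    5: (5, 0, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V4.2.10' or '4.2.10' into the tuple (4, 2, 10).

    Tuples compare numerically, so (4, 2, 10) > (4, 2, 8); the raw strings
    would compare the other way round.
    """
    cleaned = text.strip().lstrip("vV")
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_patch(version: str) -> bool:
    """True if the version is below the fixed release for its major line."""
    parsed = parse_version(version)
    major = parsed[0]
    if major > max(FIXED_RELEASE):
        # Assumption: a newer major line already carries the fix.
        return False
    # 3.x and older builds are measured against the 4.x fix (assumption).
    fixed = FIXED_RELEASE.get(major, FIXED_RELEASE[4])
    return parsed < fixed


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts (sorted) whose reported version still needs the patch."""
    return sorted(host for host, ver in inventory.items() if needs_patch(ver))


# Constructed sample inventory: host -> version string reported by the appliance.
SAMPLE_INVENTORY: Dict[str, str] = {
    "share-01.example.internal": "V4.2.7",   # below 4.2.8 -> unpatched
    "share-02.example.internal": "V4.2.10",  # above 4.2.8 despite string order
    "share-03.example.internal": "5.0.2",    # below 5.0.3 -> unpatched
    "share-04.example.internal": "V5.0.3",   # fixed release
}


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs upgrade to 4.2.8 / 5.0.3")
```

Feed it the version strings from your own appliances (the version is shown in the FileZen admin panel) and act on anything it lists; a host on a fixed version is still worth reviewing for files uploaded before the upgrade, since the article describes exploitation starting in January 2021.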
According to the same sources, there is not yet enough evidence to link the Accellion FTA and Soliton FileZen attacks. Nevertheless, the experts said they would not be surprised if the FileZen attacks were launched by the same group once the Accellion FTA attacks had become public knowledge.