Canadian airplane manufacturer Bombardier has disclosed a security breach after some of the stolen data was published on a dark web portal operated by the Clop ransomware gang.
According to an initial investigation, an unauthorized party accessed and exfiltrated data by exploiting a vulnerability in a third-party file-transfer application that was running on purpose-built servers isolated from the main Bombardier IT network.
Although the company did not name the appliance, it is likely referring to Accellion FTA, a web server that companies use to host and share large files that cannot be sent to customers and employees by email.
A zero-day found in the FTA software in December 2020 was exploited to attack companies worldwide. The threat actors took over systems, installed a web shell, and then stole sensitive data.
Accellion also stated in a press release that 300 of its customers were running FTA servers, of which 100 were attacked, and that data was stolen from around 25.
Data from some old FTA customers appeared on the leak site hosted on the dark web, where the Clop ransomware gang lists companies that have not paid the ransom.
Bombardier’s name appeared on that list, which prompted the airplane maker to disclose its security breach to the public.
The data shared on the site included design documents for various Bombardier airplanes and plane parts. Even though personal data was not shared, the airplane maker is furious that some of its private intellectual property is now being offered as a free download on the dark web.
According to security firm FireEye, the FTA hacking campaign and extortion efforts are the work of a major cybercrime group tracked as FIN11.