Before MOVEit and GoAnywhere, Cl0p's playbook was born on a 20-year-old Accellion box
The Accellion FTA breaches of late 2020 are where Cl0p's mass-data-theft-and-extortion model started. Four CVEs in a legacy file-transfer appliance, exploited to steal data from dozens of organizations. The product was already two decades old and on its way out.
The Cl0p extortion campaigns that hit MOVEit (90+ million people) and GoAnywhere didn’t come from nowhere. The model (find a managed file-transfer product, exploit it at scale, steal the data, and extort the victims without bothering to encrypt) was forged on the Accellion File Transfer Appliance (FTA) in late 2020 and early 2021. Four vulnerabilities, CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104, were chained by the group Mandiant tracked as UNC2546 to breach the FTA appliances of dozens of organizations, including major retailers, universities, banks, and law firms. The stolen data showed up on Cl0p’s leak site. It was the dress rehearsal for everything that followed.
The bugs and the box
The four CVEs are a mix of SQL injection (27101), OS command execution (27102 and 27104), and server-side request forgery (27103). Chained together they gave unauthenticated access and code execution on the FTA, which was then used to deploy a web shell (DEWMODE) that exfiltrated the files passing through the appliance. CISA’s KEV catalog flags all four as known to be used in ransomware campaigns.
The detail that matters most: the Accellion FTA was a roughly 20-year-old product already at end of life. Accellion had been steering customers to its newer Kiteworks platform, and FTA was on a deprecation path. So the breaches landed on a legacy file-transfer appliance that organizations kept running because it still worked and migrating was a project nobody scheduled, exactly the profile of the EOL edge devices and legacy software that fill this catalog.
The lessons it set in motion
- Managed file-transfer appliances are a category target. Accellion proved the thesis Cl0p then ran with: MFT products concentrate many organizations’ sensitive data, they’re internet-facing, and they have exploitable bugs. The crew industrialized it across product after product. If you run any MFT software, assume it’s on a target list.
- Data-theft extortion doesn’t need ransomware. The Accellion victims weren’t encrypted; their data was stolen and they were extorted with the threat of publication. This “exfiltrate and extort” model, now standard, means your defenses can’t just focus on stopping encryption.
- End-of-life infrastructure is where these campaigns land. A 20-year-old appliance on a deprecation path is exactly the kind of forgotten, unpatchable system attackers hunt. The breaches were partly a failure to retire dead software on schedule.
What to do
- Retire Accellion FTA (and any end-of-life MFT) immediately. It’s been deprecated for years; if you somehow still run it, decommission it and migrate. No further security is coming for a dead product.
- Inventory and minimize your MFT footprint. Know every file-transfer appliance and service you run, keep them patched and off the open internet, and reduce how many you operate.
- Map where your sensitive data flows, including through vendors’ MFT. As MOVEit later made unavoidable, your data sitting in a third party’s file-transfer system is your exposure; minimize what you send and how long it persists.
- Defend against exfiltration, not just encryption. Monitor for large outbound data flows from file-transfer systems, and assume the extortion model is theft-based.
- Assume breach on any FTA that was exposed in the 2020-2021 window and treat the data it handled as compromised for notification purposes.
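The “defend against exfiltration” item above is the one that turns into detection logic. The script below is an added example, not code from the original post or from any vendor: it buckets outbound bytes from each file-transfer host by hour, builds a per-host baseline from the host’s own earlier hours, and raises an alert when an hour exceeds both an absolute floor and a multiple of that baseline, noting any destination the host has never sent to before. The flow records are constructed for the demo, and the column layout, the 5× multiplier, the 100 MB floor and the two-hour minimum history are assumptions you would tune against your own NetFlow, firewall or proxy export.

```python
"""Volume-based exfiltration detection over MFT egress flow logs.

Added example (not from the original post). Flags an hour in which a
file-transfer host sends far more data outbound than its own recent
baseline. Field layout and thresholds are assumptions for this demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed sample egress flow records, not real logs. Columns:
# timestamp  source_host  destination_ip  bytes_sent
# mft-01 normally moves ~4 MB per hour to a few partner addresses; on the
# third day it pushes ~560 MB in one hour to an address it has never used.
SAMPLE_FLOWS = """\
2021-01-20T01:05:00Z mft-01 203.0.113.10 4200000
2021-01-20T02:10:00Z mft-01 203.0.113.11 3900000
2021-01-20T03:15:00Z mft-01 203.0.113.12 4100000
2021-01-20T04:20:00Z mft-01 203.0.113.13 3800000
2021-01-21T01:05:00Z mft-01 203.0.113.10 4000000
2021-01-21T02:10:00Z mft-01 203.0.113.11 4300000
2021-01-21T03:15:00Z mft-01 203.0.113.12 3700000
2021-01-21T04:20:00Z mft-01 203.0.113.13 4100000
2021-01-22T02:00:00Z mft-01 198.51.100.7 250000000
2021-01-22T02:20:00Z mft-01 198.51.100.7 310000000
2021-01-22T03:00:00Z mft-01 203.0.113.12 4000000
2021-01-20T09:00:00Z mft-02 203.0.113.20 12000000
2021-01-21T09:00:00Z mft-02 203.0.113.20 11000000
2021-01-22T09:00:00Z mft-02 203.0.113.20 13000000
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    host: str
    dst: str
    sent: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow lines into time-ordered records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, sent = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append(Flow(when, host, dst, int(sent)))
    return sorted(flows, key=lambda f: f.ts)


def hourly_buckets(flows: List[Flow]) -> Dict[str, List[Tuple[datetime, int, Set[str]]]]:
    """Return {host: [(hour_start, total_bytes, destinations), ...]} in time order."""
    totals: Dict[str, Dict[datetime, list]] = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for f in flows:
        hour = f.ts.replace(minute=0, second=0, microsecond=0)
        bucket = totals[f.host][hour]
        bucket[0] += f.sent
        bucket[1].add(f.dst)
    return {host: [(h, b[0], b[1]) for h, b in sorted(hours.items())]
            for host, hours in totals.items()}


def detect_exfil(flows: List[Flow], multiplier: float = 5.0,
                 abs_floor: int = 100_000_000, min_history: int = 2) -> List[dict]:
    """Alert on hours whose outbound volume dwarfs the host's own median hour.

    Thresholds are demo assumptions: the baseline is the median of the host's
    earlier hourly totals (median so one big hour does not poison it), an alert
    needs at least `min_history` earlier hours, and must clear both the
    absolute floor and `multiplier` times the baseline.
    """
    alerts = []
    for host, buckets in hourly_buckets(flows).items():
        history: List[int] = []
        seen_dsts: Set[str] = set()
        for hour, total, dsts in buckets:
            if len(history) >= min_history:
                baseline = median(history)
                if total >= abs_floor and total >= multiplier * baseline:
                    alerts.append({
                        "host": host,
                        "hour": hour.strftime("%Y-%m-%dT%H:%M:%SZ"),
                        "bytes": total,
                        "baseline": baseline,
                        # Destinations this host had never sent to before this hour.
                        "new_destinations": sorted(dsts - seen_dsts),
                    })
            history.append(total)
            seen_dsts |= dsts
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the constructed data this raises exactly one alert, for mft-01 at 02:00 on the third day, with a baseline of about 4 MB/hour and 198.51.100.7 listed as a never-before-seen destination; the other MFT host’s steady 11 to 13 MB hours stay quiet. In production you would seed the history from a longer lookback than two hours and review the never-seen destination separately, since a legitimate new partner also trips that field.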
The reframe is to recognize Accellion as the origin point of a now-dominant attack model and to act on what it taught. Cl0p learned on a forgotten 20-year-old appliance that managed file transfer is a data goldmine, and they’ve been mining the category ever since. Retire your dead MFT, minimize and map your data flows, and defend against exfiltration. We track the file-transfer entries as one continuous story, because Accellion was chapter one and the campaign never ended.