Qualys Confirms Unauthorized Access to Data via Accellion Hack
Hours after the Clop ransomware gang published data allegedly stolen from information security and compliance solutions provider Qualys, the company has confirmed being impacted by the recent cyberattack involving Accellion’s FTA product.
Founded in 1999, the California-based firm serves more than 10,000 customers in over 130 countries around the world, including many of the Forbes Global 100 companies.
Data allegedly stolen from the company, including scan results and financial documents, was published on the “CL0P^_- LEAKS” Tor website this week. Maintained by the operators of the Clop ransomware, the portal is used to publish data stolen from victims unwilling to give in to their ransom demands.
Initially, the website would list data exfiltrated during ransomware attacks, but as of late it has been flooded with data stolen from various organizations that were relying on the Accellion FTA file transfer software.
The data was compromised during a December 2020 cyber-attack that Accellion confirmed earlier this year. Four zero-day vulnerabilities in the FTA product were exploited in the attack; Accellion has since patched all of them.
In a report published a couple of weeks ago, FireEye's Mandiant researchers linked the attack to the FIN11 cybercrime group, which has been described as a spin-off of TA505.
“The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,” Accellion noted in a report detailing Mandiant’s investigation into the incident.
The company also said the attackers likely reverse engineered the file transfer software, noting that the attack showed "a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software."
Following the publishing of its data on Clop’s leaks website, Qualys confirmed impact from the Accellion FTA incident, saying that it resulted in “unauthorized access to files hosted on the Accellion FTA server.”
The company also notes that the unauthorized access was limited to the FTA server and that the incident had no “impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform.”
The Accellion FTA server, the company explains, was deployed in a segregated DMZ environment, separated from the production customer data environment. Qualys also says it applied Accellion's hotfix immediately after receiving it, and that it completely isolated the FTA server after receiving an integrity alert a few days later. The order of those events matters: an integrity alert raised after the hotfix indicates the server had already been compromised before the fix landed, which is why isolation, rather than the patch alone, was the appropriate response.
“We immediately notified the limited number of customers impacted by this unauthorized access,” Qualys says, without providing additional information on the compromised data or the number of affected customers.