Cybersecurity firm Qualys is likely the latest victim to have suffered a data breach after a zero-day vulnerability in their Accellion FTA server was exploited to steal hosted files.
In December, a wave of attacks targeted the Accellion FTA file-sharing application using a zero-day vulnerability that allowed attackers to steal files stored on the server.
Since then, the Clop ransomware gang has been extorting these victims by posting the stolen data on their ransomware data leak site.
As Accellion FTA devices are standalone servers designed to sit outside a network's security perimeter and be accessible to the public, there have been no reported attacks on these devices leading to the compromise of internal systems.
Before today, the known victims extorted by Clop included Transport for NSW, Singtel, Bombardier, geo-data specialist Fugro, law firm Jones Day, science and technology company Danaher, and technical services company ABS Group.
Qualys the latest victim to be extorted
Yesterday, the Clop ransomware gang posted screenshots of files allegedly belonging to the cybersecurity firm Qualys. The leaked data includes purchase orders, invoices, tax documents, and scan reports.
As reported by Valery Marchive of LeMagIT and confirmed by BleepingComputer, Qualys had an Accellion FTA device located on their network.
The Accellion FTA device was located at fts-na.qualys.com, and the IP address used by the server is assigned to Qualys. Qualys has since decommissioned the FTA device, with Shodan showing it was last active on February 18th, 2021.
It is unknown if Clop sent ransom notes to Qualys regarding the attack, but other victims have received them in the past, according to a report by Mandiant.
It is still unclear if the Clop ransomware gang carried out the attacks on Accellion FTA devices themselves or is partnering with another group to share the files and extort victims publicly.
Clop has in the past sent emails to journalists, including BleepingComputer, about new Accellion FTA victims posted to their site.
BleepingComputer contacted Qualys before publication and is awaiting an official statement.
Qualys confirms Accellion FTA breach
In a statement issued tonight, Qualys confirmed that their Accellion FTA server was breached in December 2020 and that the breach affected a limited number of customers.
As the server was deployed in their DMZ, which is segregated from their internal network, Qualys' product environment was not compromised.
"New information has come out today related to a previously identified zero-day exploit in a third-party solution, Accellion FTA, that Qualys deployed to transfer information as part of our customer support system."
"Qualys has confirmed that there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform. All Qualys platforms continue to be fully functional and at no time was there any operational impact."
"Qualys had deployed the Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support Qualys products, to transfer information as part of our customer support system," Qualys disclosed in a security incident notice today.
Qualys states that they have shut down the affected Accellion FTA servers and switched to other applications for support-related file transfers.
Currently, Qualys is still investigating the breach and has hired Mandiant to assist them.