Enterprise cloud security firm Qualys has become the latest victim to join a long list of entities to have suffered a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance (FTA) server were exploited to steal sensitive business documents.
As proof of access to the data, the cybercriminals behind the recent hacks targeting Accellion FTA servers have shared screenshots of files belonging to the company's customers on a publicly accessible data leak site operated by the CLOP ransomware gang.
Confirming the incident, Qualys Chief Information Security Officer Ben Carr said a detailed probe "identified unauthorized access to files hosted on the Accellion FTA server" located in a DMZ (aka demilitarized zone) environment that is segregated from the rest of the internal network.
"Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access," Carr added. "The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform."
Last month, FireEye's Mandiant threat intelligence team disclosed details of four zero-day flaws in the FTA application that were exploited by threat actors to mount a wide-ranging data theft and extortion campaign, which involved deploying a web shell called DEWMODE on target networks to exfiltrate sensitive data, followed by sending extortion emails to threaten victims into paying bitcoin ransoms, failing which the stolen data was posted on the data leak site.
While two of the flaws (CVE-2021-27101 and CVE-2021-27104) were addressed by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) were identified and fixed earlier this year on January 25.
Qualys did not say if it received extortion messages in the wake of the breach, but said an investigation into the incident is ongoing.
"The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution," Mandiant said in a security assessment of the FTA software published earlier this week.
Additionally, Mandiant's source code analysis uncovered two more previously unknown security flaws in the FTA software, both of which have been rectified in an FTA patch (version 9.12.444) released on March 1:
- CVE-2021-27730: An argument injection vulnerability (CVSS score 6.6) accessible only to authenticated users with administrative privileges, and
- CVE-2021-27731: A stored cross-site scripting flaw (CVSS score 8.1) accessible only to regular authenticated users
The FireEye-owned subsidiary is tracking the exploitation activity and the follow-on extortion scheme under two separate threat clusters it calls UNC2546 and UNC2582, respectively, with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor dubbed FIN11. But it is still unclear what connection, if any, the two clusters may have with the operators of Clop ransomware.