Qualys has become the latest known victim of a data breach at enterprise firewall vendor Accellion that has affected numerous companies including, most notably, retail giant Kroger, law firm Jones Day, and the state of Washington.
In a statement late Wednesday, Qualys confirmed rumors that had been circulating all day about the company's network having been breached. But it provided few details on the nature of the incident or whether it had become a victim of the Clop ransomware strain, as numerous people reported via Twitter on Wednesday.
Qualys' statement and a blog post — attributed to CISO Ben Carr — merely noted that the company had become the victim of an unspecified security incident involving a previously disclosed vulnerability in Accellion's File Transfer Appliance (FTA). A Securities and Exchange Commission report on the incident that Qualys filed Thursday described the incident as a "data breach" but otherwise provided the same details as in the press release and blog post.
Qualys said it had been using Accellion's FTA to transfer encrypted files associated with its customer support system that had been manually uploaded to its systems. The company claimed that it had deployed the Accellion server in a completely segregated DMZ environment on its network that was separate from systems hosting and supporting the company's core Qualys Cloud Platform.
"Qualys has confirmed that there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform," Carr wrote in his blog post. "All Qualys platforms continue to be fully functional and at no time was there any operational impact."
Carr's statement and post, however, made no mention whether attackers had exploited the vulnerable Accellion FTA server to install ransomware on the company's network or whether they had leaked customer data pertaining to invoices, purchase orders, and tax documents. It did note that the "limited number" of customers affected by the breach had been immediately notified about the issue.
Several tweets surfaced on Wednesday from people claiming they had seen files that appeared to belong to Qualys being posted online by the operators of a ransomware strain known as Clop. Some even suggested that data belonging to thousands of customers had been leaked online. Third-party risk assessment firm Black Kite on Wednesday described one of its researchers as tracking new posts on the Clop website showing the ransomware gang was going after Qualys. According to Bob Maley, the company's chief security officer, the activity that Black Kite was able to observe suggested that Qualys was the victim of an Accellion-related third-party breach.
Qualys did not immediately respond to a Dark Reading request seeking clarity on whether the company had indeed been hit by ransomware or if customer data had been leaked online.
Accellion, in two separate releases, the first on Jan. 12 and the second on Feb. 1, disclosed that attackers had exploited multiple zero-day vulnerabilities in its FTA server. The Accellion FTA server is a 20-year-old, near-obsolete technology that many enterprises continue to use, however, to transfer large files. The technology is typically deployed on the DMZ of enterprise networks.
A subsequent FireEye Mandiant investigation of the Accellion breach showed that the attackers had used the vulnerabilities to install what up to that point had been a previously unknown Web shell named DEWMODE on the FTA server. The malware allowed the attackers to exfiltrate data from the networks of enterprise organizations using the Accellion technology to transfer data, FireEye Mandiant reported.
The security vendor's research uncovered data belonging to several Accellion FTA customers later surfacing on a FIN11 website; FIN11 is an advanced persistent threat actor most recently associated with operating the Clop ransomware strain. FireEye Mandiant described the stolen information as being used as leverage in attempts to extort money from victim organizations. FireEye Mandiant said its investigation showed the initial attack itself was pulled off by a previously unknown group that it is tracking as UNC2546. The extortion attempts, however, appeared to be the work of a separate, previously unknown group that Mandiant is tracking as UNC2582.
So far, several organizations, like Qualys, have publicly disclosed data breaches tied to the Accellion FTA vulnerabilities. Besides Kroger, Jones Day, and the state of Washington, other known victims include the Reserve Bank of New Zealand, Singapore Telecommunications (Singtel), and the government of New South Wales in Australia.
The breach at Accellion has drawn some comparisons to the one that SolarWinds disclosed last December. Both are the latest examples of attackers targeting a trusted third-party vendor to install malware and steal data from a large number of enterprise organizations. Security experts expect such attacks to become increasingly common because they give attackers a way to inflict widespread damage with minimal effort.