Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/4/2021
11:35 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Qualys Is the Latest Victim of Accellion Data Breach

Security vendor confirms attackers exploited a previously disclosed vulnerability in the enterprise firewall technology to breach its network.

Qualys has become the latest known victim of a data breach at enterprise firewall vendor Accellion that has affected numerous companies including, most notably, retail giant Kroger, law firm Jones Day, and the state of Washington.

In a statement late Wednesday, Qualys confirmed rumors that had been circulating all day about the company's network having been breached. But it provided few details on the nature of the incident or whether it had become a victim of the Clop ransomware strain, as numerous people reported via Twitter on Wednesday.

Related Content:

Accellion Data Breach Resulted in Extortion Attempts Against Multiple Victims

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Cybercrime 'Help Wanted': Job Hunting on the Dark Web

Qualys' statement and a blog post — attributed to CISO Ben Carr — merely noted that the company had become the victim of an unspecified security incident involving a previously disclosed vulnerability in Accellion's File Transfer Appliance (FTA). A Securities and Exchange Commission report on the incident that Qualys filed Thursday described the incident as a "data breach" but otherwise provided the same details as in the press release and blog post.

Qualys said it had been using Accellion's FTA to transfer encrypted files associated with its customer support system that had been manually uploaded to its systems. The company claimed that it had deployed the Accellion server in a completely segregated DMZ environment on its network that was separate from systems hosting and supporting the company's core Qualys Cloud Platform.

"Qualys has confirmed that there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform," Carr wrote in his blog post. "All Qualys platforms continue to be fully functional and at no time was there any operational impact."

Carr's statement and post, however, made no mention whether attackers had exploited the vulnerable Accellion FTA server to install ransomware on the company's network or whether they had leaked customer data pertaining to invoices, purchase orders, and tax documents. It did note that the "limited number" of customers affected by the breach had been immediately notified about the issue.

Several tweets surfaced on Wednesday from people claiming they had seen files that appeared to belong to Qualys being posted online by the operators of a ransomware strain known as Clop. Some even suggested that data belonging to thousands of customers had been leaked online. Third-party risk assessment firm Black Kite on Wednesday described one of its researchers as tracking new posts on the Clop website showing the ransomware gang was going after Qualys. According to Bob Maley, the company's chief security officer, the activity that Black Kite was able to observe suggested that Qualys was the victim of an Accellion-related third-party breach.

Qualys did not immediately respond to a Dark Reading request seeking clarity on whether the company had indeed been hit by ransomware or if customer data had been leaked online.

Accellion, in two separate releases, the first on Jan. 12 and the second on Feb. 1, disclosed that attackers had exploited multiple zero-day vulnerabilities in its FTA server. The Accellion FTA server is a 20-year-old, near-obsolete technology that many enterprises continue to use, however, to transfer large files. The technology is typically deployed on the DMZ of enterprise networks.

A subsequent FireEye Mandiant investigation of the Accellion breach showed that the attackers had used the vulnerabilities to install what up to that point had been a previously unknown Web shell named DEWMODE on the FTA server. The malware allowed the attackers to exfiltrate data from the networks of enterprise organizations using the Accellion technology to transfer data, FireEye Mandiant reported. 

The security vendor's research uncovered data belonging to several Accellion FTA customers later surfacing on a FIN11 website; FIN11 is an advanced persistent threat actor most recently associated with operating the Clop ransomware strain. FireEye Mandiant described the stolen information as being used as leverage in attempts to extort money from victim organizations. FireEye Mandiant said its investigation showed the initial attack itself was pulled off by a previously unknown group that it is tracking as UNC2546. The extortion attempts, however, appeared to be the work of a separate, previously unknown group that Mandiant is tracking as UNC2582.

So far, several organizations, like Qualys, have publicly disclosed data breaches tied to the Accellion FTA vulnerabilities. Besides Kroger, Jones Day, and the state of Washington, other known victims include the Reserve Bank of New Zealand, Singapore Telecommunications (Singtel), and the government of New South Wales in Australia.

The breach at Accellion has drawn some comparisons to the one that SolarWinds disclosed last December. Both are the latest examples of attackers targeting a trusted third-party vendor to install malware and steal data from a large number of enterprise organizations. Security experts expect such attacks to become increasingly common because they give attackers a way to inflict widespread damage with minimal effort.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...