Qualys Is the Latest Victim of Accellion Data Breach

Security vendor confirms attackers exploited a previously disclosed vulnerability in the enterprise firewall technology to breach its network.

Qualys has become the latest known victim of a data breach at enterprise firewall vendor Accellion that has affected numerous companies including, most notably, retail giant Kroger, law firm Jones Day, and the state of Washington.

In a statement late Wednesday, Qualys confirmed rumors that had been circulating all day about the company's network having been breached. But it provided few details on the nature of the incident or whether it had become a victim of the Clop ransomware strain, as numerous people reported via Twitter on Wednesday.

Qualys' statement and a blog post — attributed to CISO Ben Carr — merely noted that the company had become the victim of an unspecified security incident involving a previously disclosed vulnerability in Accellion's File Transfer Appliance (FTA). A Securities and Exchange Commission report on the incident that Qualys filed Thursday described the incident as a "data breach" but otherwise provided the same details as in the press release and blog post.

Qualys said it had been using Accellion's FTA to transfer encrypted files associated with its customer support system that had been manually uploaded to its systems. The company claimed that it had deployed the Accellion server in a completely segregated DMZ environment on its network that was separate from systems hosting and supporting the company's core Qualys Cloud Platform.

"Qualys has confirmed that there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform," Carr wrote in his blog post. "All Qualys platforms continue to be fully functional and at no time was there any operational impact."

Carr's statement and post, however, made no mention of whether attackers had exploited the vulnerable Accellion FTA server to install ransomware on the company's network or whether they had leaked customer data pertaining to invoices, purchase orders, and tax documents. It did note that the "limited number" of customers affected by the breach had been immediately notified about the issue.

Several tweets surfaced on Wednesday from people claiming they had seen files that appeared to belong to Qualys being posted online by the operators of a ransomware strain known as Clop. Some even suggested that data belonging to thousands of customers had been leaked online. Third-party risk assessment firm Black Kite on Wednesday described one of its researchers as tracking new posts on the Clop website showing the ransomware gang was going after Qualys. According to Bob Maley, the company's chief security officer, the activity that Black Kite was able to observe suggested that Qualys was the victim of an Accellion-related third-party breach.

Qualys did not immediately respond to a Dark Reading request seeking clarity on whether the company had indeed been hit by ransomware or if customer data had been leaked online.

Accellion, in two separate releases, the first on Jan. 12 and the second on Feb. 1, disclosed that attackers had exploited multiple zero-day vulnerabilities in its FTA server. The Accellion FTA server is a 20-year-old, near-obsolete technology that many enterprises nonetheless continue to use to transfer large files. The technology is typically deployed on the DMZ of enterprise networks.

A subsequent FireEye Mandiant investigation of the Accellion breach showed that the attackers had used the vulnerabilities to install a previously unknown Web shell named DEWMODE on the FTA server. The malware allowed the attackers to exfiltrate data from the networks of enterprise organizations using the Accellion technology to transfer data, FireEye Mandiant reported.

The security vendor's research uncovered data belonging to several Accellion FTA customers later surfacing on a FIN11 website; FIN11 is an advanced persistent threat actor most recently associated with operating the Clop ransomware strain. FireEye Mandiant described the stolen information as being used as leverage in attempts to extort money from victim organizations. FireEye Mandiant said its investigation showed the initial attack itself was pulled off by a previously unknown group that it is tracking as UNC2546. The extortion attempts, however, appeared to be the work of a separate, previously unknown group that Mandiant is tracking as UNC2582.

So far, several organizations, like Qualys, have publicly disclosed data breaches tied to the Accellion FTA vulnerabilities. Besides Kroger, Jones Day, and the state of Washington, other known victims include the Reserve Bank of New Zealand, Singapore Telecommunications (Singtel), and the government of New South Wales in Australia.

The breach at Accellion has drawn some comparisons to the one that SolarWinds disclosed last December. Both are the latest examples of attackers targeting a trusted third-party vendor to install malware and steal data from a large number of enterprise organizations. Security experts expect such attacks to become increasingly common because they give attackers a way to inflict widespread damage with minimal effort.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
