[BreachExchange] Infosec Firm Qualys Customer Data Leaked in a Suspected Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Mon Mar 15 10:38:13 EDT 2021


https://www.cpomagazine.com/cyber-security/infosec-firm-qualys-customer-data-leaked-in-a-suspected-ransomware-attack/

Information security and compliance firm Qualys confirmed it was a
victim of a data breach associated with the Clop ransomware gang.
Qualys confirmed the security incident after clients’ files surfaced
on a Tor blog site run by the ransomware operators.

Initially, the company spokeswoman acknowledged the security incident
but withheld more information because the incident was under
investigation. The company, however, denies experiencing a ransomware
attack during the incident.

The California-based infosec firm serves more than 10,000 clients in
over 130 countries and is among the Forbes Global 100.

Clop ransomware gang publishes Qualys customer information

Clop ransomware gang published customers’ purchase orders, invoices,
quotations, scanned reports, and tax documents on its Tor data leak
site. Subsequently, the tech colossus notified its customers of
unauthorized access to client information.

“We immediately notified the limited number of customers impacted by
this unauthorized access,” the company said.

However, Qualys did not disclose the actual number of clients affected
or if that information was available.

Qualys data leak associated with Accellion FTA zero-day exploit

Qualys confirmed that the data leak originated from the Accellion File
Transfer Appliance (FTA) used for customer support.

“New information has come out today related to a previously identified
zero-day exploit in a third-party solution, Accellion FTA, that Qualys
deployed to transfer the information as part of our customer support
system.”

The cybersecurity firm added that it deployed the Accellion FTA server
“in a segregated DMZ environment, completely separate from systems
that host and support Qualys products to transfer information.”

Ransomware attack ruled out of Qualys data breach

Like other companies affected by the Clop ransomware FTA breach,
Qualys clarified that it did not experience a ransomware attack.

The tech behemoth said there was “no impact on the Qualys production
environments, codebase or customer data hosted on the Qualys Cloud
Platform.” It was not clear whether Qualys received a ransom note like
other companies affected by the FTA data breach. Similar to a
ransomware attack scenario, Clop ransomware sends ransom notes to FTA
breach victims, warning of possible online publication of stolen data.

Accellion patched four zero-day vulnerabilities discovered early this
year, but criminals had potentially exploited them beforehand. Accellion
explained that the critical vulnerabilities could have allowed
attackers to execute arbitrary commands.

“The exploited vulnerabilities were of critical severity because they
were subject to exploitation via unauthenticated remote code
execution,” Accellion stated.

Accellion also suggested that the attackers reverse-engineered the
code to decipher the internal logic of the FTA.

The data breach occurred in December 2020, shortly before Accellion
provided a hotfix on December 21; Qualys' IT team applied it on
December 22. However, on December 24, the company received an
integrity alert indicating that hackers had already exploited the
zero-day vulnerability.

Other Accellion FTA breach victims include German tech firm Software
AG, London's The7stars, the Jones Day law firm, Bombardier, Singtel,
Fugro, Danaher and ABS Group, among others.

None of the companies experienced a ransomware attack associated with
the Clop gang data heist.

Although remote code execution vulnerabilities could be a gateway for
a ransomware attack, the Clop gang appears disinterested in the
opportunity for now.

The gang published data of over 1,300 companies, including defense and
space contractors. Some companies’ data was exfiltrated after
successful ransomware attacks. However, the gang also doubled up as a
data broker for other extortionist syndicates.

Qualys is still investigating the breach with the assistance of
FireEye Mandiant researchers. Consequently, additional information
about the breach could be available soon.

Ilia Kolochenko, Founder and Chief Architect at ImmuniWeb, praised
Qualys for its honesty in disclosing the breach.

“Qualys’s response to the incident is a laudable example of
transparent and professional handling of a security incident. Under
the integrity of currently disclosed circumstances, I see absolutely
no reason for panic.”

He also suggested that very few customers were potentially affected by
the breach. He added that sensitive details like user passwords were
not leaked. Kolochenko also claims that the leak was just a “security
incident” and not a “breach.”


According to Kolochenko, exploits affecting remote servers were
difficult to detect and prevent, and many victims were possibly
unaware of the unauthorized intrusion.

“The ongoing attacks against Accellion FTA servers are exploiting 0day
vulnerability on a server hosted outside of organizational premises,
and thus are hardly detectable or preventable. Many more companies and
organizations will likely fall victim to this sophisticated hacking
campaign soon.”

