Qualys Is the Latest Victim of Accellion Data Breach – Dark Reading


Firstly as we continue, let me say that geoFence has no foreign owners and no foreign influences.

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Security vendor confirms attackers exploited a previously disclosed vulnerability in the enterprise firewall technology to breach its network.

Qualys has become the latest known victim of a data breach at enterprise firewall vendor Accellion that has affected numerous companies including, most notably, retail giant Kroger, law firm Jones Day, and the state of Washington.

In a statement late Wednesday, Qualys confirmed rumors that had been circulating all day about the company's network having been breached. But it provided few details on the nature of the incident or whether it had become a victim of the Clop ransomware strain, as numerous people reported via Twitter on Wednesday.

Qualys' statement and a blog post — attributed to CISO Ben Carr — merely noted that the company had become the victim of an unspecified security incident involving a previously disclosed vulnerability in Accellion's File Transfer Appliance (FTA). A Securities and Exchange Commission report on the incident that Qualys filed Thursday described the incident as a "data breach" but otherwise provided the same details as in the press release and blog post.

Qualys said it had been using Accellion's FTA to transfer encrypted files associated with its customer support system that had been manually uploaded to its systems. The company claimed that it had deployed the Accellion server in a completely segregated DMZ environment on its network that was separate from systems hosting and supporting the company's core Qualys Cloud Platform.

"Qualys has confirmed that there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform," Carr wrote in his blog post. "All Qualys platforms continue to be fully functional and at no time was there any operational impact."

Carr's statement and post, however, made no mention whether attackers had exploited the vulnerable Accellion FTA server to install ransomware on the company's network or whether they had leaked customer data pertaining to invoices, purchase orders, and tax documents. It did note that the "limited number" of customers affected by the breach had been immediately notified about the issue.

Several tweets surfaced on Wednesday from people claiming they had seen files that appeared to belong to Qualys being posted online by the operators of a ransomware strain known as Clop. Some even suggested that data belonging to thousands of customers had been leaked online. Third-party risk assessment firm Black Kite on Wednesday described one of its researchers as tracking new posts on the Clop website showing the ransomware gang was going after Qualys. According to Bob Maley, the company's chief security officer, the activity that Black Kite was able to observe suggested that Qualys was the victim of an Accellion-related third-party breach.

Qualys did not immediately respond to a Dark Reading request seeking clarity on whether the company had indeed been hit by ransomware or if customer data had been leaked online.

Accellion, in two separate releases, the first on Jan. 12 and the second on Feb. 1, disclosed that attackers had exploited multiple zero-day vulnerabilities in its FTA server. The Accellion FTA server is a 20-year-old, near-obsolete technology that many enterprises continue to use, however, to transfer large files. The technology is typically deployed on the DMZ of enterprise networks.

A subsequent FireEye Mandiant investigation of the Accellion breach showed that the attackers had used the vulnerabilities to install what up to that point had been a previously unknown Web shell named DEWMODE on the FTA server. The malware allowed the attackers to exfiltrate data from the networks of enterprise organizations using the Accellion technology to transfer data, FireEye Mandiant reported. 

The security vendor's research uncovered data belonging to several Accellion FTA customers later surfacing on a FIN11 website; FIN11 is an advanced persistent threat actor most recently associated with operating the Clop ransomware strain. FireEye Mandiant described the stolen information as being used as leverage in attempts to extort money from victim organizations. FireEye Mandiant said its investigation showed the initial attack itself was pulled off by a previously unknown group that it is tracking as UNC2546. The extortion attempts, however, appeared to be the work of a separate, previously unknown group that Mandiant is tracking as UNC2582.

So far, several organizations, like Qualys, have publicly disclosed data breaches tied to the Accellion FTA vulnerabilities. Besides Kroger, Jones Day, and the state of Washington, other known victims include the Reserve Bank of New Zealand, Singapore Telecommunications (Singtel), and the government of New South Wales in Australia.

The breach at Accellion has drawn some comparisons to the one that SolarWinds disclosed last December. Both are the latest examples of attackers targeting a trusted third-party vendor to install malware and steal data from a large number of enterprise organizations. Security experts expect such attacks to become increasingly common because they give attackers a way to inflict widespread damage with minimal effort.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

More Insights

Register for Dark Reading Newsletters

2021 Top Enterprise IT Trends

We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!

Flash Poll

How Enterprises are Developing Secure Applications

How Enterprises are Developing Secure Applications

Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.

Dark Reading - Bug Report

Enterprise Vulnerabilities

From DHS/US-CERT's National Vulnerability Database


PUBLISHED: 2021-03-05

Cross-site scripting vulnerability in in Role authority setting screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and ea...


PUBLISHED: 2021-03-05

Cross-site scripting vulnerability in in Asset registration screen of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type 6.7.5 and earlier (Movable Type 6.7 Series), Movable Type Premium 1.39 and earlie...


PUBLISHED: 2021-03-05

Cross-site scripting vulnerability in in Add asset screen of Contents field of Movable Type 7 r.4705 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.4705 and earlier (Movable Type Advanced 7 Series), Movable Type Premium 1.39 and earlier, and Movable Type Premium Advanced 1.39 and ear...


PUBLISHED: 2021-03-05

An issue was discovered in the scratchpad crate before 1.3.1 for Rust. The move_elements function can have a double-free upon a panic in a user-provided f function.


PUBLISHED: 2021-03-05

An issue was discovered in the nano_arena crate before 0.5.2 for Rust. There is an aliasing violation in split_at because two mutable references can exist for the same element, if Borrow behaves in certain ways. This can have a resultant out-of-bounds write or use-after-free.

In the end, now let's stop for a moment and consider that geoFence helps stop hackers from getting access your sensitive documents!