Hacker working at night showing suspected ransomware attack

Infosec Firm Qualys Customer Data Leaked in a Suspected Ransomware Attack

Information security and compliance firm Qualys confirmed it was a victim of a data breach associated with the Clop ransomware gang. Qualys confirmed the security incident after clients’ files surfaced on a Tor blog site run by the ransomware operators.

Initially, the company spokeswoman acknowledged the security incident but withheld more information because the incident was under investigation. The company, however, denies experiencing a ransomware attack during the incident.

The California-based infosec firm serves more than 10,000 clients in over 130 countries and is among the Forbes Global 100.

Clop ransomware gang publishes Qualys customer information

Clop ransomware gang published customers’ purchase orders, invoices, quotations, scanned reports, and tax documents on its Tor data leak site. Subsequently, the tech colossus notified its customers of unauthorized access to client information.

“We immediately notified the limited number of customers impacted by this unauthorized access,” the company said.

However, Qualys did not disclose the actual number of clients affected or if that information was available.

Qualys data leak associated with Accellion FTA zero-day exploit

Qualys confirmed that the data leak originated from the Accellion File Transfer Appliance (FTA) used for customer support.

“New information has come out today related to a previously identified zero-day exploit in a third-party solution, Accellion FTA, that Qualys deployed to transfer the information as part of our customer support system.”

The cybersecurity firm added that it deployed the Accellion FTA server “in a segregated DMZ environment, completely separate from systems that host and support Qualys products to transfer information.”

Ransomware attack ruled out of Qualys data breach

Like other companies affected by the Clop ransomware FTA breach, Qualys clarified that it did not experience a ransomware attack.

The tech behemoth said there was “no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform.” It was not clear whether Qualys received a ransom note like other companies affected by the FTA data breach. Similar to a ransomware attack scenario, Clop ransomware sends ransom notes to FTA breach victims, warning of possible online publication of stolen data.

Accellion patched four zero-day vulnerabilities discovered early this year but criminals potentially exploited them beforehand. Accellion explained that the critical vulnerabilities could have allowed attackers to execute arbitrary commands.

“The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,” Accellion stated.

Accellion also suggested that the attackers reverse-engineered the code to decipher the internal logic of the FTA.

The data breach occurred in December 2020, shortly before Accellion provided a hotfix on December 21 and Qualys IT team applied it on December 22. However, on December 24, the company received an integrity alert, indicating that hackers had already exploited the zero-day vulnerability.

Other Accellion FTA breach victims include German tech firm Software AG, London’s The7stars, Jones Day law firm, Bombardier, Singtel, Fugro, Danaher, ABS Group among others.

None of the companies experienced a ransomware attack associated with the Clop gang data heist.

Although remote code execution vulnerabilities could be a gateway for a ransomware attack, the Clop gang appears disinterested in the opportunity for now.

The gang published data of over 1,300 companies, including defense and space contractors. Some companies’ data was exfiltrated after successful ransomware attacks. However, the gang also doubled up as a data broker for other extortionist syndicates.

Qualys is still investigating the breach with the assistance of FireEye Mandiant researchers. Consequently, additional information about the breach could be available soon.

Ilia Kolochenko, Founder and Chief Architect at ImmuniWeb, praised Qualys for its honesty in disclosing the breach.

“Qualys’s response to the incident is a laudable example of transparent and professional handling of a security incident. Under the integrity of currently disclosed circumstances, I see absolutely no reason for panic.”

He also suggested that very few customers were potentially affected by the breach. He added that sensitive details like user passwords were not leaked. Kolochenko also claims that the leak was just a “security incident” and not a “breach.”

According to Kolochenko, exploits affecting remote servers were difficult to detect and prevent, and many victims were possibly unaware of the unauthorized intrusion.

“The ongoing attacks against Accellion FTA servers are exploiting 0day vulnerability on a server hosted outside of organizational premises, and thus are hardly detectable or preventable. Many more companies and organizations will likely fall victim to this sophisticated hacking campaign soon.”