Qualys Gets ‘Clopped’ by Accellion-Exploiting Attackers
Security Firm Confirms Breach After Clop Ransomware Gang Posts Stolen Customer Data
Cybersecurity firm Qualys has confirmed that its systems were breached by attackers who hacked its Accellion File Transfer Appliance software to steal customer data. The firm is one of a growing number of FTA users that were breached by attackers who discovered zero-day flaws in FTA that they were able to remotely exploit (see: Accellion Attack Involved Extensive Reverse Engineering).
Based in Foster City, California, Qualys sells cloud-based IT, security and compliance products and has about 19,000 customers across 130 countries. In a statement released Wednesday evening, the company says it uses FTA solely “to transfer files as part of our customer support system.”
While customer data was stolen, Qualys says that attackers did not breach its “production environments, codebase or customer data hosted on the Qualys Cloud Platform,” and that all of its services remain operational and are functioning normally.
Qualys Update on Accellion FTA Security Incident https://t.co/MdBDfgvXFW
— Qualys (@qualys) March 3, 2021
Qualys issued its statement after the Clop – aka Cl0p – ransomware gang on Wednesday began listing Qualys as a victim on its leaks site and posted six screenshots containing stolen data. The image files are named “Screenshot_70.png” through “Screenshot_75.png.” The site also contains a listing for “files part 1” – apparently the first batch of stolen files – which is spread across three separate zip file archives available for download.
“Want to delete a page or buy data? Write to the email indicated on the homepage,” the gang’s site states. Clop is one of a number of ransomware gangs that run dedicated leaks sites where they can list victims, post extracts of stolen data, and sell or auction data unless victims give in to their extortion demands.
Qualys says the breach was mitigated by its having deployed Accellion in a segregated manner. “Qualys had deployed the Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support Qualys products to transfer information as part of our customer support system,” Qualys CISO Benn Carr says in a Wednesday blog post.
“Qualys chose the Accellion FTA solution for encrypted temporary transfer of manually uploaded files,” he says. “There was no connectivity between the Accellion FTA server and our production customer data environment – the Qualys Cloud Platform.”
A Qualys spokeswoman tells Information Security Media Group that all affected customers have been notified. She declined to say how many customers were affected pending the conclusion of the ongoing investigation.
Mandiant Investigates
Qualys has retained FireEye’s Mandiant incident response group to investigate the intrusion. Mandiant has been doing the same for Accellion after attackers apparently reverse-engineered FTA and identified multiple zero-day flaws, which they began using in December to steal data from users.
Other Accellion users whose systems were breached by FTA-targeting attackers, and whose data later appeared on the Clop ransomware gang’s data leaks site, include Australia’s securities regulator ASIC, government agency Transport for New South Wales and QIMR Berghofer Medical Research Institute.
Other victims include the Reserve Bank of New Zealand, Canadian aerospace firm Bombardier, the Office of the Washington State Auditor, the University of Colorado and U.S. grocery chain Kroger.
Timeline of Attacks
On Monday, Mandiant issued its final report on how attackers successfully hacked into FTA, noting that they appeared to have reverse-engineered the software. According to a timeline published by Mandiant, the first known attack against an FTA user occurred on Dec. 16, 2020. The attack triggered an anomaly detector in the Accellion software, instructing the customer to immediately contact Accellion, and the customer did so on the same day. After investigating, Accellion issued an emergency FTA patch to fix the targeted flaws on Dec. 20, and another patch on Dec. 23 that ran the anomaly detector hourly, instead of daily.
Subsequently, attackers retooled, targeting two other zero-day flaws beginning on Jan. 20 in a second attack wave. Accellion was alerted to the attacks on Jan. 22 and advised all customers to immediately stop using FTA. On Jan. 25, it issued a patch fixing the two new flaws, and on Jan. 28, it issued an update causing FTA to run anomaly checks every 10 minutes.
Qualys says it appears to have been hit during the first attack wave, despite having applied, on Dec. 22, 2020, the patch that Accellion had released less than 48 hours earlier.
Nevertheless, “we received an integrity alert on Dec. 24, 2020, and the impacted FTA server was immediately isolated from the network,” Carr says. “Accordingly, Qualys shut down the affected Accellion FTA servers and provided alternatives to customers for support-related file transfer.”
Working with Accellion, Carr says Qualys “conducted a detailed investigation and identified unauthorized access to files hosted on the Accellion FTA server,” and then “immediately notified the limited number of customers impacted by this unauthorized access.”
For three years, Accellion has been urging remaining FTA customers to ditch “legacy FTA software” and migrate to its newer product, Kiteworks, which is based on an entirely different code base. The company says Kiteworks is more secure than FTA. Accellion recently announced that it will stop supporting FTA on April 30. Security experts have urged all remaining FTA users to move to a new product before then.
Data Breach Notification
News that information stolen from Qualys had appeared on Clop’s data leaks site was first reported by Bleeping Computer on Wednesday.
Shortly thereafter, Qualys responded to a question posted to its Qualys Community customer portal linking to the Bleeping Computer story, which asked: “Was there a breach at Qualys?”
A Qualys employee responded: “We are preparing a response to this, and will communicate to affected customers when it’s ready (today).”
About six hours after the customer posed the question, Qualys released its official statement.
“I’m surprised as to how slow Qualys were in issuing a statement/clarification as to what actually happened,” says Brian Honan, head of cybersecurity consultancy BH Consulting in Dublin, and an adviser to Europol’s European Cybercrime Center.
“Particularly as this news seems to be related to an old breach, I would have expected a PR statement would have been prepared to cover this eventuality. Remember, most people won’t judge a company for being the victim of a crime resulting in a breach but will judge it for how it responds to a breach.”
The value of Qualys’ stock, which trades on the Nasdaq Stock Market, fell about 7% after news of the breach came to light.
Hack Attack: Who’s Responsible?
Qualys is the first security firm known to be affected by the Accellion hack. As the recently discovered SolarWinds supply chain attack also demonstrates, security firms are far from immune to attacks targeting their software (see: Yes Virginia, Even Security Software Has Flaws).
Whether the Clop ransomware operators are directly responsible for the Accellion hack remains unclear. But the attacks and discovery of the four zero-day flaws that were targeted “demonstrate a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software, likely obtained through extensive reverse-engineering of the software,” Mandiant reports.
In other words, the attackers appear to have devoted significant time to studying the nearly 20-year-old software and finding ways to exploit it.
Mandiant says it’s currently tracking three groups that appear to be involved (see: Do Ransomware Operators Have a Russian Government Nexus?).
- UNC2546: A group of hackers tracked by Mandiant; UNC is short for uncategorized, meaning the firm doesn’t yet have enough evidence to classify it as being either APT or FIN, referring to distinct nation-state or financially motivated hacking groups.
- UNC2582: A group using stolen data to extort FTA customers.
- FIN11: A financially motivated group that Mandiant says may have ties to Russia-based TA505 – aka Dudear and Evil Corp – and which has “shifting monetization methods – from point-of-sale malware in 2018, to ransomware in 2019, and hybrid extortion in 2020.” In the final months of 2020, the group also began to deploy Clop ransomware against targets.
“The overlaps between FIN11, UNC2546 and UNC2582 are compelling, but we continue to track these clusters separately while we evaluate the nature of their relationships,” Mandiant says.