Priority: High
Summary
On March 3rd 2021, a group known as Clop leaked files which appeared to originate from vulnerability management provider Qualys. These included documents such as purchase orders and scan reports [1]. Qualys later released a statement explaining that they were aware of the issue and that they believe it relates to a breach of their Accellion FTA in December 2020.
Accellion FTA is a file transfer system which was deployed by Qualys as part of their customer support system to transfer files. This indicates that the data stolen will have involved files uploaded to Qualys through their support system. Qualys has confirmed that their Accellion FTA server was breached in December 2020 and affected a limited number of customers [3].
Qualys have stated that ‘there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform. All Qualys platforms continue to be fully functional and at no time was there any operational impact.’ [2] They have also stated that affected customers were contacted in December [3].
Background
On March 3rd 2021, Qualys released information regarding a data breach they had suffered and the resulting loss of data [2]. The company had received new information about a previously identified zero-day exploit in a third-party solution called Accellion FTA, which Qualys deployed to transfer information as part of their customer support system.
The Accellion FTA server was deployed by Qualys in a segregated DMZ environment. It was used as part of their support system in order to exchange files, and is separated from systems that host and support Qualys products. The Accellion FTA product is a third-party system fully managed by Accellion [2]. The zero-day was exploited on a number of Accellion FTA systems in December [4].
Qualys have stated that they co-ordinated with Accellion to perform an investigation into the incident in December, during which they identified unauthorised access to files hosted on the Accellion FTA server. Qualys then notified the customers who had been affected.
The data was released on an extortion site managed by hackers. It is believed that Clop are releasing the data stolen in December, and there is no indication that any more Qualys customers have been affected since. It is unclear if Clop were responsible for the data breach in December, or whether they are acting on behalf of a third party. This attack is indicative of the rising popularity of extortion attacks whereby threat actors do not encrypt customer data, but hold victims to ransom by threatening to release documents they have allegedly stolen.
Qualys have engaged FireEye Mandiant, who also worked with Accellion on the wider investigation, and will continue to provide updates as more information becomes available [3].
FireEye Mandiant has covered the details of the Accellion vulnerability in the article ‘Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion’ [5].
The following CVEs have since been reserved for tracking the recently patched Accellion FTA vulnerabilities:
- CVE-2021-27101 – SQL injection via a crafted Host header
- CVE-2021-27102 – OS command execution via a local web service call
- CVE-2021-27103 – SSRF via a crafted POST request
- CVE-2021-27104 – OS command execution via a crafted POST request
Additional details covering these vulnerabilities can be found in the FireEye threat research article [5].
Detect
The zero-day vulnerability affecting Accellion was discovered by Accellion in another customer’s environment and a hotfix to remediate the vulnerability was released on December 21, 2020. Affected customers were notified.
Qualys have stated that they have notified customers affected by the data breach.
Affected Products
The information released suggests that only customers who uploaded files through Qualys’s support system will have been affected by the Qualys data breach, and these customers should have been notified.
The Accellion FTA device is a purpose-built application designed to allow an enterprise to securely transfer large files and is a third-party system fully managed by Accellion. The product was affected in December 2020, and Accellion have stated that they have patched all known vulnerabilities that were being exploited.
Prevent
Qualys have confirmed that there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys cloud platform. All Qualys platforms continue to be fully functional and at no time was there any operational impact. Therefore, no prevention action is required for Qualys customers.
React
The zero-day vulnerability has since been patched; therefore, no further action is required from Qualys customers to mitigate the Accellion vulnerability. Qualys applied the hotfix to secure their Accellion FTA server on December 22, 2020.
Any organisations who have directly uploaded data to Qualys through their support system should contact Qualys for further information.
Sources
[1] https://www.theregister.com/AMP/2021/03/03/qualys_ransomware_clop_gang