Threatrix Blog

Enterprise open source security & compliance

NEWS

Extortionists Breach Qualys Using Accellion Exploit

By Kristen Bianchi

March 10, 2021

No comments

Enterprise cloud security firm Qualys is the latest victim of a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance server were used to steal sensitive business documents.

The cybercriminals behind the hacks shared screenshots of files belonging to the company’s customers on a publicly accessible data leak website operated by the CLOP ransomware gang.

Qualys CISO, Ben Carr said they “identified unauthorized access to files hosted on the Accellion FTA server” located in a demilitarized zone environment that is isolated from the rest of the internal network.

“Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access,” Carr added. “The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.”

Last month, FireEye’s Mandiant threat intelligence team provided details of four zero-day flaws in the FTA application that were taken advantage of to mount an extortion campaign involving deploying a web shell called DEWMODE on target networks to obtain sensitive data and sent extortion emails to threaten victims into paying bitcoin ransoms.

Two of the flaws (CVE-2021-27101 and CVE-2021-27104) were corrected by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) were and fixed on January 25.

Qualys stated it received an “integrity alert” to a possible compromise on December 24, after it applied the initial hotfix on December 22. The company said an investigation into the incident is ongoing.

“The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,” Mandiant said in a security assessment of the FTA software.

Mandiant’s source code analysis uncovered two additional flaws in the FTA software, both have been rectified in a patch (version 9.12.444) released on March 1 CVE-2021-27730: An argument injection vulnerability (CVSS score 6.6) accessible to authenticated users with administrative privileges, and CVE-2021-27731: A stored cross-site scripting flaw (CVSS score 8.1) accessible to regular authenticated users.

The FireEye-owned subsidiary is tracking the activity and the extortion scheme with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor named FIN11.

It is still unknown what connection, the two clusters may have with the operators of Clop ransomware.

Share this post

Kristen Bianchi

0 comments

Recent

AI DEVELOPMENT TOOLS OPEN SOURCE COMPLIANCE

Ethical Considerations of AI-Generated Code in Open Source Projects

The integration of AI-generated code into open-source projects represents a groundbreaking shift. This innovation promises enhanced efficiency and the potential to solve complex problems with unprecedented speed. However, it raises significant ethical considerations concerning license compliance and intellectual property (IP) rights. As we stand on the cusp of this new frontier, it's crucial to navigate these waters with a keen sense of ethics and responsibility.

By Kristen Bianchi

April 11, 2024

No comments

AI Code Detection SOFTWARE SUPPLY CHAIN SECURITY

Illuminating the Future of AI Code Compliance

AI promises to revolutionize software development, but its potential must be harnessed responsibly. As digital enterprises increasingly depend on sophisticated software, the imperative to maintain strict quality and security standards has never been more critical.

By Kristen Bianchi

April 8, 2024

No comments

Threatrix Blog

Extortionists Breach Qualys Using Accellion Exploit

Leave a Reply Cancel reply

Recent