Enterprise cloud security firm Qualys is the latest victim of a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance server were used to steal sensitive business documents.
The cybercriminals behind the hacks shared screenshots of files belonging to the company’s customers on a publicly accessible data leak website operated by the CLOP ransomware gang.
Qualys CISO Ben Carr said the company “identified unauthorized access to files hosted on the Accellion FTA server,” which was located in a demilitarized zone environment isolated from the rest of the internal network.
“Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access,” Carr added. “The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.”
Last month, FireEye’s Mandiant threat intelligence team provided details of four zero-day flaws in the FTA application that were exploited to mount an extortion campaign: the attackers deployed a web shell called DEWMODE on target networks to obtain sensitive data and then sent extortion emails threatening victims into paying bitcoin ransoms.
Two of the flaws (CVE-2021-27101 and CVE-2021-27104) were corrected by Accellion on December 20, 2020; the other two (CVE-2021-27102 and CVE-2021-27103) were fixed on January 25.
Qualys stated it received an “integrity alert” of a possible compromise on December 24, after it had applied the initial hotfix on December 22. The company said its investigation into the incident is ongoing.
“The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution,” Mandiant said in a security assessment of the FTA software.
Mandiant’s source code analysis uncovered two additional flaws in the FTA software, both of which have been rectified in a patch (version 9.12.444) released on March 1: CVE-2021-27730, an argument injection vulnerability (CVSS score 6.6) accessible to authenticated users with administrative privileges, and CVE-2021-27731, a stored cross-site scripting flaw (CVSS score 8.1) accessible to regular authenticated users.
The FireEye-owned subsidiary is tracking the exploitation activity and the extortion scheme as two groups, and has identified overlaps between them and previous attacks carried out by a financially motivated threat actor named FIN11.
It is still unknown what connection the two clusters may have with the operators of Clop ransomware.