Extortion Gang Breaches Cybersecurity Firm Qualys Using Accellion Exploit

Business cloud stability organization Qualys has develop into the newest victim to be a part of a extended checklist of entities to have endured a knowledge breach following zero-working day vulnerabilities in its Accellion File Transfer Equipment (FTA) server had been exploited to steal delicate small business files.

As evidence of access to the knowledge, the cybercriminals behind the recent hacks concentrating on Accellion FTA servers have shared screenshots of information belonging to the company’s clients on a publicly accessible information leak web page operated by the CLOP ransomware gang.

Confirming the incident, Qualys Chief Details Protection Officer Ben Carr said a comprehensive probe “discovered unauthorized accessibility to documents hosted on the Accellion FTA server” situated in a DMZ (aka demilitarized zone) ecosystem which is segregated from the relaxation of the internal community.

“Primarily based on this investigation, we right away notified the minimal number of clients impacted by this unauthorized accessibility,” Carr added. “The investigation verified that the unauthorized accessibility was limited to the FTA server and did not effect any companies offered or entry to purchaser knowledge hosted by the Qualys Cloud Platform.”

Last month, FireEye’s Mandiant threat intelligence group disclosed specifics of 4 zero-working day flaws in the FTA software that had been exploited by risk actors to mount a large-ranging data theft and extortion marketing campaign, which included deploying a net shell termed DEWMODE on goal networks to exfiltrate sensitive data, adopted by sending extortion e-mails to threaten victims into shelling out bitcoin ransoms, failing which the stolen details was posted on the facts leak web site.


Even though two of the flaws (CVE-2021-27101 and CVE-2021-27104) were dealt with by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) had been discovered and mounted previously this calendar year on January 25.

Qualys did not say if it gained extortion messages in the wake of the breach, but stated an investigation into the incident is ongoing.

“The exploited vulnerabilities have been of crucial severity simply because they ended up issue to exploitation via unauthenticated distant code execution,” Mandiant mentioned in a stability assessment of the FTA software program published previously this week.

Also, Mandiant’s source code examination uncovered two far more beforehand mysterious safety flaws in the FTA software program, both equally of which have been rectified in an FTA patch (model 9.12.444) released on March 1 —

  • CVE-2021-27730: An argument injection vulnerability (CVSS score 6.6) accessible only to authenticated buyers with administrative privileges, and
  • CVE-2021-27731: A saved cross-web-site scripting flaw (CVSS score 8.1) accessible only to regular authenticated end users

The FireEye-owned subsidiary is monitoring the exploitation exercise and the comply with-on extortion plan below two independent danger clusters it phone calls UNC2546 and UNC2582, respectively, with overlaps recognized among the two groups and previous assaults carried out by a monetarily enthusiastic menace actor dubbed FIN11. But it is nonetheless unclear what connection, if any, the two clusters may well have with the operators of Clop ransomware.

Fibo Quantum