Enterprise cloud security firm Qualys has become the latest victim to join a long list of entities to have suffered a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance (FTA) server were exploited to steal sensitive business documents.
As proof of access to the data, the cybercriminals behind the recent hacks targeting Accellion FTA servers have shared screenshots of files belonging to the company's customers on a publicly accessible data leak website operated by the CLOP ransomware gang.
Confirming the incident, Qualys Chief Information Security Officer Ben Carr said a detailed probe "identified unauthorized access to files hosted on the Accellion FTA server" located in a DMZ (aka demilitarized zone) environment that's segregated from the rest of the internal network.
"Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access," Carr added. "The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform."
Last month, FireEye's Mandiant threat intelligence team disclosed details of four zero-day flaws in the FTA application that were exploited by threat actors to mount a wide-ranging data theft and extortion campaign, which involved deploying a web shell called DEWMODE on target networks to exfiltrate sensitive data, followed by sending extortion emails to threaten victims into paying bitcoin ransoms, failing which the stolen data was posted on the data leak site.
While two of the flaws (CVE-2021-27101 and CVE-2021-27104) were addressed by Accellion on December 20, 2020, the other two vulnerabilities (CVE-2021-27102 and CVE-2021-27103) were identified earlier this year and fixed on January 25.
Qualys said it received an "integrity alert" suggesting a possible compromise on December 24, two days after it applied the initial hotfix on December 22. The company didn't say if it received extortion messages in the wake of the breach, but said an investigation into the incident is ongoing.
"The exploited vulnerabilities were of critical severity because they were subject to exploitation via unauthenticated remote code execution," Mandiant said in a security assessment of the FTA software published earlier this week.
Additionally, Mandiant's source code analysis uncovered two more previously unknown security flaws in the FTA software, both of which have been rectified in a patch (version 9.12.444) released on March 1 —
- CVE-2021-27730: An argument injection vulnerability (CVSS score 6.6) accessible only to authenticated users with administrative privileges, and
- CVE-2021-27731: A stored cross-site scripting flaw (CVSS score 8.1) accessible only to regular authenticated users
The FireEye-owned subsidiary is tracking the exploitation activity and the follow-on extortion scheme under two separate threat clusters it calls UNC2546 and UNC2582, respectively, with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor dubbed FIN11. But it is still unclear what connection, if any, the two clusters may have with the operators of Clop ransomware.