Qualys, which provides a cloud-based platform for protecting IT and OT workloads, has become the latest firm to be victimized by vulnerabilities in the Accellion FTA file transfer application.
Company CISO Ben Carr said Wednesday it had deployed an Accellion FTA server in a segregated DMZ environment, completely separate from the systems that host and support Qualys products, to exchange information as part of its customer support system.
However, a “limited number of customers” were impacted by the unauthorized access. It wasn’t clear from the blog post whether those customers’ data had been copied. Qualys said it chose the Accellion FTA solution for the encrypted temporary transfer of manually uploaded files.
Qualys stressed that access was limited to the FTA server and did not impact any services provided or access to customer data hosted by its cloud platform.
The incident first came to security researchers’ attention earlier this week when the Clop ransomware group posted data allegedly belonging to Qualys to its website. Last week FireEye posted an analysis that suggests another threat group is using the Clop site as its location for releasing or selling stolen data.
Separately last week, Accellion said it identified two distinct groups of victimized FTA customers. Out of approximately 300 total FTA clients, fewer than 100 were victims of an attack. Within this group, it said, fewer than 25 appear to have suffered significant data theft.
Accellion discovered the vulnerability in December 2020. Qualys says that on Dec. 22 it applied a hotfix Accellion had released for FTA the day before, and it also installed additional patches. However, on Dec. 24 an integrity alert fired on the FTA server, and the server was immediately isolated from the network.
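The “integrity alert” in the paragraph above is the kind of signal a file-integrity monitor produces: a baseline of the server’s files is recorded, and later changes that are not accounted for by a known patch are flagged. The following is an added illustration of that idea, not Qualys or Accellion code; the directory layout, file names and the “hotfix” it tolerates are constructed for the example.

```python
"""Minimal file-integrity baseline and check (added example, not vendor code).

build_baseline() records sha256/mode/size for every regular file under a root.
check_integrity() diffs the current tree against that baseline and separates
changes a patch is documented to make (the allowlist) from everything else,
which is what should raise an alert.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> {sha256, mode, size} for each regular file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o777),
                "size": st.st_size,
            }
    return baseline


def check_integrity(root: Path, baseline: dict, allowlist=()) -> dict:
    """Compare the tree under root with baseline.

    Returns added/removed/modified paths, plus 'alerts' (changes not covered by
    allowlist) and 'expected_changes' (changes a known patch was allowed to make).
    """
    current = build_baseline(root)
    changes = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in current.keys() & baseline.keys() if current[p] != baseline[p]
        ),
    }
    expected = set(allowlist)
    changed = [p for kind in changes.values() for p in kind]
    changes["alerts"] = sorted(p for p in changed if p not in expected)
    changes["expected_changes"] = sorted(p for p in changed if p in expected)
    return changes


def demo() -> dict:
    """Constructed scenario: baseline a tree, apply an expected hotfix, then make
    two unexpected changes. Returns the check_integrity() result."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cgi-bin").mkdir()
        (root / "conf").mkdir()
        (root / "cgi-bin" / "app.cgi").write_text("legit handler v1\n")
        (root / "conf" / "app.conf").write_text("debug=off\n")
        baseline = build_baseline(root)

        # Hypothetical vendor hotfix, documented to replace cgi-bin/app.cgi only.
        (root / "cgi-bin" / "app.cgi").write_text("legit handler v1.1 (hotfix)\n")
        # Constructed unexpected changes: a new file dropped into cgi-bin and an
        # edited config. Neither is covered by the hotfix allowlist.
        (root / "cgi-bin" / "dropped.cgi").write_text("unexpected new file\n")
        (root / "conf" / "app.conf").write_text("debug=on\n")

        return check_integrity(root, baseline, allowlist=["cgi-bin/app.cgi"])


if __name__ == "__main__":
    result = demo()
    print("alerts:", result["alerts"])                    # the two unexpected changes
    print("expected_changes:", result["expected_changes"])  # the hotfix only
```

The point of the allowlist is the situation the article describes: a patch legitimately rewrites files right before the check runs, so a monitor that simply re-baselines after patching would also absorb anything an intruder changed in the same window. Re-baseline only the paths the vendor documents, and treat every other difference as an alert worth isolating the host over.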
Ilia Kolochenko, the chief architect at ImmuniWeb, said in an email that judging by Qualys’ statement, sensitive data such as vulnerability reports or customer passwords, “are almost certainly unaffected.”
“The ongoing attacks against Accellion FTA servers are exploiting a zero-day vulnerability on a server hosted outside of organizational premises, and thus are hardly detectable or preventable. Many more companies and organizations will likely fall victim to this sophisticated hacking campaign soon,” Kolochenko wrote. “Moreover, undoubtedly, even more victims have already been silently hacked and are simply unaware of the intrusion. Extortion and public threats are the last resort for the attackers who fail to rapidly sell the loot for a good price on the Dark Web and go after the victim for a ransom. Similar supply chain attacks are poised to surge in 2021.”