Thursday, March 04, 2021

Cloud Security Firm Qualys Hit By Accellion Breach

Qualys disclosed that it was hit by a zero-day exploit related to the Accellion breach, but that the attack didn’t compromise its production environments, codebase, or customer data. The cloud security vendor also hired FireEye Mandiant to respond to the breach.

“All Qualys platforms continue to be fully functional and at no time was there any operational impact,” Qualys CISO Ben Carr wrote in a blog post. The company said it had deployed the Accellion FTA server in a segregated DMZ environment that remained “completely separate from systems that host and support Qualys products for occasional use to transfer information as part of our customer support system.” Carr didn’t detail what data the hackers stole, but said Qualys “immediately notified the limited number of customers impacted by this unauthorized access.”

The vendor claims more than 19,000 businesses in 130 countries, including the “majority” of Forbes 100 companies, use its cloud security platform. In January, Qualys confirmed that the SolarWinds attackers had targeted its systems. However, “there was no impact on our production environment nor any exfiltrated data,” a spokesperson said in an email to SDxCentral.

In December, attackers used a zero-day vulnerability to break into Accellion’s File Transfer Appliance (FTA) product and steal customer data. The criminals then sent extortion emails to victims, threatening to publish their data on the dark web unless they paid a ransom. As of Feb. 1, Accellion said it had patched all known vulnerabilities in the 20-year-old product.
The vendor also recommended that FTA customers migrate to kiteworks, its enterprise content firewall platform, which Accellion says it built on an entirely different code base.

Unlike the massive SolarWinds breach, in which hackers specifically targeted American corporations and government agencies, attackers in the Accellion breach hit organizations across the United States, United Kingdom, Australia, New Zealand, and Singapore. These included U.S. retail giant Kroger, the state of Washington, the Reserve Bank of New Zealand, Singapore Telecommunications (Singtel), and the government of New South Wales in Australia.

Late last month, FireEye said its Mandiant threat intelligence team identified UNC2546 as the criminal group behind the Accellion breach. This is the same gang responsible for Clop ransomware. “Mandiant has been working closely with Accellion in response to these matters and will be producing a complete security assessment report in the coming weeks,” the threat research team wrote in a blog post. Mandiant also validated all of Accellion’s FTA patches, and “is currently performing penetration testing and code review of the current version of the Accellion FTA product and has not found any other critical vulnerabilities in the FTA product based on our analysis to date.” FireEye threat researchers also discovered the recent SolarWinds breach, which hit upwards of 100 U.S. companies and nine federal agencies.

In the wake of the SolarWinds and Accellion breaches, a group of cybersecurity practitioners is calling on public companies to disclose the risks they face from cyber threats, including these types of third-party security risks.
A new report, co-authored by SecurityScorecard, National Association of Corporate Directors, Cyber Threat Alliance, Diligent, and IHS Markit, says companies should detail to investors their specific risks including operational disruption, intellectual property theft, loss of sensitive client data, and fraud caused by business email compromises.