Sergey Nivens - stock.adobe.com
The scope of the Accellion FTA breach has now widened to include cloud-based security services supplier Qualys, which has had some of its customer data published to a dark web leak site operated by the Cl0p ransomware gang, as reported by our sister title LeMagIT.
Qualys CISO Ben Carr confirmed the incident in a disclosure blog, saying that the firm had used the legacy file transfer technology in a segregated environment for customer support-related file transfers, and it was at no point connected to its production customer data environment, the Qualys Cloud Platform.
Carr said Qualys had applied the Accellion-supplied hotfix to secure its server on 22 December 2020, a day after it was released, and took steps at that time to further enhance its security, including applying additional patches and setting up new alerts.
On Christmas Eve, it received an integrity alert, at which point it fully isolated the impacted server and provided alternatives for support-related file transfer.
“Qualys and Accellion conducted a detailed investigation and identified unauthorised access to files hosted on the Accellion FTA server,” said Carr. “Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorised access.
“The investigation confirmed that the unauthorised access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.”
Carr added: “As with any security incident, the investigation is ongoing. As a security company, we continue to look for ways to enhance security and provide the strongest protections for our customers. We have engaged FireEye Mandiant, which also worked with Accellion on the wider investigation.
“Qualys is strongly committed to the security of its customers and their data, and we will notify them should relevant information become available.”
ImmuniWeb’s Ilia Kolochenko commented: “Qualys’ response to the incident is a laudable example of transparent and professional handling of a security incident. Under the integrity of currently disclosed circumstances, I see absolutely no reason for panic.
“The very nature of the incident suggests that the number of affected customers and other third parties is likely very limited. Moreover, sensitive data, such as vulnerability reports or customer passwords, are almost certainly unaffected.
“So, I would definitely refrain from labelling the attack as a breach, but rather a security incident. A third-party investigation will likely shed light on the situation and hopefully will bring even more assurance to Qualys customers.”
Qualys joins a growing number of users of Accellion’s FTA product to have found data stolen via four different vulnerabilities – two found in December 2020 and two in January 2021 – released on Cl0p’s victim-shaming site.
Read more about the Accellion FTA breach
- While Accellion fixed the zero-day vulnerability within 72 hours and said the breach affected ‘less than 50 customers’, the attack’s impact has expanded two weeks after the disclosure.
- Cyber attack victim Jones Day says its data was stolen in a supply chain attack, but the gang holding it to ransom disagrees.
- The governor of New Zealand’s central bank said the organisation must answer questions about its security following a ‘significant’ attack.
But there is still no clear indication of the precise nature of the link between the Cl0p gang and those behind the Accellion attacks, according to Mandiant.
As of 1 March, Mandiant had completed its assessment of the Accellion attacks – which can be downloaded to read in full here.
The firm said all known FTA vulnerabilities had now been fixed following extensive penetration testing and code review, and it had not identified any additional vulnerabilities that were exploited by the attackers – although it did find two new vulnerabilities (since patched) that were accessible only by authenticated users, so there is no evidence that these were exploited.
“Since becoming aware of these attacks, our team has been working around the clock to develop and release patches that resolve each identified FTA vulnerability, and support our customers affected by this incident,” said Accellion CEO Jonathan Yaron.
“I want to thank the Mandiant team for their expert collaboration in investigating this incident and reviewing our software to ensure that all known FTA vulnerabilities have indeed been closed. To better ensure customer security in today’s dynamic threat environment, we have decided to accelerate FTA’s end of life to 30 April 2021 and continue to strongly urge all FTA customers that have not done so already to upgrade to the Kiteworks platform as soon as possible.”
Kolochenko said the supply chain attacks against Accellion users were hard to detect or prevent, and it is likely that more victims will continue to emerge over time.
“Undoubtedly, even more victims have already been silently hacked and are simply unaware of the intrusion,” he said. “Extortion and public threats are the last resort for the attackers who fail to rapidly sell the loot for a good price on the dark web and go after the victim for a ransom. Similar supply chain attacks are poised to surge in 2021.”
Besides migrating away from Accellion FTA as soon as is practical, users can also take steps to protect themselves by temporarily isolating or blocking access to and from systems that host the software, assessing their systems for evidence of any malicious activity that includes the disclosed indicators of compromise, and imaging the system for investigation.
If any malicious activity is found, users should consider auditing FTA user accounts for unauthorised changes and reset user passwords and any security tokens on the system, and, if they have not done so, update FTA to version FTA_9_12_432 or later.
A spokesperson for the National Cyber Security Centre said: “The NCSC is committed to protecting the UK against cyber attacks and, working alongside our allies, we will continue to strengthen our defences to make us the hardest possible target.