Attackers hacked cybersecurity company Qualys through Accellion FTA
Cybersecurity media report that attackers hacked the information security company Qualys through the file-sharing service Accellion FTA. Since December 2020, information security experts have been recording attacks on companies and organizations using the outdated Accellion FTA (File Transfer Application) service.
FireEye analysts linked this activity to the FIN11 hacker group and warned that more than 100 companies had already become victims of cybercriminals.
“Among the approximately 300 FTA clients, fewer than 100 have been targeted by attacks, and fewer than 25 have been affected by data theft,” Accellion said.
FireEye clarified that some of these 25 customers are being blackmailed, and hackers are demanding a ransom from them.
According to the experts' latest findings, in this campaign the hackers exploit four vulnerabilities in the FTA (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104), then install the DEWMODE web shell and use it to steal files stored on the victims’ FTA devices. After that, the attackers blackmail the victims, demanding a ransom and threatening to leak the stolen information into the public domain.
Accellion developers have already released several “waves” of fixes, but each time they emphasized that FTA has long been an outdated product, and urged their customers to migrate to the new Kiteworks platform. The company recently announced that it would finally end support for the FTA on April 30, 2021.
It is noteworthy that the stolen data is published on a website that belongs to the operators of the Clop ransomware, but not a single machine has been encrypted on the networks of the affected companies. That is, they all became victims of hacking and classic extortion, not of ransomware attacks.
Although Accellion FTA is being phased out, two of the vulnerabilities (CVE-2021-27101 and CVE-2021-27104) were fixed by Accellion in December 2020, while the other two issues (CVE-2021-27102 and CVE-2021-27103) were identified and fixed only in January 2021.
As a result, Qualys, which deals with information security, became a new victim of these cybercriminals. Yesterday, screenshots of files allegedly belonging to Qualys were posted on the Clop website. These included purchase orders, invoices, tax documents, and scan reports.
According to Bleeping Computer, Qualys did have an Accellion FTA device on its network, which was located at fts-na.qualys.com. According to Shodan, the device was last active on February 18, 2021 and is no longer in use. But the attackers still managed to compromise the company.
Qualys representatives have already confirmed that their Accellion FTA server was hacked in December 2020 and only a small percentage of customers were affected by the attack. It is also emphasized that the compromised server was deployed in the DMZ, which is separate from the company’s internal network, so the company’s product environment was not affected.
“Qualys confirms that the attack had no impact on the company’s production environments, codebase or customer data hosted on the cloud platform. All Qualys platforms are still fully functional; the incident did not affect their operation in any way,” the company said in a statement.
Qualys also said that it has already abandoned the use of Accellion FTA, providing customers with alternative ways to transfer files.
It is also worth noting that the four vulnerabilities listed above in Accellion FTA are far from all bugs in this product. Mandiant recently uncovered two more previously unknown flaws in the FTA (CVE-2021-27730 and CVE-2021-27731), which were fixed in patch 9.12.444, released on March 1, 2021.
Let me remind you that antivirus solution provider Emsisoft recently reported a data leak.