Qualys says Accellion hackers did not breach production systems

Cybersecurity firm Qualys said today that the attackers who breached its Accellion FTA server didn’t infiltrate the company’s production and corporate environments.

A third-party forensic firm hired to investigate if the hackers moved laterally into Qualys’ network found no evidence of lateral movement from the hacked file-sharing appliance.

Qualys also noted that the investigation found that the company’s “existing security rules would not have allowed any such access between the Accellion FTA server and Qualys’ corporate and production environment.

“As previously noted, the impact on Qualys and our customers is contained to the Accellion FTA server,” said Ben Carr, Qualys Chief Information Security Officer.

“We continue to be confident that there is no impact from this incident on the Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners.”

According to Qualys, its platforms are fully functional as the attack didn’t result in any downtime or operational impact.

These findings independently confirm our conclusion that the impact on Qualys and our customers is contained to those files stored on the Accellion FTA server at the time of the incident. These findings also confirm that this incident did not involve any additional attack vectors beyond the vulnerability used to infiltrate the Accellion FTA server. – Qualys

The Clop ransomware gang posted screenshots of files allegedly stolen from Qualys’ Accellion FTA server after breaching the server in December 2020. The leaked data included invoices, purchase orders, tax documents, and scan reports.

Qualys said that the affected Accellion FTA servers were shut down, and the company switched to alternative solutions for support-related file transfers.

While Qualys made no mention of a ransom note received from Clop, the ransomware gang’s other victims have received them in the past, according to a FireEye Mandiant report.

It is still unclear if the Clop ransomware gang is behind the Accellion attacks it published on its data leak site or partnering with another group to share the files and extort the victims.

A joint statement published by Mandiant and Accellion shed more light on these attacks, linking them to the FIN11 cybercrime group.

BleepingComputer has reported breaches affecting multiple companies and organizations following attacks targeting Accellion FTA.

Besides the one on cybersecurity firm Qualys server, we also reported about attacks on the supermarket giant Kroger, the Reserve Bank of New Zealand, Singtel, QIMR Berghofer Medical Research Institute, the Australian Securities and Investments Commission (ASIC), and the Office of the Washington State Auditor (“SAO”).

Five Eyes members also issued a joint security advisory in February about ongoing attacks and extortion attempts targeting orgs that use vulnerable Accellion File Transfer Appliance (FTA) versions.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s