Qualys has confirmed that the Clop ransomware gang is behind the cyber attack that exploited the Accellion FTA vulnerabilities.
California-based IT and compliance solutions provider Qualys confirmed that the Clop ransomware gang targeted its infrastructure using the Accellion FTA exploit.
The company confirmed that the attackers stole data, including scan results and financial documents, and published it on the “CL0P^_- LEAKS” Tor website. This site is maintained by the Clop ransomware operators, who use it to publish stolen data in order to pressure victims who refuse to pay their ransom demands.
The website usually lists exfiltrated data after each successful ransomware attack. Lately, however, it has been flooded with data stolen from organizations that use the Accellion FTA file transfer software.
Qualys Affected by Accellion FTA Incident
Reportedly, Qualys data was compromised during the December 2020 cyberattack involving Accellion software. During the attack, four zero-day vulnerabilities were identified, all of which have since been patched.
Citing the report by FireEye’s Mandiant researchers, Accellion stated that the FIN11 cybercrime gang perpetrated the attack, that the vulnerabilities were of ‘critical severity’, and that they could be exploited for unauthenticated remote code execution.
After Clop’s website portal published Qualys’ data, the company confirmed that the Accellion FTA incident impacted it because the attackers gained unauthorized access to the data stored on the Accellion FTA server.
Data Breach Only Impacted Accellion FTA Server Data
Qualys has stated that the data breach was limited to the FTA server. The incident did not affect its product environments, customer data, or the codebase hosted on the company’s Cloud Platform.
That is because the Accellion server was deployed in a separate DMZ (demilitarized zone) environment, and the production customer data environment was not connected to it, stated Qualys Chief Information Security Officer Ben Carr.
Moreover, Qualys said that it immediately applied the hotfix, completely isolated the targeted FTA server, and notified the impacted customers; however, it did not specify the exact number of affected customers.
“We immediately notified the limited number of customers impacted by this unauthorized access,” Qualys explained.