Qualys Hacked Using Accellion Zero-day Vulnerability

The Clop Ransomware group targets vulnerable servers of large companies to access and encrypt sensitive documents and data, followed by demanding a hefty ransom in exchange of decryption keys. The Clop operator runs a leak site called “CL0P^_- LEAKS” hosted on the darkweb for publishing the stolen data of victims that fail to pay the ransom demanded. Multiple incidents of Clop ransomware attacks have been reported, followed by data leak in the darkweb in the evnet that victims fail to pay the ransom. In March 2020, the Clop ransomware breached a UK-based logistics company EV Cargo Logistics and U.S. pharmaceutical company ExecuPharm and leaked a large chunk of their data when the ransom was not paid. 

Recently, the Clop ransomware group has targeted the California-based cybersecurity firm Qualys. On March 3, 2021, the data obtained from the attack on Qualys was posted on CLOP’s website. That data contains Qualys’ confidential information, including invoices and purchase orders. Qualys has also confirmed the breach, besides adding that their production environments are intact. 

The following is the post by CLOP Ransomware group about Qualys data leak in darkweb. 

Qualys is a California-based cybersecurity services company that provides cloud security, compliance, and related services having more than 1200 employees. As of now, only a part of the information is available for download openly. The hack appears to be on one of Qualys’ Accellion FTA servers, whose vulnerability was exploited earlier by CLOP. Accellion FTA servers are standalone devices accessible to the public. However, these stay out of the network security perimeter. CLOP’s recent hacks include a renowned jet maker Bombardier and geo data specialist Fugro.  

In their attempt to confirm the Qualys hack, CLOP posted screenshots of their confidential data on their website. Figure 1 displays the purchase order of Qualys as posted by CLOP. 

Figure 1: Qualys’ Purchase Order Posted by CLOP 

The image below showcases the scan results as posted by CLOP on its website. 

Figure 2: Scan Result as posted by CLOP. 

Figure 3 displays income tax details posted by CLOP on its website. 

Figure 3: Qualys’ Income Tax details 

As stated by Qualys, they had shut down the concerned Accellion FTA servers and were investigating the breach.  

Technical details of the Accellion FTA Vulnerability: 

The Accellion FTA is a file transfer application that is used to share files. In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020. Since then, Accellion has identified several threat actors targeting FTA customers by leveraging the following additional vulnerabilities.  

• CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)  
• CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)  
• CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)  
• CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)  

One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Threat actors have exploited this vulnerability to deploy a web shell on compromised systems. The web shell is located on the target system in the file /home/httpd/html/about.html or /home/seos/courier/about.html. It allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the web shell helps evade detection and analysis during a post-incident response.   

Cyble recommends the following best practices: 

• Update Accellion FTA to version FTA_9_12_432 or later.  
• Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes and consider resetting user passwords.  
• Deploy automated software update tools to ensure that third-party software on all systems runs the most recent security updates provided by the software vendor.  
• Only use up-to-date and trusted third-party components for the software developed by the organization.  
• Add additional security controls to prevent access from unauthenticated sources.  
• Use strong passwords and enforce multi-factor authentication wherever possible.   
• Regularly monitor your financial transactions. In case of any suspicious activity, contact your bank immediately.   
• Turn on the automatic software update feature on your devices connected to the Internet, such as computers and mobile.
• Install authentic anti-virus as well as Internet security software package on your connected devices, including PC, laptop, and mobile. 
• Never share personal and confidential information over the phone, email, or SMSes.   
• Refrain from opening untrusted links and email attachments without verifying their authenticity. 
• If you are concerned about your exposure on the Dark Web, register at AmIBreached.com to ascertain exposure.   

About Cyble 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.