The Clop ransomware group targets vulnerable servers of large companies to access and encrypt sensitive documents and data, then demands a hefty ransom in exchange for the decryption keys. The Clop operator runs a leak site called “CL0P^_- LEAKS”, hosted on the darkweb, for publishing the stolen data of victims that fail to pay the ransom demanded. Multiple Clop ransomware attacks have been reported, followed by data leaks on the darkweb in the event that victims fail to pay. In March 2020, the Clop ransomware breached the UK-based logistics company EV Cargo Logistics and the U.S. pharmaceutical company ExecuPharm, and leaked a large chunk of their data when the ransom was not paid.
Recently, the Clop ransomware group has targeted the California-based cybersecurity firm Qualys. On March 3, 2021, the data obtained from the attack on Qualys was posted on CLOP’s website. That data contains Qualys’ confidential information, including invoices and purchase orders. Qualys has also confirmed the breach, besides adding that their production environments are intact.
The following is the post by CLOP Ransomware group about Qualys data leak in darkweb.

Qualys is a California-based cybersecurity services company with more than 1200 employees that provides cloud security, compliance, and related services. As of now, only a part of the information is available for download openly. The hack appears to have been carried out through one of Qualys’ Accellion FTA servers, whose vulnerability was exploited earlier by CLOP. Accellion FTA servers are standalone, publicly accessible devices that sit outside the network security perimeter. CLOP’s recent hacks include the renowned jet maker Bombardier and the geo data specialist Fugro.
In their attempt to confirm the Qualys hack, CLOP posted screenshots of their confidential data on their website. Figure 1 displays the purchase order of Qualys as posted by CLOP.

Figure 1: Qualys’ Purchase Order Posted by CLOP
The image below showcases the scan results as posted by CLOP on its website.

Figure 2: Scan Result as posted by CLOP.
Figure 3 displays income tax details posted by CLOP on its website.

Figure 3: Qualys’ Income Tax details
Qualys stated that it had shut down the affected Accellion FTA servers and was investigating the breach.
Technical details of the Accellion FTA Vulnerability:
The Accellion FTA is a file transfer application that is used to share files. In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020. Since then, Accellion has identified several threat actors targeting FTA customers by leveraging the following additional vulnerabilities.
- CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
- CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
- CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
- CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)
One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Threat actors have exploited this vulnerability to deploy a web shell on compromised systems. The web shell is located on the target system in the file /home/httpd/html/about.html or /home/seos/courier/about.html. It allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the web shell helps evade detection and analysis during a post-incident response.
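The two indicators in the paragraph above (the about.html web shell paths and an anomalous Host header) lend themselves to a simple defender-side hunt. The script below is an added example, not code from the original post, from Cyble or from Accellion; it assumes an Apache-style access log in which the request's Host header has been appended as the final quoted field, and the log lines it ships with are constructed.

```python
"""Hunt for the Accellion FTA indicators described above: the about.html
web shell and a Host header that is not a plain hostname (CVE-2021-27101)."""
import os
import re

# Web shell locations quoted in the text.
WEBSHELL_PATHS = (
    "/home/httpd/html/about.html",
    "/home/seos/courier/about.html",
)

# A legitimate Host header is a hostname (letters, digits, dots, hyphens),
# optionally followed by :port. Anything else deserves a closer look.
VALID_HOST = re.compile(r"^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$")

# Assumed log format: Apache-style access log with the Host header appended
# as the last quoted field (e.g. LogFormat ... "%{Host}i").
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$')


def suspicious_host_header(value: str) -> bool:
    """True when the Host header is not a plain hostname[:port]."""
    return VALID_HOST.match(value.strip()) is None


def scan_access_log(lines):
    """Return (client_ip, host_header, request) for every anomalous Host header."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m and suspicious_host_header(m.group("host")):
            hits.append((m.group("ip"), m.group("host"), m.group("req")))
    return hits


def find_webshell_files(exists=os.path.isfile):
    """Return the known web-shell paths present on this host; `exists` is injectable for tests."""
    return [p for p in WEBSHELL_PATHS if exists(p)]


# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2021:10:00:01 +0000] "GET /courier/index.html HTTP/1.1" 200 512 "fta.example.com"',
    '203.0.113.7 - - [01/Mar/2021:10:00:05 +0000] "POST /courier/index.html HTTP/1.1" 200 97 "fta.example.com\'"',
    '198.51.100.9 - - [01/Mar/2021:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 21 "fta.example.com:443"',
]

if __name__ == "__main__":
    for ip, host, req in scan_access_log(SAMPLE_LOG):
        print(f"anomalous Host header from {ip}: {host!r} ({req})")
    for path in find_webshell_files():
        print(f"possible web shell present: {path}")
```

Run it on the appliance with the real access log piped into scan_access_log; a hit on either check is a reason to preserve the file and logs before any cleanup, since the web shell's own clean-up routine targets exactly that evidence.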
Cyble recommends the following best practices:
- Update Accellion FTA to version FTA_9_12_432 or later.
- Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes and consider resetting user passwords.
- Deploy automated software update tools to ensure that third-party software on all systems runs the most recent security updates provided by the software vendor.
- Only use up-to-date and trusted third-party components for the software developed by the organization.
- Add additional security controls to prevent access from unauthenticated sources.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Regularly monitor your financial transactions. In case of any suspicious activity, contact your bank immediately.
- Turn on the automatic software update feature on your devices connected to the Internet, such as computers and mobile devices.
- Install authentic anti-virus as well as Internet security software packages on your connected devices, including PC, laptop, and mobile.
- Never share personal and confidential information over the phone, email, or SMS.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- If you are concerned about your exposure on the Dark Web, register at AmIBreached.com to ascertain exposure.
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.