Cybersecurity firm Qualys is the latest victim to have suffered a data breach after a zero-day vulnerability in their Accellion FTA server was exploited to steal hosted files.
In December, a wave of attacks targeted the Accellion FTA file-sharing application using a zero-day vulnerability that allowed attackers to steal files stored on the server.
Since then, the Clop ransomware has been extorting these victims by posting the stolen data on their ransomware data leak site.
As Accellion FTA devices are standalone servers designed to be outside the security perimeter of a network and accessible to the public, there have been no reported attacks on these devices leading to internal systems compromise.
Before today, the known victims extorted by Clop include Transport for NSW, Singtel, Bombadier, geo-data specialist Fugro, law firm Jones Day, science and technology company Danaher, and technical services company ABS Group.
Qualys the latest victim to be extorted
Yesterday, the Clop ransomware gang posted screenshots of files allegedly belonging to the cybersecurity firm Qualys. The leaked data includes purchase orders, invoices, tax documents, and scan reports.
As reported by Valery Marchive of LegMagIT and confirmed by BleepingComputer, Qualys had an Accellion FTA device located on their network.
The Accellion FTA device was located at fts-na.qualys.com, and the IP address used by the server is assigned to Qualys. Qualys has since decommissioned the FTA device, with Shodan showing it was last active on February 18th, 2021.
It is unknown if Clop sent ransom notes to Qualys regarding the attack, but other victims have received them in the past, according to a report by Mandiant.
It is still unclear if the Clop ransomware gang performed the attacks on Accellion FTA devices or is partnering with another group to share the files and extort victims publicly.
Clop has in the past sent emails to journalists, including BleepingComputer, about new Accellion FTA victims posted to their site.
BleepingComputer has contacted Qualys before publication and are awaiting an official statement.
Source – Bleepingcomputer.com