Cloud-based security provider Qualys has been hit by an extortion campaign. The details have emerged over the last few days, with initial reports claiming the company had been hit by ransomware. It is now known that Qualys suffered a breach, but of a third-party product: it was affected by a zero-day exploit against the Accellion FTA (File Transfer Appliance).
A blog from Ben Carr, Chief Information Security Officer, Qualys, has provided more detail on what happened. In it, Carr writes: “There is no impact on the Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners. All Qualys platforms continue to be fully functional, and at no time was there any operational impact.”
How did Qualys lose data?
Qualys uses the Accellion FTA (File Transfer Appliance) to transfer files as part of its customer support system. Ironically, the Accellion FTA is supposed to encrypt all files uploaded to it. In this case, the zero-day exploit allowed the attackers to reach the stored files and steal the encryption key, then exfiltrate the data and decrypt it on their own server. Encryption at rest is no protection once the attacker controls the appliance that holds the key.
Carr writes: “Accellion FTA devices are standalone, black box appliance servers designed to be hosted outside of our production environment. Qualys had deployed the Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support Qualys products for occasional use to transfer information as part of our customer support system.
“Qualys chose the Accellion FTA solution for encrypted temporary transfer of manually uploaded files. There was no connectivity between the Accellion FTA server and our production customer data environment (the Qualys Cloud Platform). The Accellion FTA product is a third-party system fully managed by Accellion.”
Accellion patched the zero-day vulnerability in December 2020, and Qualys applied the patch to its server the following day. Two days later, after a further alert, the server was shut down and an investigation started. This led to an unspecified number of Qualys customers being told that some of their data had been taken.
How did the attack take place?
The chain of events that compromised the server will come as no surprise. It involves a SQL injection attack, a stolen key and the installation of a web shell (DEWMODE) on the server. A list of filenames is pulled from the FTA’s onboard MySQL server, and download requests are then made for those files. As the encryption key has already been stolen, reading the data is trivial. To hinder detection, the attackers cleaned up after themselves.
Mandiant has published its own blog on the attacks against the Accellion FTA. It lists four CVEs covering the vulnerabilities used in this attack, alongside the DEWMODE web shell.
CVE-2021-27101 – SQL injection via a crafted Host header
CVE-2021-27102 – OS command execution via a local web service call
CVE-2021-27103 – SSRF via a crafted POST request
CVE-2021-27104 – OS command execution via a crafted POST request
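The first link in the chain above, and the first CVE in the list, is SQL injection through the HTTP Host header. The following Python is an added example, not Accellion or Qualys code and not the FTA’s real schema (which is not public): it models a file-transfer appliance that picks the tenant by Host header, shows a lookup built by string concatenation that hands over every tenant’s file list and encryption key, and beside it a hardened lookup that allowlists the header, binds it as a query parameter and never selects the key at all. The tenant and file tables, the hostnames and the injection payload are all constructed for the demo.

```python
"""Host-header SQL injection: vulnerable lookup beside a hardened one.

Added example. It does not reproduce Accellion FTA code or schema (neither is
public); the tables, hostnames and payload below are constructed for the demo.
"""
import re
import sqlite3

# Constructed schema: each tenant is selected by the hostname the appliance is
# addressed as, and the per-tenant encryption key sits next to the file list,
# which is what makes a single injected query so damaging.
SCHEMA = """
CREATE TABLE tenants (id INTEGER PRIMARY KEY, hostname TEXT NOT NULL, enc_key TEXT NOT NULL);
CREATE TABLE files (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, filename TEXT NOT NULL);
INSERT INTO tenants VALUES (1, 'ftp.alpha.example', 'KEY-ALPHA-0001');
INSERT INTO tenants VALUES (2, 'ftp.beta.example',  'KEY-BETA-0002');
INSERT INTO files VALUES (1, 1, 'alpha-invoice-2020.pdf');
INSERT INTO files VALUES (2, 1, 'alpha-support-bundle.zip');
INSERT INTO files VALUES (3, 2, 'beta-contract.docx');
"""

# Constructed payload: closes the string literal and appends an always-true clause.
PAYLOAD = "ftp.alpha.example' OR '1'='1"


def new_db():
    """In-memory SQLite database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, host_header):
    """Trusts the Host header and splices it into the SQL text.

    Any client can send an arbitrary Host header, so the WHERE clause is
    attacker-controlled; PAYLOAD returns every tenant's files and keys.
    """
    sql = ("SELECT f.filename, t.enc_key FROM files f "
           "JOIN tenants t ON f.tenant_id = t.id "
           "WHERE t.hostname = '" + host_header + "'")
    return sorted(conn.execute(sql).fetchall())


# Plain DNS hostname labels only; IPv6 literals and other forms are rejected.
HOSTNAME_RE = re.compile(
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*")


def normalise_host(host_header):
    """Drop an optional :port, lower-case, and reject anything but a hostname."""
    host = host_header.split(":", 1)[0].strip().lower()
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("malformed Host header: %r" % host_header)
    return host


def lookup_hardened(conn, host_header, allowed_hosts):
    """Allowlist the Host header, bind it as a parameter, and never select the key.

    The allowlist means only names this appliance is meant to serve reach the
    database at all; parameter binding means the value cannot change the query's
    structure even if the allowlist were misconfigured.
    """
    host = normalise_host(host_header)
    if host not in allowed_hosts:
        raise ValueError("unexpected Host header: %r" % host)
    sql = ("SELECT f.filename FROM files f "
           "JOIN tenants t ON f.tenant_id = t.id "
           "WHERE t.hostname = ?")
    return sorted(row[0] for row in conn.execute(sql, (host,)))


def hardened_rejects(conn, host_header, allowed_hosts):
    """True if the hardened lookup refuses the header instead of querying."""
    try:
        lookup_hardened(conn, host_header, allowed_hosts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = new_db()
    allowed = {"ftp.alpha.example"}
    print("vulnerable, legitimate host:", lookup_vulnerable(db, "ftp.alpha.example"))
    print("vulnerable, injected host:  ", lookup_vulnerable(db, PAYLOAD))
    print("hardened, legitimate host:  ", lookup_hardened(db, "ftp.alpha.example:443", allowed))
    print("hardened, injected host:    ", hardened_rejects(db, PAYLOAD, allowed))
```

Two design points carry over to any appliance, not just this toy. The Host header is attacker-chosen on every request, so it should be validated against the names the server is actually meant to answer for before it touches routing, logging or a database, which also blocks the whole class of Host-header tricks beyond SQL injection. And the key is only stolen here because the same query that lists files can reach it; keeping key material out of the tables an application query can join against, or out of the appliance entirely, limits what an injection can yield even when the parameterisation is missed.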
Who is behind this?
That is less than clear. The Mandiant blog splits the attack into two phases, and each has been given its own UNC (uncategorised) group number. To understand what a UNC group is, read this Mandiant blog.
The first attack is attributed to UNC2546. This group is believed to have created the code to exploit the zero-day vulnerabilities and DEWMODE. It launched the attack and exfiltrated the data.
The second is UNC2582. This group has been responsible for monetising the data theft through extortion. Part of that has meant working with the cybercriminals behind the CLOP ransomware. Other companies affected by this attack and based in the US, Singapore, Canada, and the Netherlands have seen their data posted on the CLOP^_-LEAKS website.
Besides its relationship with the CLOP ransomware team, the same group appears to have had contact with the FIN11 cybercrime group. Mandiant says it has seen emails sent by UNC2582 from email accounts also used by FIN11.
There are also overlaps between UNC2546 and FIN11, which suggests infrastructure is shared between the various groups involved. It is also possible that this is a change of tack by FIN11 and that it is responsible for the whole campaign. At present, Mandiant is avoiding any direct attribution.
Could Qualys have prevented this?
That’s a difficult question. Qualys does not own the Accellion FTA product or have access to its source code, so it has to rely on Accellion to secure it. It could be argued that using a product that is almost 20 years old was always going to increase risk. The reality, however, is that any software, no matter how new or old, can harbour a vulnerability. What an operator does control is exposure: the segregated DMZ with no connectivity to production that Carr describes is what confined this incident to support files rather than the Qualys Cloud Platform.
In a canned statement, Ilia Kolochenko, CEO and Chief Architect ImmuniWeb, wrote:
“Qualys’s response to the incident is a laudable example of transparent and professional handling of a security incident. Under the integrity of currently disclosed circumstances, I see absolutely no reason for panic. The very nature of the incident suggests that the number of affected customers and other third parties is likely very limited. Moreover, sensitive data, such as vulnerability reports or customer passwords, are almost certainly unaffected. Thus, I’d definitely refrain from labeling the attack as a “breach” but rather a security incident. A third-party investigation will likely shed light on the situation and hopefully will bring even more assurance to Qualys customers.
“The ongoing attacks against Accellion FTA servers are exploiting a 0day vulnerability on a server hosted outside of organizational premises, and thus are hardly detectable or preventable. Many more companies and organizations will likely fall victim to this sophisticated hacking campaign soon. Moreover, undoubtedly, even more victims have been already silently hacked and are simply unaware of the intrusion. Extortion and public threats are the last resort for the attackers who fail to rapidly sell the loot for a good price on the Dark Web and go after the victim for a ransom. Similar supply chain attacks are poised to surge in 2021.”
Enterprise Times: What does this mean
There is no question that this is embarrassing for Qualys. Among the documents leaked are invoices and other customer-related materials. Once again, it highlights the problems of third-party components in an organisation’s infrastructure and the difficulty of securing things that you do not own.
That Qualys reacted to the incident and informed customers within days of uncovering the attack is to be commended. The publication of the documents also shows that the company has chosen not to give in to demands for money.
However, for many other companies, it will be a different story. They may have lost more damaging documents to the business or be concerned that publication will cost them customers. The problem is, any payment will embolden the attackers and result in more attacks.
For Accellion, the question now is whether this will see the end-of-life of Accellion FTA brought forward. At 20 years old, one wonders whether there are more horrors hidden in its older code. This is a problem every vendor faces. As code ages, it becomes trusted, but that trust is not enough. There has to be regular and comprehensive testing of all code, without exception.
Extortion rackets are nothing new, and 2020 saw ransomware and extortion be brought together to pressure businesses. Expect 2021 to see a significant increase in stolen documents being released to the public.