Qualys hit with ransomware: Customer invoices leaked on extortionists' Tor blog

Ace infosec biz aware and investigating, we're told


Updated Infosec outfit Qualys, the firm behind cloud-based vuln detection tech and the SSL Server Test webpage, has seemingly fallen victim to a ransomware attack.

Files appearing to originate from Qualys were dumped online this afternoon on the Tor blog of the Clop criminal extortionists.

While Qualys declined to comment immediately, a spokeswoman said the company was aware of the incident and investigating.

While we’re not reproducing those files here because doing so merely fuels the extortionists’ purpose, they appeared to include purchase orders, results of scans of customer appliances and quotations. The nature of the files suggests they were stolen from the admin side of the Qualys business rather than its infosec side.

Ransomware gang specialist Brett Callow, of infosec biz Emsisoft, told The Register: “Entities that have had dealings with Qualys should be on high alert.”

The incident will be hugely embarrassing for Qualys. At the time of writing the precise attack vector was unknown, though Clop has spent the past few months focused on extorting users of Accellion file transfer appliances. In 2016 Qualys itself published research (PDF) into vulns in Accellion devices, though that is no indicator of whether or not the appliances were in use by Qualys itself for their intended purpose.

Jake Moore, security specialist at ESET, opined: “Malicious actors have somewhat matured and now use full-blown extortion tactics to make sure they get what they came for. Going further than simply encrypting data seems so ‘old hat’ now when exfiltrating and selling the data seems that much more lucrative.”

Recent victims of Clop’s Accellion-focused extortion spree include Canadian aerospace firm Bombardier, whose stolen files exposed details of a military-grade radar supplied to various air forces around the world. Others targeted by the steal’n’ransom criminals include London ad agency The7stars and German firm Software AG.

US infosec behemoth FireEye has theorised that Clop has been acting as a reseller for a second criminal operation which carried out the actual thefts from Accellion appliances during December and January.

Yesterday Accellion published a report from FireEye’s Mandiant breach response tentacle (PDF), which said: “Both the December Exploit and the January Exploit demonstrate a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software, likely obtained through extensive reverse engineering of the software.”

Emsisoft’s Callow added that the US CISA infosec agency had hinted that the ransomware criminals were making a profit from their extortionist endeavours, pointing to a line in a recent CISA advisory that hinted some victims had paid up to prevent embarrassment or worse.

“In 2020, Clop et al posted data stolen from more than 1,300 companies – including contractors in the military industrial space – while many other organizations will have paid to prevent it being published,” said Callow. “And, of course, as not all groups were stealing data at the start of 2020, we can look forward to even more cases this year.” ®

Updated to add at 09:20 UTC 4 March 2021

Qualys issued a statement last night to say it had "received new information about a previously identified zero-day exploit in a third-party solution, Accellion FTA, that Qualys deployed to transfer files as part of our customer support system."

It insisted that there was "no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform. All Qualys platforms continue to be fully functional and at no time was there any operational impact."

Speaking of the actions the firm took to remediate, Qualys's CISO, Ben Carr, said: "The zero-day vulnerability affecting Accellion was discovered by Accellion in another customer’s environment and a hotfix to remediate the vulnerability was released on December 21, 2020. The Qualys IT team applied the hotfix to secure our Accellion FTA server on December 22, 2020.

"In addition, Qualys further enhanced security measures by deploying additional patches and enabling additional alerting around the FTA server. We received an integrity alert on December 24, 2020 and the impacted FTA server was immediately isolated from the network.

"Accordingly, Qualys shut down the affected Accellion FTA servers and provided alternatives to customers for support-related file transfer."

He added that the team had "immediately notified the limited number of customers impacted by this unauthorized access."

Carr said the firm had hired FireEye Mandiant, which had worked with Accellion on the wider investigation. FireEye covered the details of the Accellion vulnerability in this article.
