Cybersecurity firm Qualys announced a “limited” number of their customers had been impacted by a data breach caused by an exploited Accellion FTA zero-day vulnerability on Qualys customer support systems.
Attackers infiltrated Qualys systems running Accellion FTA used to transfer customer support files. However, the company said the impact was minimal since the FTA servers were not connected to their Qualys Cloud Platform and were segregated in a DMZ from the rest of the network.
“Qualys has confirmed that there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform. All Qualys platforms continue to be fully functional and at no time was there any operational impact,” Ben Carr, Chief Information Security Officer, of Qualys wrote in a blog post on Wednesday, March 3.
Late last month, cyber attackers were recently spotted exploiting Accellion File Transfer (FTA) appliance 0-day vulnerabilities to steal data and threaten their victims with extortion attempts.
Starting in mid-December 2020, FireEye’s Mandiant cybersecurity team previously discovered unknown threat actors they called UNC25346 exploiting multiple vulnerabilities to install a web shell dubbed DEWMODE.
Back to the recent event. The Qualys IT team did confirm they had patched and added more monitoring on the affected Accellion FTA server on December 22, 2020. However, the firm received an integrity alert just two days later and subsequently shut the FTA server down. Qualys then notified affected customers of the incident.
“Qualys and Accellion conducted a detailed investigation and identified unauthorized access to files hosted on the Accellion FTA server. Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access. The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform,” Ben Carr added.
Qualys has engaged FireEye and added they are “strongly committed to the security of its customers and their data, and we will notify them should relevant information become available.”
FTA vulnerabilities
Four Accellion FTA vulnerabilities have been reserved and subsequently patched by Accellion:
- CVE-2021-27101: SQL injection via a crafted Host header
- CVE-2021-27102: OS command execution via a local web service call
- CVE-2021-27103: SSRF via a crafted POST request
- CVE-2021-27104: OS command execution via a crafted POST request.
Three of the four vulnerabilities are rated Critical and sport a CVSS score of 9.8.
Moreover, FireEye confirmed the SQL injection vulnerability CVE-2021-27101 was likely used as the primary intrusion vector in the attacks.