Qualys Update on Accellion FTA Security Incident

Ben Carr

Update April 2, 2021 to the March 3 original blog post:

As part of our commitment to keeping customers and the community informed about how we are addressing and resolving the Accellion FTA cyber incident, we are providing the following update to confirm containment of the incident and share investigative findings about this threat actor group that we hope will help the broader security community protect itself against similar threats. Our updates cover:

  1. Verification that the threat actor continues to post data taken from the Accellion FTA server in phases, as expected, but no additional files have been found
  2. Information about email addresses stored on the Accellion FTA server at the time of the incident and tactics being used by the threat actor
  3. Reports that the threat actor may contact affected customers directly in order to give credibility to their tactics
  4. Independent confirmation from a third-party forensics firm that there was no threat actor movement from the Accellion FTA server laterally into any other Qualys environment

As anticipated in our March 11 update, the threat actor has continued to post parts of the data in phases, which our team has cross-referenced with the complete set of files already identified on the Accellion FTA server and our analysis has not revealed any additional files. Based on our investigation with Accellion and FireEye Mandiant, we remain confident that we have a complete list of customers who had files on the Accellion FTA server at the time of the incident, and we have contacted them. If your company has not been contacted, then we have no evidence that your company has files potentially affected. We expect the threat actor will continue to post data, and as the threat actor does, we will continue to carefully check the posted files and email addresses to confirm no additional data is released. So far, we have seen no evidence to suggest that the threat actor has posted any additional data. If that changes, we will investigate further and reach out to affected customers.

We previously noted that a number of email addresses were taken from the Accellion FTA server and posted by the threat actor. We have carefully checked each of those email addresses against the list of affected files. In many cases, it appears the threat actor took these email addresses from the Accellion FTA server even though there was no corresponding file on the server at the time of the incident. The threat actor has also been associating file names from one customer with email addresses from others, presumably to make the data look bigger than it is. According to analysis and insight from our third-party forensic experts, this appears to be a new tactic employed by this threat actor group, which we wanted to inform the broader security community about. We also engaged an additional forensic firm who thoroughly analyzed the data for any signs of information about individual users, beyond business contact information, such as names, usernames, company email addresses, job titles, and office addresses. Their analysis did not find any evidence of additional information about individual users on the server. 

Further, there are reports from other attack victims that the threat actor has been emailing those victims’ customers directly to further the threat actor’s agenda. We do not have evidence that this has happened to Qualys customers, but we wanted to share with the broader community potential tactics being used, and to emphasize that it is important that customers be vigilant to potential direct outreach from the threat actor.

Finally, in addition to working with FireEye Mandiant, we asked another third-party forensic firm to investigate the potential for lateral movement into the Qualys network. The forensic firm concluded the threat actor did not move from the Accellion FTA server into any Qualys environment and that Qualys’ existing security rules would not have allowed any such access between the Accellion FTA server and Qualys’ corporate and production environment. As previously noted, the impact on Qualys and our customers is contained to the Accellion FTA server. We continue to be confident that there is no impact from this incident on the Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners.  All Qualys platforms continue to be fully functional and at no time was there any operational impact from this incident. 

These findings independently confirm our conclusion that the impact on Qualys and our customers is contained to those files stored on the Accellion FTA server at the time of the incident. These findings also confirm that this incident did not involve any additional attack vectors beyond the vulnerability used to infiltrate the Accellion FTA server.

In light of this incident, we have updated our current Customer Service Portal file transfer service, which has been thoroughly reviewed by our security experts. We have also re-reviewed our security posture and our approach to securing customer data and remain committed to continual process improvements.

Qualys is committed to continuing to keep the security community informed, so we all can take additional actions as needed to protect ourselves and each other. We have shared what we have learned so far about this threat actor with the broader security community, including the appropriate ISACs as well as law enforcement, to help protect against similar threats in the future.

We appreciate the support and understanding from our customers during this incident.

Customers with further questions should reach out to their Technical Account Manager or Qualys customer support.

Update March 11, 2021 to the March 3 original blog post:

Our investigation with FireEye Mandiant into the Accellion FTA cyber incident has progressed, and we want to provide an update on how we are addressing and resolving this matter with our customers.

We have identified what we believe is a complete list of customers that had files on the Accellion FTA server at the time of the incident. Using that list, we have notified all customers we believe may have been potentially affected by this incident as well as shared a list of their files that were present on the Accellion FTA server at the time of the incident. Companies who have not received notification at this point should proceed with the understanding that we have no evidence, at this time, to indicate their files were affected by this incident.

As part of this incident, we identified a number of email addresses taken from the Accellion FTA server and posted by the threat actor. We carefully checked each of those email addresses against the exposed files. If a company has not been notified, even if a company email address was posted, we do not believe that company had potentially exposed files. We are working with customers whose files we believe were on the FTA server at the time of the incident to review the content of their files and recommend that they take appropriate mitigating actions like resetting passwords and changing keys as needed.

It appears that this threat actor’s signature approach is to infiltrate, quickly remove files, and drop stolen data in phases. (See this FireEye post for more information about how this threat actor operates.) Given their history, we fully expect the threat actor to post more files taken from the same Accellion FTA server in the future.

We have confirmed the impact on Qualys and our customers is contained to those files stored on the Accellion FTA server. Our investigation has found no additional attack vectors beyond the vulnerability used to infiltrate the Accellion server. Further, based on a thorough analysis by FireEye Mandiant, we have concluded there was no threat actor movement from the Accellion server laterally from the Accellion FTA server into any other Qualys environment. We maintain strict segmentation between our various environments. We continue to be confident that there is no impact from this incident on Qualys systems including Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners. All Qualys platforms continue to be fully functional and at no time was there any operational impact from this incident.

The entire security community is stronger when we work together, and it’s important—especially when cyberattacks affect a group of companies—that we learn from each other’s experiences. We continue to work with FireEye Mandiant to better understand the techniques used by the threat actor pre and post compromise. We have shared what we have learned so far about this threat actor with the broader security community, including the appropriate ISACs (Information Sharing and Analysis Centers) as well as law enforcement, to help protect against similar threats in the future. As we learn more information, we will continue to keep the security community informed, so we all can take any additional actions to protect ourselves and each other. We appreciate the support and understanding from our customers during this incident.

Customers with further questions should reach out to their Technical Account Manager or Qualys customer support.

Original Post March 3, 2021 including minor update made on March 4:

New information has come out today, March 3, related to a previously identified zero-day exploit in a third-party solution, Accellion FTA, that Qualys deployed to transfer information as part of our customer support system.

Qualys has confirmed there is no impact on the Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners. All Qualys platforms continue to be fully functional and at no time was there any operational impact.

Accellion FTA devices are standalone, black box appliance servers designed to be hosted outside of our production environment. Qualys had deployed the Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support Qualys products for occasional use to transfer information as part of our customer support system. Qualys chose the Accellion FTA solution for encrypted temporary transfer of manually uploaded files. There was no connectivity between the Accellion FTA server and our production customer data environment (the Qualys Cloud Platform). The Accellion FTA product is a third-party system fully managed by Accellion.

The zero-day vulnerability affecting Accellion was discovered by Accellion in another customer’s environment and a hotfix to remediate the vulnerability was released on December 21, 2020. The Qualys IT team applied the hotfix to secure our Accellion FTA server on December 22, 2020. In addition, Qualys further enhanced security measures by deploying additional patches and enabling additional alerting around the FTA server. We received an integrity alert on December 24, 2020 and the impacted FTA server was immediately isolated from the network. Accordingly, Qualys shut down the affected Accellion FTA servers and provided alternatives to customers for support-related file transfer.

Qualys and Accellion conducted a detailed investigation and identified unauthorized access to files hosted on the Accellion FTA server. Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access. The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.

FireEye Mandiant has covered the details of the Accellion vulnerability in the article, Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion.

As with any security incident, the investigation is ongoing. As a security company, we continue to look for ways to enhance security and provide the strongest protections for our customers. We have engaged FireEye Mandiant, who also worked with Accellion on the wider investigation. Qualys is strongly committed to the security of its customers and their data, and we will notify them should relevant information become available.

Please contact your technical account manager or Qualys Support if you need further information.

Show Comments (1)

Comments

Your email address will not be published. Required fields are marked *