Security News > 2021 > March > Extortion Gang Breaches Cybersecurity Firm Qualys Using Accellion Exploit
Enterprise cloud security firm Qualys has become the latest victim to join a long list of entities to have suffered a data breach after zero-day vulnerabilities in its Accellion File Transfer Appliance server were exploited to steal sensitive business documents.
As proof of access to the data, the cybercriminals behind the recent hacks targeting Accellion FTA servers have shared screenshots of files belonging to the company's customers on a publicly accessible data leak website operated by the CLOP ransomware gang.
Confirming the incident, Qualys Chief Information Security Officer Ben Carr said a detailed probe "Identified unauthorized access to files hosted on the Accellion FTA server" located in a DMZ environment that's segregated from the rest of the internal network.
"The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform."
Last month, FireEye's Mandiant threat intelligence team disclosed details of four zero-day flaws in the FTA application that were exploited by threat actors to mount a wide-ranging data theft and extortion campaign, which involved deploying a web shell called DEWMODE on target networks to exfiltrate sensitive data, followed by sending extortion emails to threaten victims into paying bitcoin ransoms, failing which the stolen data was posted on the data leak site.
The FireEye-owned subsidiary is tracking the exploitation activity and the follow-on extortion scheme under two separate threat clusters it calls UNC2546 and UNC2582, respectively, with overlaps identified between the two groups and previous attacks carried out by a financially motivated threat actor dubbed FIN11.