Cloud security and compliance firm Qualys suffered unauthorised access to some of its data after hackers exploited a zero day vulnerability in Accellion's FTA software to infiltrate an FTA server deployed in its DMZ environment.
In a statement released on Thursday, Qualys said that even though hackers infiltrated the Accellion FTA server and accessed data associated with some of its customers, the breach was very limited as the FTA server was deployed in a segregated DMZ environment and was not connected to its production customer data environment.
“Qualys has confirmed there is no impact on the Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners. All Qualys platforms continue to be fully functional and at no time was there any operational impact,” said Ben Carr, the company's chief information security officer.
Accellion announced in January that Accellion File Transfer Appliance (FTA), a popular yet 20-year-old file-sharing software, was targeted by cybercriminals who exploited zero-day vulnerabilities in the legacy application to steal data associated with around 50 customers. On December 21, a remedy to patch the vulnerabilities was deployed by Accellion FTA and Qualys applied the fix the very next day. The company also enhanced security measures by deploying additional patches and enabling additional alerting around the FTA server.
However, as the third-party software company had already been exploited by then, Qualys received an ‘integrity alert’ on December 24 and immediately isolated the impacted server from its IT network. As a precaution, Qualys temporarily shut down the affected Accellion FTA server and provided alternatives to customers to support file transfers.
Qualys has hired FireEye Mandiant to investigate the security event and notified the limited number of customers impacted by the incident. “We have engaged FireEye Mandiant, who also worked with Accellion on the wider investigation. The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform,” the company added.
Qualys is one of many companies affected by the Accellion breach. Previously, Canadian aircraft manufacturer Bombardier suffered a security breach that compromised information associated with employees, customers, and several suppliers. Based on Bombardier’s statement, there is a possibility that the security breach it suffered could be owed to Accellion’s legacy File Transfer Appliance (FTA) software, critical vulnerabilities in which were exploited by a hacker group to steal data belonging to a large number of organisations.
Commenting on the statement released by Qualys, Ilia Kolochenko, the founder and chief architect of ImmuniWeb SA, said that Qualys’s response to the incident is a laudable example of transparent and professional handling of a security incident.
“The very nature of the incident suggests that the number of affected customers and other third parties is likely very limited. Moreover, sensitive data, such as vulnerability reports or customer passwords, are almost certainly unaffected. Thus, I’d definitely refrain from labeling the attack as a “breach” but rather a security incident. A third-party investigation will likely shed light on the situation and hopefully will bring even more assurance to Qualys customers.
“The ongoing attacks against Accellion FTA servers are exploiting a zero-day vulnerability on a server hosted outside of organisational premises, and thus are hardly detectable or preventable. Many more companies and organisations will likely fall victim to this sophisticated hacking campaign soon,” he added.