Qualys & Accellion: The Third-Party Breach Ripple Effect
Written by: Black Kite
To close out the chaos that was 2020, malicious actors wreaked havoc on users of Accellion's File Transfer Application (FTA). Using a zero-day vulnerability, the attackers stole files stored on the legacy appliance. Although Accellion released patches once the issue was discovered, exploitation likely continued through late December and into early January.
Unfortunately for FTA users, the incident increasingly resembles the SolarWinds breach, in which attackers used advanced techniques to reach larger organizations through their weaker third parties. As the news unfolds and the scope is assessed, Qualys and Kroger are among the latest third-party breach victims.
What data is at stake for Qualys and many other FTA users?
While Qualys states that the breach had minimal impact, the exact information at risk remains unknown. Although there is no concrete evidence, as of this writing, that Qualys data was leaked to the dark web, the Black Kite platform identified the subdomain that hosted Qualys's Accellion FTA instance (fts-na.qualys.com). As of mid-February it no longer resolves to an IP address.
Accellion FTA devices are standalone servers designed to sit outside the network security perimeter, exposed to the public internet. Although we have yet to observe ransomware deployed on victims' networks, the cybercriminal group (tracked as UNC2546, with links to FIN11) has threatened to publish stolen data on Clop Leaks, a dedicated leak website, in order to extort payment.
What is Clop Leaks?
In the first few weeks of the attack, the motivation of UNC2546 was not immediately apparent. Instead, companies were focused on applying the hotfixes released by Accellion and/or migrating to Kiteworks. It was not until late January that organizations began receiving threats to post their stolen files on Clop Leaks.
Like other ransomware gangs operating in 2021, the group uses its dedicated leak website to pressure victims into paying. Extortion emails (such as the one pictured below) demand payment in exchange for keeping the stolen files private; victims who refuse to pay are threatened with publication of the entire dataset.
Only time will tell for this third-party attack.
Third-party induced attacks come in many shapes and sizes. Often using ransomware or extortion, attackers find a way to monetize any vulnerability within the third-party ecosystem. No matter how robust an organization's cybersecurity program is, it is only as strong as its weakest link.
From patch management and hacktivist shares to IP reputation and credential management, there were multiple signals on the Black Kite platform that would have indicated a problem. Perhaps the biggest mistake in the Accellion breach, however, is that many companies never considered Accellion a "third party" in the first place.
Despite running the vendor's appliance in their own environments, many organizations did not include Accellion in their third-party inventories, so it went unmonitored: a detrimental error for potentially hundreds of customers. Although only time will tell in this case, the event further emphasizes the importance of knowing which third-party vendors pose the highest risk to your organization.
Want to know which of your vendors are most susceptible to a cyber breach?
Request a free cyber rating