Accellion zero-day claims a new victim in cybersecurity company Qualys

A hotfix was applied, but not before some customer files may have been compromised.
Written by Charlie Osborne, Contributing Writer

Qualys has revealed that a "limited" number of customers may have been impacted by a data breach connected to an Accellion zero-day vulnerability.

The cloud security and compliance firm said on Wednesday that the security incident did not have any "operational impact," but "unauthorized access" had been obtained to an Accellion FTA server used by the company. 

Accellion File Transfer Appliance (FTA) is enterprise-grade software used for file transfers. In December 2020, FireEye's Mandiant discovered that the Clop ransomware group was exploiting previously unknown vulnerabilities in the legacy software to extort organizations, threatening to leak sensitive data stolen from vulnerable servers unless a ransom was paid.

Organizations across the US, Singapore, Canada, and the Netherlands were targeted. However, according to Mandiant, ransomware was not deployed in this wave of attacks. 

Qualys is a user of Accellion FTA. The company says that the software was used "to transfer information as part of our customer support system [in] a segregated DMZ environment" but was kept separate from production environments, codebases, and Qualys Cloud. 

A hotfix to patch the vulnerabilities was issued by Accellion on December 21, and Qualys says that its team applied the fix on December 22. 

However, a zero-day vulnerability in the third-party software had already been exploited, and on December 24, the company received an "integrity alert" indicating a potential compromise. 

The impacted server was isolated from its network and an investigation was launched. Qualys found that some customer data contained in the server had been accessed, although the company has not revealed how many customers are involved, or what information was stored. 

Qualys has hired Mandiant, which is also working with Accellion, to investigate. In addition, affected servers have been closed down and alternatives are being offered to customers. 

"As a security company, we continue to look for ways to enhance security and provide the strongest protections for our customers," the company says. "Qualys is strongly committed to the security of its customers and their data, and we will notify them should relevant information become available."

Accellion says it has worked "around the clock to develop and release patches that resolve each identified FTA vulnerability and support our customers affected by this incident."
