A Qualys booth set up at a trade show. (Thomas Springer, CC0, via Wikimedia Commons)
Cloud security company Qualys said that follow-up investigations have confirmed that the data breach it suffered in late 2020 and early 2021 was confined to customer data housed on third-party vendor Accellion's file transfer appliance. However, the company also shared intelligence that the attackers behind the incident are engaging in a tactic to make the exposed data set look more voluminous than it actually is.
In a detailed update posted on the Qualys website April 2, CISO Ben Carr said that an independent, third-party forensic firm has confirmed the company's initial determination that the attack did not jump from Accellion's file transfer appliance server to Qualys' much larger corporate network.
"The forensic firm concluded the threat actor did not move from the Accellion FTA server into any Qualys environment and that Qualys' current security policies would not have allowed any such access between the Accellion FTA server and Qualys' corporate and production environment," Carr wrote.
While the Clop ransomware group continues to leak stolen information from Qualys online in phases, Carr said everything published so far has been from the original pool of affected data identified by incident responders. He also said that following investigations with Accellion and Mandiant, the company is confident that it has a complete list of customers with data on the Accellion server at the time of the incident.
"So far, we have seen no evidence to suggest that the threat actor has posted any additional data," wrote Carr. "If that changes, we will investigate further and reach out to affected customers."
However, the firm appears to still be investigating some aspects of the incident. For instance, the hackers posted a number of email addresses that "in several cases" appear to have been taken from the FTA server even though there was not a corresponding file present at the time of the attack.
Qualys believes that in some instances, the group may be attempting to pad its numbers to make it appear as if it stole more data than it actually did by combining file names from one customer with email addresses from another.
"According to analysis and insight from our third-party forensic experts, this appears to be a new tactic used by this threat actor group, which we wanted to inform the broader security community about," Carr wrote. "We also engaged an additional forensic firm who thoroughly analyzed the data for any signs of information about individual users, beyond business contact information, such as names, usernames, business email addresses, job titles, and office addresses. Their analysis did not uncover any evidence of additional information about individual users on the server."
While other victims of the hack have reported incidents where the hackers directly emailed customers, Qualys is not aware of any evidence that this has occurred with its customers.
Qualys is just one of many companies affected by the compromise of Accellion. Victims include oil giant Shell, powerhouse law firm Jones Day, Michigan-based Flagstar Bank, the national grocery store chain Kroger and numerous government and academic organizations. The update from Qualys comes a week after its CEO and chair of the board, Philippe Courtot, resigned from the company, citing health reasons related to COVID-19.
From the April 01, 2010 Issue of SC Media