Founded in 1999, Qualys was the first company to deliver vulnerability management as a web-delivered application under a "software as a service" (SaaS) model, and as of 2013 Gartner Group had for the fifth time given Qualys a "Strong Positive" rating for these services.
The data breach occurred in December 2020, shortly before Accellion provided a hotfix on December 21, which Qualys' IT team applied on December 22. However, on December 24 the company received an integrity alert indicating that the attackers had already exploited the zero-day vulnerability before the fix was in place.
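The timeline above turns on a file-integrity alert firing two days after the hotfix. The page does not describe how Qualys' or Accellion's alerting works, so the following is an added example (not code from Qualys, Accellion, or the original article) of the basic mechanism behind such an alert: hash every file under a directory into a baseline manifest, then diff a later snapshot against it to surface added, removed, and modified files. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; any non-empty list is an integrity alert."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest: dict, path: Path) -> None:
    # In practice store this off-host or sign it; an attacker with root can rewrite a local copy.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake appliance tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "html").mkdir()
        (root / "bin").mkdir()
        (root / "html" / "index.php").write_text("<?php echo 'ok'; ?>")      # constructed
        (root / "bin" / "transfer").write_bytes(b"\x7fELF constructed stub")  # constructed

        baseline = build_baseline(root)
        manifest_path = root / "baseline.json"
        save_manifest(baseline, manifest_path)

        # Simulate post-patch compromise: a dropped web shell and a backdoored existing file.
        (root / "html" / "shell.php").write_text("<?php system($_GET['c']); ?>")  # constructed
        (root / "html" / "index.php").write_text("<?php eval($_POST['x']); ?>")   # constructed

        current = build_baseline(root)
        current.pop("baseline.json", None)  # the manifest itself is not part of the monitored tree
        return compare(load_manifest(manifest_path), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The diff reports `html/shell.php` as added and `html/index.php` as modified. Two caveats a practitioner would want: the baseline must be taken from a known-good state (here, before the simulated tampering), and it must be stored where the monitored host cannot silently replace it, otherwise an attacker who already has code execution can re-baseline their own changes.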
A group of cybercriminals behind a string of recent hacks involving Accellion-made software is now claiming responsibility for a breach of Qualys, a major cloud computing security vendor. Accellion File Transfer Appliance (FTA) is enterprise-grade software used for file transfers.
As proof of access to the data, an extortion site maintained by the hackers has leaked documents claiming to contain information on Qualys customers. Attackers affiliated with the extortion site have previously been linked to the Clop ransomware, a file-locking malware that emerged two years ago. This month, the thieves claimed responsibility for a series of incidents that relied on data leaks, rather than file encryption, as the extortion tactic, according to security firm FireEye.
With some 19,000 clients, including major financial firms like Capital One and Experian, Qualys represents an attractive target for extortionists keen on making sensitive data public.
In a statement Wednesday evening, Qualys CISO Ben Carr said the attackers had accessed files hosted on an Accellion server. Qualys “notified the limited number of customers impacted by this unauthorized access,” Carr said, adding that the incident hadn’t affected “Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform.” Carr did not specify which hackers were responsible.
Qualys has hired Mandiant, the incident response arm of security firm FireEye, to respond to the breach, a Mandiant spokesperson said.
Qualys’ cloud platform ingests data from across an organization to provide cyber threat alerts. The firm, which reported $363 million in revenue last year, also counts technology giants Cisco and Microsoft as customers.
The incident follows a disclosure last month from Accellion, another big software vendor, that a criminal hacking group had exploited multiple vulnerabilities in one of its legacy products. Breaches linked to the Accellion flaws have hit a diverse set of victims, from Canadian plane-maker Bombardier to the grocery chain Kroger.
The Accellion incident is only the latest example of cybercriminal groups seeking out key IT providers with a raft of powerful customers for extortion. The hackers behind another strain of ransomware, Maze, claimed responsibility for breaches at two multibillion-dollar IT services firms last year, Cognizant and Conduent.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), a clearinghouse for financial threat information whose members include big banks, said Wednesday that it keeps a close eye on the “third-party risk” that might arise from a breach like that of Qualys.
“FS-ISAC encourages all financial institutions to follow published procedures to assess and maintain the security of their systems and to continually monitor for signs of any anomalous activity,” the analysis center said in a statement.