Qualys Is the Latest Victim of Accellion Data Breach

Published : 23/11/2024   Category : security




Security vendor confirms attackers exploited a previously disclosed vulnerability in the enterprise firewall technology to breach its network.



Qualys has become the latest known victim of a data breach at enterprise firewall vendor Accellion that has affected numerous companies including, most notably, retail giant Kroger, law firm Jones Day, and the state of Washington.
In a statement late Wednesday, Qualys confirmed rumors that had been circulating all day about the company's network having been breached. But it provided few details on the nature of the incident or whether it had become a victim of the Clop ransomware strain, as numerous people reported via Twitter on Wednesday.
Qualys' statement and a blog post — attributed to CISO Ben Carr — merely noted that the company had become the victim of an unspecified security incident involving a previously disclosed vulnerability in Accellion's File Transfer Appliance (FTA). A Securities and Exchange Commission report on the incident that Qualys filed Thursday described the incident as a data breach but otherwise provided the same details as in the press release and blog post.
Qualys said it had been using Accellion's FTA to transfer encrypted files associated with its customer support system that had been manually uploaded to its systems. The company claimed that it had deployed the Accellion server in a completely segregated DMZ environment on its network that was separate from systems hosting and supporting the company's core Qualys Cloud Platform.
"Qualys has confirmed that there is no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform," Carr wrote in his blog post. "All Qualys platforms continue to be fully functional and at no time was there any operational impact."
Carr's statement and post, however, made no mention of whether attackers had exploited the vulnerable Accellion FTA server to install ransomware on the company's network or whether they had leaked customer data pertaining to invoices, purchase orders, and tax documents. It did note that the limited number of customers affected by the breach had been immediately notified about the issue.
Several tweets surfaced on Wednesday from people claiming they had seen files that appeared to belong to Qualys being posted online by the operators of a ransomware strain known as Clop. Some even suggested that data belonging to thousands of customers had been leaked online. Third-party risk assessment firm Black Kite on Wednesday described one of its researchers as tracking new posts on the Clop website showing the ransomware gang was going after Qualys. According to Bob Maley, the company's chief security officer, the activity that Black Kite was able to observe suggested that Qualys was the victim of an Accellion-related third-party breach.
Qualys did not immediately respond to a Dark Reading request seeking clarity on whether the company had indeed been hit by ransomware or if customer data had been leaked online.
Accellion, in two separate releases, the first on Jan. 12 and the second on Feb. 1, disclosed that attackers had exploited multiple zero-day vulnerabilities in its FTA server. The Accellion FTA server is a 20-year-old, near-obsolete technology that many enterprises nonetheless continue to use to transfer large files. The technology is typically deployed on the DMZ of enterprise networks.
A subsequent FireEye Mandiant investigation of the Accellion breach showed that the attackers had used the vulnerabilities to install what up to that point had been a previously unknown Web shell named DEWMODE on the FTA server. The malware allowed the attackers to exfiltrate data from the networks of enterprise organizations using the Accellion technology to transfer data, FireEye Mandiant reported.
The security vendor's research uncovered data belonging to several Accellion FTA customers later surfacing on a FIN11 website; FIN11 is an advanced persistent threat actor most recently associated with operating the Clop ransomware strain. FireEye Mandiant described the stolen information as being used as leverage in attempts to extort money from victim organizations. FireEye Mandiant said its investigation showed the initial attack itself was pulled off by a previously unknown group that it is tracking as UNC2546. The extortion attempts, however, appeared to be the work of a separate, previously unknown group that Mandiant is tracking as UNC2582.
So far, several organizations, like Qualys, have publicly disclosed data breaches tied to the Accellion FTA vulnerabilities. Besides Kroger, Jones Day, and the state of Washington, other known victims include the Reserve Bank of New Zealand, Singapore Telecommunications (Singtel), and the government of New South Wales in Australia.
The breach at Accellion has drawn some comparisons to the one that SolarWinds disclosed last December. Both are the latest examples of attackers targeting a trusted third-party vendor to install malware and steal data from a large number of enterprise organizations. Security experts expect such attacks to become increasingly common because they give attackers a way to inflict widespread damage with minimal effort.
