Qualys hit with ransomware: Customer invoices leaked on extortionists’ Tor blog

Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage, have seemingly fallen victim to a ransomware attack.

Files appearing to originate from Qualys were dumped online this afternoon on the Tor blog of the Clop criminal extortionists.

While Qualys declined to comment immediately, a spokeswoman said the company was aware of the incident and investigating.

While we’re not reproducing those files here because doing so merely fuels the extortionists’ purpose, they appeared to include purchase orders, results of scans of customer appliances and quotations. The nature of the files suggests they were stolen from the admin side of the Qualys business rather than its infosec side.

Ransomware gang specialist Brett Callow, of infosec biz Emsisoft, told The Register: “Entities that have had dealings with Qualys should be on high alert.”

The incident will be hugely embarrassing for Qualys. At the time of writing the precise attack vector was unknown, though Clop has spent the past few months focused on extorting users of Accellion file transfer appliances. In 2016 Qualys itself published research (PDF) into vulns in Accellion devices, though that is no indicator of whether or not the appliances were in use by Qualys itself for their intended purpose.

Jake Moore, security specialist at ESET, opined: “Malicious actors have somewhat matured and now use full-blown extortion tactics to make sure they get what they came for. Going further than simply encrypting data seems so ‘old hat’ now when exfiltrating and selling the data seems that much more lucrative.”

Recent victims of Clop’s Accellion-focused extortion spree include Canadian aerospace firm Bombardier, in the process exposing details of a military-grade radar supplied to various air forces around the world. Others targeted by steal’n’ransom criminals include London ad agency The7stars, German firm Software AG and others.

US infosec behemoth FireEye has theorised that Clop has been acting as a reseller for a second criminal operation which carried out the actual thefts from Accellion appliances during December and January.

Yesterday Accellion published a report from FireEye’s Mandiant breach response tentacle (PDF), which said: “Both the December Exploit and the January Exploit demonstrate a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software, likely obtained through extensive reverse engineering of the software.”

Emsisoft’s Callow added that the US CISA infosec agency had hinted that the ransomware criminals were making a profit from their extortionist endeavours, pointing to a line in a recent CISA advisory that hinted some victims had paid up to prevent embarrassment or worse.

“In 2020, Clop et el posted data stolen from more than 1,300 companies – including contractors in the military industrial space – while many other organizations will have paid to prevent it being published,” said Callow. “And, of course, as not all groups were stealing data at the start of 2020, we can look forward to even more cases this year.” ®

READ MORE HERE