Qualys Update on Accellion FTA Security Incident

Note: Updated March 4 with additional detail.

New information has come out today, March 3, related to a previously identified zero-day exploit in a third-party solution, Accellion FTA, that Qualys deployed to transfer information as part of our customer support system.

Qualys has confirmed there is no impact on the Qualys production environments (shared platforms and private platforms), codebase, customer data hosted on the Qualys Cloud Platform, Qualys Agents or Scanners. All Qualys platforms continue to be fully functional and at no time was there any operational impact.

Accellion FTA devices are standalone, black box appliance servers designed to be hosted outside of our production environment. Qualys had deployed the Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support Qualys products for occasional use to transfer information as part of our customer support system. Qualys chose the Accellion FTA solution for encrypted temporary transfer of manually uploaded files. There was no connectivity between the Accellion FTA server and our production customer data environment (the Qualys Cloud Platform). The Accellion FTA product is a third-party system fully managed by Accellion.

The zero-day vulnerability affecting Accellion was discovered by Accellion in another customer’s environment and a hotfix to remediate the vulnerability was released on December 21, 2020. The Qualys IT team applied the hotfix to secure our Accellion FTA server on December 22, 2020. In addition, Qualys further enhanced security measures by deploying additional patches and enabling additional alerting around the FTA server. We received an integrity alert on December 24, 2020 and the impacted FTA server was immediately isolated from the network. Accordingly, Qualys shut down the affected Accellion FTA servers and provided alternatives to customers for support-related file transfer.

Qualys and Accellion conducted a detailed investigation and identified unauthorized access to files hosted on the Accellion FTA server. Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access. The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform.

FireEye Mandiant has covered the details of the Accellion vulnerability in the article, Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion.

As with any security incident, the investigation is ongoing. As a security company, we continue to look for ways to enhance security and provide the strongest protections for our customers. We have engaged FireEye Mandiant, who also worked with Accellion on the wider investigation. Qualys is strongly committed to the security of its customers and their data, and we will notify them should relevant information become available.

Please contact your technical account manager or Qualys Support if you need further information.

This post was first first published on Qualys Security Blog’ website by Ben Carr. You can view it by clicking here