Qualys Data Breach

Cybersecurity firm Qualys is the latest victim of a cyber attack, the company was likely hacked by threat actors that exploited a zero-day vulnerability in their Accellion FTA server. A set of cybercriminals belonging to the Clop Ransomware group claimed responsibility for a breach of Qualys, a major cloud computing security vendor. As proof of the access to data, an extortion site maintained by hackers on the dark web has leaked documents claiming to contain information on Qualys customers of about 19,000 clients, including major financial firms like Capital One and Experian.

Technical Details

The wave of attacks began in mid-December 2020, threat actors exploited multiple zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software to deploy a shell dubbed DEWMODE on the target networks.

The attackers exfiltrated sensitive data from the target systems and then published it on the CLOP ransomware gang’s leak site. It has been estimated that the group has targeted approximately 100 companies across the world between December and January. Further, Qualys CISO Ben Carr added that the incident hadn’t affected Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform.

FireEye pointed out that despite FIN11 hackers publishing data from Accellion FTA customers on the Clop ransomware leak site, they did not encrypt systems on the compromised networks. In response to the wave of attacks, the vendor has released multiple security patches to address the vulnerabilities exploited by the hackers and the company is also going to retire legacy FTA server software by April 30, 2021.

Mitigation Strategy

An organization should always be well prepared for the forthcoming incidents that may approach possessing harmful instincts such as cyber-attacks. To tackle those attacks at the initial level, following are certain points that needs to be followed by any organization so as to reduce the risk of loss from the occurrence of any undesirable event.

1. Users should follow the best practices to defend against the malware and create an effective backup strategy by following the 3-2-1 rule:
–   Adopt strong passwords throughout the network.
–   Consider network segmentation to separate important processes and systems from the wider access network.
–   Increase awareness of how ransomware spreads, i.e., through spammed emails and attachments.
–   Monitor and audit network traffic for any suspicious behaviors or anomalies

2. Deploy IAM, limit privileged users, and implement MFA.

3. Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.

4. If noticed any kind of activity (new process initiated, any files have been deleted automatic), take an appropriate action.

5. Keep your operating system and software up to date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring      these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.

Preventive Measures

An organization’s ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. An organization’s response capability should focus on being prepared to handle the most common attack vectors (e.g., spearphishing, malicious web content, credential theft).
In general, organizations should prepare for those attacks for a longer run by keeping the following key pointers in consideration:

– Block the IOCs.
– Enable E-mail filtering for .exe attachment files.
– Set remote access restrictions.
– Configure PowerShell to execute only signed scripts.
– Configure Windows to show file extensions and keep the macros disabled.
– To ensure that recovery from a ransomware or sabotage attack is possible, all data must be regularly backed up and a good backup strategy adopted.
– Implement endpoint security with active monitoring.
– Encrypt all sensitive organizational information.
– Upgrade your systems with the latest security patches.

Conclusion

Ransomware has been around for a few years now and we are starting to see instances of this type of malware that break the mold and forge a new direction. Clop differs from other ransomware in many significant ways — from its capabilities to the heart of the ransomware attack itself, gaining entry.

It will be interesting to see if other ransomware begins to use exploit kits as infection vectors like Clop or if this practice remains the exception to the rule. The Financial Services Information Sharing and Analysis Center (FS-ISAC), a clearinghouse for financial threat information whose members include big banks, encourages all financial institutions to follow published procedures to assess and maintain the security of their systems and to continually monitor for signs of any anomalous activity.