Cybersecurity firm Qualys appears to have suffered a data breach; threat actors allegedly exploited a zero-day flaw in its Accellion FTA server.
Cybersecurity firm Qualys is the latest victim of a cyber attack. The company was likely hacked by threat actors who exploited a zero-day vulnerability in its Accellion FTA server.
A couple of weeks ago, security experts from FireEye linked a series of cyber attacks against organizations running Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11.
“Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE.” reported FireEye. “The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell.”
The wave of attacks began in mid-December 2020, when threat actors exploited multiple zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software to deploy a web shell dubbed DEWMODE on the target networks.
The attackers exfiltrated sensitive data from the target systems and then published it on the CLOP ransomware gang’s leak site.
It has been estimated that the group has targeted approximately 100 companies across the world between December and January.
FireEye pointed out that although FIN11 hackers are publishing data from Accellion FTA customers on the Clop ransomware leak site, they did not encrypt systems on the compromised networks.
In response to the wave of attacks, the vendor has released multiple security patches to address the vulnerabilities exploited by the hackers. The company is also going to retire legacy FTA server software by April 30, 2021.
Recently other organizations were hit with the same technique, including Transport for New South Wales, and Bombardier.
Now, Clop ransomware operators claimed to have stolen data from Qualys and shared screenshots of stolen files on its leak site as proof of the hack.
The leaked data includes invoices, purchase orders, tax documents, and scan reports.
According to LegMagIT and BleepingComputer, Qualys was using an Accellion FTA server that was located at fts-na.qualys.com since February 18th, 2021.
The post Clop ransomware gang leaks data allegedly stolen from cybersecurity firm Qualys appeared first on Security Affairs.
It’s time for one of our semi-regular breach/data exposure roundup blogs, as the last few days have brought us a few monsters. If you use any of the below sites, or if you think some of your data has been sitting around exposed, we’ll hopefully give you a better idea of what the issue is.
Seeing so many services be compromised or simply exposed for all to see without being secured is rather fatiguing, and we’d hate for the end result to be hands thrown in the air with a cry of “Why bother!” Without further ado, then, let’s take a look at breach number one.
Something in the region of 139 million users of graphic design service Canva had their data swiped by a hacker known for many other large compromises. Usernames, emails, real names, and cities were amongst the data swiped. A big chunk of users had a combination of password hashes and Google tokens grabbed, too.
There are some issues with how Canva initially reported this. The “we’ve been hacked” message, followed by a short email ramble about free images, led to concerns that many users may have ignored it completely. However, Canva has been quick to deal with the problem at hand and even has—shock and horror in amazement—a good slice of information about it on their status page. In fact, they have even more information on a dedicated update portal.
In a nutshell, Canva states that your login passwords are unreadable, other credentials are similarly secure, your designs are safe, your card details haven’t been grabbed, and you should change your login as a precautionary measure.
Breach number two: Massively-successful news aggregator Flipboard was also caught by an attack according to a statement released on May 28. This attack took place sometime between June 2018 and March 2019. They haven’t said how many accounts were breached, but as with Canva, they were careful to stress that stolen logins would be incredibly difficult to break into thanks to the fact that they didn’t store passwords in plain text. Additionally, they’ve reset everybody’s login credentials as a precautionary security response.
The attackers grabbed the usual collection of valuables: usernames, hashed/salted passwords, some email addresses, and third-party digital tokens. As with the Canva breach, Flipboard has been upfront about the whole fiasco and are being a lot more proactive than many companies faced with similar situations.
Amazingco: exposed data
Next up, we have another example of “utterly unsecured database full of information readily available to someone with a web browser.” This is incredibly common, and a major source of data breaches/leaks. Hacking into servers, exploiting databases, phishing logins from admins? Too much hard work. Criminals need only go looking for wide-open goal areas instead.
In this case, the open goal belonged to an Australian marketing company called Amazingco. 174,000 records were there for the taking, containing everything from names and addresses to phone numbers, event types, and even IP addresses and ports.
We don’t know how long the data was sitting there, and we also don’t know if this information was meant to be sitting on the open Internet, or if someone possibly misconfigured something. What we do know is that this database has now been taken offline.
At this stage, there’s no real way to know if someone up to no good has grabbed it. However, if people with good intentions could find it, then so, too, could bad ones. Customers of Amazingco should practice wariness of attacks, as spear phishing will likely now be the order of the day.
First American Financial Corp: exposed data
Possibly the largest and most damaging of the bunch, our fourth incident is another one where data is freely available to someone sporting a web browser. First American Financial Corp had “hundreds of millions of documents related to mortgage deals, going back to 2003” digitised and ready to view without authentication.
Social security numbers, driver’s licenses, account statements, wire transaction records, bank account numbers, and much more were all lurking in the pile. That pile was estimated to weigh in at around 885 million files, and as security researcher Brian Krebs notes, this would be an absolute gold mine for phishers and purveyors of Business Email Compromise scams. The data has now been taken offline, but that’s scant consolation for anyone affected.
What’s the upshot?
Don’t panic, but do be cautious. According to security firm Mimecast, 65 percent of organisations saw an increase in impersonation attempts year over year. Some of the above leaks could be extremely useful to scammers wanting to muscle in on victims, and you never know when someone’s going to try it on. The slightest bit of inattentiveness could lead to a spectacular mishap, and we don’t want that taking place.
The post Leaks and breaches: a roundup appeared first on Malwarebytes Labs.
And using browser privacy extensions may just make matters worse
Boffins from Graz University of Technology in Austria have devised an automated system for browser profiling using two new side channel attacks that can help expose information about software and hardware to fingerprint browsers and improve the effectiveness of exploits.…
Boffins blast boards to boost bits
Bit boffins from Australia, Austria, and the US have expanded upon the Rowhammer memory attack technique to create a more dangerous variation called RAMBleed that can expose confidential system memory.…