Clop ransomware gang leaks data allegedly stolen from cybersecurity firm Qualys

Pierluigi Paganini March 03, 2021

Cybersecurity firm Qualys seems to have suffered a data breach, threat actors allegedly exploited zero-day flaw in their Accellion FTA server.

Cybersecurity firm Qualys is the latest victim of a cyber attack, the company was likely hacked by threat actors that exploited a zero-day vulnerability in their Accellion FTA server.

A couple of weeks ago, security experts from FireEye linked a series of cyber attacks against organizations running Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11.

“Starting in mid-December 2020, malicious actors that Mandiant tracks as UNC2546 exploited multiple zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install a newly discovered web shell named DEWMODE.” reported FireEye. “The motivation of UNC2546 was not immediately apparent, but starting in late January 2021, several organizations that had been impacted by UNC2546 in the prior month began receiving extortion emails from actors threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell.”

The wave of attacks began in mid-December 2020, threat actors exploited multiple zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software to deploy a shell dubbed DEWMODE on the target networks.

The attackers exfiltrate sensitive data from the target systems and then published it on the CLOP ransomware gang’s leak site.

It has been estimated that the group has targeted approximately 100 companies across the world between December and January. 

FireEye pointed out that despite FIN11 hackers are publishing data from Accellion FTA customers on the Clop ransomware leak site, they did not encrypt systems on the compromised networks.

In response to the wave of attacks, the vendor has released multiple security patches to address the vulnerabilities exploited by the hackers. The company is also going to retire legacy FTA server software by April 30, 2021.

Recently other organizations were hit with the same technique, including Transport for New South Wales, and Bombardier.

Now, Clop ransomware operators claimed to have stolen data from Qualys and shared screenshots of stolen files on its leak site as proof of the hack. 


The leaked data includes invoices, purchase orders, tax documents, and scan reports.

According to LegMagIT and BleepingComputer, Qualys was using an Accellion FTA server that was was located at since February 18th, 2021.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GootKit)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment