Cloud Cybersecurity Firm Suffers Data Breach at Hands of Extortion Gang


Data Breaches within the cybersecurity world are always linked with a particular brand of Malware – Ransomware. This is not the case with the penetration of cloud cybersecurity firm Qualys. The data breach came at the hands of an extortion gang who have previously been linked with the CLOP Ransomware. In this data heist, no Ransomware was used, however.

The breach was made possible by the gang taking advantage of a zero-day vulnerability within the Accellion File Transfer Application (FTA). Security researchers at FireEye had made it known previously that the Accellion FTA had zero-day vulnerabilities present.

The gang used the vulnerability to access files hosted in a segregated environment. As proof, they shared screenshots on their Dark Web website of the files. The files contain customer information of individuals who use Qualys cloud cybersecurity services. The gang has used the same website previously to sell credentials stolen using the CLOP Ransomware.

Qualys has not yet publicly stated whether it has received an extortion message from the gang, though an investigation is ongoing.

Accellion Vulnerabilities Leading To The Data Breach

Last month, FireEye’s researchers disclosed the details of the four vulnerabilities within Accellion’s FTA. These vulnerabilities have been used by many other gangs, who have performed a wide range of data heists against several companies and also employed extortion tactics.

The four vulnerabilities are CVE-2021-27101, CVE-2021-27104, CVE-2021-27102, and CVE-2021-27103.

CVE-2021-27101: SQL injection via a crafted Host header
CVE-2021-27102: OS command execution via a local web service call
CVE-2021-27103: SSRF via a crafted POST request
CVE-2021-27104: OS command execution via a crafted POST request

While these were patched by Accellion, a further two vulnerabilities were discovered on March 1st: CVE-2021-27730 and CVE-2021-27731.

CVE-2021-27730: An argument injection vulnerability accessible only to authenticated users with administrative privileges, and
CVE-2021-27731: A stored cross-site scripting flaw accessible only to regular authenticated users

Hackers Behind The Data Breach


The group behind the breach has been dubbed ‘UNC2546’ by FireEye researchers. The company has been tracking the group since December 2020. UNC2546 has been involved in several data breaches using the zero-day vulnerabilities found in Accellion’s FTA.

UNC2546 deploys a web shell named DEWMODE to exfiltrate the data. DEWMODE sits in the FTA and siphons data back to the group’s control center.

UNC2546 takes data and posts it on the “CL0P^_- LEAKS” Dark Web website. Another cybercrime group, FIN11, runs the website. The connection between the two has led to speculation that UNC2546 is, in fact, a cell of FIN11.

FIN11 has been active since at least 2016 and has been involved in several ransomware attacks. Notably, they created the infamous CLOP ransomware. Through 2018, the group targeted the financial, retail, and hospitality sectors. They have always shown interest in financial gain through ransomware and extortion, hence the ‘FIN’ in their name.

From 2019 onward, FIN11 shifted attention to point-of-sale (POS) attacks. POS malware is a relatively new branch of cybercrime that targets POS card terminals in retail outlets to exfiltrate card information. If a strain of POS malware propagates enough, it can be lucrative to the hackers.

Protection Against Data Breaches

Data breaches brought on by zero-day vulnerabilities are common, though in most cases ransomware, phishing, and spyware are the culprits.

It’s important to have the right tools to protect your business and family against Malware attacks like these. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.
