back to article Qualys hit with ransomware: Customer invoices leaked on extortionists' Tor blog

Infosec outfit Qualys, its cloud-based vuln detection tech, and its SSL server test webpage, have seemingly fallen victim to a ransomware attack. Files appearing to originate from Qualys were dumped online this afternoon on the Tor blog of the Clop criminal extortionists. While Qualys declined to comment immediately, a …

  1. Anonymous Coward
    Anonymous Coward

    Man, that's a bummer

    If only Qualys had some sort of vulnerability reporting tool which would help them identify potential weaknesses in their IT infrastructure. I suppose kicking them on that point is a little too easy. If only Qualys provided more accessible hooks into other tools so that the Qualys scan reports could be directly converted into action rather than being fed into incomprehensible spreadsheets which must then be deciphered by hapless operations teams.

    1. -tim

      Re: Man, that's a bummer

      Their wonderful PCI-DSS scanning tool doesn't even know about IPv6. The requirements are clear, if a protocol was on, it must be scanned. IPv6 is on by default on all modern systems so it must be scanned even if it was turned off.

  2. Muppet Boss

    Clop means a bedbug in Russian. Coincidence I think not, rather I think they humbly define their place in a food chain as parasitic pests. If so, spot on.

    1. CommentScanner

      ... yeah, or someone that wants to appear as Russian and got them blamed. Right? Spot on.

    2. stiine Silver badge

      re: clop in Russian

      Clop, in English, is the sound of a shoe hitting the floor, which seems much more relevant if its the other shoe...

  3. Anonymous Coward

    So, Qualys

    is the company that thinks its scanner should have unrestricted root access to the systems it scans. So, you know, it can check them for vulnerabilities, including, in due course if not already, a 'vulnerability' invented by some bad actor who has got control of Qualys, the 'checking' for which will conveniently cause a compromise on the systems being checked. On all the systems being checked, everywhere. Which is probably every *nix system in every bank.

    Because that will never happen, right? Qualys is so secure you should just trust them with root access to all your systems because that will be just fine. And, well, if it did happen it wouldn't be very bad: does it matter so much if all the money is sucked out of your bank account? Of everyone's bank account?

    Well, either the world just dodged a bullet, or it didn't but we don't know yet. Either way I hope Qualys just dies.

    (I'm kind of annoyed that I was about 10% of the way through a blog posting on this though: couldn't they have waited so I could have said 'I told you so' at least?)

    1. tip pc Silver badge

      Re: So, Qualys

      You’ve clearly had contact with our security team who rammed qualys through requiring lots of unpicking of our security posture to get it to work.

      Stupidly the same security idiots have done the same with successive security crap too so we now have loads of crap with access to core infrastructure with privileged accounts some of which hard coded with no password rotation which wasn’t a thing before.


      The other thing is default routes for cloud access.

    2. Anonymous Coward
      Anonymous Coward

      Re: So, Qualys

      Count me among those wishing that overpriced POS a painful death. On top of the excessive privileges it demands to run, the quality of their reports is awful. Even their online database gives poor descriptions of the vulnerabilities it finds, and most of the times you'll end up fixing them by feel rather than under their guidance.

  4. ecofeco Silver badge



    1. quxinot

      Re: LOL

      Has a company, once attacked, ever stated "Wow, this is really bad! Our junk got spread to the four corners of the world!" instead of "No production stuff, customer stuff, or anything that we can be made to look bad or get sued over got stolen"?

      I mean really. It's like expecting a politician to not lie. We know better, we just don't know when the full extent will be published (probably 6-12 months from now).

      Doubly damning from a security firm, of course. First getting pwned, and second either lying or being unaware of the scope.

  5. Aaiieeee
    Thumb Down

    Having had to use Qualys vuln scanning in 2018-2019 I can firmly say I do not like it at all. I can't comment on its ability to report vulns but administering it is not fun.

    There seems to be a built-in assumption that networks are static and hosts don't come and go, like they do in reality. You can't throw a subnet at it and have it figure out what’s there and what vulns might be present; no, you have to map the network and then assign hosts to consume a licence. Decommissioned a device? You must manually remove the licence from it; it won't get aged out.

    This breach doesn't change anything for me.

  6. Anonymous Coward
    IT Angle

    Preferred alternative?

    Earlier in the comments Qualys has been noted as insecure to install, overpriced and produces hard to understand reports. Presumably there is something better? What do you recommend ?

    [Icon: it's a question about IT. :-) ]

    1. Anonymous Coward
      Anonymous Coward

      @2+2=5 - Re: Preferred alternative?

      At my workplace, we're happy with Tenable solutions but it's up to you to see if it suits your needs.

  7. Anonymous Coward
    Anonymous Coward

    New heights of PR BS

    “Both the December Exploit and the January Exploit demonstrate a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software, likely obtained through extensive reverse engineering of the software.”

    Now this is a carefully crafted statement for "we're a bunch of inept clowns and the security of our product was PoS". I see a trend here. Claim that a powerful state-actor (usual favorite vilains) that can afford to spend an inordinate amount of ressources did it. An adversary so powerful that nobody could resist no matter how good are our products. That will deflect public attention from your incompetence towards the harsh environment and the grave danger posed by foreign hackers.

    Let's be clear here, it was nothing but plain old SQL injection flaw in the FTA web interface, an XSS flaw in FTA’s file manager a blind SQL injection and command injection flaw in FTA’s administrative interface and an unauthorized upload vulnerability. Looks like those brilliant devs at Accelion can't be bothered to visit the OWASP Top 10.

    1. Claptrap314 Silver badge

      Re: New heights of PR BS

      I've not read about the exploit to this detail. I would very much like a link.

  8. Missing Semicolon Silver badge

    So the Accellion FTA is hopelessly insecure?

    "Reverse Engineering" is merely acquiring the source code the hard way. If the software is not secure if the bad actor has the source code, it's not secure at all. The only thing that should let you in is the keys. Otherwise it's just security-by-obscurity, and so not secure at all.

    If you are using this stuff, time to quietly replace it with something that is actually secure.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like