The LockBit ransomware-as-a-service (RaaS) gang has published the name & logo of what’s purportedly one of its latest victims: Accenture, the global business consulting firm with an insider track on some of the world’s biggest, most powerful companies.
LockBit offered Accenture’s purported databases & made a jab at its supposedly bad security. Accenture says it has recovered from backups.
Fortune Global 100
Accenture’s clients include 91 of the Fortune Global 100 & more than three-quarters of the Fortune Global 500. According to its 2020 annual report, that includes e-commerce giant Alibaba, Cisco & Google. Valued at $44.3b, Accenture is one of the world’s largest tech consultancy firms & employs around 569,000 people across 50 countries.
In a post on its Dark Web site, LockBit offered up Accenture databases for sale, along with a requisite jab at what the gang deemed to be Accenture’s pathetic security.
“These people are beyond privacy & security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us.”
—LockBit site post.
Ransom Payment Clock
According to Security Affairs, at the end of a ransom payment clock’s countdown, a leak site showed a folder named W1 that contained a collection of PDF documents allegedly stolen from the company. LockBit operators claimed to have gained access to Accenture’s network & were preparing to leak files stolen from Accenture’s servers at 17:30:00 GMT.
The news hit the headlines late Wed. morning US Eastern Time, after CNBC reporter Eamon Javers tweeted about the gang’s claim that it would be releasing data within coming hours & that it was offering to sell insider Accenture information to interested parties.
Yes, we were hit, but we’re A-OK now, Accenture confirmed:
“Through our security controls & protocols, we identified irregular activity in one of our environments. We immediately contained the matter & isolated the affected servers,” it explained in a statement. “We fully restored our affected systems from backup, & there was no impact on Accenture’s operations, or on our clients’ systems.”
According to Bleeping Computer, the group that threatened to publish Accenture’s data – allegedly stolen during a recent cyberattack – is known as LockBit 2.0.
As explained by Cybereason’s Tony Bradley in a Wed. post, the LockBit gang is similar to its ransomware-as-a-service (RaaS) brethren DarkSide & REvil: like those other operations, LockBit uses an ‘affiliate model’ to rent out its ransomware platform, taking a share of any ransom payments that result.
“The wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems – promising pay-outs of millions of dollars,” Bradley wrote.
Cyble researchers suggested in a tweet stream that this could be an ‘insider job.’ “We know #LockBit #threatactor has been hiring corporate employees to gain access to their targets’ networks,” the firm tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.
Cyble clarified that LockBit claimed to have made off with databases of more than 6TB & that it demanded $50m as ransom. The threat actors themselves alleged that this was an insider job, “by someone who is still employed there,” though Cyble called that “unlikely.”
Sources familiar with the attack told Bleeping Computer that Accenture confirmed the ransomware attack to at least one computer telephony integration (CTI) vendor & that it’s in the process of notifying more customers.
According to a tweet from threat intelligence firm Hudson Rock, the attack compromised 2,500 computers used by employees & partners, leading the firm to suggest that “this information was certainly used by threat actors.”
In a security alert issued last week, the Australian Cyber Security Centre (ACSC) warned that LockBit 2.0 ransomware attacks against Australian organisations had started to rise last month, & that they were coupled with threats to publish data in what’s known as double-extortion attacks.
“This activity has occurred across multiple industry sectors,” according to the alert. “Victims have received demands for ransom payments. In addition to the encryption of data, victims have received threats that data stolen during the incidents will be published.”
Specific Victim Networks
The ACSC noted (PDF) that it’s recently observed LockBit threat actors actively exploiting an existing vulnerability in the Fortinet FortiOS & FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. That vulnerability, a path-traversal flaw in the SSL VPN, has been exploited in multiple attacks over the years:
In April, the FBI & the US Cybersecurity & Infrastructure Security Agency (CISA) warned that advanced persistent threat (APT) nation-state players were actively exploiting it to gain a foothold within networks before moving laterally & carrying out recon, for example.
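Traversal attempts against a VPN portal usually leave a trace in the appliance’s HTTP access log, so a defender can look for requests whose path or query values climb above their starting directory. The detector below is an added example, not code from the article, the ACSC or Fortinet; it assumes a generic Apache-style access-log format, uses constructed sample lines, and also catches URL-encoded and double-encoded forms of the same pattern.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic Apache-style access-log format (hypothetical;
# not real FortiOS/FortiProxy log output). Two benign requests, three traversal attempts.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2021:10:01:02 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 1432
203.0.113.9 - - [12/Aug/2021:10:01:07 +0000] "GET /remote/login?lang=../../../../etc/passwd HTTP/1.1" 200 5120
198.51.100.2 - - [12/Aug/2021:10:01:09 +0000] "GET /remote/login?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 5120
198.51.100.7 - - [12/Aug/2021:10:01:11 +0000] "GET /remote/login?lang=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 5120
192.0.2.4 - - [12/Aug/2021:10:01:15 +0000] "GET /static/img/logo.png HTTP/1.1" 200 880
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def normalise(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..%252f' is exposed; unify slashes."""
    prev, cur = None, target
    for _ in range(rounds):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def escapes_root(target: str) -> bool:
    """True if the path or any query value climbs above its own starting directory."""
    for piece in re.split(r"[?&=]", normalise(target)):
        depth = 0
        for seg in piece.split("/"):
            if seg == "..":
                depth -= 1
                if depth < 0:
                    return True
            elif seg and seg != ".":
                depth += 1
    return False

def scan(log_text: str) -> list:
    """Return (ip, target, status) for every request that attempts directory traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and escapes_root(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A 200 response on a flagged request is the line worth escalating; a rejected attempt tells you only that someone is probing.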
Ron Bradley, VP of third-party risk-management firm Shared Assessments, explained on Wed. that the Accenture incident is “a prime example of the difference between business resiliency & business continuity.
“Business resiliency is like being in a boxing match: you take a body blow but can continue the fight. Business continuity comes into play when operations have ceased or been severely impaired & you have to make major efforts to recover.
“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organisations going forward.”
Hitesh Sheth, President & CEO at the cyber-security firm Vectra, stated that all businesses should expect attacks like this, but particularly a global consultancy firm with links to so many companies.
Protocols in Place
“First reports suggest Accenture had data backup protocols in place & moved quickly to isolate affected servers,” he outlined on Wed.
“It’s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinise security standards at their vendors, partners, & providers.
“Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for & recover from attacks that counts.”