Yesterday, LockBit, a ransomware-as-a-service (RaaS) hacker organization, published a post on its site about its most recent attack, which hit the multinational consulting company Accenture. According to LockBit, the threat actors have breached Accenture’s database and are now offering to sell its contents on their site.
According to Accenture’s annual report for 2020, 91 of the Fortune Global 100 are clients of the firm, as well as three-quarters of the Fortune Global 500. Among its clients are Cisco, Google, Alibaba, and other major companies. Currently, Accenture is valued at $42.3 billion and is one of the biggest technology consulting firms worldwide. It has around 569,000 employees and operates in 50 countries.
In the aforementioned post on its Dark Web site, the LockBit gang invites interested parties to purchase databases stolen from Accenture and takes a jab at the company’s supposedly bad security.
Security Affairs reports that a ransom clock on LockBit’s site showed the time left until a folder named W1, containing looted Accenture PDF documents, would be made publicly available if Accenture didn’t pay the requested ransom of $50 million.
The news of the ransomware attack arrived late last night (Wednesday) Eastern Time. One of the first to report the attack was Eamon Javers, who tweeted about it, stating that the stolen databases would be made public in the coming hours.
Stolen data restored via backups
In a statement addressing the attack, Accenture reported that, though the hackers did manage to infiltrate the company’s network, it was able to contain the attack by isolating the compromised servers. According to the company, all data targeted by the attack has been restored thanks to exhaustive backups, and no harm was done to Accenture or its clients.
Tony Bradley from Cybereason explains that the LockBit operation is similar to other RaaS groups such as REvil and DarkSide, which operate on the basis of hired services. Interested parties pay the RaaS group to use its ransomware, and the RaaS actors are not directly in charge of the attack. If the attack is successful, the creators of the ransomware get paid a percentage of whatever amount of money has been gained through the attack.
Bradley further notes that these days LockBit seems to be getting hired more and more frequently, which is likely the result of both REvil and DarkSide getting shut down.
A wallpaper shown on systems infected by the LockBit ransomware now urges any willing insiders of the targeted companies to assist the hacker group, promising them millions of dollars if they cooperate.
Was it an insider job?
Researchers at Cyble suggested in a tweet the possibility of the attack being an insider job since it seems to be a common practice for LockBit to hire employees of the companies it targets to help with upcoming attacks.
According to Cyble, LockBit claims to have looted over 6TB of company info and to be demanding a ransom of $50 million. The hackers themselves suggest that the attack was an insider job, made possible by a current employee of the compromised firm.
Accenture has confirmed that the attack has compromised at least one CTI (computer telephony integration) vendor and that it is presently informing its customers about the incident. A tweet by the Hudson Rock intelligence company states that at least 2,500 computers in the firm and its partners have been compromised in the attack.
Last week, the Australian Cyber Security Centre (ACSC) issued a warning about the recent rise of LockBit attacks on Australian businesses and organizations that has been noticed in the past month. The attacks seem to function on the basis of double-extortion, keeping the stolen files hostage as well as threatening to publicly share them on the Internet if the demanded sum isn’t paid on time.
The ACSC also reports that the recent LockBit attacks have been exploiting the known CVE-2018-13379 vulnerability in Fortinet’s FortiProxy and FortiOS products, which allows the hackers to gain access to certain vulnerable networks.
Back in April, FBI’s CISA (Cybersecurity and Infrastructure Security Agency) issued a warning that APT (Advanced Persistent Threat) actors have been successfully exploiting the aforementioned flaw in order to infiltrate companies’ and organizations’ networks and then move laterally and/or perform cyber reconnaissance.
It’s not a zero-day attack
The vice-president of the Shared Assessments risk-management company, Ron Bradley, has stated that this attack highlights why it is crucial that firms and organizations take timely precautionary measures to secure their networks with all available means. These attacks by LockBit don’t exploit zero-day flaws but rather vulnerabilities that have been publicly known for some time. Nevertheless, the fact that the attacks were still successful shows that installing the latest security patches and implementing good security habits are still being overlooked, which inevitably leads to such successful hacking attempts.
The CEO of the security firm Vectra, Hitesh Sheth, has stated that all companies and organizations worldwide (especially bigger ones, with many partners) need to be prepared for this type of attack. He adds that, though Accenture claims to have been able to contain the attack and prevent serious damage, it remains to be seen what the real consequences will be, since it’s difficult for a third party to assess the situation.