| Category | Industry | Motivation | Region | Source* |
|---|---|---|---|---|
| Adversary Intelligence | Multiple | Financial | USA | F4 |
Executive Summary

Threat
- Access to an Acronis Cloud instance used by 43 US-based companies is on sale.
- The companies are clients (mostly law firms) of Decypher Technologies.

Impact
- The access could reveal business practices and intellectual property (IP).
- Potential account takeovers.

Mitigation
- Implement a strong password policy.
- Enable MFA.
- Monitor for anomalies in user accounts that could indicate possible account takeovers.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising access to a direct storage access instance used by 43 companies.
- The actor mentions that the storage portal belongs to Decypher Technologies and is likely to be an Acronis backup cloud instance.
- All the companies are US-based clients of Decypher Technologies.
- Most of the compromised entities are law firms.
- The portal is being used to store confidential documents and the actor claims that over 300 computers are connected to the cloud instance.
- The actor also mentions that 2FA was not enabled on the cloud instance.
- Since the actor is willing to include a middleman in the transaction, it can be inferred that the advertisement is legitimate.

Figure: Threat actor's advertisement on the forum
List of Compromised Entities Mentioned in the Post
- AAA Storage
- Academy Services, LLC
- R&H Mechanical
- Amp the Cause
- Aspen Insulation
- Robert Singer assoc (RSA)
- Aspen Valley Land Trust
- Babson Farms
- Ryobi Foundation
- Balcomb & Green
- Black, Betsy
- Telluride Foundation
- Blanton, Bill & Cindy
- Chamberlin, David
- TimbersHokuala
- Coastal Risk Consulting
- Colorado Equities
- Rampart Energy Company
- Critical Care and Pulmonary Consultants (CCPC)
- DecypherAspen
- Rosebud110
- Double Black
- Evan Zucker
- Setterfield & Bright
- Flame Out Fire Protection
- Haymax Hotels
- Timbers Bachelor Gulch
- High Mark Communications
- HudsonFamilyLaw
- Lumiere Telluride
- Isberian Rug Company
- Judy's Inc
- Matsuhisa Aspen
- Keelty Construction
- KnappOffice
- Meisel, Lee
- Kyle Felty
- Legal Graphicworks
- Matsuhisa Denver
- MeninDevelopment
- Mason Morse
Information from the Samples
- The samples provided, although they contain no direct evidence, allow us to assess with moderate confidence that an Acronis Backup Storage instance has been compromised.
- The threat actor's access carries read-only privileges and extends to all 300+ connected workstations.
- Law firms (mentioned in the company list above) occupy the most storage on the cloud.
- The biggest backup file size is 17 TB.
Information from a Sensitive Source
A sensitive source in contact with the threat actor has ascertained that:
- A weak password was set on the Acronis Backup, which may have been exploited to gain access.
- Data stored on the backup cloud includes case files and evidence (attributed to the law firms).
Threat Actor Activity and Rating

| Threat Actor Profiling | |
|---|---|
| Active since | September 2022 |
| Reputation | Low (multiple complaints and concerns on the forum) |
| Current Status | Active |
| History | Unknown |
| Rating | F4 (F: Reliability Unknown; 4: Possibly True) |
Impact & Mitigation

Impact
- The access could be used to gain initial access to the affected companies' infrastructure.
- Commonly used or weak passwords could allow brute-force attacks to succeed.
- It would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
- This information can be aggregated and resold as leads or document leaks on cybercrime forums for financial gain.

Mitigation
- Implement a strong password policy and enable MFA (multi-factor authentication) across all logins.
- Patch vulnerable and exploitable endpoints.
- Do not store unencrypted secrets in .git repositories.
- Do not share secrets unencrypted in messaging systems such as Slack or WhatsApp.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Scan repositories to identify exposed credentials and secrets.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
Appendix
Figure: Backup description from each connected workstation

Figure: Backup information from storage drives on the cloud