- Access to Acronis Cloud instance used by 43 US-based companies on sale.
- Companies are clients (mostly law firms) of Decypher Technologies.
- Access could reveal business practices and IP.
- Potential account takeovers.
- Implement a strong password policy.
- Enable MFA.
- Monitor for anomalies in user accounts that could indicate possible account takeovers.
Analysis and Attribution
Information from the Post
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising access to a direct storage access instance used by 43 companies.
- The actor mentions that the storage portal belongs to Decypher Technologies and is likely to be an Acronis backup cloud instance.
- All the companies are US-based clients of Decypher Technologies.
- Most of the compromised entities are law firms.
- The portal is being used to store confidential documents and the actor claims that over 300 computers are connected to the cloud instance.
- The actor also mentions that 2FA was not enabled on the cloud instance.
- Since, the actor is willing to include a middleman in the transaction, it can be inferred that the advertisement is legitimate.
[caption id="attachment_21536" align="alignnone" width="848"]
Threat actor’s advertisement on the forum[/caption]
List of Compromised Entities Mentioned in the Post
|Academy Services, LLC
|Amp the Cause
|Robert Singer assoc (RSA)
|Aspen Valley Land Trust
|Balcomb & Green
|Blanton, Bill & Cindy
|Coastal Risk Consulting
|Rampart Energy Company
|Critical Care and Pulmonary Consultants (CCPC)
|Setterfield & Bright
|Flame Out Fire Protection
|Timbers Bachelor Gulch
|High Mark Communications
|Isberian Rug Company
Information from the Samples
- The samples provided, although with no direct evidence, helps us assess with moderate confidence that an Acronis Backup Storage instance has been compromised.
- The threat actor, with the access, is equipped with read-only privileges and has full access to the 300+ workstations.
- Law firms (mentioned in the company list above) occupy the most storage on the cloud.
- The biggest backup file size is 17 TB.
Also Read Web Shell Access to UAE Based Cloud & IT Service Provider, Bamboozle
Information from a Sensitive Source
A sensitive source in contact with the threat actor has ascertained that:
- A weak password was set on the Acronis Backup which could possibly have been taken advantage of.
- Data stored on the backup cloud includes case files and evidence (attributed to the law firms).
Threat Actor Activity and Rating
|Threat Actor Profiling
|Low (Multiple complaints and concerns on the forum)
|F4 (F: Reliability Unknown; 4: Possibly True)
Impact & Mitigation
- The access could be used to gain initial access to the company’s infrastructure.
- Commonly used passwords or weak passwords could lead to brute force attacks.
- It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
- This information can be aggregated to further be sold as leads/ document leaks on cybercrime forums, for financial gain.
- Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
- Patch vulnerable and exploitable endpoints.
- Do not store unencrypted secrets in .git repositories.
- Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Scan repositories to identify exposed credentials and secrets.
- Monitor cybercrime forums for the latest tactics employed by threat actors.
Also Read 30 Million Records from Alleged T-Mobile Breach for Sale
[caption id="attachment_21537" align="alignnone" width="903"]
Backup description from each connected workstation[/caption]
[caption id="attachment_21538" align="alignnone" width="801"]
Backup information from storage drives on the cloud[/caption]