Data of 43 US Firms Compromised via Access to Acronis Direct Storage Portal

Access to Acronis Cloud instance used by 43 US-based companies on sale.
Updated on
April 19, 2023
Published on
November 3, 2022
Subscribe to the latest industry news, threats and resources.
Category: Adversary Intelligence Industry: Multiple Motivation: Financial Region: USA Source*: F4

Executive Summary

  • Access to Acronis Cloud instance used by 43 US-based companies on sale.
  • Companies are clients (mostly law firms) of Decypher Technologies.
  • Access could reveal business practices and IP.
  • Potential account takeovers.
  • Implement a strong password policy.
  • Enable MFA.
  • Monitor for anomalies in user accounts that could indicate possible account takeovers.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising access to a direct storage access instance used by 43 companies.
  • The actor mentions that the storage portal belongs to Decypher Technologies and is likely to be an Acronis backup cloud instance.
  • All the companies are US-based clients of Decypher Technologies.
  • Most of the compromised entities are law firms.
  • The portal is being used to store confidential documents and the actor claims that over 300 computers are connected to the cloud instance.
  • The actor also mentions that 2FA was not enabled on the cloud instance.
  • Since, the actor is willing to include a middleman in the transaction, it can be inferred that the advertisement is legitimate.
[caption id="attachment_21536" align="alignnone" width="848"]Threat actor’s advertisement on the forum Threat actor’s advertisement on the forum[/caption]  

List of Compromised Entities Mentioned in the Post

AAA Storage Academy Services, LLC R&H Mechanincal
Amp the Cause Aspen Insulation Robert Singer assoc (RSA)
Aspen Valley Land Trust Babson Farms Ryobi Foundation
Balcomb & Green Black, Betsy Telluride Foundation
Blanton, Bill & Cindy Chamberlin, David TimbersHokuala
Coastal Risk Consulting Colorado Equities Rampart Energy Company
Critical Care and Pulmonary Consultants (CCPC) DecypherAspen Rosebud110
Double Black Evan Zucker Setterfield & Bright
Flame Out Fire Protection Haymax Hotels Timbers Bachelor Gulch
High Mark Communications HudsonFamilyLaw Lumiere Telluride
Isberian Rug Company Judy's Inc Matsuhisa Aspen
Keelty Construction KnappOffice Meisel, Lee
Kyle Felty Legal Graphicworks Matsuhisa Denver
MeninDevelopment Mason Morse

Information from the Samples

  • The samples provided, although with no direct evidence, helps us assess with moderate confidence that an Acronis Backup Storage instance has been compromised.
  • The threat actor, with the access, is equipped with read-only privileges and has full access to the 300+ workstations.
  • Law firms (mentioned in the company list above) occupy the most storage on the cloud.
  • The biggest backup file size is 17 TB.
Also Read Web Shell Access to UAE Based Cloud & IT Service Provider, Bamboozle

Information from a Sensitive Source

A sensitive source in contact with the threat actor has ascertained that:
  • A weak password was set on the Acronis Backup which could possibly have been taken advantage of.
  • Data stored on the backup cloud includes case files and evidence (attributed to the law firms).

Threat Actor Activity and Rating

Threat Actor Profiling
Active since September 2022
Reputation Low (Multiple complaints and concerns on the forum)
Current Status Active
History Unknown
Rating F4 (F: Reliability Unknown; 4: Possibly True)

Impact & Mitigation

Impact Mitigation
  • The access could be used to gain initial access to the company’s infrastructure.
  • Commonly used passwords or weak passwords could lead to brute force attacks.
  • It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
  • This information can be aggregated to further be sold as leads/ document leaks on cybercrime forums, for financial gain.
  • Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
  • Patch vulnerable and exploitable endpoints.
  • Do not store unencrypted secrets in .git repositories.
  • Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Scan repositories to identify exposed credentials and secrets.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
Also Read 30 Million Records from Alleged T-Mobile Breach for Sale



[caption id="attachment_21537" align="alignnone" width="903"]Backup description from each connected workstation Backup description from each connected workstation[/caption]   [caption id="attachment_21538" align="alignnone" width="801"]Backup information from storage drives on the cloud Backup information from storage drives on the cloud[/caption]  

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations