| Category | Industry | Motivation | Region | Source* |
|---|---|---|---|---|
| Adversary Intelligence | Multiple | Financial | USA | F4 |
- CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising access to a direct storage access instance used by 43 companies.
- The actor mentions that the storage portal belongs to Decypher Technologies and is likely to be an Acronis backup cloud instance.
- All the companies are US-based clients of Decypher Technologies.
- Most of the compromised entities are law firms.
- The portal is being used to store confidential documents and the actor claims that over 300 computers are connected to the cloud instance.
- The actor also mentions that 2FA was not enabled on the cloud instance.
- Since the actor is willing to include a middleman in the transaction, it can be inferred that the advertisement is legitimate.
| Companies listed by the actor | | |
|---|---|---|
| AAA Storage | Academy Services, LLC | R&H Mechanincal |
| Amp the Cause | Aspen Insulation | Robert Singer assoc (RSA) |
| Aspen Valley Land Trust | Babson Farms | Ryobi Foundation |
| Balcomb & Green | Black, Betsy | Telluride Foundation |
| Blanton, Bill & Cindy | Chamberlin, David | TimbersHokuala |
| Coastal Risk Consulting | Colorado Equities | Rampart Energy Company |
| Critical Care and Pulmonary Consultants (CCPC) | DecypherAspen | Rosebud110 |
| Double Black | Evan Zucker | Setterfield & Bright |
| Flame Out Fire Protection | Haymax Hotels | Timbers Bachelor Gulch |
| High Mark Communications | HudsonFamilyLaw | Lumiere Telluride |
| Isberian Rug Company | Judy's Inc | Matsuhisa Aspen |
| Keelty Construction | KnappOffice | Meisel, Lee |
| Kyle Felty | Legal Graphicworks | Matsuhisa Denver |
- The samples provided, although not direct evidence, help us assess with moderate confidence that an Acronis Backup Storage instance has been compromised.
- With this access, the threat actor holds read-only privileges and has full access to the 300+ workstations.
- Law firms (mentioned in the company list above) occupy the most storage on the cloud.
- The biggest backup file size is 17 TB.
- A weak password was set on the Acronis Backup instance, which could have been exploited to gain access.
- Data stored on the backup cloud includes case files and evidence (attributed to the law firms).
| Threat Actor Profiling | |
|---|---|
| Active since | September 2022 |
| Reputation | Low (multiple complaints and concerns on the forum) |
| Rating | F4 (F: Reliability Unknown; 4: Possibly True) |
- \* Intelligence source and information reliability (Wikipedia)
- \# Traffic Light Protocol (Wikipedia)