According to the ransomware group, LockBit, the customers of the consulting giant have been targeted using credentials obtained during the Accenture breach.
According to the ransomware-as-a-service (RaaS) provider, they claimed to have infiltrated and encrypted the computers of an airport that used Accenture software on Wednesday. According to BleepingComputer, LockBit refuses to name particular businesses that were compromised by Accenture.
Accenture refuted LockBit’s assertions in a statement to CRN.
“We have finished a comprehensive forensic analysis of the documents on the compromised Accenture computers. This assertion is untrue,” Accenture informed CRN on Wednesday. “As we have mentioned, neither Accenture’s operations nor our client’s systems were impacted. We isolated the impacted systems as soon as we found this threat actor present.
Following the Accenture ransomware attack, which was made public on August 11, LockBit claimed to have amassed enough information to compromise some of the clients of the Dublin, Ireland-based business, which is ranked first on the CRN Solution Provider 500 for 2021. According to BleepingComputer, LockBit requested a $50 million ransom payment to halt the leak of six terabytes of data that they had purportedly stolen from Accenture.
LockBit claims to have encrypted the systems and published stolen data from Ethiopian Airlines and Bangkok Airways since infiltrating Accenture. Bangkok and Ethiopian airlines did not immediately respond to requests for comment from CRN, so it is unclear whether they are Accenture clients.
According to BleepingComputer, LockBit claimed on Saturday that it had exposed more than 200 terabytes of data belonging to Bangkok Airways. The Thai airline reported on Thursday that personal information including full names, nationalities, genders, phone numbers, email addresses, physical addresses, passport information, details of previous travel, partial credit card information, and details of special meals may have been accessed by hackers.
In a statement, Bangkok Airways claimed that the incident had no impact on its operational or aeronautical security systems. On August 23, LockBit announced on its dark web leak site that it has disclosed data stolen from Ethiopian Airlines.
According to Brett Callow of Emsisoft Threat Research, the LockBit operators haven’t actually shared any data from Accenture or Ethiopian Airlines despite what their website claims they have done. According to Callow, ransomware gangs like LockBit want to take advantage of the ambiguity that might last for weeks while forensic investigators try to piece together what happened during an attack.
LockBit uploaded data to the New Zealand-based cloud storage and communication platform MEGA in the case of Bangkok Airways, according to Callow. However, when attempting to click on a link, a pop-up message appears that reads, “This link is unavailable as the user’s account has been closed for gross violation of MEGA’s Terms of Service.”
What’s happening “isn’t obvious,” Callow wrote in an email to CRN. It’s possible that little to no data was stolen during the instances, and LockBit’s allegations are just a bluff. Companies dealing with events are dealing with unreliable bad faith actors, or, as a colleague in the sector likes to put it, lying bastards, and [should] approach all of their assertions with mistrust.
Tom Hofmann, Flashpoint’s SVP of intelligence, told The Daily Beast last month that LockBit has a history of listing the names of businesses it alleges are ransomware victims on its own leak site and then removing them from the site without justification. It may be a ruse to get concerned companies to pay under false pretenses because at least some of the company names presented aren’t genuinely victims.
According to Hofmann, “I know of one particular ‘victim’ who contacted us to categorically claim they were not a victim.” “Some of the companies listed on these victim websites have contacted us, claiming they have never been victims,”
According to VX-Underground, which asserts to have the biggest collection of malware source code on the internet, the LockBit ransomware organization briefly published 2,384 Accenture files on August 11. Richard Blech, CEO, and founder of Irvine, California-based encryption technology company XSOC Corp., told CRN last month that he fully anticipates that further information regarding the breadth and gravity of the Accenture attack will yet surface.
More information will be released in the upcoming weeks and months, and it will very probably be worse than what is now anticipated, Blech told CRN on August 13. “I think it will be extremely serious given what they handle and who they work with [at Accenture]. Simply put, there is too much data. It was a significant concession. Even if they decrease it, there are still a lot of files.
The Russian foreign intelligence service (SVR) in May used a government agency’s Constant Contact account credentials in a phishing campaign that resulted in the breach of 3,000 email accounts across 150 organizations. Stolen credentials are frequently used by adversaries to increase their access to additional organizations. If recipients clicked a link in the emails, a dangerous backdoor was delivered.
