Securin Analysis: Accenture attacked by LockBit 2.0 Ransomware
Published 19 August 2021 (last modified 20 April 2023)

On Aug 11, 2021, Accenture, a multinational IT consulting and services company, became the latest victim of LockBit 2.0 ransomware. Our researchers investigated the vulnerabilities that LockBit exploits to compromise its targets; here is our analysis.

Accenture's ransomware attack came to light when a senior correspondent from CNBC noticed a post from LockBit offering to sell their data. LockBit claims to have stolen 6 TB of Accenture's data and has set the ransom amount at $50 million. Official sources at Accenture maintain that the attack has been contained and that the data has been restored from backup.

LockBit hit back by posting 2,300 files containing corporate communication data and has hinted that more will follow. Here is a screengrab of some of the files released by LockBit.

Recent LockBit Activities

LockBit 3.0: The LockBit ransomware group has just released its latest ransomware-as-a-service offering, LockBit 3.0, and along with it a first for the dark web: a bug-bounty program. According to screen grabs of messages shared by LockBit actors, the bounty program offers rewards for PII on high-value targets, security vulnerabilities, and more.

Mandiant is aware of LockBit claims: Mandiant is investigating claims by the LockBit ransomware group that it penetrated the company's network and stole data. The ransomware gang said today that the 356,841 files it purportedly took from Mandiant will be posted online on a new page on its data leak website. LockBit has yet to reveal any of the files it claims to have stolen from Mandiant's computers, as the file listing on the leak website is empty.

The LockBit Switch: The cybercrime group Evil Corp now deploys LockBit ransomware on targets' networks to evade sanctions imposed by OFAC.

Foxconn Hit by LockBit: Yet another victim joins the list. Electronics manufacturer Foxconn confirmed that one of its Mexico-based production facilities was hit by a ransomware attack in late May. Operators of the LockBit ransomware gang claimed responsibility, but the company provided no further information.

French Ministry of Justice Targeted: On January 27, 2022, the French Ministry of Justice reported that cybercriminals had breached its systems, stolen sensitive files, and were threatening to post them on their public-facing victim-shaming site. The threat actor encrypted files using LockBit 2.0 ransomware.

Researchers discovered that the governmental department had not patched its BIG-IP instances. As a result, it is believed that the threat actors exploited CVE-2021-22986 in this attack. CVE-2021-22986 is a critical unauthenticated remote code execution vulnerability in the iControl REST interface affecting both BIG-IP and BIG-IQ products. F5 had released patches for the vulnerability in March 2021.

We urge organizations to patch any instances of this vulnerability on their F5 products to avoid the possibility of a ransomware attack.

On October 18, 2021, Accenture released its financial report for the fourth quarter and full fiscal year, in which it finally confirmed that data was encrypted and stolen during the LockBit 2.0 ransomware attack in August 2021. However, Accenture has not publicly acknowledged any data breach resulting from the ransomware attack and has therefore not filed any data theft investigation.

LockBit 2.0 ransomware had previously claimed to have stolen 6 TB of files from Accenture systems and demanded $50 million in ransom.

Bangkok Airways Attack: On August 23, 2021, Bangkok Airways reported a LockBit 2.0 ransomware attack in which 200 GB of files were encrypted. Ethiopian Airlines reported a separate ransomware attack on its network around the same time. The attacks came within a week of the Accenture breach, and the LockBit ransomware gang also claims that the Accenture breach gave it access to credentials of both airline companies and of an airport. Accenture has again denied the claims made by LockBit:

"We have completed a thorough forensic review of documents on the attacked Accenture systems. This claim is false."

Could Accenture have avoided the attack?

Yes. Accenture noticed a LockBit 2.0 attack on 30 July, when some client files were stolen, but chose to ignore it, citing that none of the data was sensitive enough to warrant an official warning to partners. It was only after the ransomware attack on 12 August that Accenture issued a warning.

A screenshot of the digital timer on the LockBit landing page states that an insider helped the gang compromise Accenture's systems. Although it is uncertain whether this is true or was used as a diversion, Accenture was swift to refute the claim and has since underplayed the impact of the ransomware on its systems.

Significantly, it was reported early this month that the LockBit gang was recruiting corporate insiders for millions of dollars to help them breach and encrypt networks.

What is also alarming is that Accenture, itself a cybersecurity services provider, chose to delay warning its partners of an impending ransomware attack.

LockBit Ransomware

We investigated the vulnerabilities that LockBit exploits to mount attacks on its targets and found that it uses CVE-2018-13379, a critical vulnerability in the FortiOS SSL VPN that has previously known exploits. This weakness allows an attacker on the same network to send malicious Service Location Protocol (SLP) requests to take control of the device.

The vulnerability has a CVSS v3 score of 9.8. Although it has no known RCE or PE exploits, it has been exploited by several ransomware families in the past, namely Apostle (November 2020), Cring (January 2021), Pay2Key (2020), and Conti (December 2019).


This vulnerability is also being exploited by seven Advanced Persistent Threat (APT) groups, including the newly minted Iran-based APT group Agrius. These findings were called out in our Ransomware Q2 index update.

We also warned about this vulnerability as far back as December 2020, when a hacker group named 'PumpedKicks' leaked credentials for 50,000 Fortinet VPN devices used in over 140 countries. The group had also published exploits that could be used to compromise CVE-2018-13379.


Following the credential leak, CISA, the NSA, and Fortinet also warned users to mitigate this vulnerability at the earliest.

CVE-2018-13379 has been categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a path traversal error category that belongs to the OWASP's top 25 most dangerous software weaknesses. A patch for the vulnerability was released in 2019.
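As an added, defensive illustration of the CWE-22 weakness class this CVE falls under (example code written for this article, not Fortinet's code or the vulnerable code path itself), the Python below shows the containment check a file-serving endpoint needs in order to stay inside its allowed directory, and a scan that surfaces traversal attempts in access logs. The /portal/file endpoint and the log lines are constructed.

```python
import os
from typing import List, Optional, Tuple
from urllib.parse import unquote

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded %252e%252e cannot slip past."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the absolute path if `requested` stays inside `root`, else None (the CWE-22 check)."""
    cleaned = decode_fully(requested).replace("\\", "/")
    if "\x00" in cleaned:
        return None  # NUL bytes truncate paths in C-based servers; refuse them outright
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, cleaned.lstrip("/")))
    # commonpath is the containment test; a plain startswith() would accept
    # /srv/www-evil when the root is /srv/www
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate

def flag_traversal_requests(access_log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, request_path) for log lines whose path attempts traversal."""
    hits = []
    for number, line in enumerate(access_log_lines, start=1):
        parts = line.split('"')
        if len(parts) < 2 or " " not in parts[1]:
            continue
        path = parts[1].split(" ")[1]  # '"GET /x HTTP/1.1"' -> '/x'
        probe = decode_fully(path).lower().replace("\\", "/")
        if "../" in probe or probe.endswith("/..") or "\x00" in probe:
            hits.append((number, path))
    return hits

# Constructed sample access-log lines; the /portal/file endpoint is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2021:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Aug/2021:10:00:02 +0000] "GET /portal/file?name=/../../../../etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/Aug/2021:10:00:03 +0000] "GET /portal/file?name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
]
```

Running `flag_traversal_requests(SAMPLE_LOG)` flags lines 2 and 3; the second one is only caught because the scan decodes the request before looking for `../`.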


LockBit Attack Methodology

LockBit affiliates are well known for their double extortion technique: they upload stolen, sensitive victim information to their dark web site, LockBit 2.0, and threaten to sell or release it if their ransom demands are not met. This double extortion method is used to coerce a victim into paying the ransom demanded. The second version of the LockBit RaaS was released in June 2021 with an updated built-in information-stealing trojan known as StealBit.

LockBit affiliates, as observed by researchers, identify mission-critical devices, which often include NAS devices, backup servers, and domain controllers.

Here are details of a typical LockBit attack sequence:

Initial Access: