Accenture Confirms LockBit Ransomware Attack

081321 08:42 UPDATE: Accenture sent an internal memo confirming that attackers stole client information & work materials in a July 30 “incident.”

CyberScoop reports that the memo downplays the impact of the ransomware attack. The outlet quoted Accenture’s internal memo: “While the perpetrators were able to acquire certain documents that reference a small number of clients and certain work materials we had prepared for clients, none of the information is of a highly sensitive nature.” Threatpost has asked Accenture to comment on CyberScoop’s report.

Earlier this week, the LockBit ransomware-as-a-service (RaaS) gang published the name and logo of what has now been confirmed as one of its latest victims: Accenture, a global business consulting firm with an insider track on some of the world’s biggest, most powerful companies.

Accenture’s clients include 91 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. According to its 2020 annual report, those include e-commerce giant Alibaba, Cisco and Google. Valued at $44.3 billion, Accenture is one of the world’s largest tech consultancy firms, and employs around 569,000 people across 50 countries.

In a post on its Dark Web site, LockBit offered up Accenture databases for sale, along with a requisite jab at what the gang deemed to be Accenture’s pathetic security.

“These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider. If you are interested in buying some databases, reach us.”
—LockBit site post.

LockBit dark-web site screen capture. Source: Cybereason.

According to Security Affairs, at the end of a ransom payment clock’s countdown, a leak site showed a folder named W1 that contained a collection of PDF documents allegedly stolen from the company. LockBit operators claimed to have gained access to Accenture’s network and were preparing to leak files stolen from Accenture’s servers at 17:30:00 GMT.

LockBit countdown clock. Source: Cyble.

The news hit the headlines late Wednesday morning Eastern Time, after CNBC reporter Eamon Javers tweeted about the gang’s claim that it would be releasing data within coming hours and that it was offering to sell insider Accenture information to interested parties.

Blessed Be the Backups

Yes, we were hit, but we’re A-OK now, Accenture confirmed: “Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers,” it said in a statement. “We fully restored our affected systems from backup, and there was no impact on Accenture’s operations, or on our clients’ systems.”

According to BleepingComputer, the group that threatened to publish Accenture’s data – allegedly stolen during a recent cyberattack – is known as LockBit 2.0.

As explained by Cybereason’s Tony Bradley in a Wednesday post, the LockBit gang is similar to its ransomware-as-a-service (RaaS) brethren DarkSide and REvil: Like those other operations, LockBit uses an affiliate model to rent out its ransomware platform, taking a cut of any ransom payments that result.

Bradley noted that the LockBit gang is apparently on a hiring spree in the wake of DarkSide and REvil both shutting down operations.

“The wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems – promising payouts of millions of dollars,” Bradley wrote.

Insider Job?

Cyble researchers suggested in a Tweet stream that this could be an insider job. “We know #LockBit #threatactor has been hiring corporate employees to gain access to their targets’ networks,” the firm tweeted, along with a clock counting down how much time was left for Accenture to cough up the ransom.

Cyble said that LockBit claimed to have made off with databases of more than 6TB and that it demanded $50 million as ransom. The threat actors themselves alleged that this was an insider job, “by someone who is still employed there,” though Cyble called that “unlikely.”

Sources familiar with the attack told BleepingComputer that Accenture confirmed the ransomware attack to at least one computer telephony integration (CTI) vendor and that it’s in the process of notifying more customers. According to a tweet from threat intelligence firm Hudson Rock, the attack compromised 2,500 computers used by employees and partners, leading the firm to suggest that “this information was certainly used by threat actors.”

In a security alert issued last week, the Australian Cyber Security Centre (ACSC) warned that LockBit 2.0 ransomware attacks against Australian organizations had started to rise last month, and that they were coupled with threats to publish data in what’s known as double-extortion attacks.

“This activity has occurred across multiple industry sectors,” according to the alert. “Victims have received demands for ransom payments. In addition to the encryption of data, victims have received threats that data stolen during the incidents will be published.”

The ACSC noted (PDF) that it’s recently observed LockBit threat actors actively exploiting existing vulnerabilities in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks. That vulnerability, a path-traversal flaw in the SSL VPN, has been exploited in multiple attacks over the years:

In April, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that advanced persistent threat (APT) nation-state actors were actively exploiting it to gain a foothold within networks before moving laterally and carrying out recon, for example.

Known Vulnerability Exploited?

Ron Bradley, vice president of third-party risk-management firm Shared Assessments, told Threatpost on Wednesday that the Accenture incident is “a prime example of the difference between business resiliency and business continuity. Business resiliency is like being in a boxing match, you take a body blow but can continue the fight. Business continuity comes into play when operations have ceased or been severely impaired and you have to make major efforts to recover.

“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.”

Hitesh Sheth, president and CEO at the cybersecurity firm Vectra, said that all businesses should expect attacks like this, but particularly a global consultancy firm with links to so many companies.

“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” he told Threatpost on Wednesday. “It’s too soon for an outside observer to assess damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.”
