
CSW Analysis: Accenture attacked by LockBit 2.0 Ransomware

Posted on 19th Aug, 2021 | By Sumeetha, Surojoy

{Update September 2021}: On August 23, 2021, Bangkok Airways reported a LockBit 2.0 ransomware attack in which 200 GB of files were encrypted. Ethiopian Airlines reported a separate ransomware attack on its network around the same time. Both attacks came within a week of the Accenture breach, and the LockBit ransomware gang claims that the Accenture breach also gave it access to credentials of both airlines and of an airport. Accenture has once again denied LockBit's claims.

“We have completed a thorough forensic review of documents on the attacked Accenture systems. This claim is false.” 

On Aug 11, 2021, Accenture, a multinational IT Consulting and Services company, became the latest victim of LockBit 2.0 Ransomware. Our researchers investigated the vulnerabilities that LockBit exploits to compromise their targets and here is our analysis.


Accenture’s ransomware attack came to light when a senior correspondent from CNBC noticed a post from LockBit offering to sell the stolen data. LockBit claims to have stolen 6 TB of Accenture’s data and has set the ransom at $50 million. Official sources at Accenture maintain that the attack was contained and that the affected data was restored from backup.

“We fully restored our affected systems from backup. There was no impact on Accenture’s operations, or on our clients’ systems.”

LockBit hit back by posting 2300 files that contained corporate communication data and has hinted that more will follow. Here’s a screengrab of some files that were released by Lockbit. 

[Figure: LockBit shares files]

Could Accenture have avoided the attack?

Yes. Accenture noticed a LockBit 2.0 attack on 30 July, when some client files were stolen, but chose to ignore it, citing that none of the data was sensitive enough to warrant an official warning to partners. It was only after the ransomware attack on 12 August that Accenture issued a warning.


A screenshot of the digital timer on the LockBit landing page mentions that an insider helped them compromise Accenture’s systems. Although it is uncertain whether this is true or was used as a diversion, Accenture was swift to refute the claim and has since downplayed the impact of the ransomware on its systems.

[Figure: Accenture Attack]
Significantly, it was reported early this month that the LockBit gang was recruiting corporate insiders for millions of dollars to help them breach and encrypt networks.


What is also alarming is that Accenture, being a cybersecurity services provider, chose to delay warning its partners of an impending ransomware attack.


LockBit Ransomware

We investigated the vulnerabilities that LockBit exploits to mount attacks on their targets and found that they use CVE-2018-13379 - a critical vulnerability that exists in FortiOS SSL VPN and has previously known exploits. This weakness allows an attacker on the same network to send malicious service location protocol (SLP) requests to take control of it. 

The vulnerability has a CVSS v3 score of 9.8. Although it has no known RCE or PE exploits, it has been exploited by several ransomware families in the past, namely Apostle (November 2020), Cring (January 2021), Pay2Key (2020), and Conti (December 2019).

[Figure: CSW Ransomware Q2 Index]

This vulnerability is also being exploited by seven Advanced Persistent Threat (APT) groups including the newly minted Iran-based APT group, Agrius. These findings were called out in our Ransomware Q2 index update.

We also warned about this vulnerability back in December 2020, when a hacker group named ‘PumpedKicks’ leaked credentials for 50,000 Fortinet VPN devices used in over 140 countries. The group had also published exploits for CVE-2018-13379.

[Figure: CVE FortiOS call out]

Following the credential leak, CISA, NSA, and Fortinet had also warned users to mitigate this vulnerability at the earliest.

CVE-2018-13379 has been categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)—a Path Traversal error category that belongs to the OWASP’s top 25 most dangerous software weaknesses. A patch was released in 2019 for the vulnerability.

[Figure: Accenture LockBit CVE infographic]

Lockbit Attack Methodology

The LockBit affiliates are well-known for their double extortion technique, where they upload stolen and sensitive victim information to their dark web site LockBit 2.0, while threatening to sell or release the stolen information if their ransom demands are not met. This double extortion method is used to coerce a victim into paying the ransom demanded. The second version of LockBit RaaS was released in June 2021 with an updated built-in information-stealing trojan known as StealBit. 

Lockbit affiliates, as observed by researchers, identify devices that are mission-critical and often include NAS devices, backup servers, and domain controllers. 

Here are details of a typical LockBit attack sequence:

Initial Access:

  • LockBit affiliates send phishing emails to addresses within the target company; an initial attack vector is also established when they manage to steal partner information.

  • LockBit affiliates exploit CVE-2018-13379 to obtain valid VPN accounts. They simply append the following code to the vulnerable URL:
    /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 

  • They also gain credential-based access to Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) by obtaining accounts from brokers.


Propagation:

  • After initial access, the StealBit trojan is injected into the system by a human after which it propagates through the system and infects other hosts on its own, without the need for human oversight. 

  • The trojan performs reconnaissance and continues to spread during the encryption phase. This allows it to cause maximum damage faster than other manual approaches.

  • LockBit 2.0 is executed by means of a UAC bypass that runs in the background while the device is being encrypted. The ransomware automates the interaction with, and encryption of, Windows domains through Active Directory group policies. Its novel approach of interacting with Active Directory to push the malware across local domains while disabling antivirus makes it easier for new malware operators to run campaigns.


Exfiltration:

  • The Lockbit 2.0 actors then begin data exfiltration using publicly available web services. The data packages are usually uploaded to services, including MEGA’s cloud storage platform. 
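The initial-access step above leaves a recognisable trace in web-server or SSL VPN access logs: a request to `/remote/fgt_lang` whose `lang` value walks out of the language directory. The following detector, added here as an example and not code from the original post, scans a few constructed access-log lines (not real Accenture or Fortinet data) for that CWE-22 pattern and also handles URL-encoded variants that a naive substring match would miss.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original post):
# the first two imitate traversal attempts against the FortiOS SSL VPN
# endpoint named in the post; the last two are benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2021:10:01:02 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 13442
203.0.113.9 - - [16/Aug/2021:10:01:05 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 13442
198.51.100.4 - - [16/Aug/2021:10:02:11 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 812
198.51.100.5 - - [16/Aug/2021:10:03:40 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 2210
"""

# Combined-log-format style line: source, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_traversal_attempt(path: str) -> bool:
    """True when the request targets /remote/fgt_lang with a lang value that
    escapes the language directory (the CWE-22 pattern behind CVE-2018-13379)."""
    # Decode twice so that double-encoded sequences are normalised as well.
    decoded = unquote(unquote(path))
    if not decoded.startswith("/remote/fgt_lang"):
        return False
    lang = decoded.partition("lang=")[2]
    return "../" in lang or "..\\" in lang or "sslvpn_websession" in lang

def scan_log(text: str) -> list:
    """Return (source_ip, status, raw_path) for every matching request.
    A 200 status with a large response body on a hit suggests the session
    file was actually served, which should trigger credential rotation."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["path"]):
            hits.append((m["src"], int(m["status"]), m["path"]))
    return hits

if __name__ == "__main__":
    for src, status, path in scan_log(SAMPLE_LOG):
        print(f"ALERT {src} status={status} {path}")
```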

[Figure: Accenture LockBit attack methodology]

IoCs

SHA256:



Exposure Analysis

Our exposure analysis using Shodan indicates that, on 16 August 2021, there were more than 96,000 Internet-facing Fortinet VPN devices and networks that remain potentially vulnerable to these attacks unless they are patched immediately.

[Figure: Internet-facing devices running Fortinet VPN; top ports and servers]

Lockbit MITRE ATT&CK Mapping

[Figure: Accenture LockBit MITRE ATT&CK map]

Staying Alert

Our ransomware research has identified 266 vulnerabilities associated with ransomware that attackers use to infiltrate and attack their victims. These 266 vulnerabilities need to be at the top of every organization’s remediation plan and must be prioritized for patching. As of today, 134 of them are actively trending on the dark web; while any vulnerability associated with ransomware needs to be treated as a high-risk exposure, these trending vulnerabilities need to be addressed immediately.

The LockBit ransomware attacks have snowballed since the Accenture attack, with several attacks reported worldwide, in Chile, Italy, Taiwan, and the UK. With ransomware attacks escalating every day, global multinational organizations such as Accenture need to rethink their cybersecurity strategy. They need to adopt an approach of continuous vulnerability assessment and prioritized remediation to reduce their security debt and improve their cyber hygiene.


CSW’s in-depth research helps organizations become more resilient against ransomware. We recommend organizations get a Ransomware Assessment done to know the gaps, understand the exposures, and become resilient to ransomware attacks in the future.
