UPDATED 16:35 BST with Accenture statement confirming breach.
Accenture, the NYSE-listed consulting multinational, has been hit by a ransomware attack, with the Lockbit group threatening on a dark web site to begin leaking documents by 16:30 BST (August 11, 2021) in a post it later updated, giving the consultancy an additional 24 hours.
“These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider” one of the group’s members said on their .onion site, saying “all available data will be published”. The group briefly published some 2,384 files.
Accenture acknowledged an incident, saying: “Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from back up. There was no impact on Accenture’s operations, or on our clients’ systems.”
It did not comment on the alleged theft of sensitive data.
The company employs over 537,000 people globally, serving 40 industries in five industry groups.
It was not immediately clear which (if any) of its many divisions had been hit and the extent of the claimed breach.
Accenture ransomware incident comes as attacks remain high
The incident comes as Cisco Talos reported that ransomware represented nearly half (46%) of all of its incident response call-outs over the past quarter: triple that of the next most common issue (exploitation of Microsoft Exchange servers), with most attackers continuing to use commercial tools like Cobalt Strike, open source tools like Rubeus, and tools native on victim machines, like PowerShell.
Lockbit boasts on its Dark Web site of having the fastest encryption software. A report by security firm Sophos gives the group grudging respect for its tradecraft, noting that “aside from the initial point of compromise and registry key entries, [their] attacks left little in the way of a file footprint for forensic analysis. The ransomware was pulled down by scripts and loaded directly into memory, and then executed. And the attackers did a thorough cleanup of logs and supporting files when the attack was executed… These highly automated attacks were fast—once the ransomware attack was launched in earnest, LockBit ransomware was executed across the targeted network within 5 minutes, leveraging Windows administrative tools.”
In 2017 Accenture left at least four cloud storage buckets unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients. With aerospace, defence, federal government, banking, energy and software firms among its clients, partners will be hoping that any data stolen during the incident was limited.