Stolen data used to launch more effective BEC attacks
New research from Accenture shows that data stolen in ransomware and other cyberattacks is being weaponized in order to carry out business email compromise (BEC) attacks.
Underground forums have sets of credentials for sale for as little as $10 that provide access to genuine corporate email accounts, making malicious emails seem genuine.
Over the year to July, Accenture's Cyber Threat Intelligence (ACTI) team says it's observed over 4000 corporate and government victims with data posted to leak sites. This includes financial data, personal employee and client information, and communication documentation. Over 90 percent of these victims on dedicated leak sites have incurred subsequent data disclosures of varying degrees.
The Accenture team notes, "The emergence of vast quantities of leaked data enhances a BEC actor's ability to target an organization by strengthening the BEC attack chain while also undermining traditional defenses. ACTI assesses that the utility of dedicated leak site data has historically been limited by the difficulty of interacting with large quantities of poorly stored data. This has been cumbersome, time-consuming, and costly for actors, thereby creating a natural barrier for widespread abuse of the data, until now. ACTI found that several groups are making their dedicated leak site data more accessible by moving away from Tor domains and toward publicly accessible sites."
The 'Industrial Spy' marketplace even operates a working search function. The researchers discovered that threat actors can search for specific file types such as employee data, invoices, scans, contracts, legal documents, email messages, and more. Similarly, the 'ALPHV' ransomware group has created an indexed and searchable database of its leaks.
You can find out more, along with advice on guarding against attacks, on the Accenture blog.