Hacker posts data stolen from Swiss cyber security company Acronis on BreachForums

Swiss data protection and cyber security company Acronis suffered a cyber attack that involved threat actors leaking around 12GB of stolen data on the dark web.

Last week, a hacker going by the name “Kernelware” uploaded a trove of data, allegedly stolen from Acronis, on BreachForums, a popular dark web forum. According to the threat actor, the 12GB file contained various certificate files, command logs, system configurations, system information logs, filesystem archives, scripts, backup configuration data, and more.

Acknowledging the cyber attack, Acronis CISO Kevin Reed said in a LinkedIn post that the data leak was the result of a customer’s credentials being compromised.

“Based on our investigation so far, the credentials used by a single specific customer to upload diagnostic data to Acronis support have been compromised. We are working with that customer and have suspended account access as we resolve the issue.

“We also shared IOCs with our industry partners and work with law enforcement,” Reed said. He also clarified that “no other system or credential” was compromised in the cyber attack.

“There is no evidence of any other successful attack, nor there is any data in the leak that is not in the folder of that one customer,” Reed added.

Liquid Web, one of Acronis’ clients, told Hackread.com that it was notified about a security incident at Acronis but its data was not compromised in the cyber attack.

“Acronis notified us on March 9th that their support server containing Liquid Web information was compromised and data was downloaded. Working with Acronis, we have verified that this server was used for troubleshooting only and no Liquid Web customer credentials, files, or databases were breached,” it said.

Earlier this month, Kernelware gained attention by victimising HDB Financial Services, the non-banking lending arm of India’s largest private bank HDFC Bank and leaking almost 30 GB of personal data associated with the lender’s customers. It also breached the internal network of global technology company Acer and stole around 160GB of data.

Commenting on the targeting of Acronis, Matt Rider, VP of Security Engineering EMEA at Exabeam, said, “Finding an intruder quickly is essential to stopping them in their tracks, yet most organisations struggle to know when legitimate credentials have been compromised. This is because it is impossible to detect abnormal credential use, unless you have already baselined what is normal.

“With the majority (65% according to a recent survey) of security teams prioritising prevention above threat detection, investigation, and response, it’s evident that more needs to be done to assist leaders on how and where to focus their information security efforts. Rapid detection and automated investigation are vital for organisations to ensure they can quickly and efficiently detect malicious behaviour that could signal compromised credentials.

“Security teams, therefore, need to be confident they can identify these intrusions as soon as they occur – accurately assessing the extent of the attack – in order to remediate quickly and comprehensively to keep their data, employees, and customers safe,” Rider added.