Cyber Incident Victim: CreditTeam
Date:
Jun 2023
Location:
Italy
Summary
The NoEscape cyber gang claimed a ransomware attack against the Italian financial services firm CreditTeam, exfiltrating 121GB of data. The stolen information reportedly includes the company's confidential financial and tax documents, as well as sensitive client data such as passports and credit card details. The attackers threatened to publish the data and listed several other companies whose information was also allegedly compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around June 25, 2023, the cybercriminal group known as NoEscape claimed responsibility for a cyberattack on the Italian company CreditTeam. The group announced the attack on its Data Leak Site (DLS), the kind of platform threat actors use to extort victims publicly. In the initial post, NoEscape claimed to have exfiltrated 121GB of data from CreditTeam's IT infrastructure and started a public countdown showing eight days remaining, with a deadline of 18:34 (the post did not state the calendar date). A countdown of this kind is a standard pressure tactic in ransomware and extortion operations, intended to force the victim to pay before the data is released. The countdown and the publication threat indicate a double-extortion attack, in which data is encrypted and also stolen so that a leak can be threatened. Note that a leak-site post on its own evidences only the extortion element: it proves neither that systems were encrypted nor that the stated volume of data was actually taken, and such claims remain unverified until the victim or investigators confirm them.

According to the claims made by NoEscape on their leak site, the scope of the exfiltrated data was extensive and highly sensitive. The gang stated they possessed a wide array of confidential company documents, including financial, fiscal, and internal records belonging to CreditTeam itself. More significantly, the attackers claimed the data trove contained sensitive information pertaining to CreditTeam's clients and other companies it had worked with. The gang specifically alleged to be in possession of client passports and credit card data. They provided a list of example client company domains allegedly impacted, including www.ambrosini.it, www.combustibilicereda.it, www.capoferri.it, www.eredibaitelli.it, and www.bontempiimpiantipec.it. NoEscape further claimed to have data for approximately one hundred companies in total, suggesting a potentially widespread compromise of third-party data due to the attack on CreditTeam. The gang's post included a direct threat, stating that if CreditTeam did not cooperate, not only would the company suffer, but the owners of all these client companies would also be impacted by the data leak.
CreditTeam, the victim in this incident, is described as a provider of subsidised finance and credit intermediation services aimed at increasing liquidity and business growth for its clients. Its services include obtaining non-repayable grants, tax bonuses, and subsidised financing for micro-SMEs, start-ups, and self-employed professionals. A business of this kind necessarily collects and stores a large volume of highly sensitive financial and identity data belonging to its clients, which matches the type of data the attackers claimed to have exfiltrated. Compromising such a company therefore puts at risk not only the primary victim but its entire client base, potentially many small businesses and individuals who never dealt with the attackers directly.
As of the date of the reporting article, June 26, 2023, CreditTeam had published no statement or press release on its official website acknowledging the incident, so NoEscape's claims were unverified from the victim's side. The reporting source indicated it had contacted the company and offered space for a statement or updates, but none was included in the initial reporting. Silence in the first days after a claim is common: companies typically conduct internal investigations, assess the damage, and engage law enforcement and incident-response consultants before communicating publicly.
The threat actor involved, NoEscape, operates as a Ransomware-as-a-Service (RaaS) group. The RaaS model involves developers creating ransomware and supporting infrastructure, which is then leased to other affiliates who carry out the attacks. This business model allows for a higher volume of attacks and lowers the barrier to entry for cybercriminals. The group's use of a public data leak site with a countdown timer is a hallmark of the double-extortion tactics prevalent in the modern ransomware landscape. The article provides general background on ransomware, noting it is a type of malware designed to encrypt data and render systems unavailable, with a ransom demanded in cryptocurrency for decryption. It further explains that if the victim refuses to pay, attackers typically follow through with their threat to publish the stolen data.
The potential impacts of this incident are severe due to the nature of the data allegedly stolen. For CreditTeam, the immediate impact includes operational disruption, potential financial losses associated with incident response and recovery, reputational damage, and potential regulatory fines under legislation like the GDPR, given the involvement of personal data. For its clients, whose financial documents, passport details, and credit card information were allegedly exfiltrated, the risks include identity theft, financial fraud, and further targeted phishing or social engineering attacks. The publication of such data on the dark web would make it available to a wide range of malicious actors, amplifying the risk and extending the consequences long after the initial attack. The mention of specific client company names by the attackers also exposes those entities to heightened risk and potential reputational harm by association.
The article concludes by restating standard preventive measures, and does not describe any response or mitigation actions taken by CreditTeam itself. The recommendations are: security awareness training for employees; a robust backup plan with backups kept isolated from the production network; prompt patching of operating systems and software; antivirus software that is kept updated; the principle of least privilege for user accounts; never enabling macros in e-mail attachments; not following unsolicited links in e-mail; never exposing Remote Desktop Protocol (RDP) directly to the Internet, placing it behind a VPN instead; and perimeter controls such as Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF). The advice also discourages paying the ransom, since there is no guarantee the attackers will supply a working decryption key or that recovery will succeed. Two caveats matter for a double-extortion case like this one: isolated backups address the encryption half of the attack but do nothing to undo exfiltration, and payment buys only the attackers' promise not to publish data they still hold. The incident underscores that cybersecurity has to be built into business operations rather than treated as a secondary concern addressed only after a breach.
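As an added example (not from the reporting article and not CreditTeam's own configuration), the following PowerShell audits two of the items above on a Windows host: whether an inbound firewall rule exposes RDP (TCP/3389) to any remote address, and whether Office is configured to block macros in files that arrived from the Internet, which covers e-mail attachments. The VPN client range, the Office policy hive version (16.0), and the set of Office applications checked are assumptions; remediation is off by default so the script can be run as a read-only audit first.

```powershell
# Added example, not from the reporting article or from CreditTeam: audit (and
# optionally fix) two of the recommendations above on a Windows host.
# Assumptions: elevated PowerShell on Windows with the NetSecurity module,
# Office 2016 or later (policy hive "16.0"), and a VPN client range of
# 10.8.0.0/24. Adjust both values for your environment.

$VpnSubnet = '10.8.0.0/24'   # assumed VPN client address range
$Remediate = $false          # set to $true to apply the corrected settings

# --- 1. RDP exposure ---------------------------------------------------------
# Weak setting: an inbound allow rule for TCP/3389 whose RemoteAddress is 'Any'.
# Corrected setting: the same rule limited to the VPN client range.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and
            ($port.LocalPort -contains '3389' -or $port.LocalPort -contains 'Any')
    }

foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Warning "Rule '$($rule.DisplayName)' allows TCP/3389 from any address"
        if ($Remediate) {
            $rule | Set-NetFirewallRule -RemoteAddress $VpnSubnet
        }
    }
}

# --- 2. Macros in files that arrived by e-mail or download ------------------
# Weak setting: BlockContentExecutionFromInternet absent or 0.
# Corrected setting: 1, which blocks VBA in any file carrying the Mark of the
# Web (browser downloads and Outlook attachments) regardless of user clicks.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
    if ($value -ne 1) {
        Write-Warning "$app does not block macros in Internet-sourced files"
        if ($Remediate) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
        }
    }
}
```

Restricting the existing RDP rule is preferable to deleting it, because the rule's other settings (profile, program, service) are preserved and the change is easy to review in `Get-NetFirewallAddressFilter` output. In a domain the macro setting should be pushed through Group Policy rather than written per user; the registry key shown is the one the user-configuration policy writes to, so the audit half still works either way.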
