beyond the headlines
March 28, 2023by Ilana Touboul, Ebin Sandler

Threat Actors Sell Cybersecurity Firms' Sensitive Data on the Underground


Security companies position themselves as the defenders of cyberspace, protecting clients from sophisticated attacks and providing security hygiene guidance and best practices. Cybersecurity companies, however, have also been targeted by malicious actors seeking to steal sensitive data, disrupt operations, and compromise security products’ integrity. Indeed, cybercriminals increasingly seek to exploit the valuable content that cybersecurity companies collect and possess, including their customers’ financial data, intellectual property, and personally identifiable information (PII).

Cybercriminals can sell this information, use it to commit identity theft and financial fraud, and leverage it to access victims’ systems. Because cybersecurity companies often have direct access to their clients’ systems, they are prime targets for attackers looking to launch supply chain attacks¹. Threat actors also target cybersecurity companies to compromise their products, designed to detect and prevent cyber-attacks. Using this approach, attackers gain a significant advantage, helping them evade detection and facilitate malicious activities.

The trend of attacks on cybersecurity companies continues to intensify, and over the past two weeks, Cybersixgill observed several threat actors claiming that they breached security companies’ networks and advertising their data for sale to other cybercriminals. With cybersecurity companies generally focused on protecting their clients' networks and data, in-house security may take a backseat to customers’ needs.

Additionally, the constantly evolving nature of cyber threats means that cybercriminals try to stay one step ahead of even the most sophisticated security measures.

This trend highlights the need for cybersecurity companies to invest in cutting-edge technology and regularly assess and update security protocols to stay on top of the threat landscape. Cybersecurity companies must also educate their employees to recognize and respond to suspicious activity before it spirals into a security incident, as the human vector frequently remains the weakest link in the cybersecurity chain.


Cybersixgill collected the following post on a popular cybercriminal forum where a member with an average reputation score advertised sensitive information from one of the top cybersecurity companies in the U.S. This member registered on the forum on that  same day and did not share any subsequent posts.

The forum member claimed that the data was stolen from one of the company’s employees and contained security audits and multiple “files of interest,” including (1) Cobalt Strike² licenses and related files, (2) comprehensive security reports with evidence, (3) corporate emails and passwords, (4) multiple proprietary automation scripts, (5) over 100 Remote Desktop Protocol (RDP)³ files, (6) the company’s main pen-testing sandbox⁴, along with an ESXi⁵ server, and (7) current company documents stored in the company’s Dropbox⁶.The data was advertised with an asking price of $3,000 in Monero or Bitcoin cryptocurrencies only. The forum member offered exclusive access to a single buyer, claiming the original data would be immediately removed from the sellers’ systems following sale. Interested parties were instructed to make contact via private message on the forum only and not on Telegram or any other communication channel.

While the forum member shared only one sample to preserve the confidentiality of the data, the threat actor identified the names of the security company’s customers, including organizations from the e-commerce, healthcare, fintech, entertainment, capital management, and insurance sectors, among others,  both inside and outside the U.S. A forum member who replied to the thread criticized the company for storing valuable documents on Dropbox. Another member commented that some cybersecurity companies store sensitive files on Google Drive, which they characterized as a severe lack of security standards.If the aforementioned data is genuine, its exposure on the underground could inflict significant damage on the company, whose sensitive data, proprietary information, and attack simulation tools may now be exploited by cybercriminals in attacks targeting the company’s customers. The company’s reputation is also affected by this data theft and exposure on a leading cybercriminal forum.

Forum screenshotCybersixgill

Cybersixgill also collected a post on a different cybercrime forum on which a member with an average reputation score advertised a database stolen from a European IT company. The forum member claimed to be a novice and asked for assistance selling the database, surveying the forum for the data’s worth. The database allegedly contains emails, phone numbers, and names of all customers. With such information, cybercriminals could conduct spearphishing attacks and commit fraud using employee data. Based on the country and sector of the affected company, the forum member sought a high price and clearly communicated their financial motive, offering exclusive access to a single buyer.

The forum member offered to prove the data's authenticity and warned potential buyers not to make contact unless they were willing to pay more than €50,000, a much higher price than the forum member initially requested. There were no public replies to the post.

Forum screenshotFigure 2: A cybercrime forum member advertises a database stolen from a European IT company


While cybersecurity companies play a crucial role in protecting information systems and networks, they are not immune from intrusions and cyber attacks. Threat actors are well aware of the value of such cybersecurity companies’ data and seek big payouts on the underground. Beyond the financial, operational, and legal costs, it is challenging for cybersecurity companies that have been breached to represent themselves as reliable partners capable of protecting customers from similar attacks.

All organizations, including cybersecurity companies, must therefore implement effective security measures to prevent attacks and data theft, including the following:

Enable multi-factor authentication (MFA) processes to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts.

Create data copies and backups on external servers that are isolated from the business network.

Run the most updated and safest versions of all computing elements and immediately patch all vulnerable products when a vulnerability is disclosed.

Limit access to critical resources to personnel who require it to perform their jobs.

Instruct employees not to click on links or attachments from suspicious emails and implement regular security training to raise employees’ awareness in order to thwart social engineering attacks.

Cybersixgill automatically aggregates data leaks and alerts customers in real time.

1In a supply chain attack, also called a value-chain or third-party attack, a malicious actor infiltrates a system through an outside partner or provider with access to the victim's systems and data.

2Cobalt Strike is a remote access tool that acts as an adversary simulation software for penetration testing, designed to mimic targeted attacks and the post-exploitation actions of advanced threat actors for training purposes.

3Remote Desktop Protocol (RDP) is a network communications protocol developed by Microsoft, which allows users to connect to another computer from a remote location.

4In cybersecurity, a sandbox environment is an isolated virtual machine in which potentially unsafe software code can execute without affecting network resources or local applications.

5ESXi is a type-1 hypervisor (virtualization platform) that allows multiple virtual machines to run on a single physical server. It was developed by VMware and is one of the most widely used hypervisors in enterprise environments.

6Dropbox is a cloud storage and file-sharing platform for storing, synchronizing, and sharing files and folders across multiple devices and platforms.

Learn More

You may also like

March 16, 2023

Researchers Discover Sensitive US Military-Related Email Server Exposed Online

Read more

March 07, 2023

These are the critical differences between underground internet data dumps of logs, credentials, and accounts

Read more

March 03, 2023

Mysterious threat actor advertises data from telecom giant Telus for $50,000

Read more