Resecurity Breach Incident Score: Analysis & Impact (RES1767484920)

In this Rankiteo incident briefing, we review the Resecurity breach identified under incident ID RES1767484920.

The analysis begins with a detailed overview of Resecurity's information like the linkedin page: https://www.linkedin.com/company/resecurity, the number of followers: 88523, the industry type: Computer and Network Security and the number of employees: 116 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 752 and after the incident was 665 with a difference of -87 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Resecurity and their customers.

On 21 November 2025, Resecurity disclosed Data Breach issues under the banner "Scattered Lapsus$ Hunters Claims Breach of Resecurity, Resecurity Denies Compromise".

Threat actors associated with the 'Scattered Lapsus$ Hunters' (SLH) claim to have breached the systems of cybersecurity firm Resecurity and stolen internal data.

The disruption is felt across the environment, affecting Honeypot environment (isolated, non-production systems), and exposing Fake data (synthetic datasets, including employee data, internal communications, threat intelligence reports, and client information), with nearly 28,000+ synthetic consumer records, 190,000+ synthetic payment transaction records records at risk.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Isolated honeypot environment, monitoring of threat actor activity, and stakeholders are being briefed through Public statement denying breach of real systems, disclosure of honeypot operation.

The case underscores how Ongoing (threat actor activity still being monitored), teams are taking away lessons such as Effectiveness of honeypots in monitoring and gathering intelligence on threat actors; importance of OPSEC in threat actor operations; challenges in attributing attacks due to overlapping threat actor groups, and recommending next steps like Organizations should consider deploying honeypots for threat intelligence gathering; enhance monitoring of publicly exposed systems; collaborate with law enforcement for threat actor attribution and disruption, with advisories going out to stakeholders covering Resecurity has publicly denied the breach of real systems and clarified the honeypot operation.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate to high confidence (80%), with evidence including probing publicly exposed systems, and attack vector such as Probing publicly exposed systems and Phishing: Spearphishing Link (T1566.002) with moderate confidence (50%), supported by evidence indicating retaliation for alleged social engineering attempts by Resecurity. Under the Credential Access tactic, the analysis identified Compromise Accounts (T1586) with moderate confidence (60%), supported by evidence indicating threat actor accessed honeypot (implied credential use or system access). Under the Collection tactic, the analysis identified Data from Information Repositories (T1213) with high confidence (90%), supported by evidence indicating screenshots of employee data, client details, threat intelligence reports and Data from Local System (T1005) with moderate to high confidence (80%), supported by evidence indicating accessed Mattermost collaboration platform (internal communications). Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating 188,000 automated exfiltration attempts using residential proxy IPs and Exfiltration Over Web Service (T1567) with moderate to high confidence (70%), supported by evidence indicating telegram post teasing further disclosures (implied exfiltration). Under the Command and Control tactic, the analysis identified Proxy (T1090) with high confidence (90%), supported by evidence indicating residential proxy IP addresses used for exfiltration attempts and Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (70%), supported by evidence indicating automated exfiltration attempts (likely HTTP/HTTPS). Under the Defense Evasion tactic, the analysis identified Masquerading (T1036) with moderate confidence (60%), supported by evidence indicating threat actor posed as buyers to obtain database samples (social engineering) and Hide Artifacts: Hidden Files and Directories (T1564.001) with moderate confidence (50%), supported by evidence indicating oPSEC failures (proxy connection failures exposed infrastructure). Under the Impact tactic, the analysis identified Defacement: Internal Defacement (T1491.001) with moderate to high confidence (70%), supported by evidence indicating public claims of breach via Telegram (reputational impact). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.