Acronis Cyberthreats Update, February 2024

Authors:

Alexander Ivanyuk — Senior Director, Technology

Irina Artioli — Cyber Protection Evangelist

Candid Wüest — VP of Product Management

The Acronis Cyberthreats Update covers current cyberthreat activity and trends, as observed by Acronis analysts and sensors. Figures presented here were gathered in January of this year and reflect threats that we detected as well as news stories from the public domain. This report represents a global outlook and is based on more than one million unique endpoints distributed around the world.

1. Over 10 million malicious URLs were blocked at the endpoint by Acronis in January 2024. That’s a 23% decrease compared to December 2023.
2. The number of detected malware attacks in January decreased by 10% compared to December.
3. The most active ransomware groups in January were LockBit, claiming 62 victims, followed by 8Base with 29 and Akira with 26.
4. The top 3 most active malware threats of the month were Remcos, AgentTesla and njRAT
5. Acronis recorded more than 283 data breaches that were reported globally.

The new year has started with several noteworthy cybersecurity events. Researchers reported a new spying campaign by the Sea Turtle cyber espionage group, also known as Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf. Linked to Turkey and active since at least 2017, Sea Turtle has been targeting telecommunication, media, ISPs, IT service providers and Kurdish websites in the Netherlands, utilizing tactics such as DNS hijacking and island-hopping. As part of their sophisticated techniques, Sea Turtle secures initial access through compromised cPanel accounts, utilizing SSH for entry, and incorporates 'SnappyTCP,' an open-source Linux reverse TCP shell, serving as a persistent backdoor.

This revelation adds to the broader landscape of cybersecurity threats targeting service providers, including the active exploitation of zero-day vulnerabilities in Ivanti's Connect Secure VPN and Policy Secure NAC appliances, resulting in more than 1,700 compromised ICS VPN appliances globally and exploitation of another critical security vulnerability (CVE-2023-29357) in Microsoft SharePoint Server.

These attacks highlight the fact that threat actors are leveraging security gaps in exposed services for sustained unauthorized access, employing living-off-the-infrastructure strategies for persistent and malicious activities.

In January, Acronis Cyber Protect blocked 5.8 million malware threats on endpoints, which is 3.5 times higher compared to December.

It’s important to stop malware early in the attack chain — for example, by blocking the malicious emails that deliver them. Nevertheless, many threats do still make it to the endpoint.

The following table shows the percentage of Acronis clients that had at least one malware threat blocked at the endpoint in January. This number has been hovering around 17.9% for this year so far.

This table also shows the top three countries by normalized malware detections in the given month. The higher the percentage, the higher the risk of a workload in that country being attacked by malware.

The aforementioned threats can be detected and mitigated with solutions from Acronis.

Acronis Cyber Protect protects against both known and never-before-seen threats through a multilayered protection approach. This includes behavior-based detection, AI/ML-trained detections and anti-ransomware heuristics, which can detect and block encryption attempts and roll back any tampered files automatically without any user interaction. Additional advanced email security and URL filtering can help you protect against social engineering threats.

Advanced Security + Endpoint Detection and Response (EDR) for Acronis Cyber Protect Cloud brings the visibility needed to understand attacks, while simplifying the context for administrators and enabling efficient remediation of any threats.

Learn more about Acronis’ approach to cyber protection.