Acronis Cyberthreats Update, October 2023

Authors:

Alexander Ivanyuk, Senior Director, Technology

Irina Artioli, Cyber Protection Evangelist

Candid Wüest, VP of Research

The Acronis Cyberthreats Update covers current cyberthreat activity and trends, as observed by Acronis analysts and sensors. Figures presented here were gathered in September of this year and reflect threats that we detected as well as news stories from the public domain. This report represents a global outlook and is based on over 1 million unique endpoints distributed around the world.

The top 5 numbers for this report:

  • 4.1 million malicious URLs were blocked at the endpoint by Acronis in September 2023. That’s a decrease of 43% compared to August, and 14% less than in September 2022.
  • Acronis detected malware attacks on 50,000 endpoints in September, an 18% increase over August.
  • Ransomware detections at the endpoint decreased 8% from August to September. The most-active ransomware group in September was LockBit, claiming 75 victims.
  • In September, the Endpoint Detection and Response (EDR) pack for Acronis Cyber Protect Cloud detected more than 486,000 incidents, a majority of which were automatically remediated.
  • We recorded more than 425 data breaches that were reported globally.

Incidents of the month: Abuse of multi-factor authentication

This month we saw several cases that demonstrated why multi-factor authentication (MFA) systems must be configured and protected properly: a control that is meant to strengthen authentication should not become the way in.

MGM Resorts and Caesars Entertainment, two of the largest casino operators on the Las Vegas Strip, were hit with social engineering attacks that gave the attackers access to their Okta authentication systems and, from there, to the casinos' networks. As a result, 6 TB of personal data was stolen, and one of the casinos allegedly paid a $15 million ransom to the BlackCat ransomware group. Both companies already face multiple lawsuits from customers whose data was leaked.

Software company Retool says the accounts of 27 cloud customers were compromised following a targeted, multi-stage social engineering attack against an IT employee's Okta account. The attack succeeded because of a new Google Authenticator feature that synchronizes a user's 2FA seeds (the shared secrets from which the one-time codes are computed) to their Google account. Syncing was enabled on the compromised account, so control of the employee's Google account gave the attackers the ability to generate valid 2FA codes for every internal service enrolled in that authenticator.

September malware detections

In September, Acronis Cyber Protect blocked 2.6 million malware threats on endpoints, 56% more than in August. One of the most active threats this month was Agent Tesla, continuing the trend of information-stealing Trojans. The credentials such malware steals are typically sold on underground markets and reused in later attacks.

It's important to stop malware early in the attack chain, for example by blocking the malicious emails that deliver it. Nevertheless, many threats still make it to the endpoint.

The following table shows the percentage of Acronis clients that had at least one malware threat blocked this month. This number has been hovering around 10% for the year so far.

[Table: percentage of Acronis clients with at least one malware detection, by month]

Normalized malware detections by regions

The following table shows the normalized percentage of clients with at least one malware detection in the given month. The higher the percentage, the higher the risk of a workload in that country being attacked by malware.

[Table: normalized percentage of clients with at least one malware detection, by country]

Protection

The aforementioned threats can be detected and mitigated with solutions from Acronis.

Acronis Cyber Protect protects against both known and never-before-seen threats through a multi-layered protection approach. This includes behavior-based detection, AI/ML-trained detections, and anti-ransomware heuristics, which can detect and block encryption attempts and roll back any tampered files automatically, without any user interaction.

The Endpoint Detection and Response (EDR) pack for Acronis Cyber Protect Cloud brings the visibility needed to understand attacks, while simplifying the context for administrators and enabling efficient remediation of any threats.

Learn more about Acronis’ approach to cyber protection.