Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.
Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as new ransomware campaigns and severe Exchange Server vulnerabilities. Here’s a look at some of the most recent breaking news and analyses:
Extra-large RansomEXX spree
Ransomware gang RansomEXX recently landed successful attacks on two high-value targets: Taiwanese motherboard maker Gigabyte and Italian luxury fashion house Zegna.
The cybercrime group claims to have stolen 112 GB of data from Gigabyte, and close to 21 GB from Zegna. While Gigabyte has not issued any comments, RansomEXX’s private leak page strongly suggests that the group did indeed pull off a successful attack. Portions of Gigabyte’s infrastructure and websites were offline recently —another likely indicator of a ransomware strike.
RansomEXX has been around since 2018, operating first under the name Defray and then rebranding in 2020. New name or not, their ransomware follows known behavioral patterns, and Acronis Cyber Protect's Active Protection recognizes and stops it before harm can come to your data or systems.
Cryptojacking: Gotta GO fast
Incidents of cryptojacking, which is a heavily under-reported issue, are detected nearly half a million times each month. Researchers have identified a new strain of the Golang crypto-worm — now faster and more efficient by 15%.
The attackers using this particular worm are scanning for vulnerabilities in XML-RPC, a protocol provided by WordPress and Oracle WebLogic Servers. Upon successful exploitation, XMRig is installed along with a worm that spreads it to other sensitive directories.
Cryptojacking degrades system and network performance, and can severely impact your hardware and/or continuity of business operations. Acronis Cyber Protect's Active Protection recognizes the malicious behaviors endemic to cryptojacking and stops them in their tracks.
BlackMatter ransomware expanding to Linux ESXi servers
The BlackMatter ransomware group, which is believed to have emerged from the remnants of the DarkSide gang, has added a module to encrypt Linux VMware ESXi servers. This follows the pattern of other ransomware groups such as REvil, Babuk or RansomExx, all of which have Linux variants as well.
With this latest update, BlackMatter now contains a VMware ESXi library for their ELF 64-bit encryptor, allowing the threat actors to list all VM hosts and shut them down before encrypting their images.
The BlackMatter group is also openly recruiting “initial access brokers” — people who can discretely provide the gang with access to corporate networks. They’re specifically interested in companies with more than $100 million in revenue.
Acronis Cyber Protect uses behavior-based detection to identify and block ransomware threats to users of Windows, macOS, or Linux operating systems, before they can do any harm.
Attackers scanning for vulnerable Exchange servers
A set of three vulnerabilities in Microsoft Exchange Server could be chained, allowing attackers to perform unauthenticated remote code execution. This potential to run arbitrary code and commands on compromised machines has threat actors actively scanning for vulnerable servers.
Two of the three vulnerabilities were fixed as part of the April Microsoft Patch Tuesday, and the third was fixed in May. Despite the availability of patches that address these issues, Exchange honeypots show that attackers have succeeded in exploiting unpatched servers as recently as within the last couple of weeks.
Exchange Server is one of the top email solutions for businesses, with over 400,000 Exchange Servers exposed to the internet. This makes it a valuable target to attackers, especially when they’re motivated by the prospect of running any code they want on these many servers.
The best way to protect against these vulnerabilities is to ensure your Exchange Servers have received the relevant security patches. Acronis Cyber Protect makes this easy, allowing you to select which systems to patch, and which patches to apply, all from a single web console.
# # #
For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.