Cyberthreat update from Acronis CPOCs: Week of December 14, 2020

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as ransomware attacks on government facilities and the new vulnerabilities in popular business applications. Here’s a look at some of the most recent breaking news and analyses:

SolarWinds compromised, used to attack 18,000 organizations

IT vendor SolarWinds has been compromised in a massive supply chain attack. Impacted victims include the United States government and many Fortune 500 companies.

Attackers seem to have breached the SolarWinds build environment, injecting malware into the company’s Orion update. This particular backdoor “sleeps” for two weeks, then attempts to disable local security tools before executing commands from a remote server. Since March 2020, as many as 18,000 customers installed this infected update.

Software supply chain attacks like this are tough to detect, as they spread through updates from an actual trusted vendor and are legitimately signed. The full extent of the damage is not yet known, but similar events in the past involving CCleaner, M.E.Doc, Asus, and NetSarang resulted in millions of devices being compromised.

The Indicators of Compromise (IoCs) from this attack have been added to the Acronis Cyber Protection Operations Center (CPOC) monitoring chain. Acronis Cyber Protect blocks backdoors, including Sunburst, before they can damage systems or open communications with remote servers.

Foxconn Mexico hit by DoppelPaymer ransomware attack

The Mexican facility of Foxconn, a global electronics manufacturer with $180 billion in annual revenue and 800,000 employees, was compromised by the DoppelPaymer ransomware.

The attackers successfully encrypted 1,200 servers, deleting 25 TB of backed-up data before exfiltrating 100 GB from the company’s systems. After the demanded ransom — roughly $34 million in bitcoin — went unpaid, this stolen data was published online.

Cybercriminals continue to step up the severity of their attacks, and this one represents one of the highest-value ransoms ever seen. Acronis Cyber Protect uses behavioral heuristics to effectively block known and unknown ransomware variants without data loss, and also protects backups against tampering.

Egregor claims two high-value targets as attacks pick up pace

Egregor ransomware has recently claimed two high-value targets within a week: major retailer Kmart, and the City of Vancouver’s transportation agency TransLink.

While the Egregor gang has only been active since September of this year, they’ve quickly made a name for themselves with successful attacks against Randstad, Cencosud, Crytek, Ubisoft, and Barnes & Noble. The group supplies ransomware-as-a-service, using a 70/30 revenue share model, vastly increasing the number of potential targets.

Though specific ransom numbers have not been disclosed, screenshots from the attack against TransLink suggest “hundreds of millions” in dollars being demanded in exchange for the decryption keys. Acronis Cyber Protect stops Egregor and other cyberthreats in their tracks with multiple layers of AI-driven protection.

Zero-click remote code execution vulnerability discovered in Microsoft Teams

A zero-click remote code execution (RCE) vulnerability in the Microsoft Teams desktop client could have allowed an attacker to steal confidential files, private chats, private keys, and other personal data.

Through this exploit, specifically-crafted messages could be used to execute code on the victim’s computer, simply by viewing the message — no interaction with its contents needed. Research has shown that this vulnerability additionally allowed for stored cross-site scripting, privilege escalation (up to the admin level), microphone/camera access, and keylogging.

Many organizations rely heavily on Microsoft Teams, which has 115 million daily active users. Company networks often host guests who are also active in other Teams networks, making this vulnerability potentially wormable across organizations. Acronis Cyber Protect integrates with Microsoft Teams and can prevent code injection and suspicious operations by Teams processes, keeping users safe from these sorts of attacks.

COVID-19 vaccine distribution targeted in phishing scheme

Targeted phishing emails in countries that include Italy, Germany, Taiwan, and South Korea have been attempting to collect information on the World Health Organization's plans for distributing COVID-19 vaccines to developing countries.

The emails, sent to government officials and manufacturers of critical components, were sent disguised as price quotes — but actually contain malicious HTML attachments prompting victims to enter user credentials for sensitive systems, with which the attackers may be able to get access to confidential data.

These attacks appear to be focused on obtaining information regarding the cold storage and transportation of the vaccine. It remains unclear whether the purpose is to replicate the processes, or impede the WHO's processes directly.

Phishing emails are no match for Acronis Cyber Protect, which features integrated URL filtering capabilities to prevent access to malicious info-stealing websites.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.