Cyberthreat update from Acronis CPOCs: Week of July 12, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as new Trojans to watch out for and ransomware strikes against major organizations. Here’s a look at some of the most recent breaking news and analyses:

Multipass of Madness: New Trojan abuses streaming software

The framework of OBS Studio, an immensely popular piece of streaming software, has been exploited by a new malware variant. This Trojan, dubbed BIOPASS Rat, can stream screen captures of victims’ computers to a server controlled by the attackers.

BIOPASS RAT includes common Trojan capabilities, including remote desktop access, command execution, data exfiltration, and the ability to steal browser and chat data. It does so by misusing the object storage service (OSS) of Alibaba Cloud to host malicious scripts, and to store data taken from victims.

BIOPASS RAT poses as a software update for Adobe Flash Player, Microsoft Silverlight, or another well-known application. The malware is often hidden in malicious JavaScript code on support chat pages of gambling sites.

Acronis Cyber Protect uses on behavioral detection powered by machine intelligence to identify and block even brand-new Trojans like BIOPASS RAT based on the behaviors they exhibit — keeping your data safe.

116 bugs fixed in Microsoft’s July Patch Tuesday

Microsoft has released another round of critical patches in the latest Patch Tuesday release. A total of 116 security holes were patched for the Windows OS and related software this month.

Thirteen of these updates are labeled as “critical” and four address vulnerabilities that are actively being exploited. The PrintNightmare print spooler flaw, which could allow attackers to run arbitrary code with SYSTEM privileges, is among the most recent vulnerabilities patched. Microsoft rushed out a fix for this after the vulnerability was accidentally leaked online.

Patch management is easy with Acronis Cyber Protect. The latest updates for Windows and many other popular business applications can be applied automatically, while administrators gain a detailed view of the IT environment’s security stance and granular control over patching schedules.

Guess it was ransomware: Clothing retailer hit by Darkside

The international clothing retailer Guess has recently begun notifying customers of a data breach following a ransomware attack. With over 1,000 stores worldwide, 14,000 employees, and an annual revenue of over $2.4 billion, Guess is an undeniably high-value target.

The attackers stole an estimated 200 GB of personal and financial information relating to Guess customers. This data includes account numbers, credit and debit card numbers, PINs, security questions, and access codes. The DarkSide gang is most likely behind the attack, and they took credit for it on their leak site back in April.

Ransomware is always evolving, and new variants are developed every day — but they always rely on malicious behaviors that can be recognized. Acronis Cyber Protect identifies and blocks DarkSide and other forms of malware before they can compromise your data.

Grief ransomware has German district in emergency state

The council of Germany’s Anhalt Bitterfeld district has officially declared a state of emergency — or, more precisely, a “cyber catastrophe” — after they fell victim to a Grief ransomware attack. This allows the 158,000 impacted residents to receive federal assistance without delay.

All internal services and systems access for the district’s 900 public servants are currently offline, with only the telephone remaining operational. Officials have said that they expect the outage to last at least one week. It’s unclear if the recent PrintNightmare vulnerability played a role.

The Grief ransomware gang first appeared on the scene in 2021. Like most other current cybercrime groups, they conduct double extortion, and have already published 200 MB of stolen data from this attack.

No matter the party responsible, Acronis Cyber Protect blocks ransomware attacks of all types with threat-agnostic behavioral analysis, preventing operational disruptions and loss of data.

Yes, you can teach an old bot new tricks

Trickbot has moved far beyond its roots as a simple banking Trojan back in 2016. Over the years since, it’s learned some new tricks, and has now has become a favorite initial payload in ransomware attacks after the takedown of the Emotet botnet early in the year.

Trickbot has been the most common malware this year, affecting 7% of businesses globally. This is no surprise considering its popular status among extortion gangs, whose ransom attacks have risen 93% over the past 12 months.

Trickbot is under constant development, which may have helped the gang avoid two takedown attempts by Microsoft and U.S. Cyber Command. The latest improvement is an updated VNC module, now used to communicate with the C&C servers, retrieve attack commands, download additional payloads, and exfiltrate data. It even includes a "viewer tool," which can be used by the attackers to spy on and interact with victims.

Acronis Cyber Protect keeps your systems safe by detecting and blocking Trickbot and other Trojans with its included behavioral detection engine powered by machine intelligence — stopping the malware before any additional payloads can be deployed.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.