Cyberthreat update from Acronis CPOCs: Week of April 19, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as shifting cybercrime tactics and ransomware strikes against major corporations. Here’s a look at some of the most recent breaking news and analyses:

Hoya Corporation falls victim to AstroLocker Team ransomware gang

A new ransomware gang by the name of AstroLocker Team is actively attacking high-value targets, and has just released information regarding their latest victim, Hoya Corporation.

Hoya Corporation is a Japan-based manufacturer of optical products with close to 37 thousand employees and an estimated total revenue — according to AstroLocker Team — of $5 billion. The company has not released any information regarding the attack at this time, but AstroLocker claims to have stolen 300GB of data, including confidential information regarding finances, production, emails, passwords, patient info, and more.

Little is known about AstroLocker Team. Cybersecurity researchers have noted that the group’s attacks on unprotected machines have all the characteristics of the Mount Locker group, except that victims are directed to the AstroLocker support and chat site after a successful attack. Both groups’ websites link to one another; it’s possible that these two cybercriminal gangs are one and the same, or that AstroLocker is a new affiliate member of a ransomware-as-a-service program.

No matter who’s behind a cyberattack, Acronis Cyber Protect's behavioral heuristic engine recognizes malicious processes and stops all types of ransomware in their tracks.

Patch Tuesday delivers over 100 updates, including five zero-day fixes

April's Microsoft Patch Tuesday has arrived, and for the first time this year we’re seeing the arrival of more than 100 patches. Among these are fixes for five zero-day vulnerabilities, and 19 vulnerabilities are considered “critical.” This count does not include the patches for six Chromium Edge vulnerabilities that were recently shared on Twitter.

The zero-day fixes cover vulnerabilities that could allow privilege escalation through the RPC endpoint mapper service, Win32k, and the Azure ms-rest-nodeauth library, as well as a denial-of-service vulnerability, and a bug in the Windows installer that could lead to improper information disclosure. Attackers have already been spotted exploiting the Win32k vulnerability in the wild.

Hot on the heels of the Exchange vulnerabilities earlier this year, we’re also seeing patches for an additional four remote code execution vulnerabilities in Exchange Server, which were discovered by the United States National Security Agency.

The included patch management capabilities in Acronis Cyber Protect Cloud make it simple to automatically apply the latest updates to business-critical software — no matter how many machines you need to protect. In the unlikely event of a bad patch, automated backups allow you to quickly roll back systems to their previous working state.

New study shows most common imitated brands in phishing campaigns

A new study has shed light on the companies whose branding has most often been imitated in phishing campaigns throughout the first quarter of 2021. Not surprisingly, the top ten includes technology firms, financial institutions, and shipping companies.

Microsoft was the most commonly imitated brand, with 39% of all spam campaigns attempting to convince victims that they’re receiving a message from the tech titan. Shipping giant DHL was next, at 18%, followed by Google at 9%, with Roblox, Amazon, and Wells Fargo not far behind. LinkedIn, Apple, and Dropbox round out the top ten with 2% each.

Phishing often uses trusted branding to put victims at ease, and to convince them to submit sensitive information or interact with malicious files. Victims are often directed to websites that discreetly capture information or install malware on the victim’s machine. When malware is installed, it’s often in the form of a remote access trojan, which is subsequently used to load additional threats like info stealers and ransomware.

A multi-layered, threat-agnostic cyber protection solution is the best way to protect against today's cyberthreats. Acronis Cyber Protect Cloud combines URL filtering — blocking access to malicious websites — with AI-based behavioral detection engines to stop malware and ransomware before damage can be done to your systems.

Ransomware attack leaves Dutch supermarket shelves without cheese

Dutch transport and logistics firm Bakker Logistiek admitted recently to a cyberattack that rendered them unable to meet shipping demands. The incident has left supermarkets — like the Netherlands' largest grocery chain, Albert Heijn — with empty cheese shelves.

Bakker Logistiek is one of the largest logistics services providers in the Netherlands, with an estimated annual revenue of nearly $50 million. The attack left the company without access to their internal systems, and therefore effectively unable to locate products within their massive warehouses or to plan deliveries.

Most details surrounding the attack are still emerging, but it is speculated that on-premises Microsoft Exchange servers allowed cybercriminals to install the new DearCry ransomware on critical infrastructure. At this time, it’s not clear how much money was demanded as a ransom, or whether those demands have been met.

Situations like this highlight how ransomware attacks can have widespread impacts. While the ransomware strain used in this attack is a relatively new one, Acronis Cyber Protect's advanced heuristic engine defends against all forms of ransomware due to its focus on detecting malicious behaviors rather than specific malware variants.

Banking trojan showdown as operators change payloads

A common tactic of malware operators is to change up the payloads being installed on victim computers, which improves the effectiveness of attacks over time and makes it difficult for analysts and researchers to follow malware trends.

A few months ago, the QBot banking trojan was commonly observed as an initial payload in cyberattacks. This trend changed suddenly in February, when IcedID replaced QBot as the payload served from URLs that had previously been delivering QBot. IcedID has previously been known for delivering ransomware strains like RansomExx, Maze, and Egregor.

After only about a month and a half, the payload from these URLs has switched back to QBot once again. QBot is known for delivering ProLock, Egregor, and DoppelPaymer ransomware. On its return, QBot has been observed to be relying on updated XLM macros in malicious Microsoft Office documents, posing as a DocuSign document.

The advanced heuristic engine in Acronis Cyber Protect Cloud stops not only ransomware, but also trojans like QBot and IcedID, which are often used to install additional forms of malware on your systems.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.