Cyberthreat update from Acronis CPOCs: Week of May 10, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as newsworthy strikes against major facilities and the latest critical security patches. Here’s a look at some of the most recent breaking news and analyses:

Cybercriminals strike oil: Pipeline offline after attack

The Colonial Pipeline, which stretches across 14 states between Houston and New York and provides 45% of all fuel consumed on the East Coast, was shut down late last week after being hit by DarkSide ransomware.

Infrastructure is increasingly computerized, and a growing target for cyberattacks — sometimes originating from nation-states or other governmental organizations. The DarkSide group has issued a statement about the attack, in which they claim to be motivated not by politics but solely by money.

Colonial Pipeline was shut down as a precautionary measure, in case the attackers had stolen data that could assist them with further attacks, and the pipeline's operators are working with industry experts to restore service. At this time, the attack vector is unknown.

Whether critical infrastructure or business systems, ransomware can be costly even for organizations that don’t pay up. The Active Protection included in Acronis Cyber Protect uses next-generation behavioral detection to identify and block known and unknown malware before such threats can spread across the network and compromise data.

City of Tulsa crippled by ransomware attack

Tulsa, one of the 50 largest US cities with a population of over 400,000, has shut down all computer systems and networks after a ransomware attack.

The city took systems offline as a precautionary measure as soon as ransomware was detected. While emergency services and phone lines remain operational, all official city websites have been affected, and tasks like utility payments must be handled by phone.

At this time, the nature of any stolen data has not been released, but no personal customer information is believed to have been compromised. Both the type of ransomware used in this attack and the amount of money demanded by the attackers are unknown at this time.

Ransomware is costly even for those who don’t pay up, and anyone can fall victim no matter how well they’ve prepared. The Active Protection in Acronis Cyber Protect stops known and unknown ransomware before data can be stolen or files can be encrypted. Disaster recovery capabilities help you to minimize any potential downtime by running protected backups in the cloud, restoring operations within minutes.

Failed driver update leads to unusable computers

A new driver update for ADM SCSI adapters seems to be causing system-disabling problems for many Windows 10 users.

Users of Gigabyte Aorus motherboards with X570 chipset have reported that their computers became unusable after installing driver version, with systems simply displaying an error message of “inaccessible boot device” on startup. Microsoft is working with AMD on a fix, and the faulty update has been temporarily pulled.

It’s generally important to keep systems up-to-date with the latest patches and driver updates, but there’s always a chance that an update will cause compatibility issues. Acronis Cyber Protect can automatically generate full-disk backups before applying patches, enabling a quick rollback should there be any trouble. In the rare event that a problematic update cripples your ability to boot systems, these backups can be run in the cloud, minimizing business continuity interruptions.

Four critical bugs fixed in Microsoft’s May Patch Tuesday

This month’s Patch Tuesday includes fixes for a total of 55 vulnerabilities. While this is only around half the number of fixes introduced in April, four of these vulnerabilities were considered critical, and three addressed zero-day threats which are already being exploited in the wild.

These zero-day vulnerabilities allow privilege escalation through .NET and Visual Studio, security feature bypass in Exchange Server, and a remote code execution (RCE) vulnerability in Microsoft Common Utilities. A total of 32 products — including Microsoft Office, Windows RDP Client, and Internet Explorer, — features, and roles had security updates this month, as well as a number of non-security updates.

These patches come right on the heels of updates from other major software providers, including Adobe, Apple, Cisco, and VMWare. It can be difficult to keep up with so many patches as they are released, but Acronis Cyber Protect makes deploying patches to one or multiple systems simple and quick.

Lemon Duck is souring Exchange servers

The Lemon Duck cryptocurrency-mining botnet is now using ProxyLogon exploits to target Microsoft Exchange servers. Over 60,000 servers are reportedly vulnerable to these tactics.

Lemon Duck has self-propagating capabilities, and delivers a piece of malware that steals resources from victims’ computers to mine the Monero cryptocurrency. Monero continues an upwards price trend, topping out recently at $509 per coin.

The group behind Lemon Duck continues to refine their tactics. They now use Cobalt Strike and have focused on anti-detection capabilities. Acronis Cyber Protect's behavioral engine detects not only Cobalt Strike but also the unique behaviors indicative of cryptojacking, stopping them before your equipment and resources are exploited.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.