Cyberthreat update from Acronis CPOCs: Week of May 3, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as large-scale strikes against major organizations and the emergence of new malware threats. Here’s a look at some of the most recent breaking news and analyses:

QNAP vulnerability leads to $260,000 in ransoms over five days

QNAP Systems, the second-largest provider of network-attached storage (NAS) solutions with a market share of over 36%, has removed a vulnerability that allowed attackers to access QNAP devices using hard-coded credentials in the HBS backup and disaster recovery service.

This vulnerability has already been exploited by the Qlocker ransomware. Cybercriminals used the legitimate archive utility 7-Zip to encrypt files on the NAS devices. The ransom demanded in these attacks was only 0.01 Bitcoins, currently worth about $500. In demanding a relatively low amount, the attackers are hoping that victims will be significantly more likely to pay. The tactic appears to be working, as the cybercriminals have netted $260,000 in just five days, with additional ransom payments still possible.

Attacks like this demonstrate the need for a properly secured backup and disaster recovery solution. Acronis Cyber Protect Cloud’s backup and disaster recovery capabilities are protected against ransomware and other attacks, and are tested for flaws through the HackerOne bug bounty program to ensure that the platform remains vulnerability-free.

Brazil’s court system toppled by REvil ransomware

Last week, employees at the Tribunal de Justiça do Estado do Rio Grande do Sul — the court system for the Brazilian state of Rio Grande do Sul — discovered that their files were no longer accessible. The court then posted a warning on Twitter advising its workers not to connect to the intranet or remotely access any internal services, a clear indication of a ransomware strike.

It remains unclear how much data was stolen by the REvil gang in this cyberattack. No data has yet been leaked, but a ransom demand of $5 million has been issued. Brazil's Superior Court of Justice was compromised in a similar attack by the RansomExx group last November.

Any sector — public or private — can easily wind up a target of cybercriminal activity. That’s why it’s so important to have a comprehensive cyber protection strategy that includes both cybersecurity and disaster recovery capabilities. Acronis Cyber Protect integrates cybersecurity with data protection, and allows you to boot up backups as virtual machines in the cloud within minutes, minimizing business continuity interruptions.

Is that a RAT in your wallet? Your crypto may not be safe

Threat actor ComplexCodes has been selling a newer version of its WeSteal cryptocurrency theft malware since mid-February 2021. The group claims that WeSteal is the “world’s most advanced” crypto-stealer and presents it as "...the leading way to make money in 2021."

From 2019 to 2020, cryptocurrency theft increased by nearly 40% to $513 million. For as little as $25 per month, ComplexCodes is providing a crimeware-as-a-service package that includes antivirus bypassing, zero-day exploits, and of course, cryptocurrency theft — specifically, the opportunity to steal Bitcoin, Bitcoin Cash, Ethereum, Litecoin, and Monero. ComplexCodes has also released WeControl, which they’re marketing as a RAT/botnet hybrid, enabling control of multiple remote access Trojans across many C&C servers.

Cryptocurrency theft is here to stay, and will likely continue to increase in popularity among cybercriminals. The Active Protection technologies in Acronis Cyber Protect use behavioral analysis to halt info-stealing malware in its tracks — securing you against both known cyberthreats and those never seen before.

New malware observed in worldwide phishing campaign

A massive phishing campaign recently targeted about 50 organizations spanning the globe with well-tailored phishing emails, delivering malware strains that have never been seen before. Interestingly, this attack came from an undocumented threat actor, about whom little is currently known.

About 74% of the attacked organizations were US-based, while the other 26% were located in Europe, the Middle East, Asia, and Australia. Victims span multiple industries, including medical providers, automotive makers, military contractors, and high-tech electronics manufacturers.

Though the malware used in this attack is new — and research into it is underway — the attackers relied on tried-and-true methods for its distribution, including JavaScript-based downloaders and compromised Excel documents. Acronis Cyber Protect's behavioral analysis engine detects and blocks suspicious processes, safeguarding you against both known and unknown cyberthreats.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.