Cyberthreat update from Acronis CPOCs: Week of August 24, 2020

Cyberthreat update from Acronis CPOCs: Week of August 24, 2020Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as newly-discovered business software vulnerabilities and continued ransomware attacks against industry leaders. Here’s a look at some of the most recent breaking news and analyses:

Windows Defender accidentally deletes Citrix files

After a recent signature update, Windows Defender started to mistakenly flag specific Citrix component files as malicious and delete them, breaking the virtualization software’s functionality.

Two Citrix broker services (BrokerService.exe and HighAvailabilityService.exe) were incorrectly identified as Agent Tesla, a well-known trojan with spyware and keylogger functionalities. Citrix quickly became aware of the problem and had to issue workaround advisories to users while waiting on Microsoft to deploy a new signature update.

Situations like this can easily be prevented with Acronis Cyber Protect. In addition to very low out-of-the-box false positive rates, Acronis Cyber Protect can automatically generate organization-specific allow lists from data backups, further minimizing the risk of false positives and enabling easy restoration of any deleted files.

Jack Daniels’ parent company hit by REvil ransomware

The REvil/Sodinokibi ransomware group announced on August 14 that they had compromised the Kentucky-based Brown-Forman — the parent company of whisky brands Jack Daniel’s, Old Forester, The Glendronach, and various other wines and spirits. With a 2020 annual report showing gross profit of over $2 billion and net income of $872 million, Brown-Forman is an undeniably high-value target for any ransomware operator.

The REvil group claims to have stolen 1TB of data, including confidential employee information, financial data, internal communications, and company agreements. Images posted on their leak site indicate that they possess data dating back at least as far as 2009.

The behavior-based ransomware protection included in Acronis Cyber Protect stops REvil and other ransomware variants —both known and unknown — before they can compromise your sensitive data.

Info disclosure vulnerability found in Cisco Webex Meetings desktop app

Cisco has recently patched a security flaw in its Webex teleconferencing client for Windows. If exploited, this vulnerability could allow attackers to open, read, and steal potentially damaging or valuable data.

When the Webex client is configured for automatic login — as it is by default — it opens several memory-mapped files that are not protected against reading or writing. When the user starts a meeting, attackers may be able to gain the user’s access token and impersonate them. Though Cisco has addressed the issue with a new patch, those running outdated versions of the Windows client are still at risk.

Increased use of third-party teleconferencing tools means that organizations are facing heightened exposure to data theft. More than ever before, it’s critical that applications are running the latest patches against bugs and security risks. Integrated patch management capabilities, like those available through Acronis Cyber Protect, can keep your systems up-to-date automatically.

Carnival Cruise Lines hit by ransomware attack

Carnival Corporation, the world’s largest cruise line operator, disclosed that they suffered a ransomware attack on August 15.

In a regulatory filing with the U.S. Securities and Exchange Commission, Carnival stated that the attackers managed to access personally identifiable information (PII) of employees and customers. They did not disclose which ransomware group was behind the attack.

This attack was the latest in a recent streak of high-profile ransomware strikes, highlighting the importance of effective cyber protection. The advanced antimalware heuristics in Acronis Cyber Protect can detect and block both known and unknown strains of ransomware and other cyberthreats.

New phishing scheme uses spoofed COVID-19 webpage, targets government employees

The Cybersecurity and Infrastructure Security Agency (CISA) has indicated that they are tracking an unknown malicious actor who is spoofing the U.S. Small Business Administration (SBA) website as part of a new phishing scheme.

Phishing emails are being sent to recipients in the federal civilian executive branch, as well as state, local, tribal, and territorial governments. These messages include a link — supposedly to some sort of application from the SBA, but which actually directs victims to a spoofed website where a false login form awaits to steal their user credentials.

URL filtering capabilities, such as those included in Acronis Cyber Protect, block access to known malicious websites like this — preventing users from mistakenly handing sensitive data over to cybercriminals.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.