Cyberthreat update from Acronis CPOCs: Week of December 7, 2020

Cyberthreat update from Acronis CPOCs: Week of December 7, 2020

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as high-profile ransomware strikes and the latest cyberthreat arrivals. Here’s a look at some of the most recent breaking news and analyses:

Acronis Cyberthreats Report 2020 is now available

Acronis recently published this year’s annual Cyberthreats Report, covering current statistics and trends in the cyberthreat landscape — as well as predictions for what next year will bring.

In 2020, over 1,000 companies had their data exfiltrated and leaked in ransomware attacks. Acronis expects continued increases in this double-extortion tactic throughout next year, as it remains highly profitable. The notorious Maze group was responsible for about half all successful ransomware strikes against major targets in the first half of the year. In November, they announced their retirement, but over 50 new ransomware families have already appeared in their wake.

The average lifespan of a malware sample — before it’s replaced by a new variant — is down to just 3.4 days. Thirty-one percent of global companies report that they were attacked at least once per day in 2020. These are clear indications that automation is driving an increase in threat evolution and attack frequency.

Acronis Cyber Protect offers AI-based, multilayered threat protection that efficiently blocks new threats without the risk of data loss.

Chip manufacturer Advantech faces $14 million ransom

IoT chip manufacturer Advantech has confirmed that they’ve been hit with a ransomware attack by the Conti gang. Advantech is one of the world’s leading manufacturers of IT products and solutions, with over 8,000 employees in 92 major cities and an annual revenue of over $1.7 billion.

Conti has demanded a ransom of 750 bitcoin, currently worth around $14 million. In an effort to increase the pressure on Advantech to pay up, the ransomware gang has released 3 GB of stolen data — representing around 2% of the total volume — on their data leak site.

Advantech has thus far refused to comment on whether they will pay the ransom, but with data leaked and operations halted, the damage is already done. Conti's Ryuk-like ransomware and other malware variants can easily be stopped with Acronis Cyber Protect’s leading heuristic engine before encryption and exfiltration begins.

Delaware County, PA pays ransom after DoppelPaymer attack

Delaware County, PA was hit by the DoppelPaymer ransomware and has chosen to pay the $500,000 ransom demand, as they are insured against ransomware attacks.

Files encrypted in the cyberattack include databases for police reports, payroll, purchasing, and other data. Emergency services, prosecution evidence, and the Bureau of Elections were not affected by the attack. The attack was detected quickly, and the county took systems offline to stop further spread of the ransomware. Further details are unavailable, pending an FBI investigation.

The anti-ransomware capabilities in Acronis Cyber Protect stop malware variants like DoppelPaymer before they cause extensive damage, while integrated backup features can automatically authenticate and restore any encrypted files in seconds.

OceanLotus releases macOS backdoor

OceanLotus, formally known as APT32, has released a new backdoor for Macs that uses multi-stage malware payloads and improved anti-detection techniques. The group has been active since at least 2013, and has launched attacks on media outlets, research organizations, and even construction companies.

The new OceanLotus backdoor is spread through a .zip archive with two files, one being a fake Word document, and the other being a malicious shell script. The document file utilizes an unexpected three bytes between the '.' and 'doc' in the file extension, which cannot be seen when looking at the file name, but causes the system to open the malicious app bundle as a default action.

Once run, the backdoor collects system information, including processor and memory information, serial numbers, and MAC addresses; encrypts the data; and sends it to a command and control (C&C) server. Once connected to the C&C server, the backdoor can receive additional commands, like running commands in Terminal and retrieving additional malware.

Acronis Cyber Protect uses URL filtering to block access to known malicious domains, and provides Active Protection to prevent malware from running on macOS and other systems.

Over 2 million phishing websites registered by Google in 2020

Google has registered a record-breaking 2.02 million phishing domains in 2020, according to Atlas VPN. This equates to an average of 46,000 new malicious websites per week, and is an increase of nearly 20% over last year.

Data suggests that this activity skewed higher near the beginning of the year, with around 500,000 sites registered between February and May — in the early stages of the COVID-19 pandemic. This was likely a response to a rapid increase in internet usage and pandemic-related panic at the time.

Still, while it may be tempting to dismiss this flood of new phishing threats as specific to 2020, such domain registrations have been trending upwards at an average of nearly 13% per year since 2015. Acronis Cyber Protect’s built-in URL filtering capabilities can recognize and stop browser interactions with malicious websites.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.