Cyberthreat update from Acronis CPOCs: Week of July 27, 2020

Cyberthreat update from Acronis CPOCs: Week of July 27, 2020

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of new hazards in the digital landscape. Here’s a look at some of the most recent breaking news and analyses:

Garmin crippled by WastedLocker ransomware

Garmin, one of the world’s largest wearable device companies, has confirmed that the major outage that began on July 24 was due to a WastedLocker ransomware attack. This attack forced Garmin to halt contact center operations, Garmin Connect, and even production lines in Taiwan.

With an estimated $4 billion in annual revenue, Garmin is certainly a high-value target. While the requested ransom amount is not currently known, recent WastedLocker attacks have demanded amounts ranging from $500,000 into the millions.

The advanced AI-based heuristics and behavioral detection of Acronis Cyber Protect can effectively stop WastedLocker and other ransomwares before they can spread and encrypt your files.

Emotet-Trickbot malware duo is back after five months

One of the world’s largest botnet malware strains has reemerged after a five-month dormancy and started a massive new spam campaign.

Malicious messages — claiming to be payment reports, invoices, shipping information, and employment opportunities — are being sent to victims along with a Microsoft Word or Excel document. These documents install the Emotet trojan on the victim’s device using macros enabled in the Microsoft utility.

Emotet, in turn, downloads and executes the information harvesting trojan TrickBot, which exfiltrates valuable data to a remote server. Once this is complete, TrickBot opens a reverse shell to the attacker, who is then able to install ransomware on the compromised device and demand payment.

For users with sensitive data, it’s critical to stay protected against malware like Emotet and TrickBot. The multi-layered antimalware features in Acronis Cyber Protect are tested and proven to defend against these programs and others.

Major Argentine telecom falls victim to ransomware attack

On July 18, Argentina’s largest telecom provider was hit by a ransomware attack — likely by the Sodinokibi group — demanding a $7.5 million ransom. As is typical of many attackers who want to force a quick decision from the victim, this demand was set to double if not paid within 48 hours.

The ransomware allegedly infected over 18,000 workstations, including terminals with highly sensitive data. This data was consequently exfiltrated by the attackers and could be sold or released online.

Sodinokibi and other ransomware strains are effectively blocked by the AI-powered heuristics in Acronis Cyber Protect, while integrated backups allow compromised data to be restored almost instantly.

New phishing campaign abuses enterprise cloud services

A new phishing campaign is exploiting confidence in popular enterprise cloud services — including Microsoft Azure, Microsoft Dynamics, and IBM Cloud — and tricking users into revealing their login information.

Attackers are sending malicious emails that appear to come from the victim’s IT department and mimic a “quarantined” message. The victim is encouraged to open a link in the email to retrieve the important-sounding memo, at which point they are taken to a fake login page that captures their credentials.

URL filtering capabilities, like those enabled by Acronis Cyber Protect, can prevent users from accessing phishing websites and block outgoing traffic to malicious sources — keeping their passwords safe from cybercriminals.

Mac cryptocurrency trading apps bundled with GMERA malware

Multiple websites have been discovered promoting malicious clones of the popular “Kattana” cryptocurrency app for macOS. These cloned apps are bundled with the GMERA malware.

Once installed, the malware connects to a command and control server and opens up a reverse shell back to the attacker. In doing so, it’s able to take screen captures and steal other information from the victim’s system — including browser history, cookies, and cryptocurrency wallets — in an attempt to empty the victim’s cryptocurrency assets.

While popular opinion may hold that “Macs don’t get viruses”, antimalware experts understand that any system is vulnerable if left unprotected. Acronis Cyber Protect’s AI-based detection can prevent ransomware from infecting endpoints before encryption begins — on macOS and other operating systems.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and our CPOC updates as they’re posted.