Cyberthreat update from Acronis CPOCs: Week of March 29, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as major vulnerabilities in popular business software and new spins on classic cyberthreats. Here’s a look at some of the most recent breaking news and analyses:

Four Microsoft Exchange Server zero-day vulnerabilities exploited

Four zero-day vulnerabilities in Microsoft’s Exchange email platform have been discovered and exploited by the Hafnium group, with additional threat actors jumping at the opportunity to follow. These exploits have allowed cybercriminals to drop backdoors and web shells in affected systems, setting up further attacks.

As the name indicates, these vulnerabilities were already being actively exploited before Microsoft was made aware of their existence. Patches for the vulnerabilities have been available since March 2, and Microsoft is urging any organization running Exchange servers to install the updates immediately.

In the U.S. alone, it is thought that at least 30,000 organizations have been affected by these attacks. With more than 63,000 Exchange servers still missing the updates, it is likely there are more to come. The patch management features in Acronis Cyber Cloud alert you to available updates for Exchange Server (and other business-critical software), and make it easy to install these patches automatically.

RedXOR Linux backdoor operated by state-backed actors

A sophisticated new backdoor that targets Linux endpoints and servers has recently been discovered. Called RedXOR, it targets older releases of Red Hat Enterprise Linux, posing as a polkit daemon. The backdoor stores data in a hidden directory before sending it to a command-and-control server in traffic disguised as harmless HTTP. Notably, RedXOR shares code with known nation-state-sponsored malware.

While Windows and Apple dominate the market share of personal computer operating systems, Linux runs on over 96% of the world's top 1 million servers. In addition, 90% of all cloud infrastructure operates on some form of the Linux operating system.

In 2020, we saw a record-breaking increase in new Linux-based malware — and there’s no end in sight. Acronis Cyber Protect's advanced heuristic engine protects Linux-based environments and effectively detects RedXOR and its variants.

March Patch Tuesday fixes two zero-day vulnerabilities, other critical flaws

This month's Patch Tuesday brought a total of 89 patches, including fixes for 14 vulnerabilities marked as “critical” and two that were already being exploited by malicious actors.

The majority of the “critical” patches addressed bugs that could lead to remote code execution on affected machines. These flaws were present in DirectX, the Windows Registry, the Windows Codecs Library, Windows Admin Center, Event Tracing, Win32K, and even the Windows Remote Access API. One of the most critical patches fixed an actively exploited memory corruption vulnerability in Internet Explorer, which gives an attacker who lures a user to a malicious website the same permissions on the victim’s system as that user.

Of course, patches are only effective if they’re actually applied. With Acronis Cyber Cloud, keeping systems updated against the latest vulnerabilities is simple. Vulnerability assessment capabilities keep you informed of available updates to critical applications, while patch management features enable automatic patching for one or many machines.

Google reCAPTCHA misused to obtain Microsoft 365 credentials

A recent phishing campaign targeted at least 2,500 senior managers at various companies, many in the financial and IT sectors.

Victims were lured to a phishing website either via a link to a (purported) voicemail message, or via a link to a secure document share that could supposedly only be viewed online. The provided links first presented a Google reCAPTCHA as a distraction that lends an appearance of credibility, before finally sending victims to a fake Office 365 login page that featured the logo of the victim’s company. Using reCAPTCHA in this way can hinder automated detection by many cybersecurity solutions, since scanners that cannot solve the challenge never reach the phishing page itself.

The Acronis Cyber Protection Operation Center (CPOC) blocked nearly 700,000 malicious web requests in February 2021, representing an increase of 37% over the previous month. The URL filtering capabilities in Acronis Cyber Protect Cloud prevent users from reaching phishing websites, while anti-malware functionality blocks the execution of malicious attachments that are also often used in phishing scams.

Hacktivism takes root in India with support for farmers

A group of activists dubbed Khalsa Cyber Fauj are spreading ransomware as a show of support for Indian farmers.

Opposition to three farm acts in India has sparked the largest protests in history, drawing in over 250 million individuals worldwide. Riots associated with the protest movement have caused millions of rupees in damages and resulted in over 20 deaths to date.

Activists, who have used physical methods like road and border blockades, are now turning towards an open-source ransomware called Sarbloh, which is hidden in Word documents. Unlike traditional ransomware, the demanded ransom is not money; rather, the attackers state that they will only decrypt files when lawmakers repeal the farm acts.

Whether a strain of ransomware is new or old, open-source or not, Acronis Cyber Protect’s threat-agnostic anti-malware engine detects the defining behaviors that identify ransomware and blocks it before execution.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.