Cyberthreat update from Acronis CPOCs: Week of November 16, 2020

Cyberthreat update from Acronis CPOCs: Week of November 16, 2020

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as successful ransomware strikes against major companies, and the rise in scams driven by the current cryptocurrency bear market. Here’s a look at some of the most recent breaking news and analyses:

Compal Electronics hit by DoppelPaymer ransomware

Taiwanese device manufacturer Compal Electronics, the world’s second-largest original design manufacturer (ODM), has fallen victim to a DoppelPaymer ransomware attack.

Compal initially denied any breach, claiming that service interruptions were simply due to an issue with their internal office automation system. Media sources, however, were able to locate customized ransom notes from the DoppelPaymer group, who were demanding roughly $16 million in Bitcoin for the return of stolen business data — with a discount of roughly $500,000 if the ransom was paid within three days.

Acronis Cyber Protect detects and blocks DoppelPaymer and other ransomware threats with its advanced behavioral heuristics — protecting your critical data from malicious actors.

Capcom, Campari hit by Ragnar Locker ransomware

The Ragnar Locker ransomware group has successfully carried out strikes against videogame giant Capcom and beverage company Campari Group. Ragnar Locker claims to have exfiltrated over 1 TB of data from Capcom — including accounting files, employee and client data, and intellectual property — and is asking for around $11 million in Bitcoin. Campari had 2 TB of data stolen, with $15 million in Bitcoin demanded for its return.

Of particular interest here is Ragnar Locker’s reaction when Campari Group refused to negotiate. The ransomware gang bought Facebook ads to shame Campari for not paying up, suggesting that the company doesn’t place enough value on protecting customer data.

This double attack continues a trend of ransomware gangs becoming both bolder and craftier in their threat campaigns. Acronis Cyber Protect effectively stops Ragnar Locker and other ransomware variants in their tracks.

Cryptocurrency bear market sees increase in scams

Around $300,000 of Ripple (XRP), a digital currency similar to Bitcoin, was stolen recently when attackers used a look-alike domain to pose as the hardware wallet Ledger.

The threat actors were able to create a website that was almost identical to Ledger’s — the only visible difference being the replacement of the “e” in the domain name with the tailed character “ę”. Ledger users received an email directing them to the fake site. When they attempted to sign in through this link, their user credentials were captured.

With Bitcoin and other cryptocurrencies reaching near-record highs, we’re starting to see these sorts of hardware wallet attacks on a near-weekly basis — generally using social engineering tricks to compromise victims. While such tactics can be tough for many traditional defenses to guard against, Acronis Cyber Protect features built-in URL filtering capabilities that block phishing links and other malicious domains.

Fake Microsoft Teams update installs malware

Microsoft recently reported that an attack group bought and place malicious advertisements for the Microsoft Teams collaboration software. These ads lure victims to infected websites that prompt visitors to download an “update” to Teams.

This fake update is actually password-stealing malware — either Bladabindi or Predator — which later downloads the Cobalt Strike backdoor. This can lead to further compromise of systems, even the installation of targeted ransomware.

We are seeing a wave of malware focused on the education sector, which currently relies heavily on Teams and other videoconferencing software due to the COVID-19 pandemic. Acronis Cyber Protect features URL filtering capabilities that block access to malicious websites, as well as patch management tools that ensure only verified, legitimate updates are installed.

112 vulnerabilities fixed in Microsoft’s November Patch Tuesday

Microsoft's most recent security update release includes 112 fixes for vulnerabilities. Of these, 17 are classified as “critical” and 93 are classified as “important.”

Critical vulnerabilities, in this context, are those whose exploitation could allow attackers to execute code without user interaction — for instance, triggering malware installation simply by getting users to visit a malicious website or opening an infected email. One such flaw is a zero-day privilege escalation vulnerability found in the Windows Kernel Cryptography Driver.

While Microsoft has recently released fixes for these and many other vulnerabilities, it’s up to end users to ensure that their systems are patched as quickly as possible. Acronis Cyber Protect makes patching fast and easy by automatically detecting and installing official updates to business-critical applications.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.