Cyberthreat update from Acronis CPOCs: Week of October 26, 2020

Cyberthreat update from Acronis CPOCs: Week of October 26, 2020

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as new online threats to watch out for and successful cyberattacks against major corporations. Here’s a look at some of the most recent breaking news and analyses:

Software AG compromised by Clop ransomware

German tech giant Software AG is facing disruptions after being hit by Clop ransomware. The ransomware group has demanded a payment of $20 million, one of the largest demands in ransomware history.

After negotiations failed, Clop began leaking sensitive data — including employee ID scans, passports, emails, financial documents, and internal network information — via a leak site on the dark web. Software AG has recently recanted initial statements that customer data had not been stolen.

Software AG is one of the world's largest tech firms, with offices in 70 countries and over 10,000 enterprise customers. The AI-based threat detection capabilities in Acronis Cyber Protect can recognize and prevent both known and unknown ransomware variants before they can impact your systems — or the clients who rely on them.

Emotet trojan returns disguised as Windows update

After a brief pause on the global stage, the Emotet trojan has been spotted in a phishing email campaign, disguised as a fake Windows update.

Since August of this year, the Cybersecurity and Infrastructure Security Agency (CISA) has recorded over 16,000 alerts related to Emotet activity targeting U.S. state and federal organizations. The Department of Homeland Security is warning that Emotet is one of the most prevalent cyberthreats today.

The group behind Emotet has used many types of lures in the past, trying to entice victims into downloading and opening malicious email attachments. The latest iteration has a new trick: once the email's attachment — which appears to be a Windows update — is downloaded and opened, it prompts the victim to “enable content” and allow macros to execute Emotet's payload.

As with other phishing attempts, this campaign relies on well-crafted emails to trick victims into accidentally exposing their system or network to malware. The advanced heuristics in Acronis Cyber Protect block Emotet and other malware variants before they can cause harm.

French IT consulting firm hit by Ryuk ransomware

Sopra Steria, a $5 billion IT company, is the most recent victim of the Ryuk ransomware. While the company has not provided any details beyond confirmation of the attack itself, multiple sources report that their Active Directory infrastructure and several servers were encrypted.

Ryuk was one of the most active ransomware groups last year, collecting around $3 million in ransoms per month. The group went silent for a while, but popped up again with a series of new attacks in September.

The attack vector used in this particular attack is unclear at this time, but Ryuk tends to rely on spear phishing email campaigns that distribute malicious documents. Once opened by the victim, these deploy a Cobalt Strike payload and move laterally, ultimately taking over the network and domain controller. Generally, the attackers also attempt to terminate any local security tools and delete data backups before beginning encryption.

Acronis Cyber Protect effectively blocks Ryuk and other ransomware variants without any data loss. It also features sophisticated self-defense capabilities to protect itself — and your backups — from tampering by cybercriminals.

Zoom introduces end-to-end encryption to improve security

Zoom is adding end-to-end encryption to its video conferencing service, now available as a technical preview to both free and paid users.

After exploding in popularity in the early stages of the COVID-19 pandemic, Zoom received considerable scrutiny when it was discovered that malicious actors could join calls without authorization, and even use the service to spread malware. The company was already using 256-bit GCM encryption on its app clients, but data in-transit has been unencrypted until now.

The addition of end-to-end encryption is the first step in a four-step process that Zoom is undertaking to improve overall security. Acronis Cyber Protect’s patch management capabilities ensure that Zoom and the other business-critical applications you rely on are up-to-date and safeguarded against modern cyberthreats.

Office 365 and Facebook credentials stolen in phishing campaign

In an attempt to collect user credentials, recent phishing campaigns are directing victims to fake login pages for Facebook as well as office and collaboration applications like Office 365 and Zoom. These attacks began in the second week of October, increasing considerably on October 15.

These phishing attacks are using redirect chains to send users to multiple websites — some to avoid security checks, others to check the screen size — before landing on fake login pages. In addition to stealing credentials, malicious links on some of the pages are even using JavaScript to install additional malware, including the Cryxos trojan.

The number of potential victims affected by Facebook phishing alone is currently more than 450,000. Acronis Cyber Protect blocks access to malicious URLs — like the ones used in these attacks — while also preventing malware from running on your systems.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.