Cyberthreat update from Acronis CPOCs: Week of April 5, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as ransomware strikes against major corporations and the emergence of novel cyberthreats. Here’s a look at some of the most recent breaking news and analyses:

Electronics corporation Acer suffers REvil ransomware attack

Taiwanese electronics company Acer recently fell victim to a REvil ransomware attack. Some sensitive information, including financial spreadsheets and bank communications, has already been leaked as a result of this attack.

Acer is an undeniably high-value target, with over $8 billion in annual revenue. The cybercriminals are seeking a ransom of $50 million, the largest known demand to date, and have threatened to double this if the ransom is not paid quickly.

While the infection vector has not been confirmed by Acer, it’s possible that a recent Microsoft Exchange Server vulnerability is to blame. Earlier this month, we also saw REvil ransomware being distributed through a Gootloader SEO poisoning campaign.

The advanced behavioral analysis engine in Acronis Cyber Protect blocks REvil ransomware — as well as other known and unknown cyberthreats — before they can harm your data and systems.

Energy giant Shell confirmed as latest victim of Accellion FTA attacks

Multinational energy giant Royal Dutch Shell has joined the long and still-growing list of victims in the recent series of attacks on Accellion’s legacy FTA product.

The Accellion FTA attacks have been attributed to the FIN11 financial crime group, active since 2017, and to the Cl0p extortion gang, who had previously focused on ransomware attacks. At this time, there have been no reports of Cl0p’s own ransomware being used in the Accellion FTA attacks.

Shell, which has 25 subsidiaries — including Jiffy Lube, Pennzoil, and Quaker State — and an annual revenue of more than $180 billion, used Accellion’s solution to securely transfer large files. The company has stated that the attackers gained access to both corporate and personal data. Core IT systems were reportedly unaffected by the attack.

Acronis MassTransit offers a fast, easy, and secure file transfer solution that meets the highest security standards and compliance requirements.

Purple Fox malware uses new worm to spread across Windows machines

A new infection method for Purple Fox malware has been discovered in recent weeks, leading to a surge in infections. The malware has evolved to include worm capabilities, allowing it to spread between networked Windows machines and dramatically increase the scale of attacks.

Purple Fox malware has been around since 2018, and includes rootkit and backdoor capabilities. It’s used as a downloader for other malware strains, and has typically spread through exploit kits and phishing emails. Purple Fox became significantly more active in May of last year, with attack volumes rising around 600% to reach a total of 90,000.

The AI-driven heuristic engine in Acronis Cyber Protect Cloud detects malicious behaviors in Purple Fox and other malware variants, blocking cyberthreats before they can damage your systems and spread across your network.

CopperStealer malware targets Facebook, Instagram accounts

CopperStealer, a malware variant first observed in 2019, is actively targeting user credentials and cookies to access Facebook and Instagram accounts.

CopperStealer uses methods similar to those of SilentFade, a known Chinese-based malware that has caused over $4 million in damages from compromised accounts. The malware is active in more than 150 countries and uses over 5,000 unique IP addresses. While its main focus is the theft of Facebook and Instagram credentials, CopperStealer has also been observed delivering modular backdoors such as SmokeLoader.

CopperStealer relies on malicious command-and-control servers to deliver additional payloads. Acronis Cyber Protect's built-in URL filter blocks access to these servers, while its advanced heuristic engine detects and stops credential theft and other malicious activities.

Evil Corp switches tactics to evade sanctions

After being sanctioned by the U.S. Treasury Department, the Evil Corp ransomware gang — the group behind the notorious WastedLocker malware — has changed tactics by deploying a new cyberthreat.

Evil Corp is responsible for over $100 million in damages and ransoms, having attacked large companies such as Garmin, Forward Air, and possibly insurance giant CNA. Hades ransomware, Evil Corp's new malware, shares significant code overlap with WastedLocker but adds new obfuscation tactics and additional features.

New cyberthreats are appearing on the scene constantly, which is why threat-agnostic solutions are so critical for effective cyber protection. Acronis Cyber Protect identifies and blocks the malicious behaviors that are common across malware variants — stopping Hades, WastedLocker, and countless others in their tracks.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.