January 30, 2021 — Eric Swotinsky
Tags: Malware analysis, Incident reports, Client education

Cyberthreat update from Acronis CPOCs: Week of January 25, 2021


Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as newly-discovered cryptojackers and severe vulnerabilities in popular software. Here’s a look at some of the most recent breaking news and analyses:

macOS cryptominer evades detection for five years

While the macOS OSAMiner malware has been known about for years, a newly-discovered version may have been circulating undetected for as long as five years.

This new variant appears to avoid detection by embedding one run-only AppleScript inside another. Run-only scripts are distributed as compiled code without their source, so they contain nothing human-readable and are difficult to decompile and analyze — and nesting one inside another compounds that difficulty.

Apple sold more than 18 million Mac computers in 2019 alone, meaning that tens of millions of computers were left vulnerable to this cryptominer in the years it remained undetected. Cryptominers can eat up processing power, physically stress your systems, and even raise electricity costs, cutting into your bottom line.

The Active Protection capabilities included in Acronis Cyber Protect for macOS stop OSAMiner — both the old and new versions — as well as other malware before they can do any harm to your systems.

DeroHE ransomware strikes IObit forum users

All members of the IObit developer forum recently received a malicious email containing a tempting offer of free software, hosted on the original forum website (forums.iobit.com).

The software package contained the legitimate IObit License Manager tool as well as an unsigned malicious file called IObitUnlocker.dll. This file, in turn, contained the DeroHE ransomware, which executed upon installation as part of a simple supply chain attack.

The DeroHE ransomware adds an exclusion to Windows Defender to bypass detection, and then encrypts all of the user’s files. The group has asked for a ransom of $65,000 from IObit — or $125 from each victim — to be paid in the new cryptocurrency Dero.
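A defender-side check for the tactic described above, written as an added example that is not code from Acronis or from any DeroHE analysis: it scans exported Windows Defender event records for configuration changes that add an exclusion and flags the ones pointing at user-writable locations, whole drives, or executable extensions. It assumes Defender records configuration changes as Event ID 5007 with a "New value:" line naming the changed registry key; the sample records are constructed to approximate that format.

```python
"""Flag Windows Defender exclusion additions in exported event records.

Added example (not Acronis code). Assumes Event ID 5007 messages carry a
'New value:' line naming the Exclusions registry key that changed; the
sample events below are constructed to approximate that layout.
"""
import re
from dataclasses import dataclass

# Constructed sample: records as they might appear in a text export of the
# Microsoft-Windows-Windows Defender/Operational channel.
SAMPLE_EVENTS = [
    {"id": 5007, "time": "2021-01-20T10:12:03", "message":
        "Windows Defender Antivirus Configuration has changed.\r\n"
        "\tOld value: \r\n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
        "C:\\Users\\alice\\AppData\\Local\\Temp = 0x0"},
    {"id": 5007, "time": "2021-01-20T10:12:09", "message":
        "Windows Defender Antivirus Configuration has changed.\r\n"
        "\tOld value: \r\n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\"
        "C:\\Program Files\\Vendor\\updater.exe = 0x0"},
    {"id": 1116, "time": "2021-01-20T10:13:00", "message":
        "Windows Defender Antivirus has detected malware or other potentially unwanted software."},
    {"id": 5007, "time": "2021-01-20T10:14:41", "message":
        "Windows Defender Antivirus Configuration has changed.\r\n"
        "\tOld value: \r\n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
        "DisableRealtimeMonitoring = 0x1"},
    {"id": 5007, "time": "2021-01-20T10:15:02", "message":
        "Windows Defender Antivirus Configuration has changed.\r\n"
        "\tOld value: \r\n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\dll = 0x0"},
]

# Matches the registry key named on the 'New value:' line of an exclusion change.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<target>.+?)\s*=\s*0x[0-9a-f]+",
    re.IGNORECASE,
)

# Locations an unprivileged user (or malware running as that user) can write to.
RISKY_PATH_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "bat", "vbs", "js", "scr"}


@dataclass
class ExclusionChange:
    time: str
    kind: str        # Paths, Processes or Extensions
    target: str      # the excluded path, process or extension
    suspicious: bool


def is_suspicious(kind: str, target: str) -> bool:
    """Heuristic: exclusions on user-writable dirs, whole drives or executable types."""
    t = target.lower().strip()
    if kind.lower() == "paths":
        whole_drive = re.fullmatch(r"[a-z]:\\?", t) is not None
        return whole_drive or any(m in t for m in RISKY_PATH_MARKERS)
    if kind.lower() == "processes":
        return any(m in t for m in RISKY_PATH_MARKERS)
    return t.lstrip(".") in RISKY_EXTENSIONS


def find_exclusion_changes(events):
    """Return every exclusion added via an Event ID 5007 record, with a risk flag."""
    found = []
    for ev in events:
        if ev.get("id") != 5007:
            continue
        m = EXCLUSION_RE.search(ev["message"])
        if not m:            # some other Defender setting changed; not an exclusion
            continue
        kind, target = m.group("kind"), m.group("target").strip()
        found.append(ExclusionChange(ev["time"], kind, target, is_suspicious(kind, target)))
    return found


if __name__ == "__main__":
    for change in find_exclusion_changes(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if change.suspicious else "review"
        print(f"{change.time} {flag:10} {change.kind}: {change.target}")
```

The realtime-protection change in the sample is deliberately left unflagged here to keep the example focused on exclusions; in production the same 5007 feed is worth watching for that key as well.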

Acronis Cyber Protect monitors the data-access behavior of all processes, and blocks both known and unknown ransomware variants before they can encrypt your system.

MrbMiner cryptominer infects thousands of servers

A new family of cryptominers, MrbMiner, has been discovered targeting MSSQL servers.

MrbMiner attempts to brute-force passwords on selected servers. Once it succeeds, it begins hijacking processes to mine the Monero cryptocurrency. Cybersecurity researchers quickly tracked the malware back to a domain owned by a legitimate Iran-based software company.
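The password brute-forcing stage described above leaves a distinctive trail in the SQL Server error log, and the following is an added example (not Acronis code, and not derived from MrbMiner itself) of detecting it: a sliding-window count of failed logins per client address. It assumes the error log's "Login failed for user '…'. … [CLIENT: ip]" line format; the log lines used as input are constructed to mimic that format.

```python
"""Detect password-guessing against SQL Server from its error log.

Added example (not Acronis code). Assumes the error log's
"Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]" line format;
the sample log below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one noisy client hammering 'sa', one client with two
# unrelated failures 25 minutes apart.
SAMPLE_LOG = """\
2021-01-25 03:14:01.11 Logon       Error: 18456, Severity: 14, State: 8.
2021-01-25 03:14:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2021-01-25 03:14:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2021-01-25 03:14:01.72 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2021-01-25 03:14:02.05 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2021-01-25 03:14:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2021-01-25 03:14:02.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2021-01-25 03:20:15.02 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
2021-01-25 03:45:15.02 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
""".splitlines()

LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(lines):
    """Yield (timestamp, user, client) for each 'Login failed' line, in log order."""
    for line in lines:
        m = LOGIN_FAILED_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: details} for clients with >= threshold failures inside a sliding window.

    The window slides per client: timestamps older than `window` relative to the
    newest failure are dropped before the count is compared with the threshold.
    """
    recent = defaultdict(deque)    # client -> timestamps of failures still inside the window
    users_tried = defaultdict(set) # client -> every login name it attempted
    alerts = {}
    for ts, user, client in parse_failed_logins(lines):
        q = recent[client]
        q.append(ts)
        users_tried[client].add(user)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = {
                "first_seen": q[0],
                "failures_in_window": len(q),
                "users": sorted(users_tried[client]),
            }
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{client}: {info['failures_in_window']} failures since {info['first_seen']}, "
              f"logins tried: {', '.join(info['users'])}")
```

Threshold and window are deliberately parameters: a reporting service with a rotated password produces a handful of failures an hour, whereas a password-guessing tool produces many per second from one address, and the cheap response is to rate-limit or block that address at the firewall while the exposed instance is moved off the internet.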

As long as cryptomarkets continue to rise, cryptojacking will continue to evolve and steal resources. Cryptojacking attacks increased 163% last year, and 55% of all businesses — including Tesla and Starbucks — have been affected.

Whether you’re targeted by MrbMiner, Lemon Duck, KingMiner, or any other cryptominer, Acronis Cyber Protect uses behavioral heuristics to stop cryptojacking attacks before they can bog down your systems.

VLC media player fixes remote code execution vulnerabilities

Version 3.0.12 of the popular cross-platform VLC media player includes multiple security fixes, including patches for vulnerabilities that would allow execution of arbitrary code with the same system privileges as the active user.

Remote code execution (RCE) vulnerabilities can lead to anything from the theft of sensitive data, to the running or installation of malware, or even a full system takeover by the attacker. In this case, an attacker could craft a media file that triggers the flaw when a victim opens it with a vulnerable version of VLC. Such files may look legitimate, and even play properly in VLC, while running malicious processes in the background.

Until this patch was issued, these vulnerabilities existed in VLC for as many as 3.5 billion installations across Linux, Mac, and Windows systems — and they still exist in unpatched clients. Acronis Cyber Protect keeps your software up-to-date with its integrated vulnerability assessment and patch management capabilities.

Two large earthquakes strike Indonesia in one week

Indonesia frequently experiences relatively small earthquakes, owing to the nearby meeting of tectonic plates. But earlier this month, two major earthquakes — with magnitudes of 6.2 and 7.0 — were felt in close succession.

The 6.2 magnitude quake hit the Sulawesi province hard, killing 84 people, injuring about 1,000, and displacing more than 40,000 while causing millions of dollars in property damage. Less than one week later, a 7.0 magnitude quake occurred nearly 100 km below the ocean’s surface, the depth thankfully sheltering the populace from significant damage or the threat of tsunamis at a time when recovery from the initial quake was still in progress.

It’s not uncommon for earthquakes to lead to more earthquakes, or to cause massive tsunamis in coastal regions like Indonesia. When your systems go down, the disaster recovery capabilities in Acronis Cyber Cloud allow you to failover to the Acronis Cloud, restoring normal business operations in a matter of minutes rather than hours or days.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.