July 22, 2020 — Eric Swotinsky
Malware analysis | Incident reports | Client education

Cyberthreat update from Acronis CPOCs: Week of July 18, 2020


Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of new hazards in the digital landscape. Here’s a look at some of the most recent breaking news and analyses:

Multiple high-profile Twitter accounts hijacked to push Bitcoin scam

A group of high-profile Twitter accounts — including those of Barack Obama, Bill Gates, and Elon Musk — were hijacked recently by attackers pushing Bitcoin scam messages. These compromised accounts sent out tweets requesting donations to a specific cryptocurrency wallet, claiming that any money received would be doubled and returned as a charitable gesture.

Twitter reacted by freezing hundreds of accounts, but the attackers had already received over 360 transactions, pocketing upwards of $116,000 in total.

The exact details of the attack are not publicly known, but it appears that Twitter employees were targeted and compromised, and their internal access privileges used to send out the messages. It remains unclear whether the attackers gained access to other data in the process, such as direct messages (DMs) or phone numbers.

Integrated URL filtering capabilities, like those present in Acronis Cyber Protect, can prevent your organization’s users from accessing the kind of fraudulent websites used to collect donations in this attack.

Zero-day Zoom vulnerability could allow the full takeover of Windows PCs

A recently disclosed zero-day vulnerability in Zoom for Windows could allow an attacker to fully take over a victim’s computer. This vulnerability is said to exist in all versions of Zoom installed on Windows 7 (or any older Windows versions), as well as Windows Server 2008 R2.

While Microsoft’s official support for Windows 7 and Windows Server 2008 ended in January of this year, millions of home and corporate users continue to run this software. Zoom has fixed the issue in version 5.1.3 of their client, but users who have yet to update Zoom on machines running older operating systems remain at serious risk.

Acronis Cyber Protect provides extended security for applications such as Zoom and can prevent exploitation of vulnerabilities like this one — even without a patch installed. Patch management capabilities also help to ensure that you’re running the latest protective updates as they roll out.

Microsoft patches over 100 vulnerabilities in July 2020

On Patch Tuesday this month, Microsoft released 123 patches for common vulnerabilities and exposures (CVEs) and one foreign advisory. Of the CVEs, 105 are considered “important” updates, while 18 are considered “critical”.

The most critical patch issued this month was for CVE-2020-1350, a wormable remote execution vulnerability that allows arbitrary code execution on Windows DNS servers and can spread across affected networks. The CVSS score for this vulnerability is 10 — the highest possible severity. Other critical code execution vulnerabilities were found in .NET Framework, SharePoint Server, Visual Studio, and Outlook.

Acronis Cyber Protect’s patch management capabilities can detect unpatched systems and automatically install updates from Microsoft and other software vendors, keeping users safe.

Source code of ArisLocker ransomware appears on the dark web

Threat actors have released the source code of the ArisLocker ransomware on the dark web, enabling would-be attackers around the globe to quickly modify the program and create new variants for sale.

When source code is disseminated like this, it tends to create a race between malicious actors looking to capitalize on the provided foundation and white-hat researchers hoping to better detect and prevent attacks. While ArisLocker currently uses a relatively weak encryption mode (AES in ECB mode, AES.MODE_ECB), this weakness is likely to be corrected as new threat actors build on the code’s framework.
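As an added illustration of why ECB is considered weak (this is not code from the page or from ArisLocker), the Go program below encrypts a constructed sample file with a constructed key in ECB and in CTR mode and counts repeated ciphertext blocks: ECB maps equal plaintext blocks to equal ciphertext blocks, so file structure leaks through the encryption, and the same repeated-block count is a simple heuristic an analyst can run over encrypted files to recognize ECB. Go's standard library deliberately provides no ECB helper, so ECB is written out by hand here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo values; the sample "file" is one 16-byte record four times.
var (
	demoKey     = []byte("0123456789abcdef")
	demoNonce   = []byte("fedcba9876543210")
	samplePlain = bytes.Repeat([]byte("PATIENT RECORD  "), 4)
)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// encryptECB applies the block cipher block by block, which is all ECB is.
func encryptECB(key, plain []byte) []byte {
	block, out := mustAES(key), make([]byte, len(plain))
	for i := 0; i+aes.BlockSize <= len(plain); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plain[i:i+aes.BlockSize])
	}
	return out
}

// encryptCTR XORs each block with a distinct keystream block instead.
func encryptCTR(key, nonce, plain []byte) []byte {
	out := make([]byte, len(plain))
	cipher.NewCTR(mustAES(key), nonce).XORKeyStream(out, plain)
	return out
}

// repeatedBlocks counts 16-byte blocks that repeat an earlier one: ECB's signature.
func repeatedBlocks(ct []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}
```

On the 64-byte sample, the ECB ciphertext shows three repeated blocks while the CTR ciphertext shows none.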

This release will inevitably result in the emergence of new, more dangerous ransomware threats. Acronis Cyber Protect’s AI-based machine learning defenses can provide early and effective protection against such attacks.

New AgeLocker ransomware misuses clean encryption tool

Last year, a Google engineer released the first version of a free, lightweight file encryption tool called “age”. Now, a new ransomware threat is misusing this tool for nefarious purposes.

Age uses the elliptic curve algorithm X25519, making brute force decryption impossible with currently available methods. Rather than leaving a ransom note on the users’ systems, as many ransomware variants do, AgeLocker has been delivering notes via email, demanding roughly $65,000 from victims in order to recover their files.

With its advanced behavioral analyses of users’ machines, Acronis Cyber Protect can detect and prevent ransomware from infecting endpoints before encryption begins — regardless of the encryption method used. Any files that are infected can be instantly restored from clean backups.


For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and get updates from the Acronis CPOCs as they’re posted.