June 11, 2021 — Eric Swotinsky
Malware analysis, Incident reports

Cyberthreat update from Acronis CPOCs: Week of June 7, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as ransomware strikes against U.S. infrastructure and brand-new threats to watch out for. Here’s a look at some of the most recent breaking news and analyses:

Steamship Authority caught in a ransomware storm

Massachusetts' largest ferry service, The Steamship Authority, has been hit by a ransomware attack. This comes on the heels of other attacks on U.S. infrastructure, including the recent strike against Colonial Pipeline that shut down normal operations for days.

The Steamship Authority is the regulatory body for all ferries between mainland Massachusetts and the islands of Martha’s Vineyard and Nantucket. Few details are available at this time regarding the size of the ransom demand, how much data may have been stolen, or how The Steamship Authority plans to recover from this attack.

Regardless of the ransomware strain or the gang behind it, Acronis Cyber Protect detects and blocks malware with the help of a threat-agnostic behavioral analysis engine powered by machine intelligence — keeping your data safe and ensuring business continuity.

These are not the ransoms you’re looking for

After being sanctioned by the U.S. Treasury in 2019, the ransomware gang known as Evil Corp has tried to hide its operations behind some 'light rebranding', so that victims who are barred from paying a sanctioned entity might negotiate with them again. Evil Corp is responsible for over $100 million in damages and ransoms, having attacked large companies such as Garmin, Forward Air, and insurance giant CNA.

Recently, researchers attributed attacks using the novel PayloadBIN ransomware to Babuk, another ransomware gang that had previously announced its retirement; the assumption was that Babuk had simply faked that retirement. After further analysis, however, it has become apparent that Evil Corp is actually the party behind these attacks.

While uncovering the hidden connection between PayloadBIN and Evil Corp is an important step forward in understanding the cyberthreat landscape, it also means that businesses cannot negotiate or pay for data recovery after a PayloadBIN attack, since paying a sanctioned entity is prohibited under U.S. law. Acronis Cyber Protect uses advanced behavioral heuristics to stop both known and unknown types of ransomware before they can encrypt or steal your data.

Seven zero-day bugs fixed in June Patch Tuesday

Microsoft's June Patch Tuesday fixed 50 vulnerabilities this month, including seven zero-days, six of which are known to have been exploited in the wild.

Four of the exploited vulnerabilities allowed privilege escalation, one was an information disclosure vulnerability, and one allowed remote code execution. The one zero-day not seen in any active attacks was a denial-of-service bug in Windows Remote Desktop Services.

Of the 50 vulnerabilities patched this month, five are considered by Microsoft to be critical, and the other 45 important. These issues affected Microsoft Office, the Edge browser, Visual Studio, .NET Core, and other popular business applications.

Patch management is quick and easy with Acronis Cyber Protect. A unified management portal allows you to simply select the systems to update and the patches that need installing — then apply them all with a single click.

High pressure in the ransomware pipeline

Amidst the recent shutdown and panic surrounding the Colonial Pipeline ransomware attack, another pipeline-focused business was affected by ransomware: LineStar Integrity Services.

LineStar Integrity Services is a Houston-based company that provides auditing, maintenance, and other services to a variety of customers within the pipeline industry, with an estimated annual revenue of over $171 million. A relatively new ransomware group known as Xing Team stole 70 GB of data, some of which has been published on their leak site. These releases include over 73,000 emails, accounting files, contracts, software code and data, and sensitive HR data — including Social Security numbers and driver's licenses.

While Xing Team is a new cybercrime gang and their ransomware has not yet been widely analyzed, Acronis Cyber Protect's Active Protection is threat-agnostic: it identifies and blocks the malicious behaviors that malware relies on, defending data from theft or encryption even by cyberthreats that have never been seen before.

After SolarWinds, Nobelium keeps phishing

Nobelium, the group responsible for the SolarWinds supply-chain attack a few months ago, has been conducting a sophisticated phishing campaign targeting around 3,000 accounts at government organizations, think tanks, and consultancies. The geographical focus was on the U.S., but recipients in 24 countries have received these malicious emails.

The attackers gained access to a Constant Contact (a legitimate email marketing service) account belonging to the United States Agency for International Development (USAID). Because the messages were sent through a legitimate service from a genuine USAID account, they carried valid sender and header information, and the trust recipients place in that service made the phishing emails far more convincing than a spoofed message would be.

These emails used the promise of new documents about U.S. election fraud as a lure and contained a link that ultimately delivered a malicious ISO file. When mounted, that image presents an LNK shortcut which launches a malicious DLL that is in fact a Cobalt Strike backdoor.
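The ISO to LNK to DLL hand-off above is the kind of chain endpoint telemetry should be watching for. The following is an added example, not Acronis code and not a description of how Acronis Cyber Protect's engine works: it correlates Sysmon-style FileCreate (EventID 11) and ProcessCreate (EventID 1) events, constructed inline rather than taken from real logs, and flags a DLL handed to rundll32.exe or regsvr32.exe from a non-system volume with explorer.exe as the parent (what a double-clicked shortcut looks like) within a window after an .iso file was written to disk. The rundll32/regsvr32 hand-off, the field names, the drive letters and the 30-minute window are assumptions; the campaign description above says only that the LNK starts a DLL.

```python
"""Correlate an ISO download with a shortcut-launched DLL on the mounted volume.

Added example (not Acronis code). Assumes Sysmon-style events with the
usual field names; the rundll32/regsvr32 hand-off and the time window are
assumptions, not facts from the campaign report.
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. EventID 11 = FileCreate,
# EventID 1 = ProcessCreate (Sysmon conventions).
SAMPLE_EVENTS = [
    # Browser writes the downloaded ISO to disk.
    {"EventID": 11, "UtcTime": "2021-06-08 14:01:05",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\documents.iso"},
    # User mounts the ISO (assumed drive E:) and double-clicks the LNK;
    # explorer.exe launches the shortcut target: rundll32 on a DLL in the image.
    {"EventID": 1, "UtcTime": "2021-06-08 14:02:10",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" E:\Documents.dll,Open',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: rundll32 on a system DLL, should not fire.
    {"EventID": 1, "UtcTime": "2021-06-08 16:30:00",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Non-system volume but no ISO written within the window, should not fire.
    {"EventID": 1, "UtcTime": "2021-06-08 20:00:00",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe F:\tools\helper.dll,Run",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

ISO_EXTENSIONS = (".iso", ".img")          # disc-image types Windows mounts natively
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SYSTEM_DRIVE = "C:"                        # assumption: OS volume is C:
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _drive_of(path):
    """Return 'E:' for 'E:\\foo.dll', or None if the path has no drive letter."""
    return path[:2].upper() if len(path) > 1 and path[1] == ":" else None


def dll_argument(cmdline):
    """Return the first DLL path passed on the command line, or None.

    Skips the executable itself: a quoted exe path cannot contain '.dll'
    before its closing quote, so the first match is the DLL argument.
    """
    m = re.search(r'([A-Za-z]:\\[^",]*?\.dll)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def find_iso_lnk_dll_chains(events, window=timedelta(minutes=30)):
    """Return hits where a shortcut-launched DLL on a non-system drive follows an ISO write."""
    iso_writes = []   # (time, path) of disc images written to disk
    hits = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.strptime(ev["UtcTime"], TIME_FMT)
        if ev["EventID"] == 11:
            if ev["TargetFilename"].lower().endswith(ISO_EXTENSIONS):
                iso_writes.append((t, ev["TargetFilename"]))
            continue
        if ev["EventID"] != 1:
            continue
        if _basename(ev["Image"]) not in DLL_LOADERS:
            continue
        if _basename(ev["ParentImage"]) != "explorer.exe":
            continue   # a double-clicked LNK is launched by explorer.exe
        dll = dll_argument(ev["CommandLine"])
        if dll is None or _drive_of(dll) == SYSTEM_DRIVE:
            continue   # DLL lives on the OS volume: not a mounted image
        recent = [p for (ti, p) in iso_writes if timedelta(0) <= t - ti <= window]
        if recent:
            hits.append({"time": ev["UtcTime"], "dll": dll, "iso_candidates": recent})
    return hits


if __name__ == "__main__":
    for hit in find_iso_lnk_dll_chains(SAMPLE_EVENTS):
        print(f"{hit['time']} DLL {hit['dll']} launched via shortcut after ISO write: {hit['iso_candidates']}")
```

The rule deliberately keys on behavior rather than on file hashes or the lure's wording, so it survives a re-packed DLL or a new decoy; tune the window and the non-system-drive heuristic to your environment, since legitimate software distributed as mountable images will produce the same pattern.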

Acronis Cyber Protect features URL filtering capabilities that block users from accessing malicious websites, while its advanced anti-malware engine uses behavioral heuristics and machine intelligence to stop backdoors from executing.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.