Cyberthreat update from Acronis CPOCs: Week of March 1, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as ransomware strikes on major companies and vulnerabilities in popular business applications. Here’s a look at some of the most recent breaking news and analyses:

Kia Motors America hit by DoppelPaymer ransomware

Auto manufacturer Kia Motors America experienced major outages to internal and customer-facing systems after a ransomware attack by the DoppelPaymer gang.

With more than 955 dealerships throughout the U.S., over 3,000 employees, and an estimated $1.3 billion in annual revenue, Kia Motors America is an undeniably high-value target. The company denies that this outage was the result of a ransomware attack, though a ransom note addressed to their parent company (Hyundai Motor America) was made available via the DoppelPaymer leak site. The note indicates that the DoppelPaymer gang demanded a ransom of 404 Bitcoin (currently worth roughly $20 million), to be raised to 600 Bitcoin if the payment is not made promptly.

DoppelPaymer follows a rapidly growing trend in ransomware, where data is both encrypted and exfiltrated, with the threat of public leakage used as additional leverage over the victim. Acronis Cyber Protect’s advanced heuristic engine detects this sort of malicious behavior and blocks ransomware threats — both known and unknown — before they can encrypt your systems.

Singtel, Jones Day fall victim to CL0P ransomware

A previously unknown vulnerability in a file-sharing application from Accellion has been exploited by attackers to gain access to the data of around 50 companies, including Singaporean telecom conglomerate Singtel and international law firm Jones Day.

Singtel and Jones Day both had sensitive data published by the CL0P ransomware group on its underground leak site. Singtel reported that 129,000 customer records — including customers’ National Registration Identity Card (NRIC) numbers — were stolen. So far, the only Singtel data actually published is a set of credit card details belonging to some staff members.

It’s currently unclear whether CL0P compromised these companies directly, whether the group is itself responsible for the Accellion breach, or whether it merely acted as an extortion intermediary for another entity that stole the data. Either way, this situation is part of a growing trend amongst ransomware groups to focus on data theft and double extortion (encrypting data and threatening to leak it). Acronis Cyber Protect detects and blocks CL0P ransomware with its AI-powered behavioral heuristics, preventing the loss of sensitive data.

French national cybersecurity agency ANSSI discovers origin of Sandworm attacks

ANSSI, France’s national cybersecurity agency, has recently linked a series of attacks spanning four years to the hacking group known as Sandworm, an elite state-backed espionage group.

The point of entry in these attacks appears to be Centreon, an IT resource monitoring platform. ANSSI found that the attackers targeted outdated, internet-exposed Centreon installations and used them to install web shells and the Exaramel backdoor on compromised servers.

Sandworm has been active since the early 2000s, and is best known for creating NotPetya, destructive malware disguised as ransomware that caused billions of dollars in damage to major targets — including Russian integrated energy company Rosneft, FedEx subsidiary TNT Express, and the PyeongChang 2018 Winter Olympics organizing committee.

Sandworm was successful in these campaigns because the tools it employed went undetected for years. Acronis Cyber Protect features a built-in behavioral detection engine that recognizes malicious behaviors and halts attack chains.

Microsoft releases patches to fix problematic updates

Microsoft has released two new servicing stack updates — KB5001078 and KB5001079 — after recent updates caused problems for some users.

Updates issued on February’s Patch Tuesday included KB4601392 and KB4601390, which contained bugs that can freeze the cumulative update process at 24% and prevent the installation of further hotfixes. The issue affected users of Windows 10 (both 32-bit and 64-bit) as well as Windows Server 2016.

Microsoft’s new servicing stack updates must be applied before the monthly cumulative update can be installed successfully. If the faulty monthly update was already applied, users will need to manually revert the affected components.

Acronis Cyber Protect can automatically create backups of entire workloads before patches are applied, enabling quick rollback to a working state if any issues should arise with updates.

SHAREit and Accellion highlight file-sharing vulnerabilities

File-sharing platforms SHAREit and Accellion have recently been tied to security vulnerabilities and breaches.

Multiple severe vulnerabilities have been found in the popular Android file-sharing app SHAREit, which had already been banned in India over privacy and national security concerns. These vulnerabilities include susceptibility to remote code execution and the ability to steal sensitive data. Android users have collectively installed SHAREit over a billion times from Google Play.

Palo Alto-based Accellion's file-sharing app was hacked in December, and victims now include Jones Day — an international law firm and one of the largest in the U.S., with more than $2 billion in gross revenue — and Singapore-based telecom conglomerate Singtel. Jones Day has since confirmed that the attackers stole data from the firm.

Acronis Cyber File Cloud is a fast and secure data-sharing solution that comes packed with rich mobile functionality. Acronis actively engages with the HackerOne bug bounty program to ensure protection from vulnerabilities like those of SHAREit and Accellion.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.