Cyberthreat update from Acronis CPOCs: Week of March 15, 2021

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly-discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continue to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as malware strikes on financial institutions and newly-discovered cyberthreats. Here’s a look at some of the most recent breaking news and analyses:

Ursnif trojan strikes over 100 Italian banks, compromising login credentials

The Ursnif trojan, also known as Gozi, has successfully attacked over 100 Italian banks and stolen user credentials. One undisclosed payment processor alone had 1,700 sets of credentials compromised.

The group behind Ursnif has been active since 2007 and has a long history of focusing on Italian users. Since first appearing on the scene, Ursnif has been upgraded with spyware, file injectors, and the ability to install backdoors, and it has been known to use anti-detection techniques as well. In the last four years, attackers have used phishing techniques to spread the trojan across Italy, Germany, and Japan.

Ursnif, like many banking trojans, relies on users falling victim to phishing emails. Acronis Cyber Protect not only stops Ursnif’s activities with its advanced heuristic engine, it also blocks phishing domains with built-in URL filtering.

New variant of Ryuk ransomware spreads automatically within networks

ANSSI, the French national cybersecurity agency, recently published a report describing a new variant of the notorious Ryuk ransomware that can spread automatically within a compromised network.

This self-replicating ransomware scans the local network, pinging every possible local IP. When a system is identified, Ryuk duplicates itself on the target and schedules a task to run the remote copy. Ryuk is hardly the first ransomware group to use automatic propagation, but it does reflect a trend in which cybercriminals are now focusing on automation to increase the scale, frequency, and speed of their attacks.

Ryuk is one of the more active ransomware groups, notable for having recently compromised Universal Health Services — a Fortune 500 healthcare services provider — in September 2020. They likely hold the record for the highest ransom successfully extorted, at $34 million. Acronis Cyber Protect Cloud’s Active Protection capabilities block both known and unknown ransomware threats through AI-driven behavioral detection, keeping your data safe from harm.

New ransomware gang hits hard at Ecuador’s finance sector

A new ransomware gang, Hotarus Corp, appears to have compromised both Ecuador's Ministry of Finance and the country’s largest bank, Banco Pichincha.

Banco Pichincha, which has over 5,000 employees and annual sales exceeding $800 million, denies that their customer data was compromised. Hotarus Corp claims to have stolen 31,636,026 customer records and 58,456 sensitive system records, and have released thousands of login names and hashed passwords online as proof. The group has already sold roughly 37,000 stolen credit cards in an auction for $250,000.

Though Ronggolawe is a rare threat — and, unusually, one built with PHP — Acronis Cyber Protect is threat-agnostic. Its behavioral heuristic engine detects Ronggolawe and all types of ransomware, blocking their execution before they can exfiltrate or encrypt business-critical data.

Qualys is the latest victim of Cl0p in Accellion breach

Cloud-based security and compliance provider Qualys is the latest in the ever-growing list of victims that the Clop ransomware group has claimed, after the December breach of Accellion FTA.

Qualys has around 1,500 employees spread across 13 countries, and an annual revenue of more than $350 million. The ransom note left by the Cl0p gang stressed their own website’s high levels of traffic from IT professionals, journalists, and hackers, in an effort to motivate quick action on Qualys’ part.

Months after the initial attack, it is still unclear whether the Cl0p group performed the attacks on the Accellion FTA devices, or if they simply obtained the stolen data and are now using it to exploit the victims. Accellion has released a patch, but is still encouraging users to move away from the legacy file transfer platform.

Acronis Cyber Cloud includes its own file-sharing solution, Acronis Cyber Files Cloud, as well as our industry-leading behavioral and AI-based ransomware protection — keeping your files safe and secure whether they’re on your systems or shared in the cloud.

Google Chrome update fixes 47 security flaws, including zero-day vulnerability

Google has released a patch for a zero-day exploit in their Chrome browser, one which has already been actively exploited in the wild. This comes exactly one month after another zero-day patch for Chrome, the world’s most widely-used web browser, and is one of 47 security fixes rolled out for the browser in this update.

Few details about the latest zero-day vulnerability have been made available, in an effort to give users a chance to update their software before the exploit becomes common knowledge. What is known at this point is that it is a serious object lifecycle issue in audio. Other fixes in this release address buffer overflow issues, a lack of sufficient data validation, and other security flaws.

Acronis Cyber Protect Cloud includes vulnerability assessments that alert you to available updates for common applications, such as Google Chrome. The integrated patch management functionality lets you update these applications from within the web console, with the click of a button.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.