September 26, 2020 — Eric Swotinsky
Malware analysis | Incident reports | Client education

Cyberthreat update from Acronis CPOCs: Week of September 21, 2020

Cyber Protect Cloud

Here at Acronis, we’re always monitoring for dangers to your data, deploying updates to handle newly discovered vulnerabilities, and issuing alerts and recommendations to help you stay protected. Our global network of Acronis Cyber Protection Operations Centers (CPOCs) continues to work around the clock to proactively detect and defend against the latest cyberthreats.

Part of this work includes video updates to inform you of modern hazards in the digital landscape — such as emerging malware variants and weather-related threats to business continuity. Here’s a look at some of the most recent breaking news and analyses:

RDP misused in Dharma ransomware attacks

Iranian threat actors have begun exploiting internet-facing Remote Desktop Protocol (RDP) services to target companies with Dharma ransomware. Evidence of these attacks has now been found on the networks of companies in Russia, Japan, China, and India.

Once inside the network, the cybercriminals disabled antivirus solutions, scanned the network for reachable hosts, and abused RDP to move laterally from system to system. The actors then dropped Dharma on each host they accessed, along with a demand of 1-5 Bitcoin (currently valued at approximately $11,000 to $55,000) to restore the victims’ data.

Each of the affected companies was found to have RDP exposed to the internet on the default port (3389) with weak credentials. Note that moving RDP to a non-default port only reduces scanner noise; the underlying problem is an internet-facing logon service protected by guessable passwords. Acronis Cyber Protect provides a secure remote access and management solution, protecting your network from internet-facing RDP attacks.
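The attack chain above (password guessing against exposed RDP, then a successful logon with the guessed credentials) leaves a recognizable trail in the Windows Security log: a burst of Event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a 4624 (successful logon) of the same type from that address. The script below is an added example written for this update, not Acronis code; the log records are constructed for illustration in a tab-separated shape a log forwarder might emit, and the threshold and window values are assumptions to tune for your environment.

```python
"""Flag RDP password guessing, and a success that follows it, from
Windows Security log events 4625 (failed logon) and 4624 (logon).

Added example, not Acronis code. SAMPLE_LOG is constructed; real input
would come from the Security log (e.g. Get-WinEvent) or a SIEM export.
Fields: TimeCreated, EventID, LogonType, TargetUserName, IpAddress.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records: one source guesses three accounts and gets in as
# 'backup'; one user mistypes once; one internal host fails with logon
# type 3 (network), which is not RDP and must be ignored.
SAMPLE_LOG = """\
2020-09-21T02:00:01\t4625\t10\tadministrator\t203.0.113.7
2020-09-21T02:00:09\t4625\t10\tadministrator\t203.0.113.7
2020-09-21T02:00:18\t4625\t10\tadmin\t203.0.113.7
2020-09-21T02:00:27\t4625\t10\tbackup\t203.0.113.7
2020-09-21T02:00:36\t4625\t10\tbackup\t203.0.113.7
2020-09-21T02:00:44\t4625\t10\tbackup\t203.0.113.7
2020-09-21T02:01:02\t4624\t10\tbackup\t203.0.113.7
2020-09-21T02:05:00\t4625\t10\tjsmith\t198.51.100.20
2020-09-21T02:05:30\t4624\t10\tjsmith\t198.51.100.20
2020-09-21T02:07:00\t4625\t3\tsvc_sql\t10.0.0.5
2020-09-21T02:07:01\t4625\t3\tsvc_sql\t10.0.0.5
2020-09-21T02:07:02\t4625\t3\tsvc_sql\t10.0.0.5
2020-09-21T02:07:03\t4625\t3\tsvc_sql\t10.0.0.5
2020-09-21T02:07:04\t4625\t3\tsvc_sql\t10.0.0.5
2020-09-21T02:07:05\t4625\t3\tsvc_sql\t10.0.0.5
"""

FAILED, SUCCESS = 4625, 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_log(text):
    """Parse tab-separated records into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split("\t")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "type": int(ltype), "user": user, "ip": ip})
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: accounts tried} for every source that produced
    at least `threshold` failed RDP logons inside any sliding `window`."""
    per_ip = defaultdict(list)
    for e in events:
        if e["id"] == FAILED and e["type"] == RDP_LOGON_TYPE:
            per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in per_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1  # drop failures older than the window
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({f["user"] for f in fails})
                break
    return flagged


def detect_success_after_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return [(ip, user, time)] for successful RDP logons from a source
    that already had `threshold` failures in the preceding `window`: the
    strongest single indicator that a password was guessed."""
    hits = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent 4625s
    for e in events:
        if e["type"] != RDP_LOGON_TYPE:
            continue
        q = recent_failures[e["ip"]]
        while q and e["time"] - q[0] > window:
            q.popleft()
        if e["id"] == FAILED:
            q.append(e["time"])
        elif e["id"] == SUCCESS and len(q) >= threshold:
            hits.append((e["ip"], e["user"], e["time"].isoformat()))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("guessing sources:", detect_rdp_bruteforce(evs))
    print("likely compromised:", detect_success_after_bruteforce(evs))
```

The second detector is the one worth paging on: a burst of 4625s alone is background noise on any internet-facing RDP host, whereas a 4624 from the same source shortly afterwards is the point at which the Dharma operators described above begin disabling antivirus and moving laterally. Filtering on logon type 10 keeps internal service-account failures (logon type 3) out of both results.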

KryptoCibule malware targeting cryptocurrency users

A newly discovered piece of malware has been circulating since at least December 2018. KryptoCibule installs a cryptocurrency miner on the victim's computer, steals files related to their cryptocurrency wallets, and replaces wallet addresses in the clipboard to hijack payments.

KryptoCibule contacts its command and control servers over the Tor network, which both encrypts the traffic and hides the servers’ location. This, in combination with the clipboard hijacker module, makes KryptoCibule one of the most advanced cryptojacking strains to date.

So far, KryptoCibule has only been observed in the Czech Republic and Slovakia. This appears to be intentional: it checks for the presence of three antivirus applications, all made by vendors based in one of these two countries. Acronis Cyber Protect detects and stops unwanted cryptomining before it can slow down your computer or compromise your financial data.

Double hurricane wreaks havoc in Gulf of Mexico

In a first for the Gulf of Mexico, two hurricanes were active at the same time. This phenomenon comes during one of the busiest storm seasons on record.

Hurricane Marco was a Category 1, while Laura made it to Category 4, with sustained winds of up to 150 mph. Marco hit near the mouth of the Mississippi River on Sunday and was downgraded to a tropical storm by Monday night, leaving just two days before Laura made landfall in Louisiana, bringing heavy wind and rains to areas still recovering from Marco.

Due to the unprecedented nature of this event, the behavior of these storms was difficult for meteorologists to predict. Acronis Cyber Protect delivers secure backups and disaster recovery, keeping your data safe and helping you get back up and running quickly after any disaster.

DarkSide ransomware latest to use data leak site

Last month, a new ransomware operation named DarkSide began attacking organizations with customized attacks that have already reeled in million-dollar payouts.

Ransom demands observed so far range between $200,000 and $2,000,000. Interestingly, DarkSide’s operators claim that they only target companies they believe can afford to pay these high ransoms, and that they don’t want to put their victims out of business.

Like many other human-operated ransomware variants, DarkSide’s operators breach a victim’s network and move laterally until they obtain administrator accounts, and only then deploy the encryptor. Acronis Cyber Protect effectively stops ransomware before it can encrypt your files and helps keep you safe.

Tsunami and tornado: double threat in Long Island Sound

In one of the busiest storm seasons on record, Long Island Sound has experienced a tsunami that was caused by a tornado. While this is not unprecedented in the region, it does highlight the need to be prepared for complex disasters that involve more than one type of damage.

Tsunamis are typically caused by seismic activity, but the tsunami in Long Island Sound was a meteorological event (a meteotsunami), caused by a sudden change in air pressure of 4 mbar in just 20 minutes that resulted in massive water displacement.

The backup and disaster recovery capabilities included in Acronis Cyber Protect keep your data safe in the event of a disaster, and help get your business back up and running with minimal interruption.

# # #

For the latest reports on emerging cyberthreats from Acronis’ cyber protection experts, subscribe to the Acronis YouTube channel and receive our CPOC updates as they’re posted.