N3TWoRM hackers published exfiltrated data from Israeli companies
On Sunday, May 2, cybercriminal group N3TWoRM attacked the computer networks of the international clothing network H&M in Israel and threatened to release customer data.
In the latest incident that illustrates the overlap of the traditional economy and infrastructure with the digital realities of modern business, one of the largest pipelines in the U.S. was forced to shut down this past weekend after being hit by a ransomware group. Managed by Colonial Pipeline Co., the 5,500-mile pipeline runs across 14 states between Houston, TX and New York Harbor, and provides around 45% of all fuel for the U.S. East Coast.
DearCry ransomware uses the recently disclosed zero-day ProxyLogon vulnerabilities to hack into Microsoft Exchange servers. Its file encryption scheme leaves no chance of decryption without the correct key, and data overwriting techniques may complicate recovery. The first DearCry attack was discovered on March 9, 2021.
In February 2021, the public was shocked by the news of the hacking of Bombardier, a giant in the aerospace industry. During the investigation of the incident, analysts established that the threat group TA505, using the Cl0p ransomware, was responsible for the attack.
Author: Peter Hale, Date: 2 December 2020. Those who do not learn anything from history are doomed to repeat it. Nobody wants to repeat 2020. Thus, the experts of our worldwide Acronis CPOC network (Cyber Protection Operation Centre) have summarized their research results and observations from the past year in the Acronis Cyberthreats Report 2020.
While OSAMiner has been around since 2015, and known since at least 2018, a newly discovered version of OSAMiner has remained hidden from researchers by cleverly concealing one run-only AppleScript inside of another run-only AppleScript. Run-only scripts do not contain human-readable code and are notoriously difficult to fully decompile. Some IoCs have been identified in these campaigns, but a full analysis was not previously available, leaving some of the critical files in these campaigns lurking in the dark. This has changed with a couple of recently developed tools to aid in decompiling AppleScripts. Using these tools, we can now get a better view of the internals of the files in this cryptojacking campaign, as well as a broader view of the files associated with the malware.
You don’t have to work in cybersecurity to be aware of the recent discovery that a sophisticated state actor had potentially compromised tens of thousands of private companies and government institutions in the Americas, Europe, and the Middle East. The means was a software supply-chain: attackers breached the software distribution infrastructure of tech vendor SolarWinds, embedding malware in its popular Orion network management tool. When customers downloaded the latest Orion product update, the malware surreptitiously spread throughout their organizations, in many cases finding and forwarding sensitive data to external servers controlled by the attackers. Now comes news that SolarWinds was not the only victim of this Advanced Persistent Threat (APT) attack. Cybersecurity vendor Malwarebytes disclosed earlier this week that it had also been victimized by the same threat actors.
While its current name may be fairly new, Ranzy Locker is simply the latest evolution in a line of ransomware variants that began with MedusaLocker. Many of its details have since changed, including a shift in encryption algorithms from AES-256 to Salsa20. The distribution vectors for Ranzy Locker remain somewhat unclear, though spam campaigns have been indicated as one method.
The success of the massive SolarWinds supply-chain attack presents an urgent new cybersecurity challenge to every business. We plumb the tactics used in the SolarWinds breach and show how Acronis defends against it and similar attacks.
SolarWinds’ Orion business software was reportedly compromised and used in a supply-chain attack involving the SUNBURST malware. The distributed malware then used elevated credentials gained by compromising network traffic management systems to target FireEye, a cybersecurity firm, and several U.S. government agencies. Details of the attack are available from the Cybersecurity and Infrastructure Security Agency (CISA). While not affected by this event, Acronis wants to reassure partners and customers that we have a strict, secure software development life cycle (SDLC) in place, which we continuously strengthen, to ensure our solutions are safe, secure, and reliable.
The threat of a large-scale ransomware attack once again grabbed headlines in the mainstream press as the U.S. Federal Bureau of Investigation, Department of Homeland Security, and Department of Health and Human Services warned that cybercriminals were targeting American healthcare providers. The alert, which was issued Wednesday, warned that there was “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” focused on “data theft and disruption of healthcare services.” The warning comes as hospitals, medical facilities, and healthcare workers around the country are faced with spiking cases of COVID-19. The timing is no accident, as cybercriminals are leveraging the need for these healthcare providers to have access to their data and systems.
WastedLocker ransomware has reportedly been used by the Evil Corp group, known for delivering the Dridex banking malware, to attack at least 31 U.S.-based corporations since May 2020. Here we provide an in-depth analysis of WastedLocker, which employs numerous defense evasion techniques such as digital signing, DLL side-loading, auto-elevation and alternate data streams.