Acronis Cyber Incidents Digest #1

Hello, Habr! Starting today, we will publish weekly information security news digests, talk about new hacks and threats, and share our experience in global cybercrime surveillance. In this digest, you will learn about major new hacks and attacks, the disguises adopted by well-known groups, the secrets of successful phishing, and how many Microsoft patches must be installed in June.

First, let’s say a few words about where we get our threat information from. A few years ago, Acronis formed a global network of Cyber Protection Operations Centers (CPOCs). They constantly monitor events taking place in global networks, as well as on the workstations and servers of our clients, which number more than 5 million worldwide.

River Transport Operator Comes Under Ransomware Attack

Following the already sensational attacks on other US infrastructure, in particular on Colonial Pipeline, the Steamship Authority, the largest ferry operator in Massachusetts, was infected.

The Steamship Authority acts as a single regulator and controls all ferry traffic between mainland Massachusetts and Martha’s Vineyard and Nantucket Islands. Fortunately, the transportation itself was not paralyzed, but so far there is no information about what ransom the attackers are demanding, and how the Steamship Authority plans to restore its systems after a large-scale attack.

But the saddest thing is that, because the files were encrypted, no one can yet say what sensitive information fell into the hands of the attackers. This is another example of why criminals are increasingly using Ransomware together with Infostealer-class programs – the victim faces the threat of data loss and data leakage at the same time. As a result, the business carries more risk, and there is a higher chance that management will decide to pay the ransom.

These are not the ransomware you are looking for …

After the US imposed sanctions in 2019, the criminal group known as Evil Corp went into disguise and undertook a “small rebranding” to cover up its activities. So even those who have already been hit can again face the actions of the same intruders, only under a new name. As a reminder, Evil Corp is responsible for more than $100 million in losses, counting both ransoms and damage. It was they who attacked major companies such as Garmin, Forward Air and the insurance giant CNA.

Recently, researchers discovered a number of cyber attacks using the new PayloadBIN malware and attributed them to another well-known group called Babuk (which, by the way, had announced that it was ceasing operations shortly before). It was believed that Babuk had simply lied about its “retirement”. However, after a more detailed analysis, the facts began to point to Evil Corp, which may well be behind the new attacks.

Why is it important? Linking PayloadBIN to Evil Corp gives a better understanding of the threat landscape and of the countermeasures that apply – after all, cybersecurity experts know Evil Corp’s techniques well. For users, this is another argument that a real fight against Ransomware calls for AI-based solutions that can detect previously unknown threats.

Seven zero-day holes closed on June Patch Tuesday

On its Patch Tuesday, Microsoft released 50 updates, including fixes for seven zero-day vulnerabilities. Moreover, at that time it was already known that six of them were being exploited by cybercriminals.

Four of the discovered vulnerabilities allowed additional privileges to be gained, one could lead to information leaks, and another opened the door to remote execution of arbitrary code. The seventh vulnerability had not yet shown up in real attacks – it is a loophole for carrying out DDoS against Windows Remote Desktop services.

Of the 50 patches released earlier this month, 5 were rated critical by Microsoft and 45 important. The affected software includes Microsoft Office, the Edge browser, Visual Studio, .NET Core and a number of other business applications.

This situation once again speaks in favor of patch management technologies. When vulnerabilities are already being exploited by attackers, timely installation of updates is what matters most. Organizations should therefore use automated patch management tools that prioritize downloading and installing the most critical patches on all machines first.

Ransomware Continues Attacking Pipeline Companies

Before we could forget the recent panic and the complete shutdown of Colonial Pipeline systems caused by a Ransomware attack, last week’s news brought an attack on another pipeline business – LineStar Integrity Services.

LineStar Integrity Services specializes in auditing, maintenance and other services for pipeline companies. The organization’s annual profits are over $171 million. A relatively new Ransomware group known as the Xing Team stole 70 GB of data from the service company, some of which has already been published on leak sites. The compromised information includes over 73,000 emails, accounting records, contracts, software code, technical data, and sensitive HR information such as social security numbers and driver’s license numbers.

The attack was made possible in large part because the Xing Team is a relatively new cybercriminal group, and the Ransomware samples it uses have not yet been analyzed by many laboratories. Protection against such attacks can therefore only be achieved through behavioral analysis and the blocking of suspicious activity, such as mass encryption and file theft.
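One way to act on the behavioral point above, as an added example that is not part of the original digest or of any Acronis product: a detector that watches per-process file writes over a sliding window and flags a process that rewrites many distinct files with near-random (high Shannon entropy) content, which is what encryption produces regardless of whether the sample is known. The event format, thresholds and the three constructed processes (a word processor, a backup job, an encryptor) are assumptions for illustration.

```python
import math
import random
from collections import defaultdict, deque

# Tunable detection thresholds (constructed for this example, not vendor values)
WINDOW_SECONDS = 60      # look at each process's writes over a sliding 60 s window
MIN_FILES = 20           # at least this many distinct files touched in the window
HIGH_ENTROPY = 7.0       # bits/byte; encrypted or compressed output sits near 8.0
SUSPECT_RATIO = 0.8      # share of writes in the window that must be high-entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the written content sample."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_encrypting_processes(events):
    """Flag processes that rewrite many distinct files with high-entropy content.

    events: iterable of dicts {ts, pid, image, path, data} in time order,
    where data is a sample of the bytes written. Returns {pid: details}.
    """
    recent = defaultdict(deque)   # pid -> deque of (ts, path, entropy)
    flagged = {}
    for ev in events:
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["path"], shannon_entropy(ev["data"])))
        # Drop writes that fell out of the sliding window
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        distinct_files = {path for _, path, _ in q}
        if len(distinct_files) < MIN_FILES:
            continue
        high = sum(1 for _, _, e in q if e >= HIGH_ENTROPY)
        ratio = high / len(q)
        if ratio >= SUSPECT_RATIO:
            # Overwrite so the record reflects the latest window for this process
            flagged[ev["pid"]] = {
                "image": ev["image"],
                "files": len(distinct_files),
                "high_entropy_ratio": round(ratio, 2),
                "window_start": q[0][0],
                "last_seen": ev["ts"],
            }
    return flagged


def build_sample_events():
    """Constructed file-write events: a word processor, a backup job and an encryptor."""
    rng = random.Random(7)       # deterministic stand-in for ciphertext
    text = b"Quarterly pipeline inspection report, section 4.2. " * 20
    events = []
    # Benign: a word processor saving three documents
    for i in range(3):
        events.append({"ts": 10 + i, "pid": 1111, "image": "winword.exe",
                       "path": f"C:/Users/alice/Documents/report{i}.docx", "data": text})
    # Benign: a backup job copying many files, but the content stays low-entropy
    for i in range(25):
        events.append({"ts": 50 + i, "pid": 2222, "image": "backup.exe",
                       "path": f"D:/backup/file{i}.txt", "data": text})
    # Suspicious: one process rewriting 25 files with random-looking bytes in 25 s
    for i in range(25):
        events.append({"ts": 100 + i, "pid": 4242, "image": "cryptor.exe",
                       "path": f"C:/Users/alice/Documents/file{i}.xlsx.locked",
                       "data": rng.randbytes(1024)})
    return events


if __name__ == "__main__":
    for pid, info in find_encrypting_processes(build_sample_events()).items():
        print(pid, info)
```

Only the encryptor is flagged: the backup job touches just as many files but its content stays low-entropy, and the word processor never reaches the file-count threshold. In production the same logic needs an allow list for tools that legitimately produce high-entropy output in bulk (archivers, full-disk backup with compression), and the response to a hit should be to suspend the process and snapshot the touched files rather than merely log it.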

After its successful attack on SolarWinds, Nobelium turned to phishing

The Nobelium group, which became widely known a few months ago after the attack on SolarWinds, decided to expand the range of its activities. The cybercriminals launched a massive phishing campaign targeting nearly 3,000 accounts at government bodies and consulting companies. Although the main targets were clearly US institutions, the same emails reached recipients in 24 other countries.

The criminals gained access to the Constant Contact service (an email marketing platform), specifically to the account of USAID (United States Agency for International Development). Using a trusted system let Nobelium craft really convincing phishing emails: the sender was a verified one, and the messages carried correct headers.

The emails announced new documents that supposedly proved election fraud in the United States. Following the link, however, downloaded a malicious ISO file. Once opened, the file installed a malicious DLL onto the system, which was in fact a Cobalt Strike backdoor.

It is worth noting that such attacks succeed largely because URL filtering is so rarely used in corporate security systems. Acronis Cyber Readiness 2020 showed that only 2% of companies have budgets for such solutions. So do not be surprised if cyber fraudsters use such methods more often.
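To show what the URL filtering mentioned above looks like at the mail gateway, here is an added example that is not part of the original digest or of any Acronis product. It parses an email, pulls the links out of the HTML body and reports the ones that violate a simple policy: a download of a disk-image or script file (the ISO lure is the one the campaign used; the other extensions are an assumed policy), a link whose visible text shows one host while the href points to another, an IP-literal host, plain HTTP, or a host outside the organization's allow list. The sample message, its domains and the allow list are constructed for the example.

```python
import ipaddress
import os
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy for this example: file types that should never arrive via a
# mail link, and the hosts this organization treats as known-good.
RISKY_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx", ".lnk", ".js", ".hta"}
ALLOWLIST = {"www.example.org", "intranet.corp.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text, allowlist=ALLOWLIST):
    """Return the list of policy reasons a link should be blocked or sandboxed."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        reasons.append("plain-http")
    if os.path.splitext(url.path.lower())[1] in RISKY_EXTENSIONS:
        reasons.append("risky-download-extension")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    # Anchor text that looks like a URL but points somewhere else is a classic lure
    if text.lower().startswith(("http://", "https://")):
        shown_host = (urlparse(text).hostname or "").lower()
        if shown_host != host:
            reasons.append("display-host-mismatch")
    if host not in allowlist:
        reasons.append("host-not-on-allowlist")
    return reasons


def analyze_message(raw: bytes, allowlist=ALLOWLIST):
    """Parse an RFC 5322 message, extract HTML links, return the ones that break policy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.links:
        reasons = classify_link(href, text, allowlist)
        if reasons:
            findings.append({"url": href, "text": text, "reasons": reasons})
    return findings


# Constructed message: one harmless link and one lure whose visible text hides
# an ISO download on a different host, in the style of the campaign described above.
SAMPLE_EMAIL = (
    b"From: Newsletter <news@mailer.example>\n"
    b"To: analyst@corp.example\n"
    b"Subject: New documents published\n"
    b"Content-Type: text/html; charset=\"utf-8\"\n"
    b"\n"
    b"<html><body>\n"
    b"<p>See the <a href=\"https://www.example.org/news/2021\">news page</a>.</p>\n"
    b"<p>Download: <a href=\"http://cdn.example.test/files/election-docs.iso\">"
    b"https://documents.example.org/election-report</a></p>\n"
    b"</body></html>\n"
)

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print(finding["url"], "->", ", ".join(finding["reasons"]))
```

The harmless link produces no finding; the lure trips four rules at once. A real gateway would also follow redirects through the mailing service's click-tracking domain before classifying, since in the Nobelium case the trusted sender and the tracking links are exactly what made the messages look legitimate.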
