Acronis Cyber Incidents Digest #19


According to APWG, phishing volumes will only grow

The Anti-Phishing Working Group (APWG), an international industry consortium whose members include Acronis, works on a unified global approach to countering cybercrime. The results of the group's work to date are set out in its report for the third quarter of 2021.

According to the APWG, the consortium's members recorded 260,642 phishing attacks in July 2021 alone – the highest monthly figure since the group began collecting consolidated statistics. Of these attacks, 35% targeted financial applications and 29% targeted cloud applications and webmail. Theft of cryptocurrencies was next on the list, accounting for 6% of attacks.

The results of the study also clearly indicate that attackers are widening their range of activity. The number of brands being impersonated alone is growing steadily: at the beginning of the year there were about 400 of them, and by September the number had jumped to 700. Compared to 2020, the total number of phishing attacks more than doubled.

This news clearly shows that businesses need to take email security and URL filtering seriously. The difficulty is that in today's conditions, with many people working from home, doing so is much harder.

Hive attacked Supernus Pharmaceuticals and TH Nürnberg University

Known for their high-profile attacks, the Hive ransomware operators have launched a series of new attacks on large targets. New victims include the biopharmaceutical firm Supernus Pharmaceuticals and the German TH Nürnberg University.

Although Supernus Pharmaceuticals said the attack did not have a significant impact on its business, the Hive members themselves stated on their leak site that they hold about 1.3 TB of valuable data from the company. The group insists that Supernus is withholding information about the leak so as not to damage its reputation during a major deal to acquire Adamas Pharmaceuticals. Perhaps that is why no information about the ransom amount has been published.

TH Nürnberg University suffered a similar attack and recovered most of its systems after only three weeks. Even after that, however, some systems remained offline. In this incident, too, it is not known whether any valuable data was stolen or whether any ransom was paid to the criminals.

IKEA email system hit by cyberattack

The world-famous retailer IKEA was attacked with phishing emails. What makes this attack unusual is that it is internal: the attackers reply within already existing email threads, imitating the typical messages that employees send to each other, so the malicious mail arrives from a colleague's real account in an ongoing conversation.

The cybercriminals managed to get into the IKEA network through the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange. Once inside, they were able to reply to corporate emails, and those replies delivered malware – in this case, Emotet and Qbot.

For the Swedish company IKEA, which owns 445 large stores around the world and employs more than 220,000 people, this attack is a serious problem, because the volume of internal correspondence within the organization is large. For cybercriminals, IKEA is a very attractive target, because the likelihood of collecting a ransom after successfully blocking critical business processes or stealing important data is high.

Japanese Hospital Rebuilds IT Systems Due to Ransomware Attack

Handa Hospital, based in Tsurugi, Japan, reported on the aftermath of a major cyberattack in October. The organization plans to spend about ¥200 million rebuilding its computer network instead of paying the ransom to the attackers. Overall, this is a commendable trend, because it discourages cybercriminals.

However, the attack negatively affected the quality of patient care. The electronic medical records of 85,000 people became unavailable to staff, and the hospital's accounting system was damaged, so employees had problems calculating salaries, ordering supplies, and so on. Because of the attack, Handa Hospital stopped accepting new patients and plans to return to normal operation only by January 4, 2022.

Of course, this state of affairs is unlikely to please the townspeople themselves, who were deprived of medical care in already difficult times. The mayor of the city held a public hearing and explained that the municipality had initially agreed to pay the extortionists' demands, but then changed its mind: the hospital would receive no guarantee of data recovery, and budgetary funds "are not intended for payments to criminals". Of course, the question arises as to why budget funds were not spent earlier on building protection systems for a medical organization, but that is a topic for another conversation.

Windows Defender goes "crazy" over Emotet

Immediately after Trickbot was spotted distributing a new version of the Emotet botnet, Microsoft's Windows Defender began to generate an incredible number of false positives, identifying various executable programs and Microsoft Office documents as Emotet payloads.

While Microsoft has not commented on what caused these false positives, experts believe the cause was a misconfigured behavioral detection module, which treated any behavioral similarity to Emotet as a confirmed threat rather than a warning. Unfortunately, the nuisance led to the de facto shutdown of a number of companies that decided they were victims of an Emotet attack.

Even in organizations that did not consider stopping their IT systems, administrators reported numerous problems: a huge number of documents would not open, and applications would not start. All of this interfered with normal work. Microsoft quickly released a fix to cloud-managed users of its systems, but everyone else had to wait for a downloadable patch to be released and then install it.

This incident shows that the ability to mark files as "trusted" (an allowlist of known-good files) can be very important, although it is often underestimated. This approach avoids false positives and keeps systems running even when the antivirus goes "crazy".

Coronavirus phishing exploits Omicron theme

A new wave of fear associated with the latest coronavirus strain – Omicron (COVID-19) – has become the pretext for yet another phishing campaign. According to analyses by several companies specializing in cyber defense, the number of phishing emails related to vaccination increased by at least 26%.

One such campaign, for example, targeted British citizens. The attackers sent out emails containing various alarming disinformation and links to a fake NHS website whose sole purpose is to collect personal data. In addition, victims were asked to pay for various services or sign up for a paid vaccination procedure, so that they would disclose their financial details.

In such cases, even savvy users can fall prey to phishing. Worse, such incidents can lead to the compromise of the entire corporate IT infrastructure. Therefore, companies should think again about implementing email filtering solutions, because phishing activity is growing every day!

Cuba Ransomware Operators Earned Over $44 Million

An FBI report released last month revealed the scale of the damage done by the Cuba ransomware. According to the federal agency, the attackers collected at least $43.9 million in ransom payments alone from victims who paid. This was made possible by successful attacks on 49 (publicly known) targets in five critical infrastructure sectors.

The Cuba group has been developing its ransomware for several years, attacking mainly organizations in the United States, South America and Europe. They use the Hancitor Trojan to distribute their malicious code and do not hesitate to use phishing.

Thus, to protect against this malware, it is necessary either to detect and stop the Cuba ransomware itself (and restore the encrypted files), or to block the Trojan loader and the phishing attacks that deliver it. Modern integrated cyber defense solutions do both, so owners of systems that offer "more than antivirus" should not suffer from this threat.
