Morphisec Cybersecurity Blog

Security News in Review: REvil Attacks Laptop Maker Acer; Black Kingdom Ransomware Targets Unpatched Exchange Servers

Written by Matthew Delman | March 27, 2021 at 12:30 PM

In this week’s edition of Security News in Review, there are new stories about the ransomware attack that locked up Acer’s computer systems, insight into how many Microsoft Exchange servers remain unpatched, and some theorizing on whether takedowns of cybercrime networks are valuable.

Read on for the news, and let us know if we missed anything. 

REvil continues ransomware attack streak with takeover of laptop maker Acer -- Computer manufacturer Acer was taken down by a ransomware attack on Monday this week. REvil claimed responsibility for the attack on Friday by posting financial documents and bank forms from the Taiwanese manufacturer. Acer has yet to confirm or deny that its systems were taken down by ransomware, but the reported demand of $50 million is now the highest ransom ever reported.

REvil Ransomware Can Now Reboot Infected Devices -- The REvil ransomware gang has added the ability to reboot an infected machine after encryption, according to security researchers. REvil added two new commands--AstraZeneca and Franceisshit--that operate around Windows Safe Mode, which the operators use to reach the Windows device’s startup screen. AstraZeneca runs the ransomware sample in Safe Mode, and Franceisshit lets the computer start in normal mode again after the next reboot. While not a new approach, it is unusual, and REvil can likely use it to evade detection-centric security tools, which may not be running in Safe Mode.

Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers -- According to reporting from The Hacker News, 92% of all on-premises internet-facing Microsoft Exchange servers have deployed the patches for the Exchange vulnerabilities. This is a 43% improvement from a week ago. It’s critically important that companies patch their Exchange servers as soon as they can--no fewer than 10 advanced persistent threat groups are actively using attacks based on the Exchange flaws as of this writing. At least two different strains of ransomware--DearCry and Black Kingdom--also currently leverage the flaws.

Brute-Force Campaign on Windows SMBs Spreads Worming Malware -- Internet-facing Windows devices are being targeted by Purple Fox, a wormable malware, through brute-force attacks, according to security researchers. After recent updates, Purple Fox is now able to spread through indiscriminate port scanning and active exploitation of exposed SMB services, such as those protected by weak hashes or passwords, according to reporting at Health IT Security.

Hades Ransomware Targets 3 US Companies -- According to the cyberthreat intelligence group at Accenture, an unknown threat actor has targeted three U.S. companies using the Hades ransomware. The three unidentified companies are in the transportation, consumer products and manufacturing sectors, and all have revenues of over $1 billion. According to the report, “Based on the intrusion data from incident response engagements, the [Hades] operators tailor their tactics and tooling to carefully selected targets and run a more ‘hands on keyboard’ operation to inflict maximum damage and higher payouts.”

'Like playing whack-a-mole': Do cyber-crime crackdowns have any real impact? -- Disruptions of Emotet and Trickbot in the past 12 months have raised the question of whether law enforcement actions against cybercrime networks have any substantive impact on the threat of attack. The macro answer, writes Danny Palmer in ZDNet, is that some other threat actor will always come in to fill the gap. That said, there is always the chance that lower-level cybercriminals will be scared away from getting involved as takedowns continue. 

Microsoft Offers Up To $30K For Teams Bugs -- Microsoft has started to offer substantial bug bounties for vulnerabilities in its Teams collaboration application. The company is offering the maximum amount--$30,000--for bugs that have the greatest potential to expose user data.