News has broken that computer giant Acer has been hit by a REvil ransomware attack in which the threat actors are demanding the largest known ransom to date, $50,000,000. REvil is demanding a $50 million sum from Acer, giving the company until March 28 to send over funds before any allegedly stolen data is leaked.
While this attack on Acer may be unique in that it targeted vulnerabilities in Microsoft Exchange to trigger a massive-scale attack, this won’t be the last time we see these vulnerabilities exploited. It’s easy for cybercriminals to perform these attacks, and there is a plethora of unpatched Microsoft Exchange servers, creating a lethal combination. That said, other companies can learn from Acer’s situation and prepare before they’re hit.

There is nothing better than prevention, so it’s really important for businesses to implement solid cyber hygiene measures. This involves mitigating high- and critical-severity vulnerabilities by automating scanning and remediation processes. Not only does this paint an accurate picture of the attack surface at all times, but it reduces IT team fatigue and improves productivity. It’s also crucial that teams keep multiple copies of backups and encrypt confidential data, so they can lean on those backups to restore systems and operations. Implementing good cyber hygiene isn’t a one-and-done exercise, either; IT security teams must continuously monitor for vulnerabilities and research different attack patterns so they can fully understand their level of risk.
We have also seen a troubling trend in these large-scale attacks. The compromise of Active Directory, which is the main nerve center for delivering services to employees and applications, is being used in every attack.

Ransomware has become a global economic threat that impacts businesses of all sizes. Ransomware attackers are well resourced and equipped with sophisticated tools that used to be reserved for nation-state attackers. Many organisations are becoming victims, like these universities, and are faced with difficult decisions on whether to pay or face disruption of operations.

The situation is compounded by security defenders finding that they can no longer trust the software or security systems that they have historically relied on. A new approach to security architecture is desperately needed, though unfortunately many security teams are not gaining the executive-level support, resources, or budget to achieve it.

To stay protected, businesses must add layers of defense that include quickly detecting attacker lateral movement and privilege escalation. One of the fastest ways to better protect an organization is to obfuscate the attack surface with decoys and data concealment so that cybercriminals cannot find what they seek. A more sophisticated security posture would include adding misdirections that channel the attackers’ own momentum against them, further disrupting their ability to succeed and deterring the attack.
As evidenced by the recent SITA breach impacting the travel industry, today’s cyber attackers have become increasingly sophisticated, and their tactics have grown in complexity. This evolution has several causes, including the lengthy dwell time that attackers are leveraging for their massive attacks and supply chain weaknesses where software is explicitly trusted.

Attackers are quietly exploiting these weaknesses to change policies and create backdoors. Traditional security defenses that rely on signatures, logs, and database lookups can’t sufficiently detect lateral movement or imposters using real employee credentials. Additionally, security infrastructure has failed to detect vulnerabilities and attacks on critical infrastructure such as Active Directory. However, by focusing more on lateral movement, credential theft, and privilege escalation, organizations can still mitigate the pervasiveness of these attacks until they establish greater security.
The reported Acer ransomware attack shows that attackers use multiple campaigns to discover security weaknesses and gain a foothold in organizations. Human-operated attackers discover and compromise accounts with high privileges to move laterally and deploy ransomware organization-wide. Organizations can still get ahead of these attacks. Applying data cloaking and establishing a zero-trust architecture is critical for stopping attackers from getting deeper into the trust stack. By preventing attackers from discovering high-privilege accounts in Active Directory and denying access to files, folders, or mapped network and cloud shares, defenders ensure attackers cannot locate or access the data they seek. This serves as a powerful defense against data theft and ransomware attacks.
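The two defensive ideas raised above, detecting lateral movement and privilege escalation quickly, and planting decoy high-privilege accounts in Active Directory that no legitimate process ever uses, can both be expressed as simple detection logic over logon events. The following is an added example written for this article; it is not code from Acer, REvil researchers, or any vendor quoted here. The event format is a simplified, constructed imitation of Windows Security event 4624 fields, the decoy account names, hosts, and thresholds are assumptions, and the sample lines are constructed rather than real logs.

```python
"""Decoy-account hits and lateral-movement bursts over constructed logon events.

Added example, not from the original article. Assumptions: a simplified
4624-style line format, decoy account names planted in AD, and a
10-minute / 3-host threshold for flagging lateral movement.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). LogonType=3 is a network logon,
# the type produced when an account connects to another host over SMB/RPC.
SAMPLE_EVENTS = [
    "2021-03-19T08:01:10 EventID=4624 Account=jdoe Src=10.0.1.25 Dst=FS01 LogonType=3",
    "2021-03-19T09:40:02 EventID=4624 Account=jdoe Src=10.0.1.25 Dst=FS01 LogonType=3",
    "2021-03-19T02:03:00 EventID=4624 Account=backup_ops Src=10.0.1.99 Dst=FS01 LogonType=3",
    "2021-03-19T02:03:41 EventID=4624 Account=backup_ops Src=10.0.1.99 Dst=FS02 LogonType=3",
    "2021-03-19T02:05:12 EventID=4624 Account=backup_ops Src=10.0.1.99 Dst=HR-PC7 LogonType=3",
    "2021-03-19T02:06:55 EventID=4624 Account=backup_ops Src=10.0.1.99 Dst=DC01 LogonType=3",
    "2021-03-19T02:12:30 EventID=4624 Account=svc_backup_admin Src=10.0.1.99 Dst=DC01 LogonType=3",
    "2021-03-19T10:15:00 EventID=4624 Account=jdoe Src=10.0.1.25 Dst=WS-JDOE LogonType=2",
]

# Assumed decoy accounts: created in AD to look privileged, never used by
# anyone legitimately, so any authentication against them is a true positive.
DECOY_ACCOUNTS = {"svc_backup_admin", "da-legacy"}


def parse_event(line):
    """Turn one 'TIMESTAMP key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def decoy_hits(events):
    """Every event touching a decoy account is an alert; there is no benign use."""
    return [e for e in events if e.get("Account") in DECOY_ACCOUNTS]


def lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts that reach >= min_hosts distinct hosts via network logon
    inside any sliding window of the given length. Returns {account: hosts}."""
    by_account = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4624" and e.get("LogonType") == "3":
            by_account[e["Account"]].append(e)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        flagged = set()
        for i, start in enumerate(evs):
            # Hosts reached from this event forward, within the window.
            hosts = {e["Dst"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                flagged |= hosts
        if flagged:
            findings[account] = sorted(flagged)
    return findings


def analyze(lines):
    """Run both detections over raw lines and return a summary dict."""
    events = [parse_event(line) for line in lines]
    return {
        "decoy_accounts_touched": sorted({e["Account"] for e in decoy_hits(events)}),
        "lateral_movement": lateral_movement(events),
    }


if __name__ == "__main__":
    for name, result in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

In the constructed sample, `jdoe` repeatedly reaching a single file server is normal and stays silent, while `backup_ops` fanning out to four hosts in under four minutes is flagged, and the single logon as the decoy `svc_backup_admin` fires on its own. In a real deployment the parser would be replaced by the SIEM's event pipeline and the thresholds tuned per environment, but the shape of the two checks stays the same: a burst of distinct destinations per account, and zero tolerance for decoy-account use.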
There’s still a lot of uncertainty about the extent of the attack on Acer. Not only did the REvil operation lock down files, but they also clearly exfiltrated some portion of that data. Exfiltration before encryption is becoming increasingly popular because it gives victims two reasons to pony up the ransom: they need to both regain access to their files and attempt to prevent leaks of their data.

The most disturbing part of this incident, however, is the threat from the attackers that Acer could be the next SolarWinds. Encrypting files and exfiltrating data, even source code, wouldn’t allow them to perpetrate a SolarWinds-style supply chain attack. For that, they would need to have compromised Acer’s build or update systems.

While that seems unlikely at this point, and is probably just a scare tactic to increase the odds of getting the ransom paid, the prospect of a multi-vector attack that involves encryption, exfiltration, and exploitation is terrifying. It’s a cyber attack hat trick.