In the biggest ever ransomware attack, hackers have demanded $50 Million from Acer. According to reports, hackers have accessed Acer’s financial documents compromising Microsoft Exchange Server vulnerability. The REvil group which attacked Travelex last year is said to be behind this attack.
Below are the comments from top industry experts.
Morey Haber, CTO and CISO at BeyondTrust
With the endless barrage of ransomware attacks continuing to make news, security professionals are beginning to reshape the security conversation with management and the Board of Directors. Now instead of asking for additional funding to purchase and implement security solutions, the message to the C-suite is more direct, we will be hacked, and we will experience ransomware at some point.
For example, security professionals are now saying that their best defence is to have a proper plan to handle it when it does occur. This includes well-rehearsed incident response plans and breach notification procedures.
In addition to making it clear that being attacked is a matter of when, rather than if, the messaging also calls for ensuring cyber insurance is up-to-date and that back-ups and external legal counsel are all available to help with the clean-up. In this age, it is impossible to protect against all attack vectors that could lead to ransomware and other types of hacking attempts. Security teams can build the best defence possible, but need to have appropriate response steps in place, because it can happen to anyone, and at any time.
As Acer has now become the latest victim, and the ransomware is allegedly $50 Million, these extra steps are now more important than ever before.
Morgan Wright, Chief Security Advisor at SentinelOne
The initial reporting indicates that Acer may have been compromised by exploiting the known vulnerabilities in the on-premise Microsoft Exchange server. The exploit was recently used by threat actors from China called Hafnium. The exploit then became known in the criminal community and turned into a vector of intrusion for the delivery of the ultimate payload. In this case it was ransomware.
Once information about the zero-day exploit becomes known, the race is on to build the countermeasures, patches, and get them to vulnerable customers in time. On the other hand, once the patch has been published, it is up to the end user to apply and test the patch.
Many criminal organisations, like REvil, do not have the financial or technical resources to conduct the kind of long-term development that nation states have. To put this in perspective, Brad Smith, President of Microsoft, told the US Senate Select Intelligence Committee that conservatively it would have taken at least 1,000 engineers to architect and deploy the software, tactics, and techniques in the SolarWinds attack.
Criminal organisations will never be first to market with novel exploits developed by nation states. The danger is they will always be a fast second.
Paul Baird, Chief Technology Security Officer at Qualys
The reported attack on Acer shows the significant cyber threat that all businesses and organisations are facing today. The discounted $50 Million ransom is the highest demand we have ever seen. As a result of the high ransomware, it is easy to speculate that the high fee may indicate the severity of the breach.
There have been some suggestions, although not yet confirmed by Acer, that the attack exploited the new Microsoft Exchange vulnerability. The patch for this flaw was made available on March 2 with reports indicating the breach occurred three days later. If this is how REvil gained access, it suggests Acer had not yet installed the issued patch.
When new vulnerabilities are found and patches issued, it is vital to act fast around vulnerable applications and infrastructure. Secondly, teams should conduct continuous scans for potential issues to minimise risks. This works well provided organisations have a consistent and up to date asset inventory to reference, which is not always the case.
When attack claims begin to surface online, speculations quickly follow. If a business can address those reports swiftly, they can reduce concerns from customers, shareholders, suppliers, and the security community. Being honest and factual can help everyone know what is taking place, as well as show other companies how to address those same problems. In these instances, businesses should try to be as proactive and transparent as possible by issuing a prompt, factual and detailed response. Without this, rumours continue and reputations can be irreparably damaged.
Sam Curry, CSO at Cybereason
The reported Acer breach is yet another reminder that threat actors are like extortionists. With a $50 Million ransom demand, they are trying to triangulate the right price, so to speak. This will be done based on what they think the value of the denied data and computing is worth. As with pricing on the legitimate side of the business world, this is about leaving no money behind and understanding the customer, or in this case, the victim. Previous payments by companies are a big guide, as is estimated cash flow impacted, ability to pay, value of data or services denied and so on.
As for reports that the bad guys offered a 20% discount to Acer, let us remember the adversaries are not nice people trying to give anyone a break. They are ruthless and maniacal. As for negotiation, the FBI and authorities will advise you never to pay.
However, step one is to involve your legal counsel and possible insurance partners and to let the authorities know and make sure that it is legal to pay them at all. Step two is to determine the risk equation if you can, and every organisation must decide, in the interests of its shareholders and customers, the right course of action. Leadership is a hard thing; and I would counsel all leaders not to pay if it is at all possible.
However, until legislation comes out that makes such behaviour illegal, it remains an internal decision that each company needs to make carefully. My suspicion is that it should not be paid always, but in some cases that could mean going out of business, loss of life, or even threats to the health and safety of large groups of people.
For Acer, Travelex, Garmin, Hyundai, Kia, and other companies impacted by recent ransomware attacks, simply recovering does not solve everything. You must be careful to destroy as little forensic evidence as possible to know what really happened and to avoid re-infection. Also, you need a record of what happened during down time and recovery to ensure breaches have not occurred, to avoid follow on issues, and to limit liability to what really happened.
The goals here include getting operational in as little amount of time as possible but that just one of many important goals. Also, keep in mind that backups can be compromised as can failover and redundancy plans. The bad guys are learning how recovery is done and are developing more insidious operations to infect those too.
Defenders can take the high ground when it comes to preventing future ransomware attacks, but it takes security maturity to do this. Companies must engage in programmes that do all the following:
- Minimise the impact and likelihood of ransomware
- Deploy prevention and recovery technology
- Get the right insurance in place
- Plan contingencies and ensure continuity of security operations
All of this must be tested, regularly, and improved; and this involves all the departments of the organisation from legal to marketing to finance and IT.
Gregory Cardiet, Security Engineering Director, EMEA at Vectra AI
Sodinokibi or REvil is a very common ransomware, usually widely detected by AV software as its signature is rather known. Traces have been found on Microsoft Exchange servers that the malware has been pushed on to.
We are now in a second phase of an attack, where the speed of Exchange servers that are going to be infected by malicious actors are going to be discovered at an increased pace. On daily or hourly basis, companies of all sizes are going to be in the news for having an Exchange hack. This second wave of attack was already predictable. Back when the vulnerability was disclosed, we anticipated the following scenario:
- Attacker finds vulnerability
- Attacker writes exploit
- Attacker uses exploit
- A defender detects use of exploit
- The defender reports exploit to appropriate software vendor
- Software vendor produces patch
- Vendor sends out communication about the vulnerability, exploit and patch
- All other attackers try for a land grab, opportunistically using the exploit to compromise systems without a clear intent to use before all systems are patched
- Most target systems are eventually patched
- Most people try to clean out their infrastructure and will know much later if they have been affected by a more silent offender
Steps 1-7 are already done, and the rest are in the current phase. It is expected that steps 8 and 10 is where we will see the most focus in the coming days and weeks, and that together, these will create the most significant damage.
Venu Vissamsetty, VP Security Research, Attivo Networks
The reported Acer ransomware attack shows that attackers use multiple campaigns to discover security weaknesses and get a foothold into organisations. Human-operated attackers discover and compromise accounts with high privileges to move laterally and deploy ransomware organisation-wide.
Organisations can still get ahead of these attacks. Applying data cloaking and establishing a zero-trust architecture is critical for stopping attackers from getting deeper into the trust stack. By preventing attackers from discovering high privilege accounts in Active Directory and denying access to files, folders, or mapped network and cloud shares, attackers cannot locate or access the data they seek. This serves as a powerful defence against data theft and ransomware attacks.
This is a developing story. We will keep publishing comments and updates, so go ahead bookmark this link.