26th March 2021 | Asia Cyber Summary

Updated: May 19

BLACKPANDA FEATURE


WEBINAR | What is Cyber Insurance? Who needs it, what it covers, and how you can apply. 31 March 2021 | 2:00 pm HKT


Join Struan Todd, Vice President of Underwriting at Pandamatics Underwriting, and Gene Yu, Blackpanda Co-founder and CEO for an informative webinar discussion on the value of cyber insurance to modern businesses. Register for the webinar here.


In the Spotlight This Week

  • Computer giant Acer hit by USD 50M ransomware attack

  • Ransomware attack halts production at Sierra Wireless

  • Top insurer CNA disconnects systems after cyber attack

  • Trojan program on fake Clubhouse website

  • Purple Fox malware evolves


Computer Giant Acer Hit by USD 50M Ransomware Attack


Computer giant Acer has been hit by a REvil ransomware attack in which the threat actors are demanding USD 50M, the largest known ransom demand to date. The gang announced on its data leak site that it had breached Acer and posted images of allegedly stolen files as proof, including financial spreadsheets, bank balances, and bank communications.


The attackers offered a 20% discount if payment was made by Wednesday; in return, the gang would provide a decryptor and a vulnerability report, and delete the stolen files. The REvil operation also left Acer a cryptic warning "to not repeat the fate of the SolarWind."



Ransomware Attack Halts Production at Sierra Wireless


On March 20, Sierra Wireless, a multinational manufacturer of Internet of Things (IoT) devices, halted production at its manufacturing sites after a ransomware attack on its internal IT systems. Internal operations were also disrupted by the attack.


The company says the impact of the attack is limited to internal Sierra Wireless systems and that customer-facing products have not been affected. After discovering the attack, the company said it implemented counter-measures in accordance with established cybersecurity procedures developed alongside third-party cybersecurity advisors, who are also assisting in the investigation.



Top Insurer CNA Disconnects Systems After Cyberattack


CNA, one of the largest U.S. providers of cyber insurance, is responding to a cyberattack that prompted it to disconnect its systems from its network. The company said it discovered the intrusion on March 21, that it is working with forensic experts to determine the scope of the incident, and that it has notified law enforcement. If policyholder data proves to have been accessed, it could be used as leverage in follow-on extortion attempts against CNA's own customers.


The ramification of ransomware or other threat actor activity against CNA is that the attackers may now know which companies have applied for insurance with CNA, which have actually purchased it, what coverage they hold (including coverage for cyber extortion or ransomware), and the limits and deductibles of those policies. That is precisely the information an extortionist needs to price a ransom demand to what a victim's policy will pay.



Trojan Program on Fake Clubhouse Website


Hackers are targeting users eagerly awaiting the Android version of the popular audio-centric app Clubhouse. According to antivirus vendor ESET, cybercriminals are exploiting Clubhouse's popularity to lure people into installing malware.


ESET malware researchers found a Trojan distributed from a fake Clubhouse website that looks identical to the real site and purports to offer an Android version of the Clubhouse app from the Google Play Store; no such Android app exists yet.


Analysis shows that if a user installs this fake Clubhouse app, the "BlackRock" banking Trojan attempts to steal login credentials for more than 450 apps and services, including Amazon, Netflix, Outlook, and Facebook, by overlaying fake login screens, and can intercept SMS messages to bypass SMS-based two-factor authentication.



Purple Fox Malware Evolves


An upgraded variant of the Purple Fox malware with worm capabilities is being deployed in a rapidly expanding campaign. Purple Fox, first discovered in 2018, previously relied on exploit kits and phishing emails to spread. A new campaign observed over the past several weeks adds a further propagation method: indiscriminate port scanning for exposed Server Message Block (SMB) services, followed by authentication attempts using weak passwords and password hashes. The malware targets Microsoft Windows machines and repurposes compromised systems to host its payloads. Infection chains may begin with a vulnerable internet-facing service such as SMB, a browser exploit delivered via phishing, a brute-force attack, or delivery through an exploit kit such as RIG (RIG is an exploit kit, not a rootkit; Purple Fox itself carries a rootkit component). As of now, close to 2,000 servers have been hijacked by the Purple Fox botnet operators.
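The two behaviours that make this propagation method visible on a network are a single source opening TCP/445 to many hosts in a short window, and a burst of SMB authentication failures from one source to one host that eventually ends in a success. As an added example (not code from the original newsletter or from the research it summarises), the following Python script runs both checks over a small, constructed log. The one-line-per-event log format, every address and timestamp, and the thresholds (10 hosts in 60 seconds, 5 failures) are assumptions made for the example.

```python
"""Flag Purple Fox-style SMB propagation in connection and authentication logs.

Two behaviours from the campaign description are checked independently:
  1. scanning: one source opening TCP/445 to many distinct hosts in a short window
  2. weak-credential abuse: repeated SMB auth failures from one source to one host,
     optionally followed by a success from the same source
The log format, addresses, timestamps and thresholds are constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed telemetry, one event per line: "<ISO time> <src> <dst> <dport> <event>"
# event is one of: conn (TCP connect observed), auth_fail, auth_ok
SAMPLE_LOG = "\n".join(
    # 10.0.0.5 sweeps twelve hosts on 445 within three seconds...
    [f"2021-03-22T10:00:0{i // 5} 10.0.0.5 10.0.1.{i} 445 conn" for i in range(1, 13)]
    # ...then guesses credentials against 10.0.1.3 until one works
    + [f"2021-03-22T10:00:{10 + i} 10.0.0.5 10.0.1.3 445 auth_fail" for i in range(6)]
    + [
        "2021-03-22T10:00:16 10.0.0.5 10.0.1.3 445 auth_ok",
        # a workstation using the file server normally, with one mistyped password
        "2021-03-22T10:05:00 10.0.0.9 10.0.1.20 445 conn",
        "2021-03-22T10:05:01 10.0.0.9 10.0.1.20 445 auth_fail",
        "2021-03-22T10:05:05 10.0.0.9 10.0.1.20 445 auth_ok",
        # an admin host touching three servers: legitimate, below the scan threshold
        "2021-03-22T10:06:00 10.0.0.7 10.0.1.30 445 conn",
        "2021-03-22T10:06:01 10.0.0.7 10.0.1.31 445 conn",
        "2021-03-22T10:06:02 10.0.0.7 10.0.1.32 445 conn",
        # non-SMB traffic is ignored by both detectors
        "2021-03-22T10:06:03 10.0.0.7 93.184.216.34 443 conn",
    ]
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, kind = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "dport": int(dport), "event": kind})
    return events


def find_smb_scanners(events, min_hosts=10, window=timedelta(seconds=60)):
    """Return {src: peak distinct SMB targets within `window`} for sources at or over min_hosts."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == SMB_PORT and e["event"] == "conn":
            by_src[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        in_window = Counter()  # distinct destinations currently inside the sliding window
        left, peak = 0, 0
        for ts, dst in conns:
            in_window[dst] += 1
            # evict connections that fell out of the window
            while ts - conns[left][0] > window:
                old = conns[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            hits[src] = peak
    return hits


def find_smb_bruteforce(events, min_failures=5):
    """Return sorted (src, dst, failures, succeeded_after) tuples for pairs at or over min_failures."""
    failures = Counter()
    succeeded = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["dport"] != SMB_PORT:
            continue
        key = (e["src"], e["dst"])
        if e["event"] == "auth_fail":
            failures[key] += 1
        # a success only counts as suspicious if it follows a burst of failures
        elif e["event"] == "auth_ok" and failures[key] >= min_failures:
            succeeded.add(key)
    return sorted((src, dst, n, (src, dst) in succeeded)
                  for (src, dst), n in failures.items() if n >= min_failures)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SMB scanners:", find_smb_scanners(evs))
    print("SMB brute force:", find_smb_bruteforce(evs))
```

In a real deployment the `conn` events would come from firewall or Zeek connection logs and the `auth_fail`/`auth_ok` events from the target hosts' Windows Security log (event 4625 with logon type 3 for failed network logons, 4624 for successes); the thresholds are a starting point and should be tuned to the environment, since backup servers and vulnerability scanners legitimately touch many hosts on 445.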



Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.