Atlantic.Net is providing this security advisory as a news item; we want to reassure our customers that Atlantic.Net does not use any of these products affected by this exploit internally or in any of our service offerings.
Over the last few days, reports have emerged of what could turn out to be the biggest ransomware demand in history. The reported victim is Acer Inc., the Taiwanese multinational tech giant that is famous for manufacturing business and personal computer hardware including laptops, computers, tablets, and visual displays.
The news began breaking on the 19th March 2020 on tech and security website Bleeping Computer. The hacking group REvil has demanded a $50 million ransom from Acer after what they claim to be a successful data breach and ransomware attack.
REvil (previously known as Sodinokibi) is believed to be a Russian-based ransomware-as-a-service operation. They have previously successfully targeted the UK HQ of motoring giant Honda, and U.S. law firm Grubman Shire Meiselas & Sacks. The Grubman breach made international news because the firm represented many famous people, including Madonna, Lady Gaga, Donald Trump, and LeBron James.
As part of the Grubman breach, legal documents were leaked as part of the extortion, but the firm sensibly never paid the ransom (unlike UK travel currency company Travelex, which reportedly paid REvil over $2.3 million).
What Do We Know About the Acer Breach?
At the time of writing, there has been no official statement from Acer Inc. If reports are to be believed, only the back-office email system was targeted at Acer and no production environments were compromised. However, REvil has given Acer 9 days to pay a $50 million ransom; this is the largest ransom ever reported, and the group has published ‘evidence’ of the successful breach on their hidden Tor website.
Despite the rise of Exchange Online and Microsoft 365 cloud services, a huge number of businesses still operate on-premises Microsoft Exchange server farms, and it is believed that the breach may have taken advantage of a recently uncovered Microsoft Exchange vulnerability. Because of the way Exchange delivers email, at least part of the network infrastructure has to be exposed to the public internet, usually in the form of a DMZ or perimeter proxy. As a result, any vulnerability in that exposed layer can expose a business to malicious actors.
On the 2nd March 2021, Microsoft scrambled to patch a “Microsoft Exchange Server Remote Code Execution Vulnerability” documented in CVE-2021-26855. The security bulletin states that Exchange 2013, 2016, or 2019 were vulnerable when running on Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, and Server 2019.
Microsoft has subsequently released a patching tool on GitHub for system administrators. The tool scans the environment to see if the infrastructure is vulnerable. If the scan confirms the system is vulnerable, the security updates are installed.
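The scanning step Microsoft's tool performs boils down to reading each server's installed Exchange build and comparing it against the fixed build for that server's cumulative-update branch. The script below, added here as an illustration and not Atlantic.Net's or Microsoft's code, shows that comparison done correctly: builds are compared numerically rather than as strings, and a server on a CU branch that received no security update is reported as exposed rather than silently treated as safe. The build-number table and the server inventory are constructed placeholders for the example; the real fixed builds must be taken from Microsoft's advisory for CVE-2021-26855.

```python
"""Assess on-premises Exchange builds against a table of fixed builds.

Added example, not code from the advisory or from Microsoft. The table holds
CONSTRUCTED PLACEHOLDER numbers; replace them with the fixed builds published
in Microsoft's advisory for CVE-2021-26855 before relying on the result.
"""
from typing import Dict, Optional, Tuple

# PLACEHOLDER table: CU branch (major.minor.build) -> minimum patched revision.
# These numbers are made up for the example and are NOT the real fixed builds.
PATCHED_REVISION_BY_BRANCH: Dict[str, int] = {
    "15.2.700": 10,   # hypothetical Exchange 2019 CU branch
    "15.2.650": 13,   # hypothetical earlier Exchange 2019 CU branch
    "15.1.2000": 9,   # hypothetical Exchange 2016 CU branch
    "15.0.1400": 12,  # hypothetical Exchange 2013 CU branch
}


def parse_build(build: str) -> Optional[Tuple[str, int]]:
    """Split '15.2.700.5' into ('15.2.700', 5); return None on malformed input."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    # Numeric parse matters: as strings, "15.2.700.9" > "15.2.700.10".
    return ".".join(parts[:3]), int(parts[3])


def assess_build(build: str) -> str:
    """Return 'patched', 'vulnerable', 'unsupported-branch' or 'unparseable'."""
    parsed = parse_build(build)
    if parsed is None:
        return "unparseable"
    branch, revision = parsed
    patched_revision = PATCHED_REVISION_BY_BRANCH.get(branch)
    if patched_revision is None:
        # A CU branch with no listed security update cannot be patched in
        # place: report it as exposed so a CU upgrade is scheduled first.
        return "unsupported-branch"
    return "patched" if revision >= patched_revision else "vulnerable"


def assess_fleet(servers: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> verdict for a {hostname: build} inventory."""
    return {host: assess_build(build) for host, build in servers.items()}


if __name__ == "__main__":
    # Constructed sample inventory for the example.
    sample = {
        "exch01": "15.2.700.10",   # at the placeholder fixed revision
        "exch02": "15.2.700.3",    # same branch, below the fixed revision
        "exch03": "15.1.1900.5",   # branch not covered by any security update
        "exch04": "15.1.2000.9",   # at the placeholder fixed revision
    }
    for host, verdict in assess_fleet(sample).items():
        print(f"{host}: {verdict}")
```

The "unsupported-branch" verdict is the one worth watching in a real fleet: a server on an older cumulative update is not covered by the security update at all, and treating a high-looking build number as "patched" is exactly the mistake a string comparison or an incomplete table invites.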
What Is the Next Move?
Unless Acer Inc. goes public, we may never know the true extent of the breach, but to demand $50 million, many expect the hacking group to hold some valuable data on the company. If not, the hackers are simply being bullish in an attempt to extort money.
With Acer being tight-lipped, this is very much a case of “wait and see.” Have they paid the ransom? Have they even been hacked? Truthfully, no one knows yet, and while some suggested evidence has been released, there is no way to validate whether it’s genuine.
If your business is concerned about cybersecurity, please feel welcome to reach out to Atlantic.Net. We are specialists in Managed Services, Cloud Hosting, and HIPAA compliance. Security of our infrastructure is of paramount importance, and we work hard to ensure we have the best security processes in place.
There is no doubt that this cyberattack will go down in history, and we feel concerned for our friends in the industry who might be affected by it. Atlantic.Net has a full suite of Managed Security Services to help you be proactive and prepare in advance for any security issues. Get in touch today.