Microsoft Exchange exploit a possible factor in $50M ransomware attack on Acer


Pictured: an Acer exhibit booth at COMPUTEX Taipei, or the Taipei International Information Technology Show. (Quintin Lin, CC BY-SA 2.0 https://creativecommons.org/licenses/by-sa/2.0, via Wikimedia Commons)

Security researchers responded Monday to news of the REvil ransomware attack on computer and electronics manufacturer Acer late last week, mostly expressing shock over the $50 million price tag and advising the computer maker not to pay.

The incident was first reported by BleepingComputer, which said the REvil cybercriminal gang (also known as Sodinokibi) announced that it had breached Acer and shared some images of allegedly stolen files as proof. The leaked images consist of documents that include financial spreadsheets, bank balances and bank communications.

A reported leak of the ransom note revealed that Acer has until March 28 to pay the $50 million ransom. If the ransom is not paid by that date, the ransom will apparently double to $100 million.

Acer still has not confirmed that it was the target of a ransomware attack, and efforts to reach the company today were unsuccessful. The company also did not confirm that REvil had executed the ransomware attack via one of its Microsoft Exchange servers, as was reportedly alleged by Vitali Kremez, CEO of Advanced Intel. However, several cyber thought leaders commented on this possibility, and on the potential connection to a series of Exchange vulnerabilities that have been exploited by multiple actors.

“The move by REvil to exploit Exchange against big targets makes sense as these vulnerabilities are so easy to exploit and provide the initial access ransomware affiliates need,” said Chad Anderson, senior security researcher at DomainTools. “That said, this ransom demand is especially huge and outside the mean for REvil affiliates. As always, we would encourage Acer to not pay the ransom, despite evidence of private financial documents on the REvil leaks site.”

Oliver Tavakoli, CTO at Vectra, said it is expected that the recently disclosed Microsoft Exchange Server vulnerabilities, collectively known as ProxyLogon, will continue to be leveraged by a number of actors with varying objectives over the coming weeks and months.

“Targeted ransomware actors like REvil will see this as a particular boon as the many bespoke steps of an attack (infiltration, reconnaissance, gaining access to valuable data) can be short-circuited with a direct attack on an organization’s Exchange server,” Tavakoli said. “The size of the ransom request comes down to threat actors testing the market with a fantastical opening gambit – I would guess that Acer would either pay no ransom or would negotiate a much reduced amount.”

Ivan Righi, cyber threat intelligence analyst at Digital Shadows, said the REvil ransomware group has become known for its high monetary demands, with a recent example being the $30 million ransom it tried to extort from Dairy Farm in February 2021. Righi said it’s not known if any of REvil’s victims have paid these exorbitant demands, although it’s unlikely.

“The large demand suggests that REvil likely exfiltrated information that’s highly confidential, or information that could be used to launch cyber attacks on Acer’s customers,” Righi said.

Jeff Barker, vice president of product marketing at Illusive, added that all of the recent high-profile attacks, this one on Acer included, demonstrate that every organization needs to adopt an “assume compromise” security posture and ensure they are taking adequate measures to reduce risk that attackers can move laterally without detection. “We recommend that organizations assess the ransomware risk for their current environment and take steps to eliminate the unnecessary credential, connection, and pathway information that makes reconnaissance and movement too easy for the attackers,” Barker said. “At-risk organizations would benefit from preparing for and executing a four-step ‘shake the tree’ lateral movement hygiene and detection exercise: assess and improve credential and pathway hygiene; ensure lateral movement detection strategy and required controls are functioning properly; reset privileged account passwords; and monitor lateral movement to spot attacker propagation in the environment.”