Ransomware payments plunged in 2022, malware hidden in blank images and more.
Welcome to Cyber Security Today. It’s Friday, January 20th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsDay.com in the U.S.
The amount of money collected by ransomware gangs last year dropped significantly compared to 2021. That suggests victim companies and governments are refusing to pay attackers — or are refusing to pay as much as they did in previous years. According to researchers at Chainalysis, data they can get hold of says ransomware gangs collected at least US$457 million in 2022. That compares to about US$765 million in each of the previous two years. That’s a 40 per cent drop. The real payout numbers, researchers admit, are much higher. However, the data suggests crackdowns by police and tough cyber insurance requirements may be having an effect.
Meanwhile, ransomware attacks continue. Yum! Brands, which operates Kentucky Fried Chicken, Pizza Hut, Taco Bell and other food outlets, said this week it had to close around 300 restaurants in the U.K. for a day after a ransomware attack. Data was taken, but the company doesn’t think any customer information was copied.
Have you heard of Kudu? Few IT people have, but it’s a source control management console for deploying applications on Microsoft’s Azure cloud service. A few months ago researchers at Ermetic discovered a serious vulnerability in Kudu that could have allowed an attacker to deploy malware. Thanks to their warning, Microsoft fixed the bug in December. But it’s also a warning to IT administrators to understand all of the on-premise and cloud tools in their environment. Access to those with management capabilities — like Kudu — must be restricted to only those who need it and by strong login protection like hardware-based multifactor authentication.
Imaginative hackers have found a new technique for evading defences. They’re placing blank malicious images on web pages they want victims to go to. According to researchers at Avanan, the victim gets an email with a link to a document they are asked to read and sign through the DocuSign service. There’s an attachment that displays an image of the document. If the victim follows good security and hovers over the link, it shows a legitimate DocuSign page. However, if the victim clicks on the attachment to read it, they don’t realize there’s an empty image underneath that hides JavaScript that automatically pulls in a malicious web page. Then the victim’s computer gets infected. IT administrators should consider blocking HTML attachments in emails. Employees have to be reminded to be suspicious of email and text messages with attachments.
Ireland’s Data Protection Commission — which acts for the entire European Union — has levied its third fine against a service of Meta. This time it’s WhatsApp, which has been fined the equivalent of $8 million for not being clear to users how their personal data is being used. This comes after the commission fined Facebook and Instagram earlier this month the equivalent of $568 million for requiring users to accept its new privacy notice. That notice says their personal data will be used for targeted advertising. Meta is appealing all three rulings.
Finally, attackers this week managed to disrupt an online version of the Le Mans 24 hours race where famous racing drivers were participating for prize money. Two-time Formula 1 champion Max Verstappen was knocked offline and out of contention. According to security reporter Graham Cluley, several other drivers had connectivity problems. Organizers said the servers running the race suffered a suspected security breach.
Later today the Week in Review edition will be out. This week guest commentator David Shipley and I will discuss hacks at Mailchimp, CircleCI, the theft of a Nissan customer database from an outside application developer and why we put up with application vulnerabilities.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing.