Ransomware escalates, fewer victims pay

CybersecurityHQ News

Welcome, reader, to your CybersecurityHQ report

Brought to you by:

Cypago enables strategic decision making through a full Cyber GRC product suite to help you avoid business reputation impact, financial or client trust losses

—

Weekly Headlines

Chinese Hacker Indicted: Firewall Exploitation

A federal indictment unsealed in Hammond, Indiana, charges Chinese national Guan Tianfeng with conspiring to exploit a critical firewall vulnerability, CVE-2020-12271, in a 2020 campaign that hit approximately 81,000 devices worldwide. According to the indictment, Guan, an employee of Sichuan Silence Information Technology Co. Ltd., and his co-conspirators developed malware targeting firewalls sold by the UK-based security vendor Sophos.

The malware was built to steal data and, if a victim tried to remove the infection, to deploy ransomware that encrypted files on the victim's network. Affected devices included firewalls used by US government agencies and businesses.

Sichuan Silence, which is linked to the Chinese government, provided services to the Ministry of Public Security and reportedly scanned overseas networks for intelligence. The conspirators registered look-alike domains mimicking Sophos to disguise their command-and-control traffic. Sophos discovered the intrusion within about two days and pushed out a fix, which forced the conspirators to modify their malware.

The Department of Justice presented the case as part of its effort to hold China-based hackers accountable. Sophos and the FBI worked together to limit further harm, an example of the public-private cooperation the DOJ says these cases depend on. The FBI continues to investigate PRC-sponsored hacking and has asked the public for help locating Guan; the State Department is offering a reward of up to $10 million for information leading to his apprehension.

The US Treasury also imposed sanctions on Sichuan Silence and on Guan.

Gen Digital Acquires MoneyLion

In business news, Gen Digital, owner of several of the most popular antivirus products, agreed to buy the fintech company MoneyLion for $82 per share in cash, roughly $1 billion in total and about a 6.5% premium over MoneyLion's previous closing price.

How exactly does a fintech fit alongside Gen Digital's other holdings, such as Avast, Norton, LifeLock, Avira, AVG, ReputationDefender, and CCleaner? CEO Vincent Pilette said, “Gen has a family of consumer brands that's dedicated to protecting people's privacy, identity and financial assets so they can live their digital lives securely and without worry… By bringing MoneyLion into the Gen family, we're not only helping people protect what they already have, we're extending our capabilities to enable people to better manage and grow their financial wealth."

SentinelOne Misses Estimates

The cybersecurity firm SentinelOne missed Wall Street estimates for its third-quarter profits, and its share price fell about 12% after Wednesday's announcement.

Part of the gap comes from rising expectations for cybersecurity vendors. With attacks increasing and companies facing higher liabilities for breaches, investors expected SentinelOne to do better than it did, especially since Palo Alto Networks and CrowdStrike both reported strong earnings for the same quarter.

Ineffective Patch Exploited Again

A vulnerability in Cleo's managed file transfer products (CVE-2024-50623) is being actively exploited even though Cleo shipped a fix for it in October. Huntress found that the patch in version 5.8.0.21 does not actually block the attack, so fully patched Cleo Harmony, VLTrader, and LexiCom installations can still be compromised. Huntress saw exploitation begin on December 3; roughly 1,700 Cleo servers are exposed to the internet, and at least 10 organizations, in industries including consumer goods, food, and shipping, have been confirmed compromised.

After gaining access, the attackers established persistence and carried out reconnaissance, a pattern that recalls the earlier MOVEit Transfer campaign. Cleo says a new patch is expected mid-week. Until it ships, Huntress and Rapid7 recommend treating internet-exposed Cleo servers as at risk regardless of version and monitoring them for indicators of compromise.

North Korea DeFi Heist

Radiant Capital attributes the $50 million theft of October 16 to UNC4736, a North Korean threat actor. The DeFi lending protocol was hit during a routine multi-signature emissions adjustment. The intrusion began in September, when a developer received a Telegram message from someone posing as a former contractor. The message carried a zipped PDF that, once opened and shared among the team, infected multiple developers' devices with the Inletdrift backdoor.

With the backdoor in place, the attackers subverted the signing process itself: the transactions shown to the signers during verification looked legitimate, while the data they actually signed was malicious. The attackers drained $50 million from Radiant's core markets and then used the open token approvals that users had granted to the protocol to withdraw those users' funds as well. They also deployed malicious smart contracts on Arbitrum, Base, Binance Smart Chain, and Ethereum.

Radiant's post-mortem found that the signers' standard checks showed no obvious discrepancy. Mandiant attributed the operation to North Korea's Reconnaissance General Bureau, citing the tradecraft involved and the targeting of the DeFi sector.
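The failure mode above, signers trusting what the front end displays rather than the bytes actually being signed, is what an independent pre-signing check addresses. The following is an added example, not Radiant's code nor any wallet vendor's: it decodes the raw ABI calldata of a multisig transaction on a separate, trusted path and compares it with the signer's stated intent, refusing on any mismatch. The selectors for transferOwnership, upgradeTo, approve and transfer are the real first-four-bytes-of-keccak256 values; the intended emissions-adjustment function (placeholder selector deadbeef), the contract addresses and the scenario are constructed for the example, since the page does not give Radiant's actual contract calls.

```python
"""Independent pre-signing check of multisig calldata (added example; not Radiant's code).

The signer states what they intend to sign (target contract, function selector,
argument types and values). The check decodes the raw calldata that will actually
be signed and refuses on any mismatch, regardless of what a wallet UI displays.
"""

# Real selectors: first four bytes of keccak256(canonical signature).
KNOWN_SELECTORS = {
    "f2fde38b": "transferOwnership(address)",
    "3659cfe6": "upgradeTo(address)",
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}

# Calls that hand over control of a contract are never signed on UI say-so alone.
PRIVILEGED_SELECTORS = {"f2fde38b", "3659cfe6"}


def encode_call(selector_hex: str, args) -> bytes:
    """ABI-encode a call with static address/uint256 arguments only (enough here)."""
    out = bytes.fromhex(selector_hex)
    for kind, value in args:
        if kind == "address":
            out += bytes(12) + bytes.fromhex(value[2:])   # left-padded to 32 bytes
        elif kind == "uint256":
            out += int(value).to_bytes(32, "big")
        else:
            raise ValueError(f"unsupported type {kind}")
    return out


def decode_calldata(calldata: bytes):
    """Split calldata into (selector_hex, [32-byte words])."""
    if len(calldata) < 4 or (len(calldata) - 4) % 32:
        raise ValueError("calldata is not 4 + n*32 bytes")
    words = [calldata[i:i + 32] for i in range(4, len(calldata), 32)]
    return calldata[:4].hex(), words


def decode_word(kind: str, word: bytes):
    """Decode one static ABI word as the declared type."""
    if kind == "address":
        if any(word[:12]):
            raise ValueError("address word has non-zero padding")
        return "0x" + word[12:].hex()
    if kind == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported type {kind}")


def check_signing_request(intent: dict, to: str, calldata: bytes) -> list:
    """Return the reasons not to sign; an empty list means the bytes match the intent."""
    problems = []
    if to.lower() != intent["to"].lower():
        problems.append(f"target {to} is not the intended contract {intent['to']}")
    selector, words = decode_calldata(calldata)
    if selector in PRIVILEGED_SELECTORS:
        problems.append(f"{KNOWN_SELECTORS[selector]} transfers control of the "
                        "contract; confirm out of band before signing")
    if selector != intent["selector"]:
        seen = KNOWN_SELECTORS.get(selector, "unknown function")
        problems.append(f"selector {selector} ({seen}) is not the intended "
                        f"{intent['selector']}")
        return problems  # different function: argument layout is not comparable
    if len(words) != len(intent["args"]):
        problems.append(f"{len(words)} arguments, intended {len(intent['args'])}")
        return problems
    for i, ((kind, want), word) in enumerate(zip(intent["args"], words)):
        try:
            got = decode_word(kind, word)
        except ValueError as exc:
            problems.append(f"argument {i}: {exc}")
            continue
        if str(got).lower() != str(want).lower():
            problems.append(f"argument {i} ({kind}) is {got}, intended {want}")
    return problems


# Constructed scenario. "deadbeef" stands in for a hypothetical emissions-adjustment
# function; the addresses are placeholders, not real contracts.
LENDING_POOL = "0x" + "11" * 20
EMISSIONS_MANAGER = "0x" + "22" * 20
ATTACKER = "0x" + "33" * 20
INTENT = {"to": LENDING_POOL, "selector": "deadbeef",
          "args": [("address", EMISSIONS_MANAGER), ("uint256", 1500)]}


def honest_request() -> list:
    """Calldata that really is the emissions adjustment the signer expects."""
    return check_signing_request(INTENT, LENDING_POOL,
                                 encode_call("deadbeef", INTENT["args"]))


def spoofed_request() -> list:
    """What a compromised front end submits while displaying the honest transaction."""
    return check_signing_request(INTENT, LENDING_POOL,
                                 encode_call("f2fde38b", [("address", ATTACKER)]))


if __name__ == "__main__":
    print("honest request problems:", honest_request())
    for reason in spoofed_request():
        print("REFUSE:", reason)
```

The point of the design is that the comparison runs on the calldata bytes, not on a rendered description, and on a machine other than the one running the wallet front end; a compromised developer workstation can lie about what it shows, but it cannot change what the hash being signed commits to. Ownership and upgrade calls are flagged unconditionally so that a signer has to confirm them through a second channel even when they match the stated intent.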

Small Organizations Under Siege

Attacks on small municipal organizations keep surfacing across North America. The Pembina Trails School Division in Winnipeg, for instance, announced last week that it had suffered a cyber attack. Division CEO Shelley Amos said in a memo that, "Pembina Trails took immediate steps to secure its network, which included making a variety of services unavailable."

The same memo says that the division, which serves 16,000 students, was working to restore the affected services.

Only a week later, officials in Wood County, Ohio, told the public that ransomware found on the county's computer network had triggered an investigation. The county brought in data forensics consultants to determine the full extent of the attack.

Krispy Kreme Cyber Disruption

Krispy Kreme is the latest company to suffer a major cyber incident. On Wednesday, the doughnut chain disclosed that it had found unauthorized activity on some of its IT systems, which has caused significant disruption to its online ordering in the US.

The company was notified of the activity on November 29 and at that point brought in outside experts to investigate and contain it.

Ransomware Surge Targets Supply Chains

Incidents like Krispy Kreme's are on the rise, and ransomware is the worst of them. A recent Moody's report details how large the problem has become: ransomware incidents rose 70% from 2022 to 2023, and ransom demands grew along with attack volume. Part of that trend is a shift toward larger organizations in pursuit of higher payouts, with supply chain weaknesses as the favored way in.

The largest known ransom payment in 2024 reached $75 million, roughly double the previous record. Fewer victims are paying, however: only 28% paid in early 2024, compared with 85% in 2019.

The most targeted industries today are finance, technology, healthcare, and logistics, all of which are under heavy pressure to restore normal operations as quickly as possible.

The culprit, as so many of these reports now claim, is generative AI. Moody's calls it the single biggest factor in the phishing campaigns that open many of these attacks, because it makes lures both more convincing and easier to produce at scale. Zscaler reported a 58% surge in phishing attacks in 2023, the first full year after ChatGPT's release.

Microsoft Patches Zero-Day Vulnerabilities

Microsoft's December Patch Tuesday fixed more than 70 security flaws, including an actively exploited zero-day in the Windows Common Log File System (CLFS) driver, CVE-2024-49138, with a CVSS score of 7.8. The bug is a buffer overflow that lets a local attacker with low privileges escalate to SYSTEM, with no user interaction required.

Microsoft also flagged 16 critical vulnerabilities and urged immediate action on CVE-2024-49112, a remote code execution flaw in Windows LDAP rated 9.8 out of 10. Its interim mitigation is to keep domain controllers unreachable from the internet: Microsoft advises that they either have no internet access or not accept inbound RPC from untrusted networks. Other patches cover flaws in Hyper-V, Remote Desktop Services, and Microsoft Message Queuing.

So far in 2024, Microsoft has patched 1,020 vulnerabilities, 27 of them zero-days exploited before a fix was available.


Interesting Read

One of the major problems for people with a cybersecurity background is their own confidence. In a recent article for CyberNews, Ernestas Naprys addresses exactly this. Whether we'd like to admit it or not, any one of us might at some point fall for a phishing scam.

That confidence can leave us with no plan for when the unthinkable happens. So what do we do once we realize we've clicked something we shouldn't have?

It helps to have a protocol for this situation ready at hand. The article offers five easy-to-follow rules, the kind of thing that is worth reviewing yourself and worth adopting across an entire company.

So much of the emphasis is on preventing that first click, which is fine as far as it goes. But at some point, someone is going to click something they shouldn't. What then?


Stay Safe, Stay Secure.

The CybersecurityHQ Team
