Cyber Security Headlines: Ransomware revenue falls, Vice attacks university, Android Hook malware

Ransomware revenue falls by $300 million in 2022 as more victims refuse to pay

According to a new report from blockchain research firm Chainalysis, the fall was from $765.6 million in 2021 to $456.8 million last year. The report attributed the drop to a variety of factors, most notably that more victims are simply refusing to pay up when threatened by criminal groups. The report’s researchers spoke with several ransomware experts to check whether their theory was correct. Michael Phillips, chief claims officer of cyber insurance firm Resilience, confirmed that several “meaningful disruptions” were driving the downturn in ransomware revenue including Russia’s invasion of Ukraine and law enforcement actions against ransomware gangs that included arrests and the seizure of ransoms. 

(The Record)

Vice Society claims ransomware attack against University of Duisburg-Essen

The threat actor Vice Society has claimed responsibility for November’s ransomware attack against the University of Duisburg-Essen in Germany and has reportedly published some stolen data on the dark web. The university made the announcement over the weekend, saying the data publication resulted from the university not complying with the attackers’ ransom demands. It added that immediately after the attack was discovered, the university shut down the entire IT infrastructure and disconnected it from the network, meaning the criminal organization would have only obtained a limited amount of data.

Android users beware of new Hook malware with RAT capabilities

The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook, which introduces new capabilities to access files stored on the device and to create a remote interactive session. ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork advertised for sale at $7,000 per month. It features all the capabilities of its predecessor and, in addition, adds Remote Access Tooling (RAT) capabilities without the need for additional channels.

(The Hacker News)

Over 4,000 Sophos Firewall devices vulnerable to RCE attacks

In September, Sophos disclosed this code injection flaw (CVE-2022-3236) found in the User Portal and Webadmin of Sophos Firewall, and also released hotfixes for multiple Sophos Firewall versions. Official fixes were issued three months later, in December. The company warned at the time that the RCE bug was being exploited in the wild in attacks against organizations from South Asia. The September hotfixes rolled out to all affected instances (v19.0 MR1/19.0.1 and older) since automatic updates are enabled by default — unless an administrator disabled the option.

(Bleeping Computer)

Thanks to this week’s episode sponsor, Cerby

Did you know that over 60% of the cloud applications used by your company don’t support identity standards like single sign-on? And that these applications are the leading cause of breaches? Cerby can help.

Cerby discovers new applications, eliminates manual security tasks like offboarding, and addresses misconfigurations like disabled 2FA while increasing employee productivity. Wait. A security tool that increases productivity? Yup. Learn more at

Microsoft investigates bug behind unresponsive Windows Start menu

Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems. Other reported issues include the Windows Start Menu not appearing when clicked, apps failing to launch, the Windows Search feature being broken, and errors while trying to log into Azure Active Directory (Azure AD) to activate Office 365 apps. Similar issues happened in the past and were originally thought to be connected to the ClickShare app; Microsoft sent a statement two months later acknowledging that its own software was breaking permissions for the affected apps, causing unresponsiveness and connection issues. This time around, too, Microsoft believes the cause to be its own software.

(Bleeping Computer)

Russia-linked drug marketplace Solaris hacked by rival

This is according to research released this week by blockchain analysis firm Elliptic. Users who tried to access Solaris after January 13 were redirected to the recently-launched Russian language drug marketplace known as Kraken, which claimed to have successfully taken over Solaris’ infrastructure, GitLab repository, and project source code. Elliptic added that no activity has been tracked in Solaris-affiliated bitcoin addresses since January 13.

(The Record)

Too many admin1234 passwords still exist in industrial systems, research finds

According to research released Wednesday, operators of critical infrastructure companies aren’t updating off-the-shelf security credentials in internet devices connected to industrial systems. Roya Gordon, security research evangelist at Nozomi Networks, a cybersecurity firm that specializes in industrial security, said, “We’re seeing a lot of the ‘admin1234,’ meaning that [hackers are] still going to be using default credentials in hopes that no one is changing them for IoT devices — which is pretty accurate.” The White House is expected to release an updated national cybersecurity strategy in the coming weeks and the administration is likely to call for mandatory cybersecurity rules for particularly vulnerable industries, according to The Washington Post.

ChatGPT changes the phishing game

The rise of OpenAI’s ChatGPT chatbot has raised all types of alarm flags in the business, academic, and cybersecurity communities, and we at Cyber Security Headlines have been covering examples of its versatility such as writing malicious code. But as Maria Korolov writes in CSO Online, it is also being used to craft highly convincing and grammatically correct phishing emails. In her article she shows how the phrase “im tom. writing letter to becky. i send her excel file to open. veyr important bizness content,” with almost every word spelled incorrectly, is converted into a clear and grammatically correct request, with versions offered in more – or less – casual, formal, or urgent tones. The article concludes with some revamped and updated anti-phishing strategies for the age of AI and is available at CSO Online. A direct link is available in our show notes.