Ransomware Payments Reach Record Highs in 2024, North Korea Exploits Windows Zero-Day to Install Advanced Malware, Toyota Discloses Massive Data Breach After Stolen Data Leaked Online and don’t get smug about Mac security if you are using Microsoft’s office suite.
Welcome to Cyber Security Today for Wednesday, August 21st. I’m your host, Jim Love.
Ransomware payments have reached staggering new heights in 2024. According to the latest report from blockchain analysis firm Chainalysis, ransomware victims have already paid $459.8 million to attackers in the first half of this year.
That puts 2024 on track to be the highest-grossing year yet for ransomware, with payments set to surpass the previous record of $1.1 billion set in 2023.
The largest single ransomware payment ever recorded was around $75 million, paid to the “Dark Angels” ransomware group by a Fortune 50 company in the first quarter of 2024. The Chainalysis report states “2024 has seen the largest ransomware payment ever recorded at approximately $75 million to the Dark Angels ransomware group. A clear indicator that ransomware actors target bigger organizations is a significant increase in the median ransom payment.”
Meanwhile, the median ransom payment has spiked dramatically, from just under $200,000 in early 2023 to a staggering $1.5 million in mid-2024.
Cybersecurity experts attribute this surge to ransomware groups shifting their tactics. Rather than carrying out numerous high-profile attacks, they are now focusing on targeting larger organizations that are more likely to pay hefty ransoms to avoid costly disruptions and data breaches.
While the overall number of confirmed ransomware attacks has only grown by 10% year-over-year, the cybercriminals are clearly reaping bigger rewards from their victims. This “big game hunting” strategy appears to be paying off handsomely for the ransomware syndicates.
Chainalysis notes that fewer organizations are succumbing to the extortion demands, suggesting that awareness and resilience against ransomware may be improving. But with record-breaking payouts still occurring, it’s clear that the fight against this persistent threat is far from over.
As we head into the second half of 2024, cybersecurity experts will be closely watching to see if this ransomware bonanza continues, or if increased defenses and law enforcement efforts can finally start to turn the tide.
And before we presume that small organizations are in the clear, let’s wait until we see some data on that.
Sources include: Bleeping Computer and Chainalysis
In a concerning development, researchers have uncovered evidence that hackers working for the North Korean government exploited a recently patched Windows zero-day vulnerability to install a highly sophisticated piece of malware known as FudModule.
The vulnerability, tracked as CVE-2024-38193, was one of six zero-days – meaning vulnerabilities known or actively exploited before a patch was available – that were fixed by Microsoft last month.
Microsoft warned that the vulnerability, a “use-after-free” bug in the Windows kernel, could be exploited to give attackers system-level privileges, the highest level of access on the system.
The security firm Gen reported that the threat actors behind these attacks were part of Lazarus, a hacking group tied to the North Korean government.
Lazarus used the zero-day exploit to install FudModule, a highly advanced rootkit malware discovered and analyzed by security researchers in 2022.
Rootkits like FudModule can hide their files, processes, and other components from the operating system, allowing them to bypass security defenses and maintain deep control over the infected system.
Earlier this year, a newer variant of FudModule was found to bypass key Windows security features like Endpoint Detection and Response and Protected Process Light.
Interestingly, Microsoft took six months to patch the vulnerability after it was privately reported, allowing Lazarus to continue exploiting it during that time.
The researchers noted that the FudModule malware is both sophisticated and resource-intensive, potentially costing “several hundred thousand dollars on the black market.” This type of attack specifically targets individuals and organizations in sensitive fields, such as cryptocurrency engineering and aerospace, in order to gain access to their networks and steal valuable data or assets.
It’s not a far leap to think that this exploit was used against large organizations, potentially engineering and aerospace, but how much damage was done before the patch or might continue in the future due to the opening made by this rootkit? We may never know.
Sources include: ArsTechnica
Toyota has confirmed a data breach after a hacking group known as ZeroSevenGroup leaked 240 gigabytes of stolen data from the automaker’s systems on a cybercrime forum.
The threat actor group boasted of obtaining a trove of data covering “everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data.”
Toyota has acknowledged the incident, but has attempted to downplay its significance, stating that the “issue is limited in scope and is not a system wide issue.”
However, the sheer volume of data stolen – 240 gigabytes – suggests this was a substantial breach impacting a wide range of Toyota’s operations and sensitive information.
This is not the first time Toyota has faced a data breach. In late 2023, the company’s financial services division disclosed an incident that exposed customer names, addresses, and financial details.
That earlier breach was claimed by the Medusa ransomware gang, who demanded a multi-million dollar ransom to delete the stolen data, reportedly 8 million dollars plus 10,000 dollars a day for each day after their initial deadline.
Some security experts believe the ZeroSevenGroup may have exploited vulnerabilities in Toyota’s network infrastructure to gain initial access and carry out this latest large-scale data theft. Popular cybersecurity expert Kevin Beaumont first proposed that Toyota’s German operation had a vulnerable Citrix Gateway exposed online and that threat actors could have exploited the Citrix Bleed vulnerability to gain initial access to the company’s network.
This incident underscores the ongoing threat that organizations face from sophisticated cybercriminal groups seeking to monetize stolen data and intellectual property. Toyota’s delayed response and downplaying the scope of the breach is unlikely to reassure impacted customers and employees whose sensitive information may now be circulating on the dark web.
Sources include: Security Affairs
A vulnerability has been discovered in Microsoft’s suite of productivity apps for macOS, which could allow hackers to gain unauthorized access to users’ cameras and microphones.
Security researchers from Cisco Talos uncovered a total of 8 flaws across various Microsoft apps, including:
- Microsoft Outlook
- Microsoft Teams
- Microsoft PowerPoint
- Microsoft OneNote
- Microsoft Excel
- Microsoft Word
The vulnerabilities could allow an attacker to inject malicious code into these Microsoft apps, bypassing the robust security controls built into macOS.
Normally, macOS has strong safeguards in place to prevent apps from accessing sensitive user data and resources without explicit permission. This includes features like Discretionary Access Control and Transparency, Consent and Control.
However, the issues found in Microsoft’s implementations of these security mechanisms create a dangerous loophole. Attackers could exploit these flaws to gain unauthorized access to a user’s camera, microphone, and other protected system resources.
Michael Covington, VP of strategy at security firm Jamf, explains the broader implications:
“Microsoft’s apps were found to disable checks on third-party libraries being loaded. This is a noteworthy flaw in apps that naturally require permissions to Apple’s controlled resources, like the camera or microphone, because users are inclined to grant such permissions to collaboration tools like Microsoft Teams or logging tools like OneNote.”
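The loophole described above, and in the Jamf quote, comes down to a combination: an app that asks the user for camera or microphone permission while also turning off Apple’s check on the libraries it loads. That combination is something a Mac administrator can audit. The script below is an added example, not code from the podcast, Cisco Talos or Microsoft. It parses an app’s code-signing entitlements and its Info.plist (both as XML property lists) and flags apps that carry the real Apple entitlement `com.apple.security.cs.disable-library-validation` together with a camera or microphone usage description. The two apps it checks, “ExampleCollab.app” and “ExampleEditor.app”, are constructed sample data, not real products.

```python
import plistlib

# Real Apple entitlement key: when true, the app will load third-party
# libraries that are not signed by the same team or by Apple.
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Real Info.plist keys an app must declare before TCC will prompt the user
# for the corresponding resource. Their presence shows the app intends to ask.
SENSITIVE_USAGE_KEYS = {
    "NSCameraUsageDescription": "camera",
    "NSMicrophoneUsageDescription": "microphone",
}

# --- Constructed sample data (hypothetical apps, not real software) ---
COLLAB_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""

COLLAB_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>example.collab</string>
  <key>NSCameraUsageDescription</key><string>Video calls</string>
  <key>NSMicrophoneUsageDescription</key><string>Audio calls</string>
</dict></plist>"""

EDITOR_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

EDITOR_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>example.editor</string>
</dict></plist>"""

SAMPLE_APPS = [
    ("ExampleCollab.app", COLLAB_ENTITLEMENTS, COLLAB_INFO),
    ("ExampleEditor.app", EDITOR_ENTITLEMENTS, EDITOR_INFO),
]


def assess_app(name, entitlements_xml, info_plist_xml):
    """Return a dict describing whether this app combines disabled library
    validation with a request for camera or microphone access."""
    entitlements = plistlib.loads(entitlements_xml)
    info = plistlib.loads(info_plist_xml)

    validation_disabled = bool(entitlements.get(DISABLE_LIB_VALIDATION, False))
    requested = sorted(
        resource for key, resource in SENSITIVE_USAGE_KEYS.items() if key in info
    )
    return {
        "app": name,
        "library_validation_disabled": validation_disabled,
        "sensitive_resources": requested,
        # The risky case: any library the app loads inherits the TCC grants
        # the user gave the app, and the loader will not reject unsigned ones.
        "at_risk": validation_disabled and bool(requested),
    }


def audit_all(apps=SAMPLE_APPS):
    """Assess every (name, entitlements, info) tuple and return the results."""
    return [assess_app(name, ents, info) for name, ents, info in apps]


def format_report(results):
    """Render audit results as one line per app for a console report."""
    lines = []
    for r in results:
        status = "AT RISK" if r["at_risk"] else "ok"
        resources = ", ".join(r["sensitive_resources"]) or "none"
        lines.append(
            f"{r['app']}: library validation "
            f"{'DISABLED' if r['library_validation_disabled'] else 'enforced'}; "
            f"sensitive resources requested: {resources} -> {status}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_all()))
```

On a real Mac the XML for an installed app would come from `codesign -d --entitlements :- "/Applications/<App>.app"` (newer macOS versions need `--xml` to get property-list output; which flags your version accepts is an assumption to verify locally) and from `<App>.app/Contents/Info.plist`. An “AT RISK” line does not prove an app is exploitable, only that it has opted out of the check that would otherwise stop an unsigned library from riding on its camera or microphone permission; the vendor-side fix is to drop that entitlement or ship only properly signed libraries, and the user-side mitigation is to revoke the grant in System Settings under Privacy & Security.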
While Microsoft has patched some of the vulnerabilities in apps like Teams and OneNote, productivity tools like Word, Excel, Outlook, and PowerPoint remain exposed. The risk may be relatively low, as users are unlikely to grant these apps access to sensitive resources like the camera.
Nevertheless, this incident highlights the potential security trade-offs that can arise when third-party apps interface with the robust security controls of platforms like macOS. It serves as a reminder for users to be cautious about granting permissions to apps, even from trusted vendors like Microsoft.
To those of us who love our Macs but still use Microsoft’s suite of applications, making the shift to the Mac equivalents might finally make sense.
That’s our show. You can find the show notes with links at technewsday.com or .ca – take your pick.
I want to thank all of you who have sent in your notes saying how much you miss Howard. I have to say that I agree. Howard has been a colleague of mine for many years. We marvelled at him as a journalist, and he’s still a friend. I hope to bring him back as a panelist with some stories in the future. These are big shoes to fill, but I hope, with your guidance and support, to continue to make this what it became under Howard’s hosting – one of the top security podcasts in the world.
I’m your host, Jim Love. Thanks for listening.