Robin’s Newsletter #240

22 January 2023. Volume 6, Issue 4
Ransomware payments fell 40% in 2022. T-Mobile suffers *another* breach; 37 million accounts affected. Credential stuffing attacks against Norton Password Manager, PayPal.

This week

Ransomware payments fell almost 40% in 2022

At the beginning of the year, I forecast (vol. 6, iss. 1) that the number of ransomware victims would fall this year. This week reporting from Chainalysis shows that ransomware revenues fell by over $300 million from $766 million in 2021 to $457 million in 2022.

Bar chart showing the total value received by ransomware attackers from 2017 to 2022 (source: Chainalysis)

There are many potential causes for this. The US has introduced sanctions against ransomware groups and cryptocurrency exchanges used to launder their ill-gotten gains. This has caused many company executives to think twice about paying ransoms (a good policy move!). Cyber insurance policies are tougher on what they will and won’t pay out for (and cost more). Endpoint detection and response solutions have gotten good at stopping malware. The Russian invasion of Ukraine pitted many cybercriminals against each other.

Overall, payment rates have fallen since 2019 from 76% to 41%.

Hopefully, the trend will continue!

Interesting stats

59.4 million compromised payment cards posted for sale on the dark web in 2022, 36.6 million (38%) fewer than the 96 million posted in 2021, according to Recorded Future.

3x increase in cyber-attacks against Ukraine in the past year, according to Ukraine’s communications and information protection agency.

Other newsy bits

Six breaches in five years; T-Mobile breach exposes personal info of 37 million customers

T-Mobile is investigating another breach affecting 37 million customer accounts. Access appears to have been gained via an API around the 25th of November 2022 and persisted through the 5th of January 2023. The internal system provided account information, including names, addresses, emails, phone numbers, and dates of birth.

It’s the mobile carrier’s sixth breach since 2018. In July last year, the company reached a $350 million settlement over a 2021 breach (vol. 4, iss. 34) of over 47 million customers’ data. T-Mobile also vowed to invest $150 million in improving its security posture (vol. 5, iss. 31).

That investment isn’t yet delivering the outcomes that management would have hoped for.

Until then, customers should be assured that the company is “working hard to earn a place in your heart”, per their Privacy Policy.

Credential stuffing attacks against Norton Password Manager, PayPal

Credential stuffing — trying username and password combinations leaked from one breach against other websites and services — is proving fruitful for attackers. Norton LifeLock has contacted 925,000 customers after detecting an unusually high number of login attempts against their Norton Password Manager accounts. PayPal has also alerted almost 35,000 customers after investigating similar credential stuffing attacks against customer accounts in December 2022.
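The signal both companies reacted to (an unusually high volume of login attempts) is easy to pull out of an authentication log. The detector below is an added example, not code from the newsletter, Norton or PayPal; it assumes a JSON-lines login log with the fields `src_ip`, `user` and `result`, and the thresholds are assumptions chosen to separate one source spraying many accounts from a single user mistyping their own password.

```python
"""Credential-stuffing detector over a JSON-lines authentication log.

Added example. The log format (one JSON object per line with src_ip,
user, result) and the thresholds are assumptions for illustration.
"""
import json
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: 203.0.113.7 tries 41 different accounts and gets
# one hit (stuffing); 198.51.100.9 is one user retrying their own password.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": f"2023-01-20T10:00:{i:02d}Z", "src_ip": "203.0.113.7",
                 "user": f"user{i}@example.com", "result": "fail"}) for i in range(40)]
    + [json.dumps({"ts": "2023-01-20T10:00:41Z", "src_ip": "203.0.113.7",
                   "user": "user40@example.com", "result": "ok"})]
    + [json.dumps({"ts": f"2023-01-20T10:01:{i:02d}Z", "src_ip": "198.51.100.9",
                   "user": "alice@example.com", "result": "fail"}) for i in range(5)]
    + [json.dumps({"ts": "2023-01-20T10:01:06Z", "src_ip": "198.51.100.9",
                   "user": "alice@example.com", "result": "ok"})]
)


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated while streaming the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # users that logged in OK


def parse_log(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if {"src_ip", "user", "result"} <= ev.keys():
            events.append(ev)
    return events


def summarise_by_source(events):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["src_ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "ok":
            s.successes.append(ev["user"])
        else:
            s.failures += 1
    return stats


def find_stuffing_sources(events, min_attempts=20, min_distinct_users=10,
                          min_fail_ratio=0.8):
    """Flag sources with many attempts across many accounts, mostly failing.

    A single user retrying their password has one distinct username, so the
    distinct-user threshold is what separates stuffing from fat-fingering.
    """
    findings = {}
    for ip, s in summarise_by_source(events).items():
        fail_ratio = s.failures / s.attempts
        if (s.attempts >= min_attempts and len(s.users) >= min_distinct_users
                and fail_ratio >= min_fail_ratio):
            findings[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 3),
                # Accounts where a stuffed credential worked: these are the
                # customers who need a forced reset and a notification.
                "compromised_accounts": sorted(set(s.successes)),
            }
    return findings


if __name__ == "__main__":
    for ip, f in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, f)
```

The `compromised_accounts` list is the part that matters operationally: a successful login from a source that has just failed against dozens of other accounts is the reuse the attacker was hoping for, and those are the accounts to reset and notify.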

Motherboard manufacturer MSI shipped firmware circumventing SecureBoot

Motherboard firmware updates from manufacturer MSI since January 2022 have set insecure BIOS defaults for a “user-friendly environment”. Secure Boot checks the integrity of boot loaders and core operating system files to help protect systems from UEFI rootkits and other low-level nasties. MSI’s choice of defaults changed the ‘Image Execution Policy’ for their motherboards to ‘Always Execute’, meaning boot images would be loaded even when those checks raised a flag. Future firmware updates will use the ‘Deny Execute’ setting, or MSI users can change the BIOS configuration themselves.
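From inside a running Linux system the only evidence of Secure Boot state is the firmware’s own `SecureBoot` and `SetupMode` variables, exposed through efivarfs. The helper below is an added example (not from the newsletter or from MSI) that parses those variables; it assumes the standard efivarfs file layout of a 4-byte little-endian attribute word followed by the variable data, and the constructed byte strings stand in for files read from `/sys/firmware/efi/efivars`. Note the caveat this case makes obvious: the variable only says the firmware considers Secure Boot enabled, and the ‘Image Execution Policy’ is a separate firmware setting that it does not expose, so a reading of “enabled” is necessary but not sufficient.

```python
"""Read UEFI Secure Boot state from efivarfs and say whether it is enforcing.

Added example. Assumes the efivarfs layout (4-byte LE attributes + data) and
the EFI_GLOBAL_VARIABLE GUID used for SecureBoot and SetupMode.
"""
import struct
from pathlib import Path

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# Constructed stand-ins for the files: attributes 0x06 (BS|RT), then 1 byte.
SAMPLE_SECUREBOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SECUREBOOT_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUPMODE_USER = b"\x06\x00\x00\x00\x00"   # user mode: keys enrolled
SAMPLE_SETUPMODE_SETUP = b"\x06\x00\x00\x00\x01"  # setup mode: no PK, nothing enforced


def parse_efivar(raw: bytes):
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar file too short to hold the attribute word")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Interpret the two variables. Enforcing means enabled and not in setup mode."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    enabled = len(sb) >= 1 and sb[0] == 1
    setup_mode = len(sm) >= 1 and sm[0] == 1
    return {
        "secure_boot": enabled,
        "setup_mode": setup_mode,
        "enforcing": enabled and not setup_mode,
        # The image execution policy lives in vendor setup data, not here:
        # an 'enforcing' result cannot rule out an 'Always Execute' default.
        "policy_visible": False,
    }


def read_local_state():
    """Read the live variables; returns None on a non-UEFI or non-Linux host."""
    sb_path = EFIVARS_DIR / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    sm_path = EFIVARS_DIR / f"SetupMode-{EFI_GLOBAL_VARIABLE}"
    if not (sb_path.exists() and sm_path.exists()):
        return None
    return secure_boot_state(sb_path.read_bytes(), sm_path.read_bytes())


if __name__ == "__main__":
    state = read_local_state()
    print("not a UEFI Linux host" if state is None else state)
```

Because the policy is not visible from the OS, the practical check for an affected board is the BIOS setup screen itself (or the vendor’s corrected firmware), with the variable read above used only to confirm nothing else has silently flipped Secure Boot off.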

In brief

Attacks, incidents & breaches

  • AlphV/BlackCat ransomware group claims to have compromised NextGen Healthcare. The healthcare technology company provides electronic health records (EHR) and practice management systems to US, UK, Indian and Canadian hospitals.
  • Almost 300 KFC and Pizza Hut restaurants in the UK were closed for a day after a ransomware attack against parent company Yum! Brands took “certain information technology systems” offline. Cybercriminals have exfiltrated data, though the nature is unknown. All stores are now open again.
  • ODIN Intelligence, a ‘creator of tools for law enforcement’, has been having a bad couple of weeks. First, it came to light that the firm’s SweepWizard app wasn’t protecting plans for imminent police raids. Then someone defaced their company website and shared company data with the DDoSecrets leak site. (exposed data), (website defacement)
  • Nissan North America notified 17,998 customers of a data breach after a service provider left a ‘poorly configured’ development database exposed. Good practice would be to use representative test data, rather than that of real customers, for development and test purposes.
  • Oslo-headquartered DNV, which provides testing and certification services to the shipping industry, has suffered a ransomware attack that has affected its ShipManager software. Around 1,000 vessels used the software and are currently operating locally and offline.
  • Over 130 Mailchimp accounts, including that of the e-commerce platform WooCommerce, were accessed after a social engineering attack against company employees. It’s the second such attack against Mailchimp in six months.
  • Costa Rica’s Ministry of Public Works and Transport fell victim to a ransomware attack months after the country declared a state of emergency (vol. 5, iss. 20) following a wide-ranging attack from the Conti ransomware gang.
  • A cyber-attack on the Qulliq Energy Corporation (QEC), which supplies energy in Canada’s Nunavut territory, has disrupted the company’s ability to take payments. The company’s power plants are unaffected.
  • Updates from games developer Riot Games are delayed after attackers compromised a development environment.

Threat intel

  • Google Ads are being used to push fake versions of open-source software, including info stealer malware.
  • Attackers are hiding JavaScript in SVG images inside HTML attachments to redirect victims to phishing sites.
  • Kaspersky says the Wroba.o Android app tries using default wireless router passwords to log in and change local DNS settings to redirect user traffic to malicious versions of popular websites.
  • Attackers are using malicious OneNote attachments to trick users into executing malicious scripts.
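The SVG-in-HTML-attachment trick relies on mail filters treating the attachment as inert markup. The scanner below is an added example (not from the newsletter or any named vendor) that walks an HTML attachment with Python’s standard `html.parser` and reports `<script>` elements, `on*` event handlers and `javascript:` links that sit inside an `<svg>` element; the sample attachment is constructed and `phish.example` is a placeholder host.

```python
"""Flag active content hidden inside <svg> elements of an HTML attachment.

Added example. Uses only the standard library; the sample HTML is constructed.
"""
from html.parser import HTMLParser

# Constructed attachment: two SVGs carrying a script, a javascript: link and
# an onload handler, plus ordinary markup that must not be flagged.
SAMPLE_HTML = """<html><body><p>Your invoice is attached.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script>window.location = "https://phish.example/login";</script>
  <a href="javascript:void(0)"><text>view</text></a>
</svg>
<svg onload="location.href='https://phish.example/'"><circle r="1"/></svg>
<p onclick="void(0)">handlers outside svg are left to other rules</p>
</body></html>"""

BENIGN_HTML = '<svg viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'


class SvgActiveContentScanner(HTMLParser):
    """Track <svg> nesting and record active content found inside it."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.findings = []

    def _flag(self, kind, detail):
        line, _ = self.getpos()
        self.findings.append({"kind": kind, "detail": detail, "line": line})

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "svg":
            self.svg_depth += 1
        if not self.svg_depth:
            return  # only content inside <svg> is this scanner's concern
        if tag == "script":
            self._flag("script", "<script> element inside <svg>")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self._flag("event_handler", f"<{tag} {name}=...> inside <svg>")
            elif name in ("href", "xlink:href") and value \
                    and value.strip().lower().startswith("javascript:"):
                self._flag("javascript_uri", f"<{tag} {name}=javascript:...> inside <svg>")

    def handle_endtag(self, tag):
        if tag.lower() == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html(text: str):
    """Return the list of findings for one HTML document (empty if clean)."""
    scanner = SvgActiveContentScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
```

Self-closing tags such as `<circle r="1"/>` go through `handle_starttag` as well, so attributes on them are checked; a finding of any kind is enough to quarantine the attachment, since an SVG that a legitimate sender embeds in an invoice has no reason to carry script.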


  • 1,600 instances of the Cacti monitoring tool are exposed to a critical command injection vulnerability. CVE-2022-46169 (CVSS 9.8) is being actively exploited to ensnare the servers into Mirai and other botnets.
  • Around 6%, or 4,000, Sophos Firewalls haven’t received an update to fix a remote code execution vulnerability (CVE-2022-3236; CVSS 9.8) that was patched in September 2022. Mass exploitation is unlikely, though, as exploitation requires solving an authentication captcha.
  • Mandiant says a Chinese actor has specifically written BOLDMOVE malware to backdoor Fortinet devices vulnerable to CVE-2022-42475.
  • Remote code execution vulnerability (CVE-2022-47966) in Zoho ManageEngine products is being exploited, according to Rapid7.

Cyber defence

  • Avast has released a decryptor for the BianLian ransom malware.


  • The Irish Data Protection Commissioner fined WhatsApp €5.5 million for ‘forcing’ users to consent to data processing with an “Agree and Continue” option with the introduction of new, GDPR-aligned Terms of Service in 2018.

Public policy

  • China wants to grow its ‘data security industry’ by 30% yearly to reach ¥15 billion ($22 billion) by 2025. The country will build security labs, industrial parks and demonstration areas to support this ambition.
  • Two-year jail terms for tech company executives found to be “deliberately” exposing children to harmful content on their platforms, following changes to the UK’s Online Safety Bill currently passing through Parliament.
  • Ukraine has signed an agreement to join NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE). All NATO members need to sign the agreement before it becomes official.

Law enforcement

  • Anatoly Legkodymov, the founder of the cryptocurrency exchange Bitzlato, has been arrested in Florida. Bitzlato is accused of processing around $4.58 billion of cryptocurrency transactions, of which a “substantial portion” was the “proceeds of crime” or “intended for use in [crime]”.

Mergers, acquisitions and investments

  • Bitwarden has acquired a Swedish startup, which helps developers add WebAuthn capabilities to their apps.
  • Private equity giant Thoma Bravo has announced a $1.34 billion acquisition of Canadian firm Magnet Forensics. The firm plans to merge the capabilities of Magnet Forensics with that of Grayshift, which it acquired last July.

Industry news

  • Sophos is to lay off 450 employees, around 10% of its global workforce, to “achieve the optimal balance of growth and profitability” and “delivering cybersecurity as a service”, such as MDR services.
