Cybersecurity trends that marked January 2024
In our January 2024 report, we take a closer look at the cybersecurity trends that marked the month, including the rise of malware-infested search ads and LockBit's extortion attack on the sandwich franchise Subway.
Data leaks and credentials statistics
[Charts: reported leaked credentials, reported leak sources, FYEO indexed sources, FYEO indexed credentials]
January saw 17 reported security incidents that together compromised more than 71.9 million records. On January 18, 2024, VF Corporation announced that a cyberattack in December compromised the personal information of over 35 million customers. The company stated that it does not store Social Security numbers, bank account details or payment card data, so that information was not affected. The incident is a reminder that even a breach limited to "non-sensitive" fields (names, addresses, e-mail addresses, order histories) exposes customers to targeted phishing and fraud.
During the month, FYEO indexed a total of 211.5 million leaked credentials from 13 sources, collected from open sources and public releases.
Regarding FYEO's collection statistics, there is usually a long delay between a breach and the public release of the stolen data. The credentials FYEO indexed this month therefore most likely do not come from the sources reported as breached this month.
LockBit Ransomware Strikes Subway, Demands Ransom for Confidential Data
Subway, the global fast-food giant, has reportedly suffered a significant data breach orchestrated by the LockBit ransomware gang. The Register reports that Subway was added to LockBit's data leak site after the gang allegedly seized gigabytes of sensitive data. The stolen information reportedly comes from Subway's internal systems and includes details such as employee salaries, franchise payments and restaurant turnover.
LockBit has publicly claimed responsibility for the attack and gave Subway a deadline to "protect" the data before it is potentially sold to rivals. Subway initially made no public statement, and there is speculation that the company was not aware of the breach until LockBit disclosed it.
In a notable shift in tactics, LockBit did not encrypt Subway's systems but relied on data theft and extortion alone. This reflects a broader trend: as corporate backups and ransomware defenses have improved, encryption has become less reliable as leverage, so attackers increasingly steal data and demand payment to prevent its publication rather than trying to cripple the victim's operations. A defensive consequence is that backups alone no longer reduce the impact of an intrusion; egress monitoring, data-loss detection and the ability to tell what was exfiltrated matter as much as recovery.
Subway has since acknowledged the claims and is investigating the breach. The incident highlights the evolving nature of ransomware-group operations and the continuous threat they pose to corporations.
The Perils of Software Downloads via Google Search: Malware-Infested Ads
Google is grappling with a persistent issue on its search platform: cybercriminals buying search ads that distribute booby-trapped versions of popular software. These ads appear above the organic results, so a user who searches for a program and clicks the first link is sent to the attacker's site rather than the vendor's. Despite Google's efforts, with thousands of staff working to combat such abuse, these campaigns remain a significant threat.
One recent example involved an ad for the free, open-source 3D CAD program FreeCAD that led to a fake website (freecad-us[.]org) instead of the legitimate freecad.org. This is part of a larger pattern in which cybercriminals register domains that closely mimic popular software sites (the brand name plus a suffix, a swapped top-level domain, or a one-character typo) and use them to host malware or redirect to it.
The domains, hosted in the Netherlands, vary in their approach. Some are copycats of legitimate software review sites, while others serve the genuine installer most of the time and intermittently swap in a malware-laden version, often only for visitors from targeted regions such as the United States. The strategy is malvertising; "MalVirt" is the name given to one such campaign. Serving clean downloads first lets the sites build reputation with search engines before the malware is deployed.
This technique has been linked to a rise in infections by loaders and information stealers such as IcedID, RedLine Stealer, Formbook and Aurora Stealer. It appears to have gained traction after Microsoft began blocking Office macros in files downloaded from the internet by default, prompting criminals to look for new initial-access methods.
Google has taken steps against the threat, such as blocking many of the malicious sites through its Safe Browsing technology. However, completely eliminating them is difficult because the attackers cloak their pages, showing benign content to Google's crawlers and reviewers while serving the malicious download to ordinary users.
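The lookalike patterns described above lend themselves to a simple detection check. The following is an added example for this report, not FYEO's tooling: it classifies a search-ad landing domain against a small allow-list of legitimate software sites. The allow-list and every candidate domain except freecad-us[.]org (named in the article) are constructed for illustration, and the public-suffix handling is deliberately simplified.

```python
"""Flag search-ad landing domains that impersonate known software sites.

Added example for this report, not FYEO's code. LEGIT_SITES and every
candidate domain except freecad-us[.]org are constructed for illustration.
"""
from typing import List, Optional, Tuple

# Constructed allow-list: the legitimate registrable domain of each project.
LEGIT_SITES: List[str] = ["freecad.org", "gimp.org", "audacityteam.org"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'freecad-us[.]org' back into a hostname."""
    return domain.replace("[.]", ".").strip().strip(".").lower()


def registrable(hostname: str) -> Tuple[str, str]:
    """Split a hostname into (second-level label, TLD).

    Simplification: assumes a one-label public suffix ('.org', '.com'), so
    'download.freecad.org' -> ('freecad', 'org'). A production tool would
    consult the Public Suffix List to handle suffixes such as 'co.uk'.
    """
    labels = hostname.split(".")
    if len(labels) < 2:
        return hostname, ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify(domain: str, legit_sites: List[str] = LEGIT_SITES) -> Tuple[str, Optional[str]]:
    """Return (verdict, impersonated_site) for one landing domain.

    Verdicts, in the order they are tested:
      legitimate - registrable domain exactly matches an allow-listed site
      affix      - brand label embedded with extra text ('freecad-us.org')
      tld_swap   - same label, different TLD ('freecad.net')
      typosquat  - label within edit distance 1 of a brand ('freeecad.org')
      unknown    - none of the above; this is NOT evidence of legitimacy
    """
    sld, tld = registrable(refang(domain))
    # Exact allow-list match wins before any fuzzy rule can fire.
    for site in legit_sites:
        if (sld, tld) == registrable(site):
            return "legitimate", site
    for site in legit_sites:
        legit_sld, legit_tld = registrable(site)
        if legit_sld in sld and sld != legit_sld:
            return "affix", site
        if sld == legit_sld and tld != legit_tld:
            return "tld_swap", site
        if edit_distance(sld, legit_sld) <= 1:
            return "typosquat", site
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample of landing domains observed behind search ads.
    for d in ["freecad-us[.]org", "freecad.net", "freeecad.org",
              "download.freecad.org", "example.com"]:
        print(f"{d:22} -> {classify(d)}")
```

The check is cheap enough to run over every ad landing URL in proxy logs; a verdict of "unknown" should be treated as unvetted rather than safe, and the allow-list is the part worth maintaining.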
The situation highlights a growing concern in digital security: even legitimate search engines can lead users to malware. When downloading software, navigate to the vendor's known domain directly rather than clicking a sponsored result, check that the address bar shows that domain, and verify the installer's publisher signature or the checksum the vendor publishes before running it.