May 2023: Recent Cyber Attacks, Data Breaches & Ransomware Attacks
Date: 1 June 2023
We're almost into the second half of the year, but cyber attacks, data breaches and ransomware attacks are nowhere close to abating. May 2023 saw its fair share of high-profile cybersecurity incidents, and we also received some major updates on attacks that happened earlier in the year. This article contains all that information and more!
- Ransomware Attacks in May 2023
- Data Breaches in May 2023
- Cyber-Attacks in May 2023
- New Ransomware/Malware Detected in May 2023
- Vulnerabilities/Patches
- Advisories issued, reports, analysis etc. in May 2023
Ransomware attacks continued their rampage in May 2023. Two cities, many healthcare organisations, an airline, educational institutions and tech giants - almost nobody seems to have been spared. Black Basta, LockBit and BlackCat continued to be the usual suspects, with the new Money Message extortion gang making waves in every sector and demanding hefty ransoms.
Data breaches in May 2023 were no less damaging. While most data breaches in the month gone by were the work of criminal threat actors, some were caused by technical errors. Interestingly, Tesla's massive data breach was apparently the work of an insider. The data handed over to one of Germany's top news organisations allegedly contains information on customers, employees and business partners, as well as thousands of customer complaints regarding the carmaker's driver assistance system. A damaging data leak indeed!
And that's not all. Cyber attacks continued to make news, whether on government websites, industry and education ministries or even crypto exchanges.
The cost of these attacks and data breaches is immense and goes way beyond the monetary. While you lose money recovering from the attacks and/or paying regulatory fines, you also lose customer trust once their information has been compromised. The inconvenience caused to customers by business disruption is another critical factor to consider.
This is why it has become increasingly important to focus on your cybersecurity resilience and Business Continuity Management. Business Continuity can be achieved by reviewing existing plans, policies and processes, or creating new ones, with the help of external cybersecurity experts like our Virtual Cyber Assistants.
Executive training, enhancing the board's knowledge of the threats to the business and improving overall board engagement with cybersecurity are also critical.
Ransomware Attacks in May 2023
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| May 03, 2023 | City of Dallas | City of Dallas hit by Royal ransomware attack impacting IT services | Royal ransomware | The City has confirmed that a number of servers were compromised with ransomware, impacting several functional areas, including the Dallas Police Department website. To reduce the impact, the City of Dallas shut down some of its IT systems. | |
| May 03, 2023 | Bluefield University | Ransomware gang hijacks university alert system to issue threats | Avos ransomware gang | Hackers hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data had been stolen and would soon be released. The impact on the IT systems caused all examinations to be postponed. The ransomware group apparently communicated with students via email and SMS to warn them that it had hacked the university network and exfiltrated 1.2 TB of files, including admission and personal data of thousands of students. | |
| May 04, 2023 | Constellation Software | ALPHV gang claims ransomware attack on Constellation Software | ALPHV ransomware | The ALPHV ransomware gang (aka BlackCat) added an entry to its data leak site, claiming that it breached the company's network and stole more than 1 TB of files, including the company's confidential data. | |
| May 07, 2023 | Tech firm ABB | Multinational tech firm ABB hit by Black Basta ransomware attack | Black Basta ransomware | The ransomware attack affected the company's Windows Active Directory and hundreds of devices. It also disrupted the company's operations, delayed projects and impacted factories. ABB revealed that the attackers had stolen data from compromised devices and that it would notify affected individuals if their information was impacted in the incident. | |
| May 08, 2023 | MSI | Intel investigating leak of Intel Boot Guard private keys after MSI breach | Money Message extortion gang | In March, the Money Message extortion gang attacked computer hardware maker MSI, claiming to have stolen 1.5 TB of data during the attack, including firmware, source code and databases. The gang demanded a $4,000,000 ransom and, after not being paid, began leaking MSI's stolen data on its data leak site. In May, the leaked data came to include the source code for firmware used by the company's motherboards. Alex Matrosov, CEO of firmware supply chain security platform Binarly, warned that the leaked source code contains the image signing private keys for 57 MSI products and Intel Boot Guard private keys for 116 MSI products. | |
| May 09, 2023 | Norton Healthcare | Norton Healthcare hit with demands from hackers after cyber event | Unknown | The attack forced Norton to shut down its systems, so the threat actors sent a fax to Norton Healthcare containing undisclosed threats and demands. | |
| May 12, 2023 | Capita | Capita warns Universities Superannuation Scheme (USS), the largest private pension scheme in the UK, that it should assume data was stolen | Black Basta ransomware | The servers accessed by the hackers held the personal information of roughly 470,000 active, deferred and retired members, including names, dates of birth, National Insurance numbers and USS member numbers. Capita revealed that, after gaining access to its systems, the attackers exfiltrated files from roughly 4% (a figure it later revised to 0.1%) of its "server estate," including systems holding customer, supplier or colleague data. | |
| May 12, 2023 | PharMerica | Ransomware gang steals data of 5.8 million PharMerica patients | Money Message ransomware | PharMerica said the threat actors exposed the data of over 5.8 million patients. The ransomware gang claimed to have stolen 4.7 TB of data during its attack on PharMerica, stating that it consisted of at least 1.6 million unique records of personal information, which it has leaked on its extortion site. | |
| May 14, 2023 | ScanSource | ScanSource says ransomware attack behind multi-day outages | Unknown | The ransomware attack impacted some of its systems, business operations and customer portals. The company warned that there would be delays in the provision of services to customers in the forthcoming period, expected to affect operations in North America and Brazil. | |
| May 14, 2023 | Philadelphia Inquirer | Philadelphia Inquirer operations disrupted after cyberattack | Cuba ransomware | The attack disrupted operations: newspaper circulation halted, while Inquirer.com was only slightly affected, with the publishing and updating of stories subject to intermittent delays. The threat actors apparently had access to an email and document storage system used by several News Corp businesses, which enabled them to compromise business documents and emails containing sensitive data, including employees' personal information. | |
| May 17, 2023 | Zimbra servers | MalasLocker ransomware targets Zimbra servers; demands charity donation | MalasLocker ransomware | A new ransomware operation hacked Zimbra servers to steal emails and encrypt files. Instead of demanding a ransom payment, the threat actors demanded a donation to charity in exchange for providing an encryptor and not leaking the data. | |
| May 20, 2023 | Arms maker Rheinmetall | Arms maker Rheinmetall confirms BlackBasta ransomware attack | BlackBasta ransomware | The ransomware attack impacted its civilian business. BlackBasta posted Rheinmetall on its extortion site along with samples of the data the hackers claimed to have stolen from the arms maker. The published data samples include non-disclosure agreements, technical schematics, passport scans and purchase orders. | |
| May 20, 2023 | Thomas Hardye School | Dorchester school IT system held to ransom in cyber attack | Unknown | Thomas Hardye School in Dorchester said its screens and systems had been locked. The school was unable to use email or accept payments following the ransomware attack. | |
| May 24, 2023 | Scandinavian Airlines (SAS) | SAS Airlines hit by cyber attack; hackers demand $175,000 | A group known as Anonymous Sudan | The ransomware attack on Scandinavian Airlines (SAS) halted its app and made its website inoperable for nearly a full day. The ransomware gang reportedly first demanded $3,500 from the carrier before raising its demand to $175,000. | |
| May 25, 2023 | City of Augusta | BlackByte ransomware claims City of Augusta cyber attack | BlackByte ransomware | The city of Augusta in Georgia, U.S., confirmed an IT system outage. The BlackByte ransomware group claimed to hold troves of sensitive data stolen from Augusta's computers and allegedly leaked a 10 GB sample as proof of the breach, containing payroll information, contact details, personally identifiable information (PII), physical addresses, contracts, city budget allocation data and other details. | |
| May 26, 2023 | Managed Care of North America (MCNA) Dental | MCNA Dental data breach impacts 8.9 million people after ransomware attack | LockBit ransomware | The LockBit gang accessed MCNA Dental's computer systems and stole 700 GB of sensitive, confidential information. On April 7, 2023, LockBit released all the data on its website, making it available for download by anyone. | |
Ransomware attacks are only rising in number and complexity with every new month. We are now also dealing with the sprouting of new and sophisticated ransomware and extortion gangs. While there is no escaping them, you can mitigate their impact and minimize their likelihood by using some of these FREE ransomware resources created by our cybersecurity experts.
Data Breaches in May 2023
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| May 01, 2023 | T-Mobile | T-Mobile discloses second data breach since the beginning of 2023 | Unknown | This incident affected 836 T-Mobile customers, and it is believed that threat actors gained access to their sensitive personal information. | |
| May 02, 2023 | Paediatric mental health provider Brightline | Brightline data breach impacts 783K paediatric mental health patients | Clop ransomware | Paediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people. A ransomware gang allegedly stole the data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform. | Paediatric healthcare provider Brightline data breach incident |
| May 08, 2023 | Cybersecurity firm Dragos | Cybersecurity firm Dragos discloses cybersecurity incident, extortion attempt | Undisclosed | The hackers gained access to the company's SharePoint cloud service and contract management system by compromising the personal email address of a new sales employee prior to their start date. They then used that person's personal information to impersonate the Dragos employee and complete the initial steps of the employee onboarding process. After breaching Dragos' SharePoint cloud platform, the attackers downloaded "general use data" and accessed 25 intel reports that are usually only available to customers. | |
| May 09, 2023 | Food distribution giant Sysco | Food distribution giant Sysco warns of data breach after cyberattack | Unknown | The data breach affected 126,243 individuals whose names and other personal identifiers were exposed together with Social Security numbers. The investigation determined that the threat actor extracted certain company data, including data relating to the operation of the business, customers, employees and personal data. The company believes the employee data stolen from its systems during the breach is a combination of the following: personal information provided to Sysco for payroll purposes, including name, Social Security number, account numbers or similar information. | |
| May 10, 2023 | Seoul National University Hospital (SNUH) | North Korean hackers breached major hospital in Seoul to steal data | Kimsuky hacking group (apparently) | The cyber attack resulted in data exposure for 831,000 individuals, most of whom were patients; 17,000 of those affected were current and former hospital employees. | |
| May 11, 2023 | U.S. tech company and Siemens subsidiary Brightly Software | Brightly warns of SchoolDude data breach exposing credentials | Unknown | The incident affected Brightly Software's SchoolDude application (schooldude.com), an online platform used by educational institutions for placing and tracking maintenance work orders; an unauthorised actor obtained certain account information from the SchoolDude user database. The company believes the threat actors stole customer account information, including names, email addresses, account passwords, phone numbers (where available) and school district names. | |
| May 12, 2023 | | Car location data of 2 million customers apparently exposed for ten years | Human error (misconfiguration of the cloud environment) | A data breach allegedly exposed the car location information of 2,150,000 customers for ten years. The incident exposed the information of customers who used the company's T-Connect G-Link, G-Link Lite or G-BOOK services between January 2, 2012, and April 17, 2023. | |
| May 12, 2023 | Discord | Discord discloses data breach after support agent got hacked | Unknown | In this attack, the account of a third-party support agent was compromised. The breach exposed the agent's support ticket queue, which contained user email addresses, messages exchanged with Discord support and any attachments sent as part of the tickets. | |
| May 12, 2023 | airBaltic | Latvian airline accidentally exposes passenger info to others due to a 'technical error' | Technical error | Due to a technical error, the reservation details of some of its passengers were exposed to other airBaltic passengers. The exposed information may have included the passengers' full names, birth dates, email addresses, etc. | |
| May 12, 2023 | Luxottica | Luxottica confirms 2021 data breach after info of 70M leaks online | Unknown hacking group using the "Sin (GOD)" handle on breach forums | Threat actors leaked previously stolen data containing 305 million lines (records), 74.4 million unique email addresses and 2.6 million unique domain email addresses. | |
| May 16, 2023 | U.S. Transportation Department (USDOT) | Data of 237,000 US government employees apparently breached | Unknown | The personal information of 237,000 current and former federal government employees was exposed in a data breach at the U.S. Transportation Department (USDOT). | |
| May 19, 2023 | M&S pension scheme and Diageo pension scheme | M&S and Diageo pension schemes hit by Capita cyber attack | Unknown | Capita warned the pension schemes of Marks and Spencer, Diageo, Unilever and Rothesay that their members' personal data was likely to have been stolen by hackers during the cyber attack on the UK outsourcer. | |
| May 22, 2023 | Apria Healthcare | Apria Healthcare says potentially 2M people affected by IT security breach | Unknown | Personal and financial data describing almost 1.9 million Apria Healthcare patients and employees may have been accessed by criminals who breached the company's networks over a series of months in 2019 and 2021. | |
| May 22, 2023 | Mazars Group | Mazars Group allegedly breached by BlackCat cybercrooks | BlackCat ransomware group | Russia-linked ransomware syndicate ALPHV/BlackCat claims to have stolen sensitive data from Mazars Group. A post on the gang's dark web blog says that the cyber criminals accessed over 700 GB of data, including agreements, financial records and other sensitive information. | |
| May 22, 2023 | Automotive supplier Gentex | Gentex confirms data breach by Dunghill ransomware gang | Dunghill ransomware gang | The ransomware gang published 5 TB of sensitive corporate data, which reportedly includes emails, client documents and personal data of approximately 10,000 Gentex employees, such as Social Security numbers. | |
| May 23, 2023 | Zivame | Zivame data breach: personal info of 1.5 million users on sale for $500 | Unknown | Hackers put the personal details of 1.5 million users of e-commerce retailer Zivame, mostly women, on sale online for as little as $500 in cryptocurrency. The details include names, email addresses, phone numbers and customer addresses. | |
| May 23, 2023 | Harvard Pilgrim | Harvard Pilgrim says customers' information compromised in cyber attack | Unknown | The company said information was taken from Harvard Pilgrim systems between March 28 and April 3, including names, addresses, Social Security numbers, taxpayer ID numbers, and medical information and history. | |
| May 24, 2023 | Adur and Worthing council | Adur and Worthing council contractor in data breach | Unknown | The personal information of about 100 people could have been leaked in the data breach. | |
| May 24, 2023 | Northern Territory (NT) patient health records | Thousands of identifiable NT patient health files sent to overseas-based software vendor in government data breach | Human error | The Northern Territory government breached the privacy of thousands of public health patients by sending identifiable medical records to a software vendor with offices in Europe, South America and China. | |
| May 26, 2023 | Tesla | Report: 'Massive' Tesla leak reveals data breaches, thousands of safety complaints | A whistleblower | According to Germany's Handelsblatt, Tesla failed to adequately protect data from customers, employees and business partners and has received thousands of customer complaints regarding the carmaker's driver assistance system. A whistleblower leaked 100 gigabytes of confidential data, including tables containing more than 100,000 names of former and current employees. The data also allegedly contains the social security number of Tesla CEO Elon Musk, along with private email addresses, phone numbers and salaries of employees, bank details of customers and secret details from production. | |
Cyber Attacks in May 2023
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| May 01, 2023 | Level Finance | Level Finance crypto exchange hacked after two security audits | Unknown | Hackers exploited a vulnerability in a Level Finance smart contract, draining 214,000 LVL tokens from the decentralised exchange and swapping them for 3,345 BNB, worth approximately $1,100,000. | |
| May 01, 2023 | Packagist, PHP packages repository | Researcher hijacks popular Packagist PHP packages to get a job | A researcher with the pseudonym 'neskafe3v1' | A researcher hijacked over a dozen Packagist packages, some of which have been installed over 500 million times over their lifetime. He claimed that by hijacking these packages he hoped to get a job. | |
| May 10, 2023 | Suzuki Motorcycle India | Suzuki Motorcycle India plant shut for a week due to cyber-attack | Unknown | Suzuki Motorcycle India was forced to halt production at its factories due to a "cyber-attack" on its operations. The halt is estimated to have caused a production loss of over 20,000 vehicles in this timeframe. | |
| May 18, 2023 | Various Pakistani Embassy websites | Indian hacktivists Kerala Cyber Xtractors strike back: 10 Pakistani Embassy websites hacked in a counter cyberattack | Kerala Cyber Xtractors | Indian hackers brought down 10 Pakistani Embassy websites worldwide with DDoS attacks in a counter cyber attack, after Pakistani hacker group Team Insane PK claimed credit for attacking 23 Indian government and private organisation websites. | |
| May 24, 2023 | WordPress websites | Hackers target 1.5M WordPress sites with cookie consent plugin exploit | Unknown | The impact may include unauthorised access to sensitive information, session hijacking, malware infections via redirects to malicious websites, or a complete compromise of the target's system. | |
| May 26, 2023 | The open media solution Emby | Emby shuts down user media servers hacked in recent attack | Unknown | The attackers targeted Internet-exposed private Emby servers and infiltrated those configured to allow admin logins without a password on the local network. To mitigate the impact, Emby remotely shut down an undisclosed number of user-hosted media server instances. | |
| May 26, 2023 | Italy's Industry Ministry | Italy's Industry Ministry reports 'heavy' cyberattack | Unknown | The Italian Industry Ministry's web portal and applications were hit by a "heavy cyberattack" and remained out of order. | |
| May 27, 2023 | Senegalese government websites | Senegalese government websites hit with cyber attack | A group of hackers called Mysterious Team | Hackers took multiple Senegalese government websites offline with distributed denial-of-service (DDoS) attacks. | |
| May 28, 2023 | Jimbos Protocol | Flash loan attack on Jimbos Protocol steals over $7.5 million | Unknown | Jimbos Protocol, an Arbitrum-based DeFi project, suffered a flash loan attack that resulted in the loss of more than 4,000 ETH, currently valued at over $7,500,000. Following the hack, the price of Jimbos' token collapsed quickly, from $0.238 to just $0.0001. | |
| May 30, 2023 | Greece's Education Ministry | Cyber attack in Greece disrupts high school exams, causes political spat | Unknown | Greece's Education Ministry said it was targeted in a cyberattack described as the most extensive in the country's history, aimed at disabling a centralised high school examination platform. The DDoS attacks, which involved computers from 114 countries, sought to overwhelm the platform for almost two days, causing outages and delays in high school exams but failing to cripple the system, the ministry said. The outages left students waiting in classrooms for hours for the exams to start and touched off a political spat, following an inconclusive general election earlier this month. | |
New Ransomware/Malware Discovered in May 2023
| New Ransomware/Malware | Summary | Source Link |
|---|---|---|
| LOBSHOT malware | A new malware known as 'LOBSHOT', distributed using Google ads, allows threat actors to stealthily take over infected Windows devices using hVNC. | New LOBSHOT malware gives hackers hidden VNC access to Windows devices |
| Stop/Djvu ransomware version v0700 | Stop/Djvu ransomware (v0700); Extension: .saba; Ransom note: _readme.txt | |
| H3r ransomware | H3r ransomware; Dharma/CrySis ransomware family; Extension: .h3r (also appends the victim's unique ID and the developers' email address to filenames); Ransom notes: info.txt and pop-up window (Info.hta) | A new variant of the Dharma/CrySis ransomware family, H3r ransomware |
| BOOM ransomware | BOOM ransomware; Phobos ransomware family; Extension: .BOOM (also appends the victim's unique ID and the developers' email address to filenames); Ransom notes: info.txt and info.hta | |
| CrypBits256 ransomware | CrypBits256 ransomware; Xorist ransomware family; Extension: .CrypBits256PT2; Ransom notes: pop-up window and HOW TO DECRYPT FILES.txt | A new variant of the Xorist ransomware family, CrypBits256 ransomware |
| Zhong ransomware | Zhong ransomware; Extension: .zhong; Ransom note: Restore.txt | |
| BlackSuit ransomware | New BlackSuit ransomware targets Windows and Linux; Extension: .blacksuit; Ransom note: README.BlackSuit.txt | |
| Rec_rans ransomware | Rec_rans ransomware; Extension: .rec_rans; Ransom note: HOW_TO_RECOVERY_FILES.txt; changes the desktop wallpaper | |
| NodeStealer | Facebook discovered and disrupted the operation of a new information-stealing malware distributed on Meta called 'NodeStealer', which allows threat actors to steal browser cookies to hijack accounts on the platform, as well as Gmail and Outlook accounts. | Facebook disrupts new NodeStealer information-stealing malware |
| btc-A ransomware | btc-A ransomware; Xorist ransomware family; Extension: .btc-Apt2; Ransom notes: pop-up window and HOW TO DECRYPT FILES.txt | |
| Fleckpe malware | A new Android subscription malware named 'Fleckpe' has been spotted on Google Play, the official Android app store, disguised as legitimate apps downloaded over 620,000 times. | New Fleckpe Android malware installed 600K times on Google Play |
| ReconShark malware | The North Korean Kimsuky hacking group has been observed employing a new version of its reconnaissance malware, now called 'ReconShark', in a cyberespionage campaign with a global reach. | |
| FluHorse Android malware | A new Android malware called 'FluHorse' has been discovered targeting users in Eastern Asia with malicious apps that imitate legitimate versions. | New Android FluHorse malware steals your passwords, 2FA codes |
| Cactus ransomware | A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to the networks of "large commercial entities." | |
| Akira ransomware | The new Akira ransomware operation has slowly been building a list of victims as it breaches corporate networks worldwide, encrypts files and then demands million-dollar ransoms. | Akira, a new ransomware operation, targets corporate networks worldwide |
| Suffering ransomware | Suffering ransomware; GlobeImposter ransomware family; Extension: .Suffering; Ransom note: how_to_back_files.html | A new version of the GlobeImposter ransomware family, Suffering ransomware |
| Solix ransomware | Solix ransomware; Extension: .Solix; Ransom note: pop-up window | |
| Newlocker ransomware | Newlocker ransomware; MedusaLocker ransomware family; Extension: .newlocker; Ransom note: HOW_TO_RECOVER_DATA.html | A new version of the MedusaLocker ransomware family, Newlocker ransomware |
| BrightNight ransomware | BrightNight ransomware; Extension: .BrightNight (also appends the victim's ID and the developers' email address to filenames); Ransom note: README.txt | |
| Zipp3rs ransomware | Zipp3rs ransomware; Xorist ransomware family; Extension: .zipp3rs; Ransom notes: HOW TO DECRYPT FILES.txt and pop-up window | A new version of the Xorist ransomware family, Zipp3rs ransomware |
| Army Signal ransomware | Army Signal ransomware; Extension: .SIGSCH; Ransom note: README_SIGSCH.txt | |
| The Phishing-as-a-Service (PhaaS) platform 'Greatness' | The Phishing-as-a-Service (PhaaS) platform named 'Greatness' has seen a spike in activity as it targets organisations using Microsoft 365 in the United States, Canada, the U.K., Australia and South Africa. | New 'Greatness' service simplifies Microsoft 365 phishing attacks |
| Aurora information-stealing malware | A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information-stealing malware. | Fake in-browser Windows updates push Aurora info-stealer malware |
| BPFDoor malware | A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications. | Stealthier version of Linux BPFDoor malware spotted in the wild |
| RA Group ransomware | A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management and manufacturing firms in the United States and South Korea. | New RA Group ransomware targets U.S. orgs in double-extortion attacks |
| MerDoor malware | A new APT hacking group dubbed Lancefly uses a custom 'Merdoor' backdoor malware to target government, aviation and telecommunication organisations in South and Southeast Asia. | Stealthy MerDoor malware uncovered after five years of attacks |
| Itlock ransomware | Itlock ransomware; MedusaLocker ransomware family; Extension: .itlock20 (the number may differ); Ransom note: How_to_back_files.html | New ransomware of the MedusaLocker ransomware family, Itlock ransomware |
| Moneybird ransomware | A suspected Iranian state-supported threat actor known as 'Agrius' is now deploying a new ransomware strain named 'Moneybird' against Israeli organisations. | Iranian hackers use new Moneybird ransomware to attack Israeli orgs |
| CosmicEnergy malware | Mandiant security researchers have discovered a new malware called CosmicEnergy, designed to disrupt industrial systems and linked to Russian cybersecurity outfit Rostelecom-Solar (formerly Solar Security). | New Russian-linked CosmicEnergy malware targets industrial systems |
| Buhti ransomware | A new ransomware operation named 'Buhti' uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively. | New Buhti ransomware gang uses leaked Windows, Linux encryptors |
| FAST ransomware | FAST ransomware; Extension: .FAST (the victim's ID and the developers' email address are also appended to filenames); Ransom note: #FILEENCRYPTED.txt | |
| EXISC ransomware | EXISC ransomware; Extension: .EXISC; Ransom note: Please Contact Us To Restore.txt | |
| QBot malware | The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software. | |
| RomCom malware | A new campaign distributing the RomCom backdoor malware impersonates the websites of well-known or fictional software, tricking users into downloading and launching malicious installers. | RomCom malware spread via Google Ads for ChatGPT, GIMP, more |
Vulnerabilities/Patches Discovered in May 2023
Date |
Flaws/Fixes |
Summary |
Source Link |
May 01, 2023 |
Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices |
Apple has launched the first Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices, with some users having issues installing them on their iPhones. |
Apple’s first Rapid Security Response patch fails to install on iPhones |
| Date | CVE / Update | Summary | Source Link |
| --- | --- | --- | --- |
| May 02, 2023 | CVE-2018-9995 | Hackers are actively exploiting an unpatched 2018 authentication bypass vulnerability in exposed TBK DVR (digital video recording) devices. | Hackers exploit 5-year-old unpatched flaw in TBK DVR devices |
| May 02, 2023 | CVE-2023-30777 | Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of instals, are vulnerable to cross-site scripting (XSS) attacks. | WordPress custom field plugin bug exposes over 1M sites to XSS attacks |
| May 05, 2023 | CVE-2023-0266 | Android security updates released this month patch a high-severity vulnerability exploited as a zero-day to install commercial spyware on compromised devices. | New Android updates fix kernel bug exploited in spyware attacks |
| May 06, 2023 | CVE-2023-27350 | A new proof-of-concept (PoC) exploit for an actively exploited PaperCut vulnerability was released that bypasses all known detection rules. | |
| May 09, 2023 | 38 flaws: 8 Elevation of Privilege, 4 Security Feature Bypass, 12 Remote Code Execution, 8 Information Disclosure, 5 Denial of Service, 1 Spoofing. Three zero-days: CVE-2023-29336, CVE-2023-24932, CVE-2023-29325 | In Microsoft's May 2023 Patch Tuesday, there were three zero-day vulnerabilities and a total of 38 flaws patched. | Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws |
| May 09, 2023 | Windows 10 KB5026361 and KB5026362 cumulative updates | Microsoft has released the Windows 10 KB5026361 and KB5026362 cumulative updates for versions 22H2, 21H2, 21H1, and 1809 to fix problems and add new features to the operating system. | |
| May 09, 2023 | Windows 11 22H2 KB5026372 cumulative update | Microsoft has released the Windows 11 22H2 KB5026372 cumulative update to fix security vulnerabilities and introduce 20 changes, improvements, and bug fixes. | Windows 11 KB5026372 cumulative update released with 20 changes |
| May 09, 2023 | CVE-2023-24932 | Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems. | Microsoft issues optional fix for Secure Boot zero-day used by malware |
| May 09, 2023 | CVE-2023-25717 | A new malware botnet named 'AndoryuBot' is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks. | Critical Ruckus RCE flaw exploited by new DDoS botnet malware |
| May 11, 2023 | CVE-2023-32243 | One of WordPress's most popular Elementor plugins, "Essential Addons for Elementor," was found to be vulnerable to an unauthenticated privilege escalation that could allow remote attackers to gain administrator rights on the site. | |
| May 11, 2023 | CVE-2023-29324 | Microsoft fixed a security vulnerability that could be used by remote attackers to bypass recent patches for a critical Outlook zero-day security flaw abused in the wild. | Microsoft patches bypass for recently fixed Outlook zero-click bug |
| May 12, 2023 | CVE-2023-25717 | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet. | CISA warns of critical Ruckus bug used to infect Wi-Fi access points |
| May 14, 2023 | CVE-2023-30777 | Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept (PoC) exploit was made public. | Hackers target Wordpress plugin flaw after PoC exploit released |
| May 18, 2023 | CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 | Apple has addressed three new zero-day vulnerabilities exploited in attacks to hack into iPhones, Macs, and iPads. | Apple fixes three new zero-days exploited to hack iPhones, Macs |
| May 19, 2023 | CVE-2023-21492 | CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection. | |
| May 22, 2023 | CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 | The U.S. Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks. | CISA orders govt agencies to patch iPhone bugs exploited in attacks |
| May 24, 2023 | CVE-2023-2825 | GitLab has released an emergency security update, version 16.0.1, to address a maximum severity (CVSS v3.1 score: 10.0) path traversal flaw tracked as CVE-2023-2825. | GitLab 'strongly recommends' patching max severity flaw ASAP |
| May 25, 2023 | CVE-2023-32165, CVE-2023-32169 | D-Link has fixed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code. | |
| May 25, 2023 | CVE-2023-33009, CVE-2023-33010 | Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could leverage without authentication. | Zyxel warns of critical vulnerabilities in firewall and VPN devices |
| May 27, 2023 | CVE-2023-2868 | CISA warned of a recently patched zero-day vulnerability exploited last week to hack into Barracuda Email Security Gateway (ESG) appliances. | CISA warns govt agencies of recently patched Barracuda zero-day |
| May 30, 2023 | CVE-2023-28782 | The premium WordPress plugin 'Gravity Forms,' currently used by over 930,000 websites, is vulnerable to unauthenticated PHP Object Injection. | Barracuda zero-day abused since 2022 to drop new malware, steal data |
| May 30, 2023 | CVE-2023-32369 | Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install "undeletable" malware and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks. | Microsoft finds macOS bug that lets hackers bypass SIP root restrictions |
Warnings/Advisories/Reports/Analysis
| News | Summary | Source Link |
| --- | --- | --- |
| Report | An international law enforcement operation codenamed 'SpecTor' has arrested 288 dark web vendors and customers worldwide, with police seizing €50.8 million ($55.9M) in cash and cryptocurrency. | Police operation 'SpecTor' arrests 288 dark web drug vendors and buyers |
| Report | The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors. | FBI seizes 9 crypto exchanges used to launder ransomware payments |
| Report | The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as 'booter' or 'stressor' services. | QR codes used in fake parking tickets, surveys to steal your money |
| Report | The U.S. Justice Department has filed charges against a Russian citizen named Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for involvement in three ransomware operations that targeted victims across the United States. | Russian ransomware affiliate charged with attacks on critical infrastructure |
| Report | A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organisations. | Hackers infect TP-Link router firmware to attack EU entities |
| Report | The Department of Justice revealed today that an 18-year-old man named Joseph Garrison from Wisconsin had been charged with hacking into the accounts of around 60,000 users of the DraftKings sports betting website in November 2022. | 18-year-old charged with hacking 60,000 DraftKings betting accounts |
| Report | A large cybercrime enterprise tracked as the "Lemon Group" has reportedly pre-installed malware known as 'Guerilla' on almost 9 million Android-based smartphones, watches, TVs, and TV boxes. | Cybercrime gang pre-infects millions of Android devices with malware |
| Report | Based on the wording of the data breach notification letters sent to impacted employees, Dish Network, an American television provider, most likely paid a ransom after being hit by a ransomware attack in February. | Dish Network likely paid ransom after recent ransomware attack |
| Report | U.S. tech giant Meta has been hit with a record €1.2 billion fine for not complying with the EU’s privacy rulebook. | |
| Report | A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum has developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the target's browser and infer the navigation history. | Hot Pixels attack checks CPU temp, power changes to steal data |
| Report | NHS trusts are, allegedly, sharing intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent. | NHS data breach: trusts shared patient details with Facebook without consent |
| Report | A new 'File Archivers in the Browser' phishing kit abuses ZIP domains by displaying fake WinRAR or Windows File Explorer windows in the browser to convince users to launch malicious files. | Clever ‘File Archiver In The Browser’ phishing trick uses ZIP domains |
| Report | Bristol Community College faces a new proposed federal class action alleging that it negligently failed to protect the personal information of more than 56,000 students in connection with a December data breach. | Massachusetts Community College Faces Lawsuit Over Data Breach |