
May 2023: Recent Cyber Attacks, Data Breaches & Ransomware Attacks

Written by Aditi Uberoi | 1 June 2023

We're almost into the second half of the year, but cyber attacks, data breaches and ransomware attacks are nowhere close to abating. May 2023 saw its fair share of high-profile cybersecurity incidents, and we also received some major updates on attacks that happened earlier in the year. This article contains all that information and more!

  1. Ransomware Attacks in May 2023
  2. Data Breaches in May 2023
  3. Cyber-Attacks in May 2023
  4. New Ransomware/Malware Detected in May 2023
  5. Vulnerabilities/Patches 
  6. Advisories issued, reports, analysis etc. in May 2023

Ransomware attacks continued their rampage in May 2023. Two cities, many healthcare organisations, an airline, educational institutions and tech giants - almost nobody seems to have been spared. Black Basta, LockBit and BlackCat remained the usual suspects, with the new Money Message extortion gang making waves in every sector and demanding hefty ransoms.

Data breaches in May 2023 were no less damaging. While most data breaches in the month gone by were the work of criminal threat actors, some were caused by technical errors. Interestingly, Tesla's massive data breach was, apparently, the work of an insider. The data handed over to one of Germany's top news organisations allegedly contains information on customers, employees and business partners, as well as thousands of customer complaints regarding the carmaker's driver assistance system. A damaging data leak indeed!

And that's not all. Cyber attacks continued to make news, whether against government websites, industry and education ministries or even crypto exchanges.

The cost of these attacks and data breaches is immense and goes way beyond just monetary. While you do lose money in recovering from the attacks and/or in regulatory fines, you also lose customer trust once their information has been compromised. The inconvenience caused to them by business disruption is another critical factor to consider.

This is why it has become increasingly important to focus on your cybersecurity resilience and Business Continuity Management. Business continuity can be achieved by reviewing existing plans, policies and processes, or creating new ones, with the help of external cybersecurity experts like our Virtual Cyber Assistants.

Executive training, enhancing the board's knowledge of the threats to its business and improving overall board engagement with cybersecurity are also critical.

Ransomware Attacks in May 2023

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| May 03, 2023 | City of Dallas | City of Dallas hit by Royal ransomware attack impacting IT services | Royal ransomware | The City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department website. To reduce the impact, the City of Dallas shut down some of its IT systems. | Ransomware attack on City of Dallas |
| May 03, 2023 | Bluefield University | Ransomware gang hijacks university alert system to issue threats | Avos ransomware gang | Hackers hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data was stolen and would soon be released. The impact on the IT systems caused all examinations to be postponed. The ransomware group, apparently, communicated with students via email and SMS to warn them that it had hacked the university network and exfiltrated 1.2 TB of files, including admission and personal data of thousands of students. | Bluefield University ransomware attack |
| May 04, 2023 | Constellation Software | ALPHV gang claims ransomware attack on Constellation Software | ALPHV ransomware | The ALPHV ransomware gang (aka BlackCat) added an entry to its data leak site, claiming that it breached the company's network and stole more than 1 TB worth of files, including the company's confidential data. | Constellation Software ransomware attack |
| May 07, 2023 | Tech firm ABB | Multinational tech firm ABB hit by Black Basta ransomware attack | Black Basta ransomware | The ransomware attack affected the company's Windows Active Directory and hundreds of devices. It also disrupted the company's operations, delayed projects and impacted factories. ABB revealed that the attackers had stolen data from compromised devices and that it would notify affected individuals if their information was impacted in the incident. | US govt contractor ABB confirms data theft |
| May 08, 2023 | Intel | Intel investigating leak of Intel Boot Guard private keys after MSI breach | Money Message extortion gang | In March, the Money Message extortion gang attacked computer hardware maker MSI, claiming to have stolen 1.5 TB of data during the attack, including firmware, source code and databases. The gang demanded a $4,000,000 ransom and, after not being paid, began leaking MSI's data on its data leak site. In May, it began leaking MSI's stolen data, including the source code for firmware used by the company's motherboards. Alex Matrosov, the CEO of firmware supply chain security platform Binarly, warned that the leaked source code contains the image signing private keys for 57 MSI products and Intel Boot Guard private keys for 116 MSI products. | Ransomware attack on Intel |
| May 09, 2023 | Norton Healthcare | Norton Healthcare hit with demands from hackers after cyber event | Unknown | The attack forced Norton to shut down its systems; the threat actors then sent a fax to Norton Healthcare containing undisclosed threats and demands. | Norton Healthcare ransomware attack |
| May 12, 2023 | Capita | Capita warns Universities Superannuation Scheme (USS), the largest private pension scheme in the UK, that it should assume data was stolen | Black Basta ransomware | The servers accessed by the hackers held roughly 470,000 active, deferred and retired members' personal information, including names, dates of birth, National Insurance numbers and USS member numbers. Capita revealed that, after gaining access to its systems, the attackers exfiltrated files from roughly 4% (a figure it later revised to 0.1%) of its "server estate," including systems holding customer, supplier or colleague data. | Capita ransomware attack |
| May 12, 2023 | PharMerica | Ransomware gang steals data of 5.8 million PharMerica patients | Money Message ransomware | PharMerica said the threat actors exposed the data of over 5.8 million patients. The ransomware gang claimed to have stolen 4.7 TB of data during the attack, stating that it consisted of at least 1.6 million unique records of personal information, which it has leaked on its extortion site. | Ransomware attack on PharMerica |
| May 14, 2023 | ScanSource | ScanSource says ransomware attack behind multi-day outages | Unknown | The ransomware attack impacted some of its systems, business operations and customer portals. The company warned that there would be delays in the provision of services to customers in the forthcoming period, expected to affect operations in North America and Brazil. | ScanSource ransomware attack |
| May 14, 2023 | Philadelphia Inquirer | Philadelphia Inquirer operations disrupted after cyberattack | Cuba ransomware | The attack disrupted operations, with newspaper circulation halting, while Inquirer.com was only slightly affected, with publishing and updating of stories impacted by intermittent delays. The threat actors, apparently, had access to an email and document storage system used by several News Corp businesses. This enabled them to compromise business documents and emails containing sensitive data, including employees' personal information. | Cuba ransomware attack on Philadelphia Inquirer |
| May 17, 2023 | Zimbra servers | MalasLocker ransomware targets Zimbra servers; demands charity donation | MalasLocker ransomware | A new ransomware operation hacked Zimbra servers to steal emails and encrypt files. Instead of demanding a ransom payment, the threat actors demanded a donation to charity in exchange for an encryptor and for not leaking the data. | Ransomware attack on Zimbra servers |
| May 20, 2023 | Arms maker Rheinmetall | Arms maker Rheinmetall confirms BlackBasta ransomware attack | BlackBasta ransomware | The ransomware attack impacted its civilian business. BlackBasta posted Rheinmetall on its extortion site along with samples of the data the hackers claimed to have stolen from the arms maker. The published data samples include non-disclosure agreements, technical schematics, passport scans and purchase orders. | Ransomware attack on German arms maker Rheinmetall |
| May 20, 2023 | Thomas Hardye School | Dorchester school IT system held to ransom in cyber attack | Unknown | Thomas Hardye School in Dorchester said its screens and systems had been locked. The school was unable to use email or accept payments following the ransomware attack. | Ransomware attack on Thomas Hardye School |
| May 24, 2023 | SAS Airlines | SAS Airlines hit by cyber attack. Hackers demand $175,000 | A group known as Anonymous Sudan | The ransomware attack on Scandinavian Airlines (SAS) halted its app and made its website inoperable for nearly a full day. The ransomware gang reportedly first demanded $3,500 from the carrier before upping its demands to $175,000. | SAS Airlines ransomware attack |
| May 25, 2023 | City of Augusta | BlackByte ransomware claims City of Augusta cyber attack | BlackByte ransomware | The city of Augusta in Georgia, U.S., confirmed an IT system outage. The BlackByte ransomware group claimed to hold troves of sensitive data stolen from Augusta's computers and also allegedly leaked a 10 GB sample of data as proof of the breach, containing payroll information, contact details, personally identifiable information (PII), physical addresses, contracts, city budget allocation data and other details. | City of Augusta ransomware attack |
| May 26, 2023 | Managed Care of North America (MCNA) Dental | MCNA Dental data breach impacts 8.9 million people after ransomware attack | LockBit ransomware | The LockBit gang accessed the computer systems of MCNA Dental and stole 700 GB of sensitive, confidential information. On April 7th, 2023, LockBit released all the data on its website, making it available for download by anyone. | MCNA Dental ransomware attack |


Ransomware attacks are only rising in number and complexity with every new month. We are now also dealing with the sprouting of new and sophisticated ransomware and extortion gangs. While there is no escaping them, you can mitigate their impact and minimise their likelihood by using some of these FREE ransomware resources created by our cybersecurity experts:

  1. Ransomware Mitigation Checklist
  2. Ransomware Response Checklist
  3. Ransomware Response Workflow Guide  




Data Breaches in May 2023

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| May 01, 2023 | T-Mobile | T-Mobile discloses second data breach since the beginning of 2023 | Unknown | This incident affected 836 T-Mobile customers, and it is believed that threat actors gained access to their sensitive personal information. | T-Mobile second data breach in 2023 |
| May 02, 2023 | Paediatric mental health provider Brightline | Brightline data breach impacts 783K paediatric mental health patients | Clop ransomware | Paediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people. A ransomware gang allegedly stole the data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform. | Paediatric healthcare provider Brightline data breach incident |
| May 08, 2023 | Cybersecurity firm Dragos | Cybersecurity firm Dragos discloses cybersecurity incident, extortion attempt | Undisclosed | The hackers gained access to the company's SharePoint cloud service and contract management system by compromising the personal email address of a new sales employee prior to their start date. They then used the employee's personal information to impersonate them and complete initial steps of the employee onboarding process. After breaching Dragos' SharePoint cloud platform, the attackers downloaded "general use data" and accessed 25 intel reports that were usually only available to customers. | Cybersecurity firm Dragos data breach |
| May 09, 2023 | Food distribution giant Sysco | Food distribution giant Sysco warns of data breach after cyberattack | Unknown | The data breach affected 126,243 individuals, who had their names and other personal identifiers exposed together with Social Security numbers. The investigation determined that the threat actor extracted certain company data, including data relating to the operation of the business, customers, employees and personal data. The company believes the employee data stolen from its systems during the breach is a combination of the following: personal information provided to Sysco for payroll purposes, including name, Social Security number, account numbers or similar information. | Food distribution giant Sysco data breach |
| May 10, 2023 | Seoul National University Hospital (SNUH) | North Korean hackers breached major hospital in Seoul to steal data | Kimsuky hacking group (apparently) | The cyber attack resulted in data exposure for 831,000 individuals, most of whom were patients; 17,000 of the impacted people were current and former hospital employees. | Seoul National University Hospital data breach |
| May 11, 2023 | U.S. tech company and Siemens subsidiary Brightly Software | Brightly warns of SchoolDude data breach exposing credentials | Unknown | This security incident affected an account on Brightly Software's SchoolDude application (schooldude.com), an online platform used by educational institutions for placing and tracking maintenance work orders. The incident involved an unauthorised actor obtaining certain account information from the SchoolDude user database. The company believes the threat actors stole customer account information, including names, email addresses, account passwords, phone numbers (where available) and school district names. | Brightly Software data breach |
| May 12, 2023 | Toyota | Car location data of 2 million customers, apparently, exposed for ten years | Human error (misconfiguration of the cloud environment) | A data breach allegedly exposed the car location information of 2,150,000 customers for ten years. The incident exposed the information of customers who used the company's T-Connect G-Link, G-Link Lite or G-BOOK services between January 2, 2012 and April 17, 2023. | Toyota data breach |
| May 12, 2023 | Discord | Discord discloses data breach after support agent got hacked | Unknown | In this attack, the account of a third-party support agent was compromised. The breach exposed the agent's support ticket queue, which contained user email addresses, messages exchanged with Discord support and any attachments sent as part of the tickets. | Discord data breach |
| May 12, 2023 | airBaltic | Latvian airline accidentally exposes passenger info to others due to a 'technical error' | Technical error | Due to a technical error, the reservation details of some of its passengers were exposed to other airBaltic passengers. The exposed information may have included the passengers' full names, birth dates, email addresses, etc. | airBaltic data breach |
| May 12, 2023 | Luxottica | Luxottica confirms 2021 data breach after info of 70M leaks online | Unknown hacking group using the Sin (GOD) handle on breach forums | Threat actors leaked previously stolen data containing 305 million lines (records), 74.4 million unique email addresses and 2.6 million unique domain email addresses. | Luxottica data breach |
| May 16, 2023 | U.S. Transportation Department (USDOT) | Data of 237,000 US government employees, apparently, breached | Unknown | The personal information of 237,000 current and former federal government employees has been exposed in a data breach at the U.S. Transportation Department (USDOT). | U.S. Transportation Department (USDOT) data breach |
| May 19, 2023 | M&S pension scheme and Diageo pension scheme | M&S and Diageo pension schemes hit by Capita cyber attack | Unknown | Capita warned the pension schemes of Marks and Spencer, Diageo, Unilever and Rothesay that their members' personal data was likely to have been stolen by hackers during a cyber attack at the UK outsourcer. | M&S and Diageo pension schemes data breach |
| May 22, 2023 | Apria Healthcare | Apria Healthcare says potentially 2M people affected by IT security breach | Unknown | Personal and financial data describing almost 1.9 million Apria Healthcare patients and employees may have been accessed by criminals who breached the company's networks over a series of months in 2019 and 2021. | Apria Healthcare data breach |
| May 22, 2023 | Mazars Group | Mazars Group allegedly breached by BlackCat cybercrooks | BlackCat ransomware group | The Russia-linked ransomware syndicate ALPHV/BlackCat claims to have stolen sensitive data from Mazars Group. A post on the gang's dark web blog says that the cyber criminals accessed over 700 GB of data, including agreements, financial records and other sensitive information. | Mazars Group data breach |
| May 22, 2023 | Automotive supplier Gentex | Gentex confirms data breach by Dunghill ransomware gang | Dunghill ransomware gang | The ransomware gang published 5 TB of sensitive corporate data, which reportedly includes emails, client documents and personal data of approximately 10,000 Gentex employees, such as Social Security numbers. | Gentex data breach |
| May 23, 2023 | Zivame | Zivame data breach: personal info of 1.5 million users on sale for $500 | Unknown | Hackers put the personal details of 1.5 million users of e-commerce retailer Zivame, mostly women, on sale online for as little as $500 in cryptocurrencies. The details include personal information such as names, email addresses, phone numbers and addresses of customers. | Zivame data breach |
| May 23, 2023 | Harvard Pilgrim | Harvard Pilgrim says customers' information compromised in cyber attack | Unknown | The company said information was taken from Harvard Pilgrim systems from March 28 to April 3, including names, addresses, Social Security numbers, taxpayer ID numbers, and medical information and history. | Harvard Pilgrim data breach |
| May 24, 2023 | Adur and Worthing council | Adur and Worthing council contractor in data breach | Unknown | The personal information of about 100 people could have been leaked in the data breach. | Adur and Worthing council data breach |
| May 24, 2023 | NT patient health | Thousands of identifiable NT patient health files sent to overseas-based software vendor in government data breach | Human error | The Northern Territory government has breached the privacy of thousands of public health patients by sending identifiable medical records to a software vendor with offices in Europe, South America and China. | The Northern Territory government |
| May 26, 2023 | Tesla | Report: 'Massive' Tesla leak reveals data breaches, thousands of safety complaints | A whistleblower | According to Germany's Handelsblatt, Tesla has failed to adequately protect data from customers, employees and business partners and has received thousands of customer complaints regarding the carmaker's driver assistance system. A whistleblower leaked 100 gigabytes of confidential data, including tables containing more than 100,000 names of former and current employees. The data also allegedly contains the Social Security number of the Tesla CEO, Elon Musk, along with private email addresses, phone numbers, salaries of employees, bank details of customers and secret details from production. | Tesla data breach |


Cyber Attacks in May 2023

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| May 01, 2023 | Level Finance Crypto | Level Finance crypto exchange hacked after two security audits | Unknown | Hackers exploited a Level Finance smart contract vulnerability. They managed to drain 214,000 LVL tokens from the decentralised exchange and swapped them for 3,345 BNB, worth approximately $1,100,000. | Level Finance crypto cyber attack |
| May 01, 2023 | Packagist, PHP packages repository | Researcher hijacks popular Packagist PHP packages to get a job | A researcher with the pseudonym 'neskafe3v1' | A researcher hijacked over a dozen Packagist packages. Some of these packages have been installed over 500 million times over the course of their lifetime. He claimed that by hijacking these packages he hoped to get a job. | Cyber attack on Packagist PHP packages |
| May 10, 2023 | Suzuki Motorcycle India | Suzuki Motorcycle India plant shut for a week due to cyber-attack | Unknown | Suzuki Motorcycle India was forced to halt production at its factories due to a "cyber-attack" on its operations. Due to this halt, it is estimated to have incurred a production loss of over 20,000 vehicles in this timeframe. | Suzuki Motorcycle India cyber attack |
| May 18, 2023 | Various Pakistani Embassy websites | Indian hacktivists Kerala Cyber Xtractors strike back: 10 Pakistani Embassy websites hacked in a counter cyberattack | Kerala Cyber Xtractors | Indian hackers brought down 10 Pakistani Embassy websites worldwide with DDoS attacks in a counter cyber attack, after the Pakistani hacker group Team Insane PK claimed credit for attacking 23 Indian government and private organisation websites. | Cyber attack on Pakistani embassies' websites |
| May 24, 2023 | WordPress websites | Hackers target 1.5M WordPress sites with cookie consent plugin exploit | Unknown | The impact may include unauthorised access to sensitive information, session hijacking, malware infections via redirects to malicious websites, or a complete compromise of the target's system. | XSS attack on WordPress websites |
| May 26, 2023 | The open media solution, Emby | Emby shuts down user media servers hacked in recent attack | Unknown | The attackers targeted Internet-exposed private Emby servers and infiltrated those configured to allow admin logins without a password on the local network. To mitigate the impact, Emby remotely shut down an undisclosed number of user-hosted media server instances. | Cyber attack on the open media solutions provider Emby |
| May 26, 2023 | Italy's Industry Ministry | Italy's Industry Ministry reports 'heavy' cyberattack | Unknown | The Italian Industry Ministry's web portal and applications were hit by a "heavy cyberattack" and remained out of order. | Cyber attack on Italy's Industry Ministry |
| May 27, 2023 | Senegalese government websites | Senegalese government websites hit with cyber attack | A group of hackers called Mysterious Team | Hackers took multiple Senegalese government websites offline by hitting them with distributed denial-of-service (DDoS) attacks. | Cyber attack on Senegalese government websites |
| May 28, 2023 | Jimbos Protocol | Flash loan attack on Jimbos Protocol steals over $7.5 million | Unknown | Jimbos Protocol, an Arbitrum-based DeFi project, suffered a flash loan attack that resulted in the loss of more than 4,000 ETH tokens, currently valued at over $7,500,000. Following the hack, Jimbos' price collapsed quickly, going from $0.238 to just $0.0001. | Jimbos Protocol cyber attack |
| May 30, 2023 | Greece's Education Ministry | Cyber attack in Greece disrupts high school exams, causes political spat | Unknown | Greece's Education Ministry said it had been targeted in a cyber attack, described as the most extensive in the country's history, aimed at disabling a centralised high school examination platform. The DDoS attacks tried to overwhelm the platform for almost two days and involved computers from 114 countries, causing outages and delays in high school exams but failing to cripple the system, the ministry said. The outages left students waiting in classrooms for hours for the exams to start and touched off a political spat following an inconclusive general election earlier in the month. | Cyber attack on Greece's Education Ministry |



New Ransomware/Malware Discovered in May 2023

| New Ransomware | Summary | Source Link |
|---|---|---|
| LOBSHOT Malware | A new malware known as 'LOBSHOT', distributed using Google ads, allows threat actors to stealthily take over infected Windows devices using hVNC. | New LOBSHOT malware gives hackers hidden VNC access to Windows devices |
| Stop/Djvu Ransomware version v0700 | Stop/Djvu Ransomware (v0700); Extension: .saba; Ransom note: _readme.txt | New version of Stop/Djvu ransomware, v0700 |
| H3r ransomware | H3r ransomware; Dharma/CrySis ransomware family; Extension: .h3r (also appends filenames with victim's unique ID and developers' email address); Ransom notes: info.txt and pop-up window (Info.hta) | A new variant of Dharma/CrySis ransomware family, H3r Ransomware |
| BOOM ransomware | BOOM ransomware; Phobos ransomware family; Extension: .BOOM (also appends filenames with victim's unique ID and developers' email address); Ransom notes: info.txt and info.hta | A new variant of Phobos ransomware family, BOOM ransomware |
| CrypBits256 Ransomware | CrypBits256 Ransomware; Xorist ransomware family; Extension: .CrypBits256PT2; Ransom notes: pop-up window and HOW TO DECRYPT FILES.txt | A new variant of Xorist ransomware family, CrypBits256 Ransomware |
| Zhong Ransomware | Zhong Ransomware; Extension: .zhong; Ransom note: Restore.txt | A new ransomware, Zhong Ransomware |
| BlackSuit ransomware | New BlackSuit ransomware targets Windows, Linux. Extension: .blacksuit. ReadMe file name: README.BlackSuit.txt. | New BlackSuit ransomware |
| Rec_rans Ransomware | Rec_rans Ransomware; Extension: .rec_rans; Ransom note: HOW_TO_RECOVERY_FILES.txt; Changes the desktop wallpaper | New Rec_rans Ransomware |
| NodeStealer | Facebook discovered and disrupted the operation of a new information-stealing malware distributed on Meta called 'NodeStealer,' allowing threat actors to steal browser cookies to hijack accounts on the platform, as well as Gmail and Outlook accounts. | Facebook disrupts new NodeStealer information-stealing malware |
| btc-A Ransomware | btc-A Ransomware; Xorist ransomware family; Extension: .btc-Apt2; Ransom notes: pop-up window and HOW TO DECRYPT FILES.txt | A new variant of Xorist ransomware family, btc-A Ransomware |
| Fleckpe Malware | A new Android subscription malware named 'Fleckpe' has been spotted on Google Play, the official Android app store, disguised as legitimate apps downloaded over 620,000 times. | New Fleckpe Android malware installed 600K times on Google Play |
| ReconShark Malware | The North Korean Kimsuky hacking group has been observed employing a new version of its reconnaissance malware, now called 'ReconShark,' in a cyberespionage campaign with a global reach. | Kimsuky hackers use new recon tool to find security gaps |
| New Android FluHorse malware | A new Android malware called 'FluHorse' has been discovered, targeting users in Eastern Asia with malicious apps that imitate legitimate versions. | New Android FluHorse malware steals your passwords, 2FA codes |
| New Cactus ransomware | A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of "large commercial entities." | New Cactus ransomware encrypts itself to evade antivirus |
| Akira ransomware | The new Akira ransomware operation has slowly been building a list of victims as it breaches corporate networks worldwide, encrypts files and then demands million-dollar ransoms. | Akira, a new ransomware operation, targets corporate networks worldwide |
| Suffering Ransomware | Suffering Ransomware; GlobeImposter ransomware family; Extension: .Suffering; Ransom note: how_to_back_files.html | A new version of GlobeImposter ransomware family, Suffering Ransomware |
| Solix Ransomware | Solix Ransomware; Extension: .Solix; Ransom note: pop-up window | New Solix Ransomware |
| Newlocker Ransomware | Newlocker Ransomware; MedusaLocker ransomware family; Extension: .newlocker; Ransom note: HOW_TO_RECOVER_DATA.html | A new version of MedusaLocker ransomware family, Newlocker Ransomware |
| BrightNight Ransomware | BrightNight Ransomware; Extension: .BrightNight (also appends filenames with victim's ID and developers' email address); Ransom note: README.txt | New BrightNight Ransomware |
| Zipp3rs Ransomware | Zipp3rs Ransomware; Xorist ransomware family; Extension: .zipp3rs; Ransom notes: HOW TO DECRYPT FILES.txt and pop-up window | A new version of Xorist ransomware family, Zipp3rs Ransomware |
| Army Signal Ransomware | Army Signal Ransomware; Extension: .SIGSCH; Ransom note: README_SIGSCH.txt | New Army Signal Ransomware |
| The Phishing-as-a-Service (PhaaS) platform 'Greatness' | The Phishing-as-a-Service (PhaaS) platform named 'Greatness' has seen a spike in activity as it targets organisations using Microsoft 365 in the United States, Canada, the U.K., Australia and South Africa. | New 'Greatness' service simplifies Microsoft 365 phishing attacks |
| Aurora, an information-stealing malware | A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information-stealing malware. | Fake in-browser Windows updates push Aurora info-stealer malware |
| BPFDoor malware | A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications. | Stealthier version of Linux BPFDoor malware spotted in the wild |
| RA Group ransomware | A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management and manufacturing firms in the United States and South Korea. | New RA Group ransomware targets U.S. orgs in double-extortion attacks |
| MerDoor malware | A new APT hacking group dubbed Lancefly uses a custom 'Merdoor' backdoor malware to target government, aviation and telecommunication organisations in South and Southeast Asia. | Stealthy MerDoor malware uncovered after five years of attacks |
| Itlock Ransomware | Itlock Ransomware; MedusaLocker ransomware family; Extension: .itlock20 (the number may differ); Ransom note: How_to_back_files.html | New ransomware of MedusaLocker ransomware family, Itlock Ransomware |
| Moneybird ransomware | A suspected Iranian state-supported threat actor known as 'Agrius' is now deploying a new ransomware strain named 'Moneybird' against Israeli organisations. | Iranian hackers use new Moneybird ransomware to attack Israeli orgs |
| CosmicEnergy malware | Mandiant security researchers have discovered a new malware called CosmicEnergy, designed to disrupt industrial systems and linked to Russian cybersecurity outfit Rostelecom-Solar (formerly Solar Security). | New Russian-linked CosmicEnergy malware targets industrial systems |
| New Buhti ransomware | A new ransomware operation named 'Buhti' uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively. | New Buhti ransomware gang uses leaked Windows, Linux encryptors |
| FAST Ransomware | FAST Ransomware; Extension: .FAST (filenames are also appended with victim's ID and developers' email address); Ransom note: #FILEENCRYPTED.txt | New FAST Ransomware |
| EXISC Ransomware | EXISC Ransomware; Extension: .EXISC; Ransom note: Please Contact Us To Restore.txt | New EXISC Ransomware |
| QBot malware | The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software. | QBot malware abuses Windows WordPad EXE to infect devices |
| RomCom malware | A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers. | RomCom malware spread via Google Ads for ChatGPT, GIMP, more |


Vulnerabilities/Patches Discovered in May 2023

Date

Flaws/Fixes

Summary

Source Link

May 01, 2023

Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices

Apple has launched the first Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices, with some users having issues installing them on their iPhones.

Apple’s first Rapid Security Response patch fails to install on iPhones

May 02, 2023

CVE-2018-9995

Hackers are actively exploiting an unpatched 2018 authentication bypass vulnerability in exposed TBK DVR (digital video recording) devices.

Hackers exploit 5-year-old unpatched flaw in TBK DVR devices

May 02, 2023

CVE-2023-30777

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting (XSS) attacks.

WordPress custom field plugin bug exposes over 1M sites to XSS attacks

May 05, 2023

CVE-2023-0266

Android security updates released this month patch a high-severity vulnerability exploited as a zero-day to install commercial spyware on compromised devices.

New Android updates fix kernel bug exploited in spyware attacks

May 06, 2023

CVE-2023-27350

A new proof-of-concept (PoC) exploit for an actively exploited PaperCut vulnerability was released that bypasses all known detection rules.

New PaperCut RCE exploit bypasses existing detections

May 09, 2023

38 flaws in total:

8 Elevation of Privilege Vulnerabilities,

4 Security Feature Bypass Vulnerabilities,

12 Remote Code Execution Vulnerabilities,

8 Information Disclosure Vulnerabilities,

5 Denial of Service Vulnerabilities,

1 Spoofing Vulnerability

Three zero-days:

CVE-2023-29336

CVE-2023-24932

CVE-2023-29325

In Microsoft's May 2023 Patch Tuesday, there were three zero-day vulnerabilities and a total of 38 flaws patched.

Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws

May 09, 2023

Windows 10 KB5026361 and KB5026362 cumulative updates 

Microsoft has released the Windows 10 KB5026361 and KB5026362 cumulative updates for versions 22H2, version 21H2, version 21H1, and 1809 to fix problems and add new features to the operating system.

Windows 10 KB5026361 and KB5026362 updates released

May 09, 2023

Windows 11 22H2 KB5026372 cumulative update 

Microsoft has released the Windows 11 22H2 KB5026372 cumulative update to fix security vulnerabilities and introduce 20 changes, improvements, and bug fixes.

Windows 11 KB5026372 cumulative update released with 20 changes

May 09, 2023

CVE-2023-24932

Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems.

Microsoft issues optional fix for Secure Boot zero-day used by malware

May 09, 2023

CVE-2023-25717

A new malware botnet named 'AndoryuBot' is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks.

Critical Ruckus RCE flaw exploited by new DDoS botnet malware

May 11, 2023

CVE-2023-32243

One of WordPress's most popular Elementor plugins, "Essential Addons for Elementor," was found to be vulnerable to an unauthenticated privilege escalation that could allow remote attackers to gain administrator rights on the site.

WordPress Elementor plugin bug allows attacks on 1M sites

May 11, 2023

CVE-2023-29324

Microsoft fixed a security vulnerability that could be used by remote attackers to bypass recent patches for a critical Outlook zero-day security flaw abused in the wild.

Microsoft patches bypass for recently fixed Outlook zero-click bug

May 12, 2023

CVE-2023-25717

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet.

CISA warns of critical Ruckus bug used to infect Wi-Fi access points

May 14, 2023

CVE-2023-30777

Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept (PoC) exploit was made public.

Hackers target WordPress plugin flaw after PoC exploit released

May 18, 2023

CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373

Apple has addressed three new zero-day vulnerabilities exploited in attacks to hack into iPhones, Macs, and iPads.

Apple fixes three new zero-days exploited to hack iPhones, Macs

May 19, 2023

CVE-2023-21492

CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection.

CISA warns of Samsung ASLR bypass flaw exploited in attacks

May 22, 2023

CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks.

CISA orders govt agencies to patch iPhone bugs exploited in attacks

May 24, 2023

CVE-2023-2825

GitLab has released an emergency security update, version 16.0.1, to address a maximum severity (CVSS v3.1 score: 10.0) path traversal flaw tracked as CVE-2023-2825.

GitLab 'strongly recommends' patching max severity flaw ASAP
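The GitLab entry above is a path traversal bug: a user-supplied path is combined with a server-side base directory without confirming the result stays inside it. The guard below is an added example of the generic check a practitioner would want in any upload or download handler; it is not GitLab's code and makes no claim about the mechanics of CVE-2023-2825 itself. The base directory "/srv/uploads" and the request strings are constructed inputs.

```python
import os
from urllib.parse import unquote


def decode_fully(value, max_rounds=3):
    """Undo stacked percent-encoding (%252e -> %2e -> .) until the value stops changing.
    Returns None if it is still changing after max_rounds; legitimate clients never need that."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    return None


def resolve_upload(base_dir, requested):
    """Map a user-controlled relative path onto base_dir; raise ValueError if it would escape."""
    decoded = decode_fully(requested)
    if decoded is None:
        raise ValueError(f"over-encoded path: {requested!r}")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators too, so '..\\..\\' is not waved through on POSIX hosts.
    relative = decoded.replace("\\", "/")
    if relative.startswith("/"):
        raise ValueError(f"absolute path not allowed: {requested!r}")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments and follows symlinks, so the containment check
    # below is made on the path the OS would actually open, not on the string the client sent.
    candidate = os.path.realpath(os.path.join(base, relative))
    # commonpath compares whole components, so '/srv/uploads2/x' does not pass as '/srv/uploads'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def is_within_base(base_dir, requested):
    """Convenience wrapper: True if resolve_upload accepts the path, False if it rejects it."""
    try:
        resolve_upload(base_dir, requested)
        return True
    except ValueError:
        return False


# Constructed inputs: the kinds of strings an upload/download handler sees.
SAMPLE_REQUESTS = [
    "group/project/uploads/report.pdf",
    "../../../../etc/passwd",
    "..%2F..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = "allowed" if is_within_base("/srv/uploads", req) else "rejected"
        print(f"{req!r:45} -> {verdict}")
```

The order matters: decode first, then normalise, then resolve, then compare. Checking for the literal string ".." before decoding is the mistake that lets "%2e%2e" and double-encoded variants through, and comparing with a string prefix instead of commonpath lets a sibling directory with a longer name through.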

May 25, 2023

CVE-2023-32165, CVE-2023-32169

D-Link has fixed two critical-severity vulnerabilities in its D-View 8 network management suite that could allow remote attackers to bypass authentication and execute arbitrary code.

D-Link fixes auth bypass and RCE flaws in D-View 8 software

May 25, 2023

CVE-2023-33009, CVE-2023-33010

Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could leverage without authentication.

Zyxel warns of critical vulnerabilities in firewall and VPN devices

May 27, 2023

CVE-2023-2868

CISA warned of a recently patched zero-day vulnerability exploited last week to hack into Barracuda Email Security Gateway (ESG) appliances.

CISA warns govt agencies of recently patched Barracuda zero-day

May 30, 2023

CVE-2023-28782

The premium WordPress plugin 'Gravity Forms,' currently used by over 930,000 websites, is vulnerable to unauthenticated PHP Object Injection.

Barracuda zero-day abused since 2022 to drop new malware, steal data

May 30, 2023

CVE-2023-32369

Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install "undeletable" malware and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks.

Microsoft finds macOS bug that lets hackers bypass SIP root restrictions

Back to Top

Warnings/Advisories/Reports/Analysis

News

Summary

Source Link

Report

An international law enforcement operation codenamed 'SpecTor' has arrested 288 dark web vendors and customers worldwide, with police seizing €50.8 million ($55.9M) in cash and cryptocurrency.

Police operation 'SpecTor' arrests 288 dark web drug vendors and buyers

Report

The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors.

FBI seizes 9 crypto exchanges used to launder ransomware payments

Report

The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as 'booter' or 'stresser' services.

QR codes used in fake parking tickets, surveys to steal your money

Report

The U.S. Justice Department has filed charges against a Russian citizen named Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for involvement in three ransomware operations that targeted victims across the United States.

Russian ransomware affiliate charged with attacks on critical infrastructure

Report

A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organisations.

Hackers infect TP-Link router firmware to attack EU entities

Report

The Department of Justice revealed today that an 18-year-old man named Joseph Garrison from Wisconsin had been charged with hacking into the accounts of around 60,000 users of the DraftKings sports betting website in November 2022.

18-year-old charged with hacking 60,000 DraftKings betting accounts

Report

A large cybercrime enterprise tracked as the "Lemon Group" has reportedly pre-installed malware known as 'Guerilla' on almost 9 million Android-based smartphones, watches, TVs, and TV boxes.

Cybercrime gang pre-infects millions of Android devices with malware

Report

Dish Network, an American television provider, most likely paid a ransom after being hit by a ransomware attack in February based on the wording used in data breach notification letters sent to impacted employees.

Dish Network likely paid ransom after recent ransomware attack

Report

U.S. tech giant Meta has been hit with a record €1.2 billion fine for not complying with the EU’s privacy rulebook.

EU hits Meta with record €1.2B privacy fine

Report

A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the target's browser and infer the navigation history.

Hot Pixels attack checks CPU temp, power changes to steal data

Report

NHS trusts are, allegedly, sharing intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent. 

NHS data breach: trusts shared patient details with Facebook without consent

Report

A new 'File Archivers in the Browser' phishing kit abuses ZIP domains by displaying fake WinRAR or Windows File Explorer windows in the browser to convince users to launch malicious files.

Clever ‘File Archiver In The Browser’ phishing trick uses ZIP domains
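The phishing kit above works because .zip and .mov are now registrable top-level domains, so a string that looks like a filename ("setup.zip") is also a valid hostname, and some mail and chat clients turn it into a clickable link. Two checks follow as an added example, not code from the original page or from the researcher who described the kit: one finds filename-looking tokens in free text that would be auto-linked as hosts, the other flags proxy-log requests whose destination host uses one of those TLDs. The email body, the proxy-log format and the hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions; extend as further such TLDs appear.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# A bare token like 'report.zip' that a mail or chat client may render as https://report.zip/.
# The lookbehind skips tokens that are already part of a URL path or a longer hostname.
_AUTOLINK = re.compile(
    r"(?<![\w@/.-])([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:zip|mov))(?![\w-])", re.I
)


def autolinked_hosts(text):
    """Return filename-looking tokens in free text that resolve as hostnames under a .zip/.mov TLD."""
    return [m.group(1).lower() for m in _AUTOLINK.finditer(text)]


def host_tld(url):
    """Last label of the URL's hostname, lower-cased; '' if there is no dotted host."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def flag_file_extension_domains(log_lines):
    """Constructed proxy-log format: '<timestamp> <user> <method> <url> <status>'.
    Return (user, url) pairs whose destination host sits under a file-extension TLD."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        user, url = parts[1], parts[3]
        if host_tld(url) in FILE_EXTENSION_TLDS:
            flagged.append((user, url))
    return flagged


# Constructed email body: two tokens would be auto-linked; the archive inside a URL path would not.
EMAIL_BODY = (
    "Hi, the quarterly figures are in Q1-report.zip, attached to this mail. "
    "Please also see https://intranet.example.com/files/archive.zip and "
    "the onboarding clip welcome.mov."
)

# Constructed proxy log. A .zip file on a normal domain is fine; a .zip *host* is the signal.
PROXY_LOG = [
    "2023-05-29T10:12:01Z alice GET https://intranet.example.com/files/archive.zip 200",
    "2023-05-29T10:12:09Z bob GET https://setup-installer.zip/ 200",
    "2023-05-29T10:12:11Z bob GET https://setup-installer.zip/winrar.html 200",
    "2023-05-29T10:13:40Z carol GET https://cdn.example.net/media/intro.mov 304",
    "2023-05-29T10:14:02Z dave GET https://attachment.mov/ 200",
]

if __name__ == "__main__":
    print("auto-linked tokens:", autolinked_hosts(EMAIL_BODY))
    for user, url in flag_file_extension_domains(PROXY_LOG):
        print(f"{user} visited a file-extension TLD host: {url}")
```

The distinction the second check draws is the one that matters for triage: a path ending in ".zip" on a known domain is an ordinary download, whereas a hostname ending in ".zip" is a site somebody registered to look like a file. Blocking the .zip and .mov TLDs outright at the proxy is a defensible choice for most organisations until there is a business need for them.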

Report

A new proposed federal class action alleges that Bristol Community College negligently failed to protect the personal information of more than 56,000 students in connection with a December data breach.

Massachusetts Community College Faces Lawsuit Over Data Breach

Back to Top