May 2024: Biggest Cyber Attacks, Data Breaches & Ransomware Attacks
Date: 6 December 2024
Why did Dell, the UK Ministry of Defence, Australian mortgage lender Firstmac, WebTPA, entertainment ticketing giant Ticketmaster, ABN AMRO Bank and London Drugs make headlines in the month gone by? Either they were impacted by cyber crime or there were major updates on the impact they suffered from recent cyber attacks. We've covered all this news and more in our monthly roundup of the biggest cyber attacks, ransomware attacks and data breaches of May 2024, including news on vulnerabilities and malware discovered, and patches released.
- Ransomware Attacks in May 2024
- Data Breaches in May 2024
- Cyber Attacks in May 2024
- New Malware and Ransomware Discovered
- Vulnerabilities Discovered and Patches Released
- Advisories issued, reports, analysis etc. in May 2024
Each month, organisations from different industries and countries suffer serious blows on account of cyber crime. Apart from empowering our readers with knowledge and insights, we compile these monthly cyber attack lists to keep reminding ourselves and others that nobody is safe today.
Accepting that an attack is likely to happen eventually is wise. Learning from the experiences and mistakes of others is a valuable tool in the journey to enhanced cyber resilience. It helps us understand which steps to take next to be as secure as possible.
Here are some things you can look at today if you want to dramatically improve your chances of bouncing back after a cyber-attack with minimal damage:
1. Have a plan of action to recover from a cybersecurity incident. In other words, get your Cyber Incident Response Plan in order. Make sure it's relevant, up-to-date and is easy to implement in the chaos that follows a cyber crime.
2. Invest in effective Cyber Incident Planning & Response training for your staff, especially the first responders. This not only fosters a cybersecurity-focused team culture with high awareness of good cyber hygiene practices, it also helps employees understand their roles and responsibilities in keeping the organisation safe and responding correctly in case of an incident.
3. Practise your cyber response plans with scenario-based Cyber Attack Tabletop Exercises. Keep yourself informed about current and new threats and emerging tactics of threat actors. Stay updated with the recent cyber attacks, ransomware attacks, and data breaches listed below for your easy reference.
Ransomware Attacks in May 2024
Date |
Victim |
Summary |
Threat Actor |
Business Impact |
Source Link |
May 01, 2024 |
Simone Veil hospital in Cannes, France |
LockBit publishes confidential data stolen from Cannes hospital in France |
LockBit Ransomware |
The LockBit ransomware-as-a-service gang published what it claimed was confidential data stolen from Simone Veil hospital. The release of data from the Cannes hospital followed an announcement that it had received an extortion demand from LockBit. |
|
May 05, 2024 |
Wichita government |
Wichita government shuts down systems after ransomware attack |
LockBit Ransomware |
In an alert, the Wichita government said several of its systems were encrypted with malware, forcing officials to disconnect and shut down some of them to prevent the malware from spreading. LockBit claimed the attack on Wichita. The city struggled with payment issues and airport disruption. |
|
May 08, 09, 29 2024 |
Catholic health system Ascension |
Catholic health system Ascension warns of disruptions following cyber attack |
BlackBasta Group |
One of the largest Catholic health systems in the U.S., Ascension faced a disruption to its clinical operations following a cyber attack. It published a notice saying it discovered unusual activity on network systems and immediately began an investigation, hired Mandiant and notified law enforcement soon after. |
|
May 09, 2024 |
Ohio Lottery |
500,000 Impacted by Ohio Lottery Ransomware Attack |
DragonForce |
The Ohio Lottery cyber attack conducted last year by a ransomware group has impacted 538,000 individuals. The hackers have since made available more than 90 Gb of files (in .bak backup format) allegedly stolen from the Ohio Lottery. They claim to have obtained more than 1.5 million records of employee and player information, including names, email and postal addresses, winnings, dates of birth, and social security numbers. |
|
May 12, 2024 |
British auction house Christie's |
Christie's takes website offline after cyber attack, delays live auction |
RansomHub |
British auction house Christie's said a cyber attack has forced it to take down its website and move one live auction. |
|
May 14, 2024 |
Singing River Health System |
Singing River Health System: Data of 895,000 stolen in ransomware attack |
Rhysida Ransomware |
The Singing River Health System now estimates that 895,204 people have been impacted by a ransomware attack it suffered in August 2023. The threat actors have so far leaked roughly 80% of the data they claim to hold from the breach at Singing River, which allegedly includes a catalogue of 420,766 files totaling 754 GB in size. |
|
May 20, 2024 |
OmniVision |
OmniVision discloses data breach after 2023 ransomware attack |
Cactus ransomware |
OmniVision informed the authorities in California of a security breach incident that lasted between September 4 and September 30, 2023, when its systems were encrypted by ransomware. It said: "This in-depth investigation determined that an unauthorised party took some personal information from certain systems between September 4, 2023, and September 30, 2023." |
|
May 21, 2024 |
London Drugs |
LockBit says they stole data in London Drugs ransomware attack |
LockBit |
The LockBit ransomware gang claimed they were behind the April cyber attack on Canadian pharmacy chain London Drugs and have now threatened to publish stolen data online after allegedly failed negotiations. |
|
May 26, 2024 |
MediSecure |
Data Stolen From MediSecure for Sale on Dark Web |
Threat actor, Ansgar |
Just before the US holiday weekend, news broke that a threat actor put the information allegedly stolen from MediSecure up for sale on an underground forum, for $50,000. Threat actor Ansgar posted several screenshots as proof, claiming to be in possession of 6.5 terabytes of files stolen from MediSecure, which contain names, addresses, email addresses, phone numbers, insurance numbers, prescription information, and login information. |
|
May 29, 2024 |
ABN AMRO |
ABN AMRO discloses data breach following an attack on a third-party provider |
Unknown |
Dutch bank ABN AMRO disclosed a data breach after third-party services provider AddComm suffered a ransomware attack. Unauthorised parties may have obtained access to data of a limited number of ABN AMRO clients. |
|
May 29, 2024 |
Ticketmaster/Live Nation |
Hackers claim Ticketmaster/Live Nation data breach, compromising details of over 550 million customers |
ShinyHunters |
The ShinyHunters hacking group shared the details of an alleged hack of Ticketmaster and Live Nation and was selling the data for a one-time price of US$500,000. The data was for sale on a popular clear web hacking forum, and ShinyHunters claimed to have the details of 560 million Ticketmaster customers in 16 different folders and files, each dozens of gigabytes in size. |
|
May 29, 2024 |
Seattle Public Library |
Ransomware attack on Seattle Public Library knocks out online systems |
Unknown |
A ransomware attack on the Seattle Public Library has brought services to a halt - knocking out the wireless network, computers for staff and patrons, and the entire online catalogue. |
Data Breaches in May 2024
Date |
Victim |
Summary |
Threat Actor |
Business Impact |
Source Link |
May 01, 2024 |
Panda Restaurant Group |
Panda Restaurant Group disclosed a data breach |
Unknown |
Panda Restaurant Group disclosed a data breach that occurred in March, resulting in the theft of personal information belonging to its associates. The incident did not, apparently, impact the company’s in-store systems, operations or guest experience. |
|
May 01, 2024 |
Dropbox |
Dropbox says hacker accessed passwords, authentication info during breach |
Unknown |
The hacker accessed information related to all users of Dropbox Sign, including account settings, names and emails. For some users, phone numbers, hashed passwords and authentication information like API keys, OAuth tokens and multi-factor authentication methods were also exposed. |
|
May 06, 2024 |
MedStar Health |
Nearly 184,000 MedStar Health patients’ personal data possibly breached |
Unknown |
MedStar Health said the personal information of about 184,000 people was likely hacked when an outsider accessed emails and files belonging to three employees. The emails and files included patients’ names, mailing addresses, dates of birth, dates of service, provider names and health insurance information. |
|
May 06, 2024 |
NHS Dumfries and Galloway |
Stolen children’s health records posted online in extortion bid |
INC Ransom |
Another batch of sensitive patient data stolen from NHS Dumfries and Galloway, part of the Scottish healthcare system, has been published by criminals demanding an extortion payment from the local health board. The ransomware group calling itself INC Ransom subsequently claimed to hold terabytes of data exfiltrated from the organisation, publishing samples of this data on its extortion site as evidence. |
|
May 06, 2024 |
UK Ministry of Defence |
MoD data breach: UK armed forces' personal details accessed in hack |
Unknown |
The personal information of an unknown number of serving UK military personnel has been accessed in a significant data breach. The hack targeted a payroll system used by the Ministry of Defence, which includes names and bank details of both current and some past armed forces members. |
|
May 08, 2024 |
University System of Georgia |
University System of Georgia Says 800,000 Impacted by MOVEit Hack |
Clop Ransomware |
University System of Georgia notified 800,000 individuals that their personal and financial information was compromised in the May 2023 MOVEit hack. |
|
May 08, 2024 |
Dell |
Dell warns of data breach, 49 million customers allegedly affected |
A BreachForum user named Menelik |
Dell warned customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. The computer maker began emailing data breach notifications to customers, stating that a Dell portal containing customer information related to purchases was breached. |
|
May 13, 2024 |
City of Helsinki |
Helsinki suffers data breach after hackers exploit unpatched flaw |
Unknown |
The City of Helsinki is investigating a data breach in its education division, which it discovered in late April 2024, impacting tens of thousands of students, guardians, and personnel. An unauthorised actor gained access to a network drive after exploiting a vulnerability in a remote access server. |
|
May 14, 2024 |
Firstmac Limited |
Largest non-bank lender in Australia warns of a data breach |
New Embargo group |
Firstmac Limited is warning customers that it suffered a data breach a day after the new Embargo cyber-extortion group leaked over 500 GB of data allegedly stolen from the firm. Embargo leaked all data they claimed to have stolen from Firstmac's systems, including documents, source code, email addresses, phone numbers, and database backups. |
|
May 16, 2024 |
The WebTPA Employer Services (WebTPA) |
WebTPA data breach impacts 2.4 million insurance policyholders |
Unknown |
The WebTPA data breach disclosed earlier this month is impacting close to 2.5 million individuals, the U.S. Department of Health and Human Services noted. |
|
May 22, 2024 |
Northern Ireland police |
Northern Ireland police faces £750k fine after exposing staff information |
Human error |
The United Kingdom's Information Commissioner's Office (ICO) intends to impose a fine of £750,000 ($954,000) on the Police Service of Northern Ireland (PSNI) for exposing the entire workforce's personal details by mistakenly publishing a spreadsheet online. |
|
May 24, 2024 |
Prescriptions management company Sav-Rx |
Nearly 3 million affected by Sav-Rx data breach |
Unknown |
Nearly three million people had sensitive information leaked during an October cyber attack on the prescriptions management company Sav-Rx. In filings to regulators and a notice on its website, the company said names, addresses, eligibility data, insurance identification numbers and Social Security numbers were accessed when hackers breached their network on October 3. |
|
May 24, 2024 |
Cencora |
Cencora data breach exposes US patient information from 11 drug companies |
Unknown |
Some of the largest drug companies in the world have disclosed data breaches due to a February 2024 cyber attack at Cencora, whom they partner with for pharmaceutical and business services. The California Attorney General's office published multiple data breach notification samples submitted in the past couple of days by some of the largest pharmaceutical firms in the United States, all attributing their data exposure to the February Cencora incident. |
|
May 28, 2024 |
First American |
First American December data breach impacts 44,000 people |
Unknown |
First American Financial Corporation revealed that a December cyber attack led to a breach impacting 44,000 individuals. |
|
May 29, 2024 |
Cooler Master |
Cooler Master hit by data breach exposing customer information |
A threat actor by the alias 'Ghostr' |
Computer hardware manufacturer Cooler Master suffered a data breach after a threat actor breached the company's website and claimed to have stolen the Fanzone member information of 500,000 customers. The threat actor, who goes by the alias 'Ghostr', claimed to have stolen 103 GB of data from Cooler Master on May 18th, 2024. |
Cyber Attacks in May 2024
Date |
Victim |
Summary |
Threat Actor |
Business Impact |
Source Link |
May 06, 2024 |
Final Fantasy game |
Final Fantasy game servers hit by multiple DDoS attacks |
Unknown |
Players of the popular video game series Final Fantasy faced trouble logging in due to a series of ongoing DDoS attacks flooding its servers with a large volume of junk traffic. |
|
May 07, 2024 |
French radiologist, Coradix-Magnescan |
Patient appointments imperilled by cyber attack on French radiologist |
Unknown |
Coradix-Magnescan, a French company that provides medical radiological imaging, warned patients it is currently dealing with a cyber attack that risks “complicating” their appointments. |
|
May 08, 2024 |
British Columbia government networks |
British Columbia investigating cyber attacks on government networks |
Unknown |
The Government of British Columbia investigated multiple "cybersecurity incidents" that have impacted the Canadian province's government networks. |
|
May 08, 2024 |
AT&T |
AT&T delays Microsoft 365 email delivery due to spam wave |
Unknown |
AT&T's email servers blocked connections from Microsoft 365 due to a "high volume" spam wave originating from Microsoft's service. |
|
May 19, 2024 |
American Radio Relay League |
American Radio Relay League cyber attack takes Logbook of the World offline |
Unknown |
The American Radio Relay League (ARRL) warns it suffered a cyber attack, which disrupted its IT systems and online operations, including email and the Logbook of the World. |
|
May 21, 2024 |
Gala Games Blockchain |
$22 million in crypto swiped from Gala Games blockchain platform |
Unknown |
More than $22 million worth of cryptocurrency was stolen from Gala Games after someone compromised the blockchain platform. |
|
May 23, 2024 |
Courtroom recording software, Justice AV Solutions (JAVS) |
Courtroom recording software compromised with backdoor installer |
Unknown |
A popular brand of recording software (JAVS) used widely in courtrooms, jails and prisons has been compromised by hackers, allowing them to gain full control of a system through a backdoor implanted in an update to the tool. |
|
May 29, 2024 |
North American University |
Free Piano phish targets American university students, staff |
Unknown |
A large-scale phishing campaign is using an unusual lure to earn at least $900,000 by tricking email recipients into believing they're about to receive a baby grand piano for free. |
Free piano phishing cyber attack on North American university |
May 29, 2024 |
Okta |
Okta warns of credential stuffing attacks targeting its CORS feature |
Unknown |
Okta warned that a Customer Identity Cloud (CIC) feature is being targeted in credential stuffing attacks, stating that numerous customers have been targeted since April. |
|
May 29, 2024 |
Russian delivery company CDEK |
Major Russian delivery company down for three days due to cyber attack |
Head Mare |
A hacker group claimed responsibility for an attack that has disrupted service for days at CDEK, one of Russia’s largest delivery companies. The hackers, who call themselves Head Mare, said they encrypted the company’s servers with ransomware and destroyed backup copies of its corporate systems. |
New Ransomware/Malware Discovered in May 2024
New Ransomware |
Summary |
Source Link |
New Lunar malware |
Security researchers discovered two previously unseen backdoors dubbed LunarWeb and LunarMail that were used to compromise a European government's diplomatic institutions abroad. |
Russian hackers use new Lunar malware to breach a European govt's agencies |
Linux malware, Gomir |
The North Korean hacker group Kimsuky has been using a new Linux malware called Gomir, a version of the GoBear backdoor delivered via trojanised software installers. |
Kimsuky hackers deploy new Linux backdoor in attacks on South Korea |
Banking malware Grandoreiro |
The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. |
|
BiBi Wiper malware |
A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims. |
New BiBi Wiper version also destroys the disk partition table |
ShrinkLocker ransomware |
A new ransomware strain called ShrinkLocker creates a new boot partition to encrypt corporate systems using Windows BitLocker. |
New ShrinkLocker ransomware uses BitLocker to encrypt your files |
Vulnerabilities/Patches Discovered in May 2024
Date |
New Malware/Flaws/Fixes |
Summary |
Source Link |
May 01, 2024 |
CVE-2023-7028 |
CISA warned that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets. |
CISA says GitLab account takeover bug is actively exploited in attacks |
May 01, 2024 |
CVE-2024-26305, CVE-2024-26304, CVE-2024-33511, CVE-2024-33512 |
HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system. |
HPE Aruba Networking fixes four critical RCE flaws in ArubaOS |
May 09, 2024 |
CVE-2024-31497 |
Citrix notified customers this week to manually mitigate a PuTTY SSH client vulnerability that could allow attackers to steal a XenCenter admin's private SSH key. |
Citrix warns admins to manually mitigate PuTTY SSH client bug |
May 18, 2024 |
CVE-2024-4761, CVE-2024-4947 |
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its 'Known Exploited Vulnerabilities' catalogue, one impacting Google Chrome and two affecting some D-Link routers. |
|
May 20, 2024 |
CVE-2024-4323 |
A critical Fluent Bit vulnerability that can be exploited in denial-of-service and remote code execution attacks impacts all major cloud providers and many technology giants. |
|
May 21, 2024 |
CVE-2024-29849 |
Veeam warned customers to patch a critical security vulnerability that allows unauthenticated attackers to sign into any account via the Veeam Backup Enterprise Manager (VBEM). |
Veeam warns of critical Backup Enterprise Manager auth bypass bug |
May 23, 2024 |
CVE-2024-5274 |
Google has released a new emergency security update to address the eighth zero-day vulnerability in Chrome browser confirmed to be actively exploited in the wild. |
Google fixes eighth actively exploited Chrome zero-day this year |
May 23, 2024 |
CVE-2024-4835 |
GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks. |
|
May 27, 2024 |
CVE-2024-23108 |
Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February. |
Exploit released for maximum severity Fortinet RCE bug, patch now |
Warnings/Advisories/Reports/Analysis
News Type |
Summary |
Source Link |
Report |
A Ukrainian hacker has been sentenced to almost 14 years in prison for infecting thousands of victims with REvil ransomware and demanding over $700 million in ransom payments. |
Ukrainian sentenced to almost 14 years for infecting thousands with REvil ransomware |
Report |
Law enforcement shut down 12 phone fraud call centres in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon that were behind thousands of scam calls daily. |
Police shuts down 12 fraud call centres, arrests 21 suspects |
Report |
The ransomware service LockBit’s darknet extortion site, which had been shuttered earlier this year after being infiltrated by law enforcement, reappeared with police teasing fresh information about the criminals involved. |
LockBit's seized darknet site resurrected by police, teasing new revelations |
Report |
LockBitSupp, the pseudonymous leader of the LockBit ransomware group, was identified as a Russian national called Dmitry Khoroshev. The United States, United Kingdom and Australia imposed financial sanctions against him. |
LockBitSupp identified as Dmitry Khoroshev and indicted for ransomware crimes |
Report |
Zscaler says that they discovered an exposed "test environment" that was taken offline for analysis after rumours circulated that a threat actor was selling access to the company's systems. |
Zscaler takes "test environment" offline after rumours of a breach |
Report |
Britain’s central government, local government and utilities sector were each impacted by more ransomware attacks last year than in all previous years combined. |
UK hit by more ransomware and cyberattacks last year than ever before |
Report |
A group called “first-class Russian hackers” defaced potentially hundreds of local and regional British newspaper websites, publishing a news story titled “PERVOKLASSNIY RUSSIAN HACKERS ATTACK” on the sites of titles owned by Newsquest Media Group. |
'Russian' hackers deface potentially hundreds of local British news sites |
Report |
The Federal Communications Commission (FCC) put an entity it is calling Royal Tiger in its crosshairs for facilitating fraudulent robocalls across international networks, making it the first group targeted through a new threat analysis and designation system. |
FCC designates first robocall threat actor under new classification system |
Report |
Anne Keast-Butler, director of signals and cyber intelligence agency GCHQ, warned that the Kremlin’s partnership with criminal groups was also contributing to “suspected physical surveillance and sabotage operations.” NCSC also said it developed new guidance with the insurance industry about how ransomware victims should respond to incidents. |
|
Report |
The website and Telegram page for the notorious BreachForums platform, a popular bazaar for stolen data and cybercriminal tools, appear to have been seized. |
|
Warning |
The Australian government warned of a “large-scale ransomware data breach” affecting healthcare data in the country. |
Australian government warns of 'large-scale ransomware data breach' |
Report |
Hacktivist operations are using leaked ransomware builders to launch attacks on critical infrastructure in the Philippines - part of a trend among politically motivated groups who are increasingly trying to disrupt life in the Southeast Asian nation. |
Hacktivists turn to ransomware in attacks on Philippines government |
Warning |
Rockwell Automation warned customers to disconnect all industrial control systems (ICSs) not designed for online exposure from the Internet due to increasing malicious activity worldwide. |
Rockwell Automation warns admins to take ICS devices offline |
Report |
An Indian national pleaded guilty to wire fraud conspiracy for stealing over $37 million through a fake Coinbase website. |
Indian man stole $37 million in crypto using fake Coinbase Pro site |