Cyber Security Blog

May 2024: Biggest Cyber Attacks, Data Breaches & Ransomware Attacks

Written by Aditi Uberoi | 9 July 2024

Why did Dell, the UK Ministry of Defence, Australian mortgage lender Firstmac, WebTPA, entertainment ticketing giant Ticketmaster, ABN AMRO Bank and London Drugs make headlines in the month gone by? Either they were impacted by cyber crime or there were major updates on the impact they suffered from recent cyber attacks. We've covered all this news and more in our monthly roundup of the biggest cyber attacks, ransomware attacks and data breaches of May 2024, including news on vulnerabilities and malware discovered, and patches released.

  1. Ransomware Attacks in May 2024
  2. Data Breaches in May 2024
  3. Cyber Attacks in May 2024
  4. New Malware and Ransomware Discovered
  5. Vulnerabilities Discovered and Patches Released 
  6. Advisories issued, reports, analysis etc. in May 2024

Each month, organisations from different industries and countries suffer serious blows on account of cyber crime. Apart from empowering our readers with knowledge and insights, we compile these monthly cyber attack lists to keep reminding ourselves and others that nobody is safe today. 

Accepting that an attack is likely to happen eventually is wise. Learning from the experiences and mistakes of others is a valuable tool in the journey to enhanced cyber resilience. This helps us understand what next steps to take to be as secure as possible.

Here are some things you can look at today if you want to dramatically improve your chances of bouncing back after a cyber-attack with minimal damage: 

1. Have a plan of action to recover from a cybersecurity incident. In other words, get your Cyber Incident Response Plan in order. Make sure it's relevant, up-to-date and is easy to implement in the chaos that follows a cyber crime. 

2. Invest in effective Cyber Incident Planning & Response training for your staff, especially the first responders. This not only fosters a cybersecurity-focused team culture with high awareness of good cyber hygiene practices, it also helps employees understand their roles and responsibilities in keeping the organisation safe and responding correctly in case of an incident.

3. Practise your cyber response plans with scenario-based Cyber Attack Tabletop Exercises. Keep yourself informed about current and new threats and emerging tactics of threat actors. Stay updated with the recent cyber attacks, ransomware attacks, and data breaches listed below for your easy reference.

Ransomware Attacks in May 2024

Date

Victim

Summary

Threat Actor

Business Impact

Source Link

May 01, 2024

Simone Veil hospital in Cannes, France

LockBit publishes confidential data stolen from Cannes hospital in France

LockBit Ransomware

The LockBit ransomware-as-a-service gang published what it claimed was confidential data stolen from Simone Veil hospital. The release of data from the Cannes hospital followed an announcement that it had received an extortion demand from LockBit.

Simone Veil hospital Cannes ransomware attack

May 05, 2024

Wichita government

Wichita government shuts down systems after ransomware attack

LockBit Ransomware

In an alert, the Wichita government said several of its systems were encrypted with malware, forcing officials to disconnect and shut down some of them to prevent the malware from spreading. LockBit claimed the attack on Wichita. The city struggled with payment issues and airport disruption.


Wichita ransomware attack update

May 08, 09, 29, 2024

Catholic health system Ascension

Catholic health system Ascension warns of disruptions following cyber attack

BlackBasta Group

One of the largest Catholic health systems in the U.S., Ascension faced a disruption to its clinical operations following a cyber attack. It published a notice saying it had discovered unusual activity on network systems and immediately began an investigation, hired Mandiant and notified law enforcement soon after.



Ascension hospital ransomware attack update

May 09, 2024

Ohio Lottery

500,000 Impacted by Ohio Lottery Ransomware Attack

DragonForce

The Ohio Lottery cyber attack conducted last year by a ransomware group has impacted 538,000 individuals as the hackers have since made available more than 90 Gb of files (in .bak backup format) allegedly stolen from the Ohio Lottery. They claim to have obtained more than 1.5 million records of employee and player information, including names, email and postal addresses, winnings, dates of birth, and social security numbers.

Ohio Lottery ransomware attack update

May 12, 2024

British auction house Christie's

Christie's takes website offline after cyber attack, delays live auction

RansomHub

British auction house Christie's said a cyber attack has forced it to take down its website and move one live auction.

Christie’s ransomware attack and RansomHub 

May 14, 2024

Singing River Health System

Singing River Health System: Data of 895,000 stolen in ransomware attack

Rhysida Ransomware

The Singing River Health System now estimates that 895,204 people have been impacted by a ransomware attack it suffered in August 2023. The threat actors have so far leaked roughly 80% of the data they claim to hold from the breach at Singing River, which allegedly includes a catalogue of 420,766 files totaling 754 GB in size.

Singing River Health System ransomware attack update

May 20, 2024

OmniVision

OmniVision discloses data breach after 2023 ransomware attack

Cactus ransomware

OmniVision informed the authorities in California of a security breach incident that lasted between September 4 and September 30, 2023, when its systems were encrypted by ransomware. It said: "This in-depth investigation determined that an unauthorised party took some personal information from certain systems between September 4, 2023, and September 30, 2023."

OmniVision ransomware attack update

May 21, 2024

London Drugs

LockBit says they stole data in London Drugs ransomware attack

LockBit

The LockBit ransomware gang claimed they were behind the April cyber attack on Canadian pharmacy chain London Drugs and have now threatened to publish stolen data online after allegedly failed negotiations.

London Drugs ransomware attack update with LockBit

May 26, 2024

MediSecure

Data Stolen From MediSecure for Sale on Dark Web

Threat actor, Ansgar

Just before the US holiday weekend, news broke that a threat actor put the information allegedly stolen from MediSecure up for sale on an underground forum, for $50,000. Threat actor Ansgar posted several screenshots as proof, claiming to be in the possession of 6.5 terabytes of files stolen from MediSecure, which contain names, addresses, email addresses, phone numbers, insurance numbers, prescription information, and login information.

MediSecure ransomware attack

May 29, 2024

ABN AMRO

ABN AMRO discloses data breach following an attack on a third-party provider

Unknown

Dutch bank ABN AMRO disclosed a data breach after third-party services provider AddComm suffered a ransomware attack. Unauthorised parties may have obtained access to data of a limited number of ABN AMRO clients.

ABN AMRO ransomware attack

May 29, 2024

Ticketmaster/Live Nation

Hackers claim Ticketmaster/Live Nation data breach, compromising details of over 550 million customers

ShinyHunters

The ShinyHunters hacking group shared the details of an alleged hack of Ticketmaster and Live Nation and was selling the data for a one-time price of US$500,000. The data was for sale on a popular clear web hacking forum, and ShinyHunters claimed to have the details of 560 million Ticketmaster customers in 16 different folders and files, each dozens of gigabytes in size.

Ticketmaster/Live Nation ransomware attack

May 29, 2024

Seattle Public Library

Ransomware attack on Seattle Public Library knocks out online systems

Unknown

A ransomware attack on the Seattle Public Library has brought services to a halt - knocking out the wireless network, computers for staff and patrons, and the entire online catalogue.

Seattle Public Library ransomware attack


 



Data Breaches in May 2024

Date

Victim

Summary

Threat Actor

Business Impact

Source Link

May 01, 2024

Panda Restaurant Group

Panda Restaurant Group disclosed a data breach

Unknown

Panda Restaurant Group disclosed a data breach that occurred in March, resulting in the theft of personal information belonging to its associates. The incident did not, apparently, impact the company’s in-store systems, operations or guest experience.

Panda Restaurant Group data breach

May 01, 2024

Dropbox

Dropbox says hacker accessed passwords, authentication info during breach

Unknown

The hacker accessed information related to all users of Dropbox Sign, including account settings, names and emails. For some users, phone numbers, hashed passwords and authentication information like API keys, OAuth tokens and multi-factor authentication methods were also exposed.

Dropbox data breach

May 06, 2024

MedStar Health

Nearly 184,000 MedStar Health patients’ personal data possibly breached

Unknown

MedStar Health said the personal information of about 184,000 people was likely hacked when an outsider accessed emails and files belonging to three employees. The emails and files included patients’ names, mailing address, dates of birth, dates of service, provider names and health insurance information.

MedStar Health data breach

May 06, 2024

NHS Dumfries and Galloway

Stolen children’s health records posted online in extortion bid

INC Ransom

Another batch of sensitive patient data stolen from NHS Dumfries and Galloway, part of the Scottish healthcare system, has been published by criminals demanding an extortion payment from the local health board. The ransomware group calling itself INC Ransom subsequently claimed to hold terabytes of data exfiltrated from the organisation, publishing samples of this data on its extortion site as evidence.

NHS Dumfries and Galloway data breach update

May 06, 2024

UK Ministry of Defence

MoD data breach: UK armed forces' personal details accessed in hack

Unknown

The personal information of an unknown number of serving UK military personnel has been accessed in a significant data breach. The hack targeted a payroll system used by the Ministry of Defence, which includes names and bank details of both current and some past armed forces members.

UK Ministry of Defence Data Breach

May 08, 2024

University System of Georgia

University System of Georgia Says 800,000 Impacted by MOVEit Hack

Clop Ransomware

University System of Georgia notified 800,000 individuals that their personal and financial information was compromised in the May 2023 MOVEit hack.

University System of Georgia data breach and MOVEit hack

May 08, 2024

Dell

Dell warns of data breach, 49 million customers allegedly affected

A BreachForum user named Menelik

Dell warned customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. The computer maker began emailing data breach notifications to customers, stating that a Dell portal containing customer information related to purchases was breached.

Dell data breach

May 13, 2024

City of Helsinki

Helsinki suffers data breach after hackers exploit unpatched flaw

Unknown

The City of Helsinki is investigating a data breach in its education division, which it discovered in late April 2024, impacting tens of thousands of students, guardians, and personnel. An unauthorised actor gained access to a network drive after exploiting a vulnerability in a remote access server.

City of Helsinki data breach

May 14, 2024

Firstmac Limited

Largest non-bank lender in Australia warns of a data breach

New Embargo group

Firstmac Limited is warning customers that it suffered a data breach a day after the new Embargo cyber-extortion group leaked over 500 GB of data allegedly stolen from the firm. Embargo leaked all data they claimed to have stolen from Firstmac's systems, including documents, source code, email addresses, phone numbers, and database backups.

Firstmac Limited data breach

May 16, 2024

The WebTPA Employer Services (WebTPA)

WebTPA data breach impacts 2.4 million insurance policyholders

Unknown

The WebTPA data breach disclosed earlier this month is impacting close to 2.5 million individuals, the U.S. Department of Health and Human Services noted.

WebTPA data breach

May 22, 2024

Northern Ireland police

Northern Ireland police faces £750k fine after exposing staff information

Human error

The United Kingdom's Information Commissioner's Office (ICO) intends to impose a fine of £750,000 ($954,000) on the Police Service of Northern Ireland (PSNI) for exposing the entire workforce's personal details by mistakenly publishing a spreadsheet online.

Northern Ireland police data leak

May 24, 2024

Prescriptions management company Sav-Rx

Nearly 3 million affected by Sav-Rx data breach

Unknown

Nearly three million people had sensitive information leaked during an October cyber attack on the prescriptions management company Sav-Rx. In filings to regulators and a notice on its website, the company said names, addresses, eligibility data, insurance identification numbers and Social Security numbers were accessed when hackers breached their network on October 3.

Sav-Rx data breach

May 24, 2024

Cencora

Cencora data breach exposes US patient information from 11 drug companies

Unknown

Some of the largest drug companies in the world have disclosed data breaches due to a February 2024 cyber attack at Cencora, whom they partner with for pharmaceutical and business services. The California Attorney General's office published multiple data breach notification samples submitted in the past couple of days by some of the largest pharmaceutical firms in the United States, all attributing their data exposure to the February Cencora incident.

Cencora data breach

May 28, 2024

First American

First American December data breach impacts 44,000 people

Unknown

First American Financial Corporation revealed that a December cyber attack led to a breach impacting 44,000 individuals.

First American data breach attack update

May 29, 2024

Cooler Master

Cooler Master hit by data breach exposing customer information

A threat actor by the alias 'Ghostr' 

Computer hardware manufacturer Cooler Master suffered a data breach after a threat actor breached the company's website and claimed to have stolen the Fanzone member information of 500,000 customers. The threat actor, who goes by the alias 'Ghostr', claimed to have stolen 103 GB of data from Cooler Master on May 18th, 2024.

Cooler Master data breach



Cyber Attacks in May 2024

Date

Victim

Summary

Threat Actor

Business Impact

Source Link

May 06, 2024

Final Fantasy game

Final Fantasy game servers hit by multiple DDoS attacks

Unknown

Players of the popular video game series Final Fantasy faced trouble logging in due to a series of ongoing DDoS attacks flooding its servers with a large volume of junk traffic.

Cyber attack on Final Fantasy 

May 07, 2024

French radiologist, Coradix-Magnescan

Patient appointments imperilled by cyber attack on French radiologist

Unknown

Coradix-Magnescan, a French company that provides medical radiological imaging, warned patients it is currently dealing with a cyber attack that risks “complicating” their appointments.

Cyber attack on a French radiologist, Coradix-Magnescan

May 08, 2024

British Columbia government networks

British Columbia investigating cyber attacks on government networks

Unknown

The Government of British Columbia investigated multiple "cybersecurity incidents" that have impacted the Canadian province's government networks.

Cyber attack on the government of British Columbia 

May 08, 2024

AT&T

AT&T delays Microsoft 365 email delivery due to spam wave

Unknown

AT&T's email servers blocked connections from Microsoft 365 due to a "high volume" spam wave originating from Microsoft's service.

Spam wave cyber attack on AT&T 

May 19, 2024

American Radio Relay League

American Radio Relay League cyber attack takes Logbook of the World offline

Unknown

The American Radio Relay League (ARRL) warns it suffered a cyber attack, which disrupted its IT systems and online operations, including email and the Logbook of the World.

American Radio Relay League (ARRL) cyber attack

May 21, 2024

Gala Games Blockchain

$22 million in crypto swiped from Gala Games blockchain platform

Unknown

More than $22 million worth of cryptocurrency was stolen from Gala Games after someone compromised the blockchain platform.

Gala Games blockchain cyber attack

May 23, 2024

Courtroom recording software, Justice AV Solutions (JAVS)

Courtroom recording software compromised with backdoor installer

Unknown

A popular brand of recording software (JAVS) used widely in courtrooms, jails and prisons has been compromised by hackers, allowing them to gain full control of a system through a backdoor implanted in an update to the tool.

Justice AV Solutions (JAVS) cyber attack

May 29, 2024

North American University

Free Piano phish targets American university students, staff

Unknown

A large-scale phishing campaign is using an unusual lure to earn at least $900,000 by tricking email recipients into believing they're about to receive a baby grand piano for free.

Free piano phishing cyber attack on North American university

May 29, 2024

Okta

Okta warns of credential stuffing attacks targeting its CORS feature

Unknown

Okta warned that a Customer Identity Cloud (CIC) feature is being targeted in credential stuffing attacks, stating that numerous customers have been targeted since April.

Okta credential stuffing cyber attacks

May 29, 2024

Russian delivery company CDEK

Major Russian delivery company down for three days due to cyber attack

Head Mare

A hacker group claimed responsibility for an attack that has disrupted service for days at CDEK, one of Russia’s largest delivery companies. The hackers, who call themselves Head Mare, said they encrypted the company’s servers with ransomware and destroyed backup copies of its corporate systems.

CDEK cyber attack



New Ransomware/Malware Discovered in May 2024

New Ransomware

Summary

Source Link

New Lunar malware

Security researchers discovered two previously unseen backdoors dubbed LunarWeb and LunarMail that were used to compromise a European government's diplomatic institutions abroad.

Russian hackers use new Lunar malware to breach a European govt's agencies

Linux malware, Gomir

The North Korean hacker group Kimsuky has been using a new Linux malware called Gomir, a version of the GoBear backdoor delivered via trojanised software installers.

Kimsuky hackers deploy new Linux backdoor in attacks on South Korea

Banking malware Grandoreiro

The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks.

Banking malware Grandoreiro returns after police disruption

BiBi Wiper malware

A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims.

New BiBi Wiper version also destroys the disk partition table

ShrinkLocker ransomware

A new ransomware strain called ShrinkLocker creates a new boot partition to encrypt corporate systems using Windows BitLocker.

New ShrinkLocker ransomware uses BitLocker to encrypt your files


Vulnerabilities/Patches Discovered in May 2024

Date

New Malware/Flaws/Fixes

Summary

Source Link

May 01, 2024

CVE-2023-7028

CISA warned that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets.

CISA says GitLab account takeover bug is actively exploited in attacks

May 01, 2024

CVE-2024-26305, CVE-2024-26304, CVE-2024-33511, CVE-2024-33512

HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.

HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

May 09, 2024

CVE-2024-31497

Citrix notified customers this week to manually mitigate a PuTTY SSH client vulnerability that could allow attackers to steal a XenCenter admin's private SSH key.

Citrix warns admins to manually mitigate PuTTY SSH client bug

May 18, 2024

CVE-2024-4761, CVE-2024-4947

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its 'Known Exploited Vulnerabilities' catalogue, one impacting Google Chrome and two affecting some D-Link routers.

CISA warns of hackers exploiting Chrome, EoL D-Link bugs

May 20, 2024

CVE-2024-4323

A critical Fluent Bit vulnerability that can be exploited in denial-of-service and remote code execution attacks impacts all major cloud providers and many technology giants.

Critical Fluent Bit flaw impacts all major cloud providers

May 21, 2024

CVE-2024-29849

Veeam warned customers to patch a critical security vulnerability that allows unauthenticated attackers to sign into any account via the Veeam Backup Enterprise Manager (VBEM).

Veeam warns of critical Backup Enterprise Manager auth bypass bug

May 23, 2024

CVE-2024-5274

Google has released a new emergency security update to address the eighth zero-day vulnerability in Chrome browser confirmed to be actively exploited in the wild. 

Google fixes eighth actively exploited Chrome zero-day this year

May 23, 2024

CVE-2024-4835

GitLab patched a high-severity vulnerability that unauthenticated attackers could exploit to take over user accounts in cross-site scripting (XSS) attacks.

High-severity GitLab flaw lets attackers take over accounts

May 27, 2024

CVE-2024-23108

Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February. 

Exploit released for maximum severity Fortinet RCE bug, patch now


Warnings/Advisories/Reports/Analysis

News Type

Summary

Source Link

Report

A Ukrainian hacker has been sentenced to almost 14 years in prison for infecting thousands of victims with REvil ransomware and demanding over $700 million in ransom payments.

Ukrainian sentenced to almost 14 years for infecting thousands with REvil ransomware

Report

Law enforcement shut down 12 phone fraud call centres in Albania, Bosnia and Herzegovina, Kosovo, and Lebanon, behind thousands of scam calls daily.

Police shuts down 12 fraud call centres, arrests 21 suspects

Report

The ransomware service LockBit’s darknet extortion site, which had been shuttered earlier this year after being infiltrated by law enforcement, reappeared with police teasing fresh information about the criminals involved.

LockBit's seized darknet site resurrected by police, teasing new revelations

Report

LockBitSupp, the pseudonymous leader of the LockBit ransomware group, was identified as a Russian national called Dmitry Khoroshev. The United States, United Kingdom and Australia imposed financial sanctions against him.

LockBitSupp identified as Dmitry Khoroshev and indicted for ransomware crimes

Report

Zscaler says that they discovered an exposed "test environment" that was taken offline for analysis after rumours circulated that a threat actor was selling access to the company's systems.

Zscaler takes "test environment" offline after rumours of a breach

Report

Britain’s central government, local government and utilities sector were each impacted by more ransomware attacks last year than in all previous years combined.

UK hit by more ransomware and cyberattacks last year than ever before

Report

A group called “first-class Russian hackers” defaced potentially hundreds of local and regional British newspaper websites as the group published a news story titled “PERVOKLASSNIY RUSSIAN HACKERS ATTACK” on the sites of titles owned by Newsquest Media Group. 

'Russian' hackers deface potentially hundreds of local British news sites

Report

The Federal Communications Commission (FCC) put an entity it is calling Royal Tiger in its crosshairs for facilitating fraudulent robocalls across international networks, making it the first group targeted through a new threat analysis and designation system.

FCC designates first robocall threat actor under new classification system

Report

Anne Keast-Butler, director of signals and cyber intelligence agency GCHQ, warned that the Kremlin’s partnership with criminal groups was also contributing to “suspected physical surveillance and sabotage operations.” And NCSC said it developed new guidance with the insurance industry about how ransomware victims should respond to incidents.

UK government on ransomware attacks 

Report

The website and Telegram page for the notorious BreachForums platform, a popular bazaar for stolen data and cybercriminal tools, appear to have been seized.

Feds seize BreachForums platform, Telegram page

Warning

The Australian government warned of a “large-scale ransomware data breach” affecting healthcare data in the country.

Australian government warns of 'large-scale ransomware data breach'

Report

Hacktivist operations are using leaked ransomware builders to launch attacks on critical infrastructure in the Philippines - part of a trend among politically motivated groups who are increasingly trying to disrupt life in the Southeast Asian nation.

Hacktivists turn to ransomware in attacks on Philippines government

Warning

Rockwell Automation warned customers to disconnect all industrial control systems (ICSs) not designed for online exposure from the Internet due to increasing malicious activity worldwide.

Rockwell Automation warns admins to take ICS devices offline

Report

An Indian national pleaded guilty to wire fraud conspiracy for stealing over $37 million through a fake Coinbase website.

Indian man stole $37 million in crypto using fake Coinbase Pro site
