Thought Leadership

Hacker Tracker: May 2023

Written By
Husnain Bajwa
Published On
May 22, 2023

Welcome to Hacker Tracker, where we give you the important details about recent high-profile cyberattacks. 

In recent news, we witnessed a notable event in the cyber landscape: the shutdown of Genesis Market. This underground marketplace was expected to disrupt the Initial Access Broker market. However, the impact of its closure seems to have been minimal, as the service resurfaced within just two weeks. This incident highlights the resilience and adaptability of cybercriminal networks.

Additionally, this past month saw the most significant supply chain attack for some time, carried out by a North Korean group. We’ve also seen a high number of ransomware incidents, a method that has become increasingly popular among cybercriminals. 

Read on for our reporting on how these hacks were carried out, and the impact that they’re having on the victims. 

3CX supply chain hack

When it happened 

Started in March, but is ongoing

What happened 

North Korean hackers exploited vulnerabilities in popular installer software 3CX, which is used by over 600,000 customers, including Mercedes Benz and American Express. However, despite the breadth of this attack, ‌the hackers ultimately only targeted a few cryptocurrency companies

Method of attack

The hackers planted malware in the Mac and Windows versions of 3CX and signed it off with the company's security keys, allowing the attack to go undetected initially. The malware was then pushed onto the machines of those using the corrupted versions of 3CX. Second-stage malware was later used to target a handful of cryptocurrency companies. 

Fallout so far

The attack was detected relatively quickly, but the extent of its success and its ultimate goals remain unclear. It doesn’t appear yet that any cryptocurrency has actually been stolen. This incident fits into a long-running campaign of cyberattacks by the North Korean hackers—dubbed “DeathNote”—that has seen tech, automotive, academic, and defense organizations targeted. 

Yum! Brands

When it happened 

January 13

What happened 

Yum! Brands, the parent company of popular fast-food chains such as KFC, Pizza Hut, and Taco Bell, suffered a ransomware attack that compromised employees' personal information. The attack was revealed in a breach notification letter.

Method of attack

This was a ransomware attack, where hackers breach an IT system, lock down its data, and demand a ransom in exchange for promises to return access to the system.

The fallout so far 

The cybercriminals stole data including names and ID card numbers, opening up the risk of identity theft for the affected employees. The attack also forced Yum! to shut down 300 restaurants temporarily, according to an SEC filing

Kodi

When it happened 

February 16 and February 21; the attack was disclosed on April 8

What happened 

The Kodi Foundation, an open-source media player software provider, has revealed that their MyBB forum database suffered a data breach. The attackers then attempted to sell the stolen user data and private messages on a cybercrime forum.

Method of attack 

The attackers stole the forum database by using an inactive staff member's login credentials—almost certainly stolen—to gain access to the Admin console. From there, they created and downloaded multiple database backups.

The fallout so far 

The hackers stole a great deal of forum data: public and staff posts, private messages, and forum member data like email addresses and passwords. This caused significant disruption, forcing Kodi to shut down the forum as they commission a new server and reset all passwords. 

Western Digital 

When it happened 

The attack occurred on March 26; it was disclosed on April 2 

What happened 

Western Digital, a leading maker of data storage devices, suffered a severe data breach, causing their online store to still be offline weeks later. 

Method of attack

An anonymous hacking group targeted Western Digital in a ransomware attack and extracted ten terabytes of data. Although they deny any affiliation with the ALPHV gang, the hackers have used the ALPHV data leak site to extort Western Digital, suggesting some connection between the two. 

The fallout so far

The hackers not only stole customer information like names, addresses, and encrypted credit card numbers stored in the system, but also gained access to private company data. The company has said it plans to bring its store back online on May 15. This has had a negative financial impact on the company, with revenue down 10% quarter-on-quarter.

Montana State University 

When it happened 

The attack occurred on April 20

What happened 

Montana State University suffered a devastating cyberattack. This forced the organization to shut down internet access temporarily, and the Montana National Guard was even forced to provide assistance. 

Method of attack 

The Royal Ransomware Group, which targets the education, healthcare, and communications sectors, has claimed responsibility for the attack. 

The fallout so far

The attackers claim to have stolen over 100GB of data, including sensitive personal and medical information belonging to students. Access to online services is still partially disrupted, according to the university’s latest update. This damaging incident is yet another example of educational and healthcare institutions being highly vulnerable to ransomware attackers. 

Eurocontrol 

When it happened 

April 19

What happened 

Europe's air traffic control agency, Eurocontrol, has been attacked by pro-Russian hacking group Killnet. But despite the scary headlines, the attack did not pose any direct threat to air traffic, instead targeting Eurocontrol's website.

Method of attack 

Killnet uses DDoS attacks, where organizations are flooded with junk internet traffic that overwhelms servers and prevents access by users.

The fallout so far 

This cyberattack led to limited disruptions in flight planning and forced some airlines to use alternative commercial solutions. Roughly 2,000 Eurocontrol employees experienced difficulties in accessing communication tools during the incident. However, despite causing operational issues, the attack did not disrupt the agency's internal systems, jeopardize air navigation safety, or cause delays in commercial flights. 

MSI

When it happened

Unclear when the attack took place, but it was disclosed on April 7

What happened 

Taiwanese hardware giant MSI, which makes everything from laptops to industrial systems, was targeted by a ransomware attack. 

Method of attack

This was a double extortion ransomware attack, where sensitive data was exfiltrated as well as encrypted, giving the attacker more leverage compared to a traditional ransomware attack. A relatively new gang, "Money Message," says they’ve stolen source code from the company's network.

The fallout so far 

The attackers have now leaked MSI’s private code signing keys on the dark web, reducing the effectiveness of Intel Boot Guard, a popular hardware-based security technology. This is concerning for the company and its customers as it raises the risk of a supply-chain attack

Other news 

Salesforce Community leaks

Numerous organizations, including banks and healthcare providers, are accidentally exposing private and sensitive information through a misconfiguration in their public Salesforce Community websites. 

Iranian hacking disguised

The Iran-based group MuddyWater has been launching destructive attacks on hybrid environments but disguising their operations as ransomware activities, according to the Microsoft Threat Intelligence team

Not-so-Charming Kitten

The Iranian state-sponsored Charming Kitten, the group behind recent attacks on critical infrastructure in the US and elsewhere, has now developed powerful malware called BellaCiao that is tailored to specific victims and harder to detect. 

Israel PM’s Facebook account hacked

Prime Minister Benjamin Netanyahu's official personal website was briefly taken offline by a distributed denial-of-service (DDoS) attack on Israel’s Independence Day, and unauthorized content was posted on his Facebook page. 

A month for patches

In April, major technology companies including Apple, Microsoft, and Google, as well as Firefox, SolarWinds, and Oracle, fixed critical security flaws—some of which had been actively exploited in cyberattacks.

Cisco's zero-day flaw

Cisco has revealed a zero-day vulnerability in its Prime Collaboration Deployment (PCD) software. The company plans to patch the security flaw this month—but unfortunately, no secure workaround is available in the meantime.

Malicious tech

Fighting back

It’s not all bad news, with authorities around the world successfully fighting back against cybercrime:

  • The UK's National Crime Agency (NCA) has created fake websites offering DDoS-for-hire services. Several thousand would-be cybercriminals accessed these sites, thinking they offer DDoS hacking tools. Instead, they receive a warning about the illegality of launching cyberattacks and their data is collected by investigators. 
  • The FBI has seized multiple domain names associated with Genesis Market, a cybercrime store that sold stolen data from millions of infected computers. These domain seizures were part of a larger operation that involved over a hundred arrests targeting individuals linked to Genesis Market.
  • Nexway, a multinational payment processing company, has been accused by the Federal Trade Commission (FTC) of illegally—and knowingly—facilitating fraudulent credit card payments for tech support scammers.
Get started with Device360 today
Weekly newsletter
No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.

Hacker Tracker: May 2023

Download

Welcome to Hacker Tracker, where we give you the important details about recent high-profile cyberattacks. 

In recent news, we witnessed a notable event in the cyber landscape: the shutdown of Genesis Market. This underground marketplace was expected to disrupt the Initial Access Broker market. However, the impact of its closure seems to have been minimal, as the service resurfaced within just two weeks. This incident highlights the resilience and adaptability of cybercriminal networks.

Additionally, this past month saw the most significant supply chain attack for some time, carried out by a North Korean group. We’ve also seen a high number of ransomware incidents, a method that has become increasingly popular among cybercriminals. 

Read on for our reporting on how these hacks were carried out, and the impact that they’re having on the victims. 

3CX supply chain hack

When it happened 

Started in March, but is ongoing

What happened 

North Korean hackers exploited vulnerabilities in popular installer software 3CX, which is used by over 600,000 customers, including Mercedes Benz and American Express. However, despite the breadth of this attack, ‌the hackers ultimately only targeted a few cryptocurrency companies

Method of attack

The hackers planted malware in the Mac and Windows versions of 3CX and signed it off with the company's security keys, allowing the attack to go undetected initially. The malware was then pushed onto the machines of those using the corrupted versions of 3CX. Second-stage malware was later used to target a handful of cryptocurrency companies. 

Fallout so far

The attack was detected relatively quickly, but the extent of its success and its ultimate goals remain unclear. It doesn’t appear yet that any cryptocurrency has actually been stolen. This incident fits into a long-running campaign of cyberattacks by the North Korean hackers—dubbed “DeathNote”—that has seen tech, automotive, academic, and defense organizations targeted. 

Yum! Brands

When it happened 

January 13

What happened 

Yum! Brands, the parent company of popular fast-food chains such as KFC, Pizza Hut, and Taco Bell, suffered a ransomware attack that compromised employees' personal information. The attack was revealed in a breach notification letter.

Method of attack

This was a ransomware attack, where hackers breach an IT system, lock down its data, and demand a ransom in exchange for promises to return access to the system.

The fallout so far 

The cybercriminals stole data including names and ID card numbers, opening up the risk of identity theft for the affected employees. The attack also forced Yum! to shut down 300 restaurants temporarily, according to an SEC filing

Kodi

When it happened 

February 16 and February 21; the attack was disclosed on April 8

What happened 

The Kodi Foundation, an open-source media player software provider, has revealed that their MyBB forum database suffered a data breach. The attackers then attempted to sell the stolen user data and private messages on a cybercrime forum.

Method of attack 

The attackers stole the forum database by using an inactive staff member's login credentials—almost certainly stolen—to gain access to the Admin console. From there, they created and downloaded multiple database backups.

The fallout so far 

The hackers stole a great deal of forum data: public and staff posts, private messages, and forum member data like email addresses and passwords. This caused significant disruption, forcing Kodi to shut down the forum as they commission a new server and reset all passwords. 

Western Digital 

When it happened 

The attack occurred on March 26; it was disclosed on April 2 

What happened 

Western Digital, a leading maker of data storage devices, suffered a severe data breach, causing their online store to still be offline weeks later. 

Method of attack

An anonymous hacking group targeted Western Digital in a ransomware attack and extracted ten terabytes of data. Although they deny any affiliation with the ALPHV gang, the hackers have used the ALPHV data leak site to extort Western Digital, suggesting some connection between the two. 

The fallout so far

The hackers not only stole customer information like names, addresses, and encrypted credit card numbers stored in the system, but also gained access to private company data. The company has said it plans to bring its store back online on May 15. This has had a negative financial impact on the company, with revenue down 10% quarter-on-quarter.

Montana State University 

When it happened 

The attack occurred on April 20

What happened 

Montana State University suffered a devastating cyberattack. This forced the organization to shut down internet access temporarily, and the Montana National Guard was even forced to provide assistance. 

Method of attack 

The Royal Ransomware Group, which targets the education, healthcare, and communications sectors, has claimed responsibility for the attack. 

The fallout so far

The attackers claim to have stolen over 100GB of data, including sensitive personal and medical information belonging to students. Access to online services is still partially disrupted, according to the university’s latest update. This damaging incident is yet another example of educational and healthcare institutions being highly vulnerable to ransomware attackers. 

Eurocontrol 

When it happened 

April 19

What happened 

Europe's air traffic control agency, Eurocontrol, has been attacked by pro-Russian hacking group Killnet. But despite the scary headlines, the attack did not pose any direct threat to air traffic, instead targeting Eurocontrol's website.

Method of attack 

Killnet uses DDoS attacks, where organizations are flooded with junk internet traffic that overwhelms servers and prevents access by users.

The fallout so far 

This cyberattack led to limited disruptions in flight planning and forced some airlines to use alternative commercial solutions. Roughly 2,000 Eurocontrol employees experienced difficulties in accessing communication tools during the incident. However, despite causing operational issues, the attack did not disrupt the agency's internal systems, jeopardize air navigation safety, or cause delays in commercial flights. 

MSI

When it happened

Unclear when the attack took place, but it was disclosed on April 7

What happened 

Taiwanese hardware giant MSI, which makes everything from laptops to industrial systems, was targeted by a ransomware attack. 

Method of attack

This was a double extortion ransomware attack, where sensitive data was exfiltrated as well as encrypted, giving the attacker more leverage compared to a traditional ransomware attack. A relatively new gang, "Money Message," says they’ve stolen source code from the company's network.

The fallout so far 

The attackers have now leaked MSI’s private code signing keys on the dark web, reducing the effectiveness of Intel Boot Guard, a popular hardware-based security technology. This is concerning for the company and its customers as it raises the risk of a supply-chain attack

Other news 

Salesforce Community leaks

Numerous organizations, including banks and healthcare providers, are accidentally exposing private and sensitive information through a misconfiguration in their public Salesforce Community websites. 

Iranian hacking disguised

The Iran-based group MuddyWater has been launching destructive attacks on hybrid environments but disguising their operations as ransomware activities, according to the Microsoft Threat Intelligence team

Not-so-Charming Kitten

The Iranian state-sponsored Charming Kitten, the group behind recent attacks on critical infrastructure in the US and elsewhere, has now developed powerful malware called BellaCiao that is tailored to specific victims and harder to detect. 

Israel PM’s Facebook account hacked

Prime Minister Benjamin Netanyahu's official personal website was briefly taken offline by a distributed denial-of-service (DDoS) attack on Israel’s Independence Day, and unauthorized content was posted on his Facebook page. 

A month for patches

In April, major technology companies including Apple, Microsoft, and Google, as well as Firefox, SolarWinds, and Oracle, fixed critical security flaws—some of which had been actively exploited in cyberattacks.

Cisco's zero-day flaw

Cisco has revealed a zero-day vulnerability in its Prime Collaboration Deployment (PCD) software. The company plans to patch the security flaw this month—but unfortunately, no secure workaround is available in the meantime.

Malicious tech

Fighting back

It’s not all bad news, with authorities around the world successfully fighting back against cybercrime:

  • The UK's National Crime Agency (NCA) has created fake websites offering DDoS-for-hire services. Several thousand would-be cybercriminals accessed these sites, thinking they offer DDoS hacking tools. Instead, they receive a warning about the illegality of launching cyberattacks and their data is collected by investigators. 
  • The FBI has seized multiple domain names associated with Genesis Market, a cybercrime store that sold stolen data from millions of infected computers. These domain seizures were part of a larger operation that involved over a hundred arrests targeting individuals linked to Genesis Market.
  • Nexway, a multinational payment processing company, has been accused by the Federal Trade Commission (FTC) of illegally—and knowingly—facilitating fraudulent credit card payments for tech support scammers.

Hacker Tracker: May 2023

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Welcome to Hacker Tracker, where we give you the important details about recent high-profile cyberattacks. 

In recent news, we witnessed a notable event in the cyber landscape: the shutdown of Genesis Market. This underground marketplace was expected to disrupt the Initial Access Broker market. However, the impact of its closure seems to have been minimal, as the service resurfaced within just two weeks. This incident highlights the resilience and adaptability of cybercriminal networks.

Additionally, this past month saw the most significant supply chain attack for some time, carried out by a North Korean group. We’ve also seen a high number of ransomware incidents, a method that has become increasingly popular among cybercriminals. 

Read on for our reporting on how these hacks were carried out, and the impact that they’re having on the victims. 

3CX supply chain hack

When it happened 

Started in March, but is ongoing

What happened 

North Korean hackers exploited vulnerabilities in popular installer software 3CX, which is used by over 600,000 customers, including Mercedes Benz and American Express. However, despite the breadth of this attack, ‌the hackers ultimately only targeted a few cryptocurrency companies

Method of attack

The hackers planted malware in the Mac and Windows versions of 3CX and signed it off with the company's security keys, allowing the attack to go undetected initially. The malware was then pushed onto the machines of those using the corrupted versions of 3CX. Second-stage malware was later used to target a handful of cryptocurrency companies. 

Fallout so far

The attack was detected relatively quickly, but the extent of its success and its ultimate goals remain unclear. It doesn’t appear yet that any cryptocurrency has actually been stolen. This incident fits into a long-running campaign of cyberattacks by the North Korean hackers—dubbed “DeathNote”—that has seen tech, automotive, academic, and defense organizations targeted. 

Yum! Brands

When it happened 

January 13

What happened 

Yum! Brands, the parent company of popular fast-food chains such as KFC, Pizza Hut, and Taco Bell, suffered a ransomware attack that compromised employees' personal information. The attack was revealed in a breach notification letter.

Method of attack

This was a ransomware attack, where hackers breach an IT system, lock down its data, and demand a ransom in exchange for promises to return access to the system.

The fallout so far 

The cybercriminals stole data including names and ID card numbers, opening up the risk of identity theft for the affected employees. The attack also forced Yum! to shut down 300 restaurants temporarily, according to an SEC filing

Kodi

When it happened 

February 16 and February 21; the attack was disclosed on April 8

What happened 

The Kodi Foundation, an open-source media player software provider, has revealed that their MyBB forum database suffered a data breach. The attackers then attempted to sell the stolen user data and private messages on a cybercrime forum.

Method of attack 

The attackers stole the forum database by using an inactive staff member's login credentials—almost certainly stolen—to gain access to the Admin console. From there, they created and downloaded multiple database backups.

The fallout so far 

The hackers stole a great deal of forum data: public and staff posts, private messages, and forum member data like email addresses and passwords. This caused significant disruption, forcing Kodi to shut down the forum as they commission a new server and reset all passwords. 

Western Digital 

When it happened 

The attack occurred on March 26; it was disclosed on April 2 

What happened 

Western Digital, a leading maker of data storage devices, suffered a severe data breach, causing their online store to still be offline weeks later. 

Method of attack

An anonymous hacking group targeted Western Digital in a ransomware attack and extracted ten terabytes of data. Although they deny any affiliation with the ALPHV gang, the hackers have used the ALPHV data leak site to extort Western Digital, suggesting some connection between the two. 

The fallout so far

The hackers not only stole customer information like names, addresses, and encrypted credit card numbers stored in the system, but also gained access to private company data. The company has said it plans to bring its store back online on May 15. This has had a negative financial impact on the company, with revenue down 10% quarter-on-quarter.

Montana State University 

When it happened 

The attack occurred on April 20

What happened 

Montana State University suffered a devastating cyberattack. This forced the organization to shut down internet access temporarily, and the Montana National Guard was even forced to provide assistance. 

Method of attack 

The Royal Ransomware Group, which targets the education, healthcare, and communications sectors, has claimed responsibility for the attack. 

The fallout so far

The attackers claim to have stolen over 100GB of data, including sensitive personal and medical information belonging to students. Access to online services is still partially disrupted, according to the university’s latest update. This damaging incident is yet another example of educational and healthcare institutions being highly vulnerable to ransomware attackers. 

Eurocontrol 

When it happened 

April 19

What happened 

Europe's air traffic control agency, Eurocontrol, has been attacked by pro-Russian hacking group Killnet. But despite the scary headlines, the attack did not pose any direct threat to air traffic, instead targeting Eurocontrol's website.

Method of attack 

Killnet uses DDoS attacks, where organizations are flooded with junk internet traffic that overwhelms servers and prevents access by users.

The fallout so far 

This cyberattack led to limited disruptions in flight planning and forced some airlines to use alternative commercial solutions. Roughly 2,000 Eurocontrol employees experienced difficulties in accessing communication tools during the incident. However, despite causing operational issues, the attack did not disrupt the agency's internal systems, jeopardize air navigation safety, or cause delays in commercial flights. 

MSI

When it happened

Unclear when the attack took place, but it was disclosed on April 7

What happened 

Taiwanese hardware giant MSI, which makes everything from laptops to industrial systems, was targeted by a ransomware attack. 

Method of attack

This was a double extortion ransomware attack, where sensitive data was exfiltrated as well as encrypted, giving the attacker more leverage compared to a traditional ransomware attack. A relatively new gang, "Money Message," says they’ve stolen source code from the company's network.

The fallout so far 

The attackers have now leaked MSI’s private code signing keys on the dark web, reducing the effectiveness of Intel Boot Guard, a popular hardware-based security technology. This is concerning for the company and its customers as it raises the risk of a supply-chain attack

Other news 

Salesforce Community leaks

Numerous organizations, including banks and healthcare providers, are accidentally exposing private and sensitive information through a misconfiguration in their public Salesforce Community websites. 

Iranian hacking disguised

The Iran-based group MuddyWater has been launching destructive attacks on hybrid environments but disguising their operations as ransomware activities, according to the Microsoft Threat Intelligence team

Not-so-Charming Kitten

The Iranian state-sponsored Charming Kitten, the group behind recent attacks on critical infrastructure in the US and elsewhere, has now developed powerful malware called BellaCiao that is tailored to specific victims and harder to detect. 

Israel PM’s Facebook account hacked

Prime Minister Benjamin Netanyahu's official personal website was briefly taken offline by a distributed denial-of-service (DDoS) attack on Israel’s Independence Day, and unauthorized content was posted on his Facebook page. 

A month for patches

In April, major technology companies including Apple, Microsoft, and Google, as well as Firefox, SolarWinds, and Oracle, fixed critical security flaws—some of which had been actively exploited in cyberattacks.

Cisco's zero-day flaw

Cisco has revealed a zero-day vulnerability in its Prime Collaboration Deployment (PCD) software. The company plans to patch the security flaw this month—but unfortunately, no secure workaround is available in the meantime.

Malicious tech

Fighting back

It’s not all bad news, with authorities around the world successfully fighting back against cybercrime:

  • The UK's National Crime Agency (NCA) has created fake websites offering DDoS-for-hire services. Several thousand would-be cybercriminals accessed these sites, thinking they offer DDoS hacking tools. Instead, they receive a warning about the illegality of launching cyberattacks and their data is collected by investigators. 
  • The FBI has seized multiple domain names associated with Genesis Market, a cybercrime store that sold stolen data from millions of infected computers. These domain seizures were part of a larger operation that involved over a hundred arrests targeting individuals linked to Genesis Market.
  • Nexway, a multinational payment processing company, has been accused by the Federal Trade Commission (FTC) of illegally—and knowingly—facilitating fraudulent credit card payments for tech support scammers.

Hacker Tracker: May 2023

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Welcome to Hacker Tracker, where we give you the important details about recent high-profile cyberattacks. 

In recent news, we witnessed a notable event in the cyber landscape: the shutdown of Genesis Market. This underground marketplace was expected to disrupt the Initial Access Broker market. However, the impact of its closure seems to have been minimal, as the service resurfaced within just two weeks. This incident highlights the resilience and adaptability of cybercriminal networks.

Additionally, this past month saw the most significant supply chain attack for some time, carried out by a North Korean group. We’ve also seen a high number of ransomware incidents, a method that has become increasingly popular among cybercriminals. 

Read on for our reporting on how these hacks were carried out, and the impact that they’re having on the victims. 

3CX supply chain hack

When it happened 

Started in March, but is ongoing

What happened 

North Korean hackers exploited vulnerabilities in popular installer software 3CX, which is used by over 600,000 customers, including Mercedes Benz and American Express. However, despite the breadth of this attack, ‌the hackers ultimately only targeted a few cryptocurrency companies

Method of attack

The hackers planted malware in the Mac and Windows versions of 3CX and signed it off with the company's security keys, allowing the attack to go undetected initially. The malware was then pushed onto the machines of those using the corrupted versions of 3CX. Second-stage malware was later used to target a handful of cryptocurrency companies. 

Fallout so far

The attack was detected relatively quickly, but the extent of its success and its ultimate goals remain unclear. It doesn’t appear yet that any cryptocurrency has actually been stolen. This incident fits into a long-running campaign of cyberattacks by the North Korean hackers—dubbed “DeathNote”—that has seen tech, automotive, academic, and defense organizations targeted. 

Yum! Brands

When it happened 

January 13

What happened 

Yum! Brands, the parent company of popular fast-food chains such as KFC, Pizza Hut, and Taco Bell, suffered a ransomware attack that compromised employees' personal information. The attack was revealed in a breach notification letter.

Method of attack

This was a ransomware attack, where hackers breach an IT system, lock down its data, and demand a ransom in exchange for promises to return access to the system.

The fallout so far 

The cybercriminals stole data including names and ID card numbers, opening up the risk of identity theft for the affected employees. The attack also forced Yum! to shut down 300 restaurants temporarily, according to an SEC filing

Kodi

When it happened 

February 16 and February 21; the attack was disclosed on April 8

What happened 

The Kodi Foundation, an open-source media player software provider, has revealed that their MyBB forum database suffered a data breach. The attackers then attempted to sell the stolen user data and private messages on a cybercrime forum.

Method of attack 

The attackers stole the forum database by using an inactive staff member's login credentials—almost certainly stolen—to gain access to the Admin console. From there, they created and downloaded multiple database backups.

The fallout so far 

The hackers stole a great deal of forum data: public and staff posts, private messages, and forum member data like email addresses and passwords. This caused significant disruption, forcing Kodi to shut down the forum as they commission a new server and reset all passwords. 

Western Digital 

When it happened 

The attack occurred on March 26; it was disclosed on April 2 

What happened 

Western Digital, a leading maker of data storage devices, suffered a severe data breach, causing their online store to still be offline weeks later. 

Method of attack

An anonymous hacking group targeted Western Digital in a ransomware attack and extracted ten terabytes of data. Although they deny any affiliation with the ALPHV gang, the hackers have used the ALPHV data leak site to extort Western Digital, suggesting some connection between the two. 

The fallout so far

The hackers not only stole customer information like names, addresses, and encrypted credit card numbers stored in the system, but also gained access to private company data. The company has said it plans to bring its store back online on May 15. This has had a negative financial impact on the company, with revenue down 10% quarter-on-quarter.

Montana State University 

When it happened 

The attack occurred on April 20

What happened 

Montana State University suffered a devastating cyberattack. This forced the organization to shut down internet access temporarily, and the Montana National Guard was even forced to provide assistance. 

Method of attack 

The Royal Ransomware Group, which targets the education, healthcare, and communications sectors, has claimed responsibility for the attack. 

The fallout so far

The attackers claim to have stolen over 100GB of data, including sensitive personal and medical information belonging to students. Access to online services is still partially disrupted, according to the university’s latest update. This damaging incident is yet another example of educational and healthcare institutions being highly vulnerable to ransomware attackers. 

Eurocontrol 

When it happened 

April 19

What happened 

Europe's air traffic control agency, Eurocontrol, has been attacked by pro-Russian hacking group Killnet. But despite the scary headlines, the attack did not pose any direct threat to air traffic, instead targeting Eurocontrol's website.

Method of attack 

Killnet uses DDoS attacks, where organizations are flooded with junk internet traffic that overwhelms servers and prevents access by users.

The fallout so far 

This cyberattack led to limited disruptions in flight planning and forced some airlines to use alternative commercial solutions. Roughly 2,000 Eurocontrol employees experienced difficulties in accessing communication tools during the incident. However, despite causing operational issues, the attack did not disrupt the agency's internal systems, jeopardize air navigation safety, or cause delays in commercial flights. 

MSI

When it happened

Unclear when the attack took place, but it was disclosed on April 7

What happened 

Taiwanese hardware giant MSI, which makes everything from laptops to industrial systems, was targeted by a ransomware attack. 

Method of attack

This was a double extortion ransomware attack, where sensitive data was exfiltrated as well as encrypted, giving the attacker more leverage compared to a traditional ransomware attack. A relatively new gang, "Money Message," says they’ve stolen source code from the company's network.

The fallout so far 

The attackers have now leaked MSI’s private code signing keys on the dark web, reducing the effectiveness of Intel Boot Guard, a popular hardware-based security technology. This is concerning for the company and its customers as it raises the risk of a supply-chain attack

Other news 

Salesforce Community leaks

Numerous organizations, including banks and healthcare providers, are accidentally exposing private and sensitive information through a misconfiguration in their public Salesforce Community websites. 

Iranian hacking disguised

The Iran-based group MuddyWater has been launching destructive attacks on hybrid environments but disguising their operations as ransomware activities, according to the Microsoft Threat Intelligence team

Not-so-Charming Kitten

The Iranian state-sponsored Charming Kitten, the group behind recent attacks on critical infrastructure in the US and elsewhere, has now developed powerful malware called BellaCiao that is tailored to specific victims and harder to detect. 

Israel PM’s Facebook account hacked

Prime Minister Benjamin Netanyahu's official personal website was briefly taken offline by a distributed denial-of-service (DDoS) attack on Israel’s Independence Day, and unauthorized content was posted on his Facebook page. 

A month for patches

In April, major technology companies including Apple, Microsoft, and Google, as well as Firefox, SolarWinds, and Oracle, fixed critical security flaws—some of which had been actively exploited in cyberattacks.

Cisco's zero-day flaw

Cisco has revealed a zero-day vulnerability in its Prime Collaboration Deployment (PCD) software. The company plans to patch the security flaw this month—but unfortunately, no secure workaround is available in the meantime.

Malicious tech

Fighting back

It’s not all bad news, with authorities around the world successfully fighting back against cybercrime:

  • The UK's National Crime Agency (NCA) has created fake websites offering DDoS-for-hire services. Several thousand would-be cybercriminals accessed these sites, thinking they offer DDoS hacking tools. Instead, they receive a warning about the illegality of launching cyberattacks and their data is collected by investigators. 
  • The FBI has seized multiple domain names associated with Genesis Market, a cybercrime store that sold stolen data from millions of infected computers. These domain seizures were part of a larger operation that involved over a hundred arrests targeting individuals linked to Genesis Market.
  • Nexway, a multinational payment processing company, has been accused by the Federal Trade Commission (FTC) of illegally—and knowingly—facilitating fraudulent credit card payments for tech support scammers.
Book

Hacker Tracker: May 2023

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Download the book

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.