Major Cyberattacks in Review: May 2023
Throughout May 2023, the cybersecurity landscape witnessed a surge in notable cyberattacks.
These incidents encompassed supply chain attacks, data breaches, and cryptocurrency thefts, underscoring the persistent threats faced by organizations worldwide.
It is imperative to remain informed about the nature of these attacks, their implications, and the strategies implemented to mitigate their impact. In this blog post, we delve into the significant cyberattacks that unfolded in May 2023.
Ukrainian Hacktivists Claim Hack on Russian Foundation Skolkovo
Ukrainian hackers have breached the systems of the Skolkovo Foundation, an organization responsible for overseeing a high-tech business area near Moscow. The hackers gained limited access to certain information systems, including the organization’s file-hosting service on physical servers.
The attack is part of a broader virtual conflict between Ukraine and Russia, with Ukrainian hacktivists targeting Russian websites.
A group of Ukrainian hacktivists claimed responsibility for the attack, sharing screenshots of the systems they accessed on Telegram and leaving a message for Skolkovo, telling them to “stay tuned.” There were no reported compromises of critical user data; however, Skolkovo is an important target as it represents Russia’s efforts to rival Silicon Valley, and the incident is seen as a significant cyberattack for the company.
Exposed’s Admin Leaks RaidForums Members Database With Nearly 480K Records
The RaidForums database has been publicly released, providing valuable insights into the users of the infamous forum. After the FBI seized RaidForums and arrested its administrator, the hacker community shifted to BreachForums, which was also later taken down due to law enforcement.
To fill the gap in the market, a new hacking forum called Exposed emerged and quickly gained popularity. The administrator of Exposed recently revealed the RaidForums member database, containing information for nearly 479,000 members. The exact timing and reasons behind the data dump remain unclear, but the database covers registrations between March 2015 and September 2020.
To learn more about the RaidForums leak, check out our blog post here.
DeFi Platform Jimbos Protocol Loses $7.5M in Cyber Attack
The DeFi (decentralized finance) platform Jimbos Protocol fell victim to a hack that resulted in a loss of 4,000 Ether (ETH), valued at approximately $7.5 million. The attack exploited a vulnerability related to the lack of slippage control on liquidity conversions: because the protocol accepted whatever price the pool offered at execution time, attackers were able to manipulate prices to their advantage.
As a result of the attack, the price of Jimbos Protocol’s native token, Jimbo (JIMBO), dropped by 40%.
Data Breach of Dental Health Insurer Exposes Information of 9M+ Patients
In March, MCNA Insurance Company, an insurance provider for state Medicaid agencies and children’s health insurance programs, discovered and reported a data breach that affected nearly 9 million patients. The company detected unauthorized access to certain systems, which were infected with malicious code.
The breach impacted over 100 organizations, including the Arkansas Department of Human Services, the City of New York Management Benefit Fund, the Florida Healthy Kids Corporation, the Idaho Department of Health and Welfare, the Iowa Department of Human Services, the Louisiana Department of Health, and the Nebraska Department of Health and Human Services.
Personal information, such as names, dates of birth, addresses, contact details, social security numbers, and insurance information, was compromised. The attackers also accessed health data, including details about dental and orthodontic care.
The extent of the compromise varied among individuals. As of now, the incident has not been included on the U.S. Department of Health and Human Services’ list of major health data breaches.
Security breaches in the US healthcare industry are on the rise. To learn more, read our blog: Hacked Healthcare: Rising Security Breaches in the US.
Luxottica Data Leak: Over 70M Customers’ Information Exposed
The world’s largest eyewear company, Luxottica, has revealed that it was the victim of a major cyberattack. On April 30 and May 12, hackers exposed the personal information of over 70 million customers on forums for free. The leak revealed 74.4 million unique email addresses, 2.6 million unique domain email addresses, and 305 million records. Among the compromised personal data is customer contact information such as names, addresses, phone numbers, emails, and dates of birth.
Luxottica confirmed that in November 2022, it discovered the distribution of specific retail customer data, allegedly obtained through a third-party connected to its customers, which is thought to be the source of the leak.
Check out our blog post for more information on the Luxottica cyber attack.
LockBit Ransomware Leaks 1.5TB of Data Stolen From Bank Syariah Indonesia
The LockBit ransomware group has released 1.5 terabytes of personal and financial data obtained from Bank Syariah Indonesia (BSI) after failed ransom negotiations. The stolen records include information from around 15 million customers and employees of the country’s largest Islamic bank. Following the cyberattack, BSI has restored its key banking services under the supervision of Bank Indonesia.
The bank initially attributed the disruptions to IT maintenance, but LockBit claims the cyberattack caused the issues. Screenshots of conversations between the bank and the ransomware group show negotiations for a $10 million ransom, with LockBit demanding $20 million before ceasing communication.
Massive Data Breach at PharMerica Affects 5.8 Million Patients
Pharmacy services provider PharMerica encountered a significant data breach impacting 5.8 million patients. The breach took place in March 2023 and was attributed to the Money Message ransomware group.
Money Message claimed responsibility for the breach and stated that they obtained 4.7 terabytes of data, which included over 1.6 million distinct personal information records.
During the breach, hackers successfully accessed personal information such as names, addresses, social security numbers, and medical data. The stolen data, which also included records from PharMerica’s merger partner BrightSpring, was made available on an extortion site and a hacking forum.
In response, PharMerica is providing identity protection services to the individuals affected by the breach. You can find the notification regarding the data breach here.
Discord Data Breach
Discord has revealed a data breach resulting from the compromise of a third-party customer service agent’s account.
This incident led to unauthorized access to the support ticket queue, which contained user email addresses, messages, and associated attachments exchanged with Discord support.
As a response, Discord promptly deactivated the compromised account and conducted a thorough examination of the affected system for any signs of malware.
Discord has taken the initiative to notify the affected users and advises them to stay vigilant regarding suspicious messages or activities, such as potential fraud or phishing attempts.
Toyota Data Breach: 2 Million Customers Impacted
Toyota Motor Corporation has revealed a security breach that compromised the information of over 2 million customers between November 6, 2013, and April 17, 2023.
The breach occurred as a result of a misconfigured database, which allowed unauthorized access without authentication.
The breach primarily affected customers who utilized T-Connect G-Link, G-Link Lite, or G-BOOK services. The exposed data included:
- Vehicle identification numbers.
- Chassis numbers.
- Vehicle location information.
- Video footage captured by the car’s installed camera.
Toyota has emphasized that the exposed information does not enable the identification of vehicle owners, and no instances of misuse have been discovered thus far.
LockBit Ransomware Operation Exposes 600GB Data of Fullerton India
The LockBit 3.0 ransomware group has released 600 gigabytes of critical data stolen from Fullerton India, a major Indian lender, after demanding a $3 million ransom.
Fullerton India had experienced a malware attack and temporarily operated offline but resumed services with enhanced cybersecurity measures.
The ransomware group listed Fullerton India as a victim on their data leak site, claiming to have stolen loan agreements. Ritesh Bhatia, a cybercrime researcher, confirmed the data leak.
Fullerton India’s refusal to negotiate with the ransomware group led to the implementation of triple-extortion tactics by the group to pressure the company into paying the ransom.
In a triple extortion attack, cybercriminals demand payment not only from the initial target but also from anyone affected by the potential disclosure of the target’s data.
Brightline Healthcare Data Breach Affects Over 780K Patients
Brightline, a pediatric mental health provider, confirmed that protected health information (PHI) was stolen from its GoAnywhere MFT service. The perpetrator of the data breach, which affected 783,606 people, was the Cl0p ransomware group.
On March 16, Cl0p ransomware listed the provider on their extortion site. Brightline was one of the 129 businesses compromised by the threat actor in March.
Among the stolen data, there is personal information such as full names, physical addresses, dates of birth, member identification numbers, dates of health plan coverage, and employer names. According to the most recent update, the Cl0p ransomware group has deleted Brightline’s data from their leak site. However, it is unclear whether the threat actor still has access to the data.
Read more about the GoAnywhere MFT attacks on our blog.
Data Breach Exposes 900,000 Customers of Georgia-based USPS Job Access Company
An extensive online company operating from Georgia, which claimed to offer access to jobs at the United States Postal Service (USPS) in exchange for millions of dollars, has exposed its internal IT operations and a database containing nearly 900,000 customer records.
The leaked information reveals that the network's chief technology officer in Pakistan has been compromised for the past year.
Additionally, it has been discovered that the entire operation was established by the owners of a telemarketing firm based in Tennessee, which has been promoting USPS employment websites since 2016.
Smart Contract Exploit Results in $1.1 Million Token Theft from Level Finance
Hackers successfully exploited a vulnerability in a smart contract used by Level Finance, a decentralized exchange, resulting in the theft of 214,000 LVL tokens.
The stolen tokens were swapped for approximately $1.1 million worth of BNB. Level Finance stated that the attack did not impact its liquidity pool or the DAO treasury, but the value of the LVL token dropped by around 50% following the incident.
The compromised smart contract, named ‘LevelReferralControllerV2,’ had a logic bug that allowed users to repeatedly claim referral rewards within a specific time period.
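The bug class described above (a claim function whose guard does not stop a second claim for the same period) is easy to reproduce in a toy ledger. The example below is added here for illustration and is not the code of LevelReferralControllerV2 or any Level Finance contract; the epoch length, user, reward amount and treasury balance are constructed. It shows a claim routine with an off-by-one guard that lets a settled epoch be claimed again, beside a version that records each (user, epoch) claim before paying and bounds payouts by the treasury.

```python
"""Toy referral-reward ledger: repeat-claim bug beside the fixed version.

Added example for this post; not the code of any real contract. All values
(epoch length, rewards, treasury) are constructed.
"""
from dataclasses import dataclass, field

EPOCH_SECONDS = 86_400  # constructed epoch length


class ClaimRejected(Exception):
    """A claim that the controller refuses (the toy's equivalent of a revert)."""


@dataclass
class ReferralLedger:
    accrued: dict = field(default_factory=dict)            # (user, epoch) -> reward owed
    last_claimed_epoch: dict = field(default_factory=dict)  # user -> epoch; used by the buggy guard
    claimed: set = field(default_factory=set)               # (user, epoch); used by the fixed guard
    paid: dict = field(default_factory=dict)                # user -> total paid out
    treasury: int = 0


def epoch_of(ts: int) -> int:
    return ts // EPOCH_SECONDS


def claim_buggy(ledger: ReferralLedger, user: str, epoch: int, now_ts: int) -> int:
    """Guard only prevents claiming an epoch OLDER than the last one settled,
    so the same epoch passes the check again and again."""
    if epoch >= epoch_of(now_ts):
        raise ClaimRejected("epoch not finalized")
    if epoch < ledger.last_claimed_epoch.get(user, 0):
        raise ClaimRejected("older epoch already settled")
    amount = ledger.accrued.get((user, epoch), 0)
    if amount <= 0:
        raise ClaimRejected("nothing to claim")
    ledger.treasury -= amount
    ledger.paid[user] = ledger.paid.get(user, 0) + amount
    ledger.last_claimed_epoch[user] = epoch  # equal to `epoch`, so the guard passes next time
    return amount


def claim_fixed(ledger: ReferralLedger, user: str, epoch: int, now_ts: int) -> int:
    """Per-(user, epoch) claim record, written before the payout, plus a
    treasury bound so a logic slip elsewhere cannot drain more than exists."""
    if epoch >= epoch_of(now_ts):
        raise ClaimRejected("epoch not finalized")
    key = (user, epoch)
    if key in ledger.claimed:
        raise ClaimRejected("already claimed")
    amount = ledger.accrued.get(key, 0)
    if amount <= 0:
        raise ClaimRejected("nothing to claim")
    if amount > ledger.treasury:
        raise ClaimRejected("insufficient treasury")
    ledger.claimed.add(key)          # effect recorded before the transfer
    ledger.treasury -= amount
    ledger.paid[user] = ledger.paid.get(user, 0) + amount
    return amount


def replay(claim_fn, attempts: int = 3) -> dict:
    """Constructed scenario: 'alice' is owed 100 for epoch 5 and submits the
    same claim `attempts` times during epoch 6."""
    ledger = ReferralLedger(accrued={("alice", 5): 100}, treasury=1_000)
    now_ts = 6 * EPOCH_SECONDS + 1
    paid = rejected = 0
    for _ in range(attempts):
        try:
            paid += claim_fn(ledger, "alice", 5, now_ts)
        except ClaimRejected:
            rejected += 1
    return {"paid": paid, "rejected": rejected, "treasury": ledger.treasury}


if __name__ == "__main__":
    print("buggy:", replay(claim_buggy))
    print("fixed:", replay(claim_fixed))
```

Against the buggy routine the same 100-token entitlement is paid out three times; the fixed routine pays once and rejects the rest. When reviewing claim or withdrawal logic, the checks to look for are exactly these: state that records the claim is keyed on the same thing the entitlement is keyed on, it is written before the transfer, and total payouts are bounded by what the contract actually holds.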
Australian Law Firm HWL Ebsworth Hit by Ransomware Attack
Australian law firm HWL Ebsworth has been targeted in a ransomware attack by hackers linked to Russia. The BlackCat (ALPHV) ransomware group claimed to have accessed client information and employee data, posting on their website that they had hacked 4TB of company data.
The stolen data includes employee CVs, IDs, financial reports, accounting information, client documents, credit card details, and a complete network map. The Australian Financial Review initially reported the incident.