Top cybersecurity threats for
May 2023

On the third Wednesday of every month, the Verizon Threat Research Advisory Center (VTRAC) holds a Monthly Intelligence Briefing (MIB) to discuss the current cybersecurity threat landscape. Below is the summary of their most recent briefing and here is the May recording of the briefing.

Listen now

optimize inventory2


1. Ransomware actors expand their attack vectors

Security alert


2. Phishing concerns emerge over Google's new Top-Level Domains

laptop hackers


3. Fears of new supply chain threat as hackers leak code-signing keys



Top cybersecurity news


May 2023 cybersecurity and threat intelligence news you should know about.


Like what you're reading?


If you’d like to receive new articles, solutions briefs, whitepapers and more—just let us know.

Sign up

The information provided will be used in accordance with terms set out in our Privacy Policy.



The MIB deep dive, according to the VTRAC experts


1. Ransomware actors expand attack vectors: Top takeaways

  • New macOS threats and PaperCut exploits detected in April
  • U.S. remains the most targeted country
  • A leading cybersecurity vendor shows how multi-layered defense helped limit the impact of the PaperCut breach

Verizon’s analysis of some of the most prominent ransomware leak sites revealed 365 new victims in April. To increase their profits and victim count, some of the biggest groups continue to innovate. LockBit is now targeting macOS machines in what is believed to be an industry first. And both LockBit and Clop were detected exploiting new vulnerabilities in servers for printing management software, PaperCut. 

The U.S. remained the most targeted country worldwide in April, according to Verizon. The latest attacks highlight the need to deploy robust, proactive defensive measures. Cybersecurity vendor Dragos, which withstood a ransomware attack in early May, explained how multi-layered protection, detection and response tooling helped to limit the impact of its breach.
 

2. Phishing concerns emerge over Google's new Top-Level Domains: Top takeaways

  • Google's new Top-Level Domains (TLDs) include MOV and ZIP
  • .MOV and .ZIP files will now automatically be converted into URLs by some apps
  • Experts believe this might make phishing easier for cybercriminals

Google recently introduced two new TLDs, ZIP and MOV, which security experts believe may unwittingly provide an advantage to phishing actors. That's because the domains in question are also file extensions. Some messaging apps and social sites will now automatically convert them into links. The concern is that bad actors will create lookalike phishing domains with ZIP or MOV extensions, which victims may be more prone to clicking on.

Experts claim this adds unnecessary extra risk and confusion for users and opportunities for threat actors. They are already using the extensions to create new phishing campaigns, including one phishing page at microsoft-office[.]zip designed to steal Microsoft credentials. The news highlights the continued need for updated employee cybersecurity awareness training and effective web security.
 

3. Fears of new supply chain threat as hackers leak code-signing keys: Top takeaways

  • A motherboard maker had its data leaked after a ransomware attack
  • The leak included two private code-signing keys
  • Experts warn these could be used to distribute malicious updates to countless users

A Taiwanese hardware manufacturer was breached by ransomware attackers back in April. Although the vendor played down the incident, the Money Message group subsequently posted a trove of information stolen from the firm on its leak site. Analysis by security experts revealed two private encryption keys amongst the data. The first signs MSI firmware updates to prove they're legitimate, and the second is used in an MSI-specific version of Intel Boot Guard also designed to prevent the loading of malicious firmware.

Experts have warned that threat actors could theoretically use these keys to self-sign malicious firmware and have it run on victim machines. Given the large number of B2B customers MSI has in the PC space, it could represent a significant threat. Although such an attack would be technically complex and require local access to a machine, it's not inconceivable that well-resourced actors will attempt it in a highly targeted operation.

Related briefings

Learn more about the ever-evolving nature of security threats and complex risk environments.


Related products

Rapid Response Retainer to help accelerate response to serious attacks.

SASE Management to help neutralize the cybersecurity risk from hybrid workers.

Mobile Threat Defense to help safeguard data for you, your remote workforce and your customers.

Managed Detection and Response to help you quickly identify and respond to security incidents.


  • Learn more

Let's get started.