Top cybersecurity threats for
May 2023

1. Ransomware actors expand attack vectors: Top takeaways

• New macOS threats and PaperCut exploits detected in April
• U.S. remains the most targeted country
• A leading cybersecurity vendor shows how multi-layered defense helped limit the impact of the PaperCut breach

Verizon’s analysis of some of the most prominent ransomware leak sites revealed 365 new victims in April. To increase their profits and victim count, some of the biggest groups continue to innovate. LockBit is now targeting macOS machines in what is believed to be an industry first. And both LockBit and Clop were detected exploiting new vulnerabilities in servers for printing management software, PaperCut. 

The U.S. remained the most targeted country worldwide in April, according to Verizon. The latest attacks highlight the need to deploy robust, proactive defensive measures. Cybersecurity vendor Dragos, which withstood a ransomware attack in early May, explained how multi-layered protection, detection and response tooling helped to limit the impact of its breach.
 

2. Phishing concerns emerge over Google's new Top-Level Domains: Top takeaways

• Google's new Top-Level Domains (TLDs) include MOV and ZIP
• .MOV and .ZIP files will now automatically be converted into URLs by some apps
• Experts believe this might make phishing easier for cybercriminals

Google recently introduced two new TLDs, ZIP and MOV, which security experts believe may unwittingly provide an advantage to phishing actors. That's because the domains in question are also file extensions. Some messaging apps and social sites will now automatically convert them into links. The concern is that bad actors will create lookalike phishing domains with ZIP or MOV extensions, which victims may be more prone to clicking on.

Experts claim this adds unnecessary extra risk and confusion for users and opportunities for threat actors. They are already using the extensions to create new phishing campaigns, including one phishing page at microsoft-office[.]zip designed to steal Microsoft credentials. The news highlights the continued need for updated employee cybersecurity awareness training and effective web security.
 

3. Fears of new supply chain threat as hackers leak code-signing keys: Top takeaways

• A motherboard maker had its data leaked after a ransomware attack
• The leak included two private code-signing keys
• Experts warn these could be used to distribute malicious updates to countless users

A Taiwanese hardware manufacturer was breached by ransomware attackers back in April. Although the vendor played down the incident, the Money Message group subsequently posted a trove of information stolen from the firm on its leak site. Analysis by security experts revealed two private encryption keys amongst the data. The first signs MSI firmware updates to prove they're legitimate, and the second is used in an MSI-specific version of Intel Boot Guard also designed to prevent the loading of malicious firmware.

Experts have warned that threat actors could theoretically use these keys to self-sign malicious firmware and have it run on victim machines. Given the large number of B2B customers MSI has in the PC space, it could represent a significant threat. Although such an attack would be technically complex and require local access to a machine, it's not inconceivable that well-resourced actors will attempt it in a highly targeted operation.