31 May 2024

6 min read

Europol hits major malware distribution networks | Cyber Intelligence Briefing: 31 May

May 2024
Cyber Intelligence Briefing

Top news stories this week


  1. Game over. Co-ordinated action by Europol dismantles multiple malware distribution networks.
  2. Resurrection. Stolen Ticketmaster data advertised on revived BreachForums site.
  3. Leaky business. Sav-Rx draws ire for late 2.8 million breach disclosure; BBC responds to own breach.
  4. Time to patch. Check Point issues emergency zero-day fix as researchers reveal Fortinet flaw.  
  5. Overloaded. Vulnerabilities remain unaddressed at the National Vulnerability Database due to operational shortages.
  6. Unmasked. Microsoft identifies new North Korean threat actor involved in job market scams. 

1. Operation Endgame: Europol shuts down major distribution networks for malware droppers

A coordinated international law enforcement operation has taken down the criminal infrastructure for various forms of dropper malware, including IcedID, Bumblebee, SystemBC, Smokeloader, and Pikabot. Dropper malware is used to install additional malicious software on a compromised system, often as a precursor to ransomware attacks. The operation successfully seized 2,000 domains, shut off over 100 malicious servers and led to four arrests.

So What?

The operation will cause major disruption for parts of the cybercriminal eco-system. Europol has stated that further action is planned.

[Researcher: Adelaide Parker] 

2. Stolen Ticketmaster data advertised on revived BreachForums site

The prominent cybercrime forum BreachForums has returned to the clearnet and dark web, two weeks after an FBI takedown. The hacking group ShinyHunters used the resurrected site to advertise data allegedly stolen from Ticketmaster for USD 500 million. The post claims the leak includes data from 560 million users, including names, addresses, phone numbers, and partial payment details.

So what?

The rapid resurgence of the seized domain highlights the importance of international cooperation and a holistic approach to tackling cyber crime.

[Researcher: Amy Gregan]

3. Sav-Rx and BBC face data breaches with distinct response strategies   

Prescription management firm Sav-Rx has alerted more than 2.8 million people that their data was likely exfiltrated during a breach that occurred back in October 2023. The details came to light after a third-party investigation in April into the initial response last year.

Separately, the BBC has launched an investigation after its pension scheme was victim to a data breach affecting over 25,000 people. The BBC has claimed that the source of the incident has been secured and has reported the incident to the ICO and Pensions Regulator.

So what?

It is important for companies to rapidly investigate and respond to data breaches. Undue delays could lead to regulatory fines and steeper third-party legal claims.

[Researcher: Lawrence Copson]

4. Check Point issues emergency zero-day fix as researchers reveal Fortinet flaw

American-Israeli software provider Check Point has released an emergency fix for a zero-day vulnerability that allows attackers to gain remote access on internet-exposed Check Point Security Gateways with remote Access VPN or Mobile Access Software Blades enabled. The vulnerability has been under exploitation for over a month.

Separately, security researchers have released a proof of concept for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which allows attackers to run commands remotely as the root user on any Internet-exposed and unpatched appliances.

So what?

Organisations using the affected products should follow vendor advice and patch immediately. 

[Researcher: Waithera Junghae]

5. Exploited vulnerabilities remain unclassified at the NVD due to operational shortages

Due to funding cuts 90% of vulnerability submissions to the US National Vulnerability Database (NVD) have not been analysed or enriched since February 2024. The NVD assigns a unique CVE number and severity rating to each vulnerability. The National Institute of Standards and Technology (NIST), which manages the NVD, has committed to clearing the backlog by September.


This slowdown gives threat actors an advantage in crafting exploits, as organisations worldwide rely on CVE information and associated ratings for their cyber security and patch management processes.

[Researcher: Aditya Ganjam Mahesh]

6. Microsoft reveals new North Korean threat actor behind job market scams 

Microsoft has identified a new North Korean threat actor, codenamed Moonstone Sleet, that creates fake company names and job opportunities to trick victims into downloading malicious tools and ransomware.  

So what?

Individuals should be cautious about responding to unsolicited job offers and avoid clicking on links or downloading attachments from unknown sources. 

[Researcher: Lena Krummeich]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.