Cyber Security Today, May 20, 2022 – A look inside the Wizard Spider hacking gang

Welcome to Cyber Security Today. It’s Friday May 20th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

One of the wealthiest cybercrime groups known for using the Conti and Ryuk ransomware has estimated assets of over hundreds of millions of dollars. That’s the assessment of researchers for the Swiss-based firm called ProDaft. This week it released a report on the workings of the gang, dubbed Wizard Spider. Researchers say it is capable of hiring specialist talent, building new digital infrastructure and purchasing access to advanced exploits. They believe it has an application for cracking stolen hashed passwords. The gang apparently also hires telephone operators to cold-call victims and scare them into paying. IT administrators should note the gang usually starts attacks by spreading malware through mass email campaigns and through compromised business email conversations. The implication is many attacks can be stopped by scanning email for malicious attachments and by holding regular employee security awareness training sessions.

There’s more in the full report here.

Application programming interfaces, or APIs, help connect IT systems and software. But they don’t have to be open to the internet. If they are, those APIs could be leveraged by hackers. Researchers at the Shadowserver Foundation warned this week that too many Kubernetes APIs appear to be open on the internet — over 380,000 of them. And of those over 200,00 are in the U.S. If your APIs are open to the internet without permission either have an access authorization process in place or block the APIs with a firewall.

More on APIs: Researchers at Synopsis have discovered two serious vulnerabilities in the admin panel of Strapi. It’s an open-source headless content management system application tool that allows users to quickly build APIs. An authenticated hacker with access to the admin panel could view private and sensitive data, such as email and password reset tokens. Strapi users should upgrade to the latest version of the tool.

VMware has issued patches to fix serious vulnerabilities in five of its products. These are Workspace One Access, Identity Manager, vRealize Automation, vRealize Suite Lifecycle Manager and Cloud Foundation. The most critical is an authentication bypass vulnerability in Workspace One Access, Identity Manager and vRealize Automation.

WordPress developers who use the Tatsu Builder plugin are reminded to update to the latest version. It plugs a major vulnerability. The patch has been available since April 7th. However, according to security researchers at WordFence hackers are doing a lot of hunting around the internet for unpatched versions of this plugin.

Finally, threat actors have found a new way to infect the computers of groups using the Zoom videoconferencing platform. They are spoofing reminders of known community and school board meetings sent to users with what looks like a conferencing invitation. But the reminder attachment is a malicious PDF. Victims are fooled because the reminder is for a real upcoming and publicly announced meeting. Researchers at Avanan, who discovered this scam, say anyone receiving a reminder of a streaming public meeting should check the sender’s address before clicking on an attachment, hover over any link to see what the destination is and check with the administrators of the community association or school board if they in fact sent that email.

That’s if for now. But remember later today the Week in Review podcast will be out. David Shipley of Beauceron Security and I will talk about an international survey of CISOs and advice from intelligence agencies about thwarting common cyber attacks.

Links to details about podcast stories are in the text version at That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Sponsored By:

Cyber Security Today Podcast