November 2023: Regions and Industries at Risk

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 

Top Five Most Targeted Regions in November

November 2023 witnessed a sharp rise in cyberattacks around the world, highlighting the urgent need for better cybersecurity defenses. Below, we detail the specific threat actors and malware campaigns that have targeted various regions, including 

  1. North America, 

  2. the Middle East, 

  3. Europe, 

  4. East Asia, and 

  5. Southeast Asia.

We also list the organizations that were impacted by these attacks, along with the relevant sources for this information.

North America (U.S.) Cyber Incidents in November 2023

In November 2023, North America faced a surge in cyber threats, with multiple ransomware groups and state-sponsored actors targeting a wide range of sectors. 

Threat Actors & Attack Campaigns

Malware & Tools

NoEscape Ransomware Group ([1], [2]), Anonymous Sudan and Skynet [3], USDoD [4], BlueNoroff [5], Medusa Ransomware Group [6], Kimsuky APT (a.k.a Thallium, APT 43) [7], BlackBasta Ransomware Group [8], Lazarus APT [9], Cyber Av3ngers [10], Ukrainian Ransomware Gang [11], Cl0p Ransomware Gang ([12], [13]), BlackCat/ALPHV Ransomware Gang [14], Threat Actors Behind the Kansas Supreme Court, Office of Judicial Administration Attack [15], Diamond Sleet (formerly known as “Zinc”) [16], LockBit 3.0 Affiliates [17], SiegedSec [18], INC Ransomware Group [19], Play Ransomware Gang [20], Gamaredon [21], Anonymous Sudan (with Aliases Skynet) [22], SEO#LURKER [23], Scattered Spider (with aliases Octo Tempest, UNC3944) [24], Pwnp0ny [25], Snatch Ransomware Group [26], Rhysida Ransomware Gang [27] 

NoEscape Ransomware [1], Drovorub & Cobalt Strike Framework, ObjCShellz macOS Malware [5], Medusa Ransomware [6], Qakbot, Black Basta Malware [8], Cactus Ransomware [28], LockerGoga, MegaCortex, HIVE, Dharma Malware [11], Altera, Anydesk, TeamViewer, Action1 [17], LitterDrifter USB Worm [21], ZIP file (WinSCP_v.6.1.zip), DLL file (python311.dll), Python scripts (slv.py and wo15.py) [23],  

Table 1. North America as the Most Targeted Region by Threat Actors

The NoEscape Ransomware Group ([1], [2]) struck both Avianor Group in Canada and OE Federal Credit Union in the United States, compromising substantial data and impacting their online services. The Science History Institute also fell victim to NoEscape, losing 22 GB of data in a breach. Anonymous Sudan [3] launched a DDoS attack against OpenAI, while the USDoD [4] hacker leaked personal information from over 35 million LinkedIn users through web scraping.

North Korea-backed BlueNorOff [5] deployed sophisticated macOS malware against global financial and cryptocurrency sectors, with the Lazarus Group [9] using the virtual currency mixer Sinbad.io for laundering stolen virtual currency. The Medusa ransomware group [6] targeted the Canadian Psychological Association, employing pressure tactics with a countdown timer for ransom demands.

In the United States, the Kimsuky APT [7] faced sanctions for its cyberespionage activities, and the BlackCat/ALPHV Ransomware Gang [14] attacked Henry Schein, a major healthcare company, encrypting its systems and stealing sensitive data. The Kansas Supreme Court and Office of Judicial Administration suffered a data breach, and Diamond Sleet (Zinc) [16] executed a supply chain attack, impacting devices in the US and Japan.

LockBit 3.0 [17] affiliates exploited the "Citrix Bleed" vulnerability to breach organizations like Boeing, and Sieged Security (a.k.a SiegedSec) [18] claimed responsibility for a data breach at the Idaho National Laboratory. The INC Ransomware Group [19] expanded its attacks globally, targeting various organizations, including those in North America.

The PLAY Ransomware Group [20] attacked McHale Landscape Design, threatening to release sensitive data, and Gamaredon [21] developed a self-propagating USB worm called LitterDrifter [21], affecting the US among other countries. The SEO#LURKER [23] campaign targeted users in the US through malvertising, and Scattered Spider's [24] social engineering attacks on critical infrastructure sectors led to an advisory from the FBI and CISA. In addition, the NSA placed the hacking group "pwnp0ny" [25] on its most wanted list.

The Snatch Ransomware group [26] breached Tyson Foods, and the Rhysida Ransomware Gang [27] targeted various industry sectors across North America. 

These incidents collectively highlight the diverse and significant cyber threats faced by North America, emphasizing the need for robust cybersecurity measures and international cooperation to mitigate these evolving challenges.

Middle East Cyber Incidents in November 2023

The Middle East's cyber landscape in November 2023 was a complex tapestry of politically motivated attacks, state-sponsored espionage, and cybercriminal activities. 

Threat Actors & Attack Campaigns

Malware & Tools

Garnesia Team [29], MuddyWater APT [30], Scarred Manticore (significant overlaps with Storm-0861 and OilRig) [31], Threat Actors Exploiting the 'Citrix Bleed' Vulnerability [32], Agonizing Serpens (a.k.a Agrius, BlackShadow, and Pink Sandstorm) [33], Indian Cyber Force [34], Imperial Kitten (a.k.a TA456, Yellow Liderc) [35], BibiGun Hacktivist Group [36], Winter Vivern APT [37], ALPHV (BlackCat) Ransomware Gang [38], TA402 (a.k.a with Molerats, Gaza Cybergang, Frankenstein, WIRTE) [39], Cyber Toufan [40], Al-Toufan [41], WildCard APT [42], Appin Security Group (Indian hack-for-hire group) [43], Al-Aqsa Flood [44]

MuddyC2Go [30], LIONTAIL malware framework [31], HTTPSnoop backdoor, Tunna, FOXSHELL web shell, SDD backdoor [45], net.exe, netscan.exe, 7-zip, certutil, e.exe, d.dll, sh3.exe, FREEFIRE, Atera, AnyDesk, SplashTop [32], MultiLayer, PartialWasher, BFG Agonizer and Sqlextractor malware [33], IMAPLoader and StandardKeyboard [35], Windows Version Bibi-Wiper Malware [36], Protestware [46], Nitrogen malware [38], IronWind malware, version.dll, timeout.exe, gatherNetworkInfo.vbs [39], Stuxnet, CosmicEnergy, EKANS ransomware [47], SysJoker [48], DMADevice.exe, AppMessagingRegistrar.exe, Rustdown [42] [43], RedLine info stealer [49]

Table 2. Middle East as the Second Most Targeted Regions by Threat Actors and Malware Campaigns

The Garnesia Team's [29] DDoS attack on Tesla highlighted the intersection of cyber warfare and global politics. Iranian state-sponsored group MuddyWater [30] used the MuddyC2Go framework for espionage against Israeli targets, showcasing the strategic use of cyber operations in state conflicts. Similarly, the Scarred Manticore group [31], with ties to Iran, launched a sophisticated cyberespionage campaign across various Middle Eastern sectors using LIONTAIL malware.

The exploitation of the 'Citrix Bleed' vulnerability [32] by unidentified attackers was a stark reminder of the global vulnerability of even well-protected systems. Agonizing Serpens (a.k.a Agrius, BlackShadow, and Pink Sandstorm) [33], another Iranian group, targeted Israeli sectors with destructive wiper malware, reflecting a shift towards more aggressive cyber operations. The Indian Cyber Force's [34] attack on Qatar’s government systems underlined the role of cyber warfare in international conflicts. Meanwhile, Imperial Kitten (a.k.a TA456, Yellow Liderc) [35], associated with Iran's Islamic Revolutionary Guard Corps, continued targeting Israeli critical sectors, highlighting ongoing regional cyber tensions.

The emergence of the Windows Version Bibi-Wiper Malware [36] in Israeli systems signified the growing role of hacktivist groups in regional conflicts. The Winter Vivern APT's [37] exploitation of a Zimbra Collaboration Suite zero-day vulnerability demonstrated the global nature of cyber threats. The use of Protestware [46] in npm packages represented a new form of cyberactivism, embedding political messages in software. The ALPHV (BlackCat) Ransomware Gang's [38] malvertising campaign across the Americas and Europe exemplified the transnational nature of cyber threats.

TA402’s (a.k.a with Molerats, Gaza Cybergang, Frankenstein, WIRTE) [39] change in tactics, with direct attachments of malicious files in spear-phishing emails, indicated evolving cyberespionage methods. Cyber Toufan [40] and Al-Toufan’s attacks [41] on Israeli and Bahraini entities, respectively, showed the growing use of cyberattacks in geopolitical conflicts. The expansion of WildCard APT [42] into critical Israeli sectors with new malware variants underscored the continuous evolution of cyber threats. The Appin Security Group [43], an Indian hack-for-hire organization, highlighted the burgeoning market for cyber espionage. Lastly, the widespread use of Redline Stealer malware [49] underscored the persistent threat posed by cybercriminals in data theft for financial gain.

These incidents across the Middle East exemplify the diverse and dynamic nature of cyber threats, ranging from state-sponsored espionage to hacktivism and cybercrime, all converging to create a complex and challenging cyber environment. This situation underscores the critical need for robust cybersecurity measures and international cooperation to address and mitigate these evolving threats.

Europe Cyber Incidents in November 2023

In November 2023, Europe faced a surge in cyber incidents, showcasing the sophistication and diversity of cyber threats. These incidents reflect the complex landscape of cybersecurity in the region, marked by state-sponsored activities, ransomware campaigns, and targeted attacks exploiting software vulnerabilities.

Threat Actors & Attack Campaigns

Malware & Tools

Kimsuky APT [7], Ukrainian Ransomware Gang [11], INC Ransomware Group [19], Gamaredon [21], Winter Vivern APT [37], Medusa Ransomware Gang [50], LockBit Ransomware Gang [51], Sandworm Operation [52], Rhysida Ransomware [52], Gamaredon (also called Shuckworm, Actinium, and Primitive Bear) [53], NoName057(16) Hacktivist Group [54]

LockerGoga, MegaCortex, HIVE, Dharma Malware [11], BlazeStealer malware [55] 

Winter Vivern APT [37] exploited a zero-day vulnerability in Zimbra Collaboration Suite to compromise government emails in several countries. This campaign demonstrated the persistent threat posed by sophisticated state-sponsored groups capable of exploiting vulnerabilities in critical communication infrastructure. 

Medusa Ransomware Gang [50] targeted Toyota Financial Services (TFS) in a high-profile ransomware attack. By demanding a significant ransom and threatening data release, this incident highlighted the escalating threat ransomware groups pose to global corporations, particularly those with unpatched vulnerabilities. The LockBit Ransomware Gang [51] leveraged the Citrix Bleed vulnerability to attack large organizations, including major international corporations. This campaign underscored the critical need for timely patching of known vulnerabilities, given the widespread potential impact on various sectors.

BlazeStealer malware [55] distribution through deceptive Python packages revealed a cunning tactic to compromise systems. This attack strategy, targeting developers in open-source software environments, signified an evolving threat landscape where even seemingly secure software development processes can be exploited.

The Sandworm Operation [53] in Denmark targeted critical infrastructure, involving sophisticated techniques and possibly state-sponsored actors. This operation, exploiting vulnerabilities in firewall systems, demonstrated the potential for significant disruption to national infrastructure. Rhysida Ransomware Gang's [52] attack on the National British Library showcased the expanding scope of ransomware targets, affecting not only corporations but also cultural and educational institutions. The attack caused significant service disruptions, emphasizing the societal impact of such cyber threats.

Finally, the NoName Hacktivist Group's [54] attacks on key Latvian institutions reflected the geopolitical dimensions of cyber threats. The targeting of government and commercial entities in Latvia underscored the use of cyberattacks as instruments in broader political and international disputes.

These incidents in Europe highlight the multifaceted nature of cyber threats, where various actors exploit technological vulnerabilities for different motives, including financial gain, espionage, and political objectives. The complexity and severity of these threats underscore the need for robust, proactive cybersecurity measures and international collaboration to mitigate these evolving risks.

From Silicon to Cyber Silk Road: East Asia Emerges as Fourth Most Hacked Region

In East Asia, the cyber threat landscape has been marked by technically sophisticated attacks, highlighting the region's vulnerability across various sectors. 

Threat Actors & Attack Campaigns

Malware & Tools

Diamond Sleet (formerly known as “Zinc”) [16], Medusa Ransomware Gang [50], Qilin Ransomware Group [56], Lazarus Group [57], LockBit Ransomware Gang [51], ALPHV/BlackCat Ransomware Group [58]

LambLoad Malware ([16], [59]), SmoothOperator [60], BlazeStealer malware [55], SugarGh0st RAT, Gh0st RAT [61], 

North Korea's Diamond Sleet [16] group orchestrated a complex supply chain attack, embedding malicious code in a legitimate application from CyberLink Corp. This attack, leveraging valid digital certificates, impacted devices globally, including in the US and Japan, showcasing advanced evasion techniques. 

The Qilin Ransomware Group [56], known for its targeted approach, disrupted the automotive industry by attacking Yanfeng Automotive Interiors, a major Chinese parts manufacturer. This attack likely caused ripple effects across the global automotive supply chain. Further, the Lazarus Group [57], also linked to North Korea, exploited a zero-day vulnerability in the MagicLine4NX software used in South Korea, underscoring their focus on high-impact cyber espionage and financial crimes, including cryptocurrency theft. 

The LockBit Ransomware Gang's [51] exploitation of the Citrix Bleed vulnerability demonstrated their ability to target a wide array of organizations by leveraging unpatched security flaws. Meanwhile, the distribution of BlazeStealer malware [55] through Python packages disguised as legitimate tools signified a growing trend of attackers exploiting software development environments for widespread system compromise. 

These varied and technically advanced cyber incidents across East Asia signify a dynamic and challenging cyber threat environment, demanding heightened vigilance and robust cybersecurity measures.

Southeast Asia

Southeast Asia's cyber landscape in November 2023 was shaped by a series of sophisticated cyberattacks and espionage campaigns. 

Threat Actors & Attack Campaigns

Malware & Tools

Gamaredon [21], Winter Vivern APT [37], Mustang Panda (with aliases Stately Taurus) [62], Appin Security Group (Indian hack-for-hire group) [43]

LitterDrifter USB Worm [21], FjordPhantom banking malware [63], RedLine info stealer [49], SugarGh0st RAT, Gh0st RAT [61], SpyLoan Android malware [64]

Russia-linked Gamaredon [21] developed LitterDrifter, a self-propagating USB worm, illustrating the group's focus on Ukraine and beyond. Winter Vivern APT [37] exploited a zero-day in Zimbra Collaboration Suite, compromising government emails in countries including Vietnam, reflecting the global reach of cyber threats. FjordPhantom [63], a novel Android banking malware, emerged in Southeast Asia, targeting banking customers through fake apps and sophisticated virtualization techniques.

Mustang Panda [62], a China-aligned group, launched spear-phishing campaigns against the Philippine government, showcasing the geopolitical nature of cyber espionage. The Indian hack-for-hire group Appin Security Group [43] has been conducting covert operations globally since 2009, using tools like MyCommando for data theft, indicating the growing market for cyber espionage. Meanwhile, the prevalence of Redline Stealer malware [49] among cybercriminals for stealing sensitive data highlights the ongoing threat in the region.

These incidents collectively demonstrate the diverse and complex nature of cyber threats in Southeast Asia, ranging from state-sponsored espionage to sophisticated malware attacks targeting financial and governmental institutions. This evolving threat landscape underscores the need for robust cybersecurity defenses and heightened vigilance across the region.

Top Five Most Targeted Sectors in November 2023

In this section, we will list the most targeted sectors: 

  1. Government and Administration, 

  2. Technology, 

  3. Finance, 

  4. Healthcare, and 

  5. Education. 

For each sector, we will provide the corresponding threat actors and APT (Advanced Persistent Threat) groups, as well as their malware campaigns.

Government and Administration: A Prime Focus for Targeting in November 2023

November 2023 witnessed a significant uptick in cyberattacks targeting government sectors globally, illustrating the diverse and sophisticated nature of these threats. 

Threat Actors & Attack Campaigns

Malware & Tools

Cyber Av3ngers Iran-based Hacktivist Group [10], Attackers Behind the KidSecurity Software [65], JackieChan/USInfoSearch [66], IntelBroker Hacker from CyberNiggers Threat Group [67], Play Ransomware Group [68], SiegedSec [18], Pwnp0ny [25], Indian Cyber Force [34], Al-Toufan Hacktivist Group [41], Gaza Cybergang [69], Mustang Panda (with aliases Stately Taurus) [62], LockBit Ransomware Gang [51], Sandworm Operation [52], Rhysida Ransomware [52], NoName057(16) Ransomware Group [54], Lazarus APT [9], Threat Actors Behind the Kansas Supreme Court, Office of Judicial Administration Attack [15], Indian Cyber Force [34], Sandworm Operation [52], NoName057(16) Ransomware Group [54], WildCard APT [42] 

PlayCrypt Ransomware [68], SysJoker and KandyKorn Malware, FjordPhantom Android banking malware [63], SmoothOperator [60]

The Cyber Av3ngers [10] targeted critical water infrastructure in Pennsylvania, reflecting the broader trend of infrastructure-focused cyber warfare, possibly influenced by global political conflicts. KidSecurity's major data breach, resulting from inadequate cybersecurity practices, exposed sensitive user data, highlighting the risks in applications managing personal information. 

USinfoSearch fell victim to a sophisticated data breach by JackieChan/USInfoSearch [66], showcasing the vulnerability of consumer data to exploitation. General Electric's encounter with a data breach by IntelBroker [67] from the CyberNiggers group raised alarms about the protection of sensitive corporate information. 

The Sandworm Operation [53] in Denmark targeted critical infrastructure, involving sophisticated techniques and possibly state-sponsored actors. This operation, exploiting vulnerabilities in firewall systems, demonstrated the potential for significant disruption to national infrastructure. The Play ransomware group's [68] targeting of various international companies underlined the pervasive risk of ransomware in the business sector. The healthcare industry, particularly in the United States, faced disruptions from WildCard APT's [42] ransomware attacks, emphasizing the criticality of cybersecurity in protecting essential services. 

Al-Toufan's [41] attack on Bahrain's key infrastructure and FjordPhantom's [63] targeting of banking apps in Southeast Asia demonstrated the geographical spread and technical sophistication of cyber threats. 

Mustang Panda's [62] spear-phishing campaign against the Philippine government, the LockBit Ransomware Gang's [51] exploitation of the Citrix Bleed vulnerability, and the NoName ransomware group's [54] attacks in Latvia further exemplified the global and multifaceted nature of cyber threats against government sectors, stressing the urgent need for enhanced cybersecurity measures and international collaboration to counter these evolving challenges.

Technology Emerges as the Second Most Targeted Sector

In November 2023, the technology sector faced diverse and sophisticated cyber threats, marking a significant escalation in cyber warfare.

Threat Actors & Attack Campaigns

Malware & Tools

Diamond Sleet (formerly known as “Zinc”) [16], Anonymous Sudan (aliases with Skynet) [22], Lazarus Group [57], Cerber Ransomware [70], Garnesia Team [29], USDoD [4], Agonizing Serpens (a.k.a Agrius, BlackShadow, and Pink Sandstorm) [33], Imperial Kitten (a.k.a TA456, Yellow Liderc) [35], Winter Vivern APT [37]

LambLoad Malware ([16], [59])

North Korea-linked Lazarus Group [57] exploited a zero-day vulnerability in MagicLine4NX software, targeting South Korean institutions in a pattern of espionage and financial gain. Simultaneously, Diamond Sleet [16] conducted a supply chain attack through CyberLink Corp, affecting devices in multiple countries, including the US and Japan, indicating their focus on data theft and persistent access. 

The Cerber ransomware group [70] exploited a vulnerability in Atlassian Confluence, deploying ransomware and highlighting an evolution in ransomware tactics. Garnesia Team's  [29] politically motivated DDoS attack on Tesla's website, possibly linked to Elon Musk's Israel visit, underlined the intersection of global politics and cyber warfare. 

Anonymous Sudan's [22] DDoS attack on OpenAI and the USDoD hacker's data breach of LinkedIn users emphasized the growing threats to AI platforms and social networking sites. Agonizing Serpens [33] and Imperial Kitten targeted Israeli sectors with destructive wiper malware and data theft, reflecting aggressive cyber operations in the region. Winter Vivern APT's [37] exploitation of a zero-day in Zimbra Collaboration Suite showcased the global reach of cyber threats. 

These incidents highlight the complex and dynamic nature of cyber threats in the technology sector, stressing the need for heightened cybersecurity measures and international collaboration.

Finance

In November 2023, the finance sector was a prime target for cyber threats, with multiple actors deploying sophisticated malware and ransomware. 

Threat Actors & Attack Campaigns

Malware & Tools

Lazarus APT [9], ALPHV/BlackCat Ransomware Group ([71], [72]), LockBit Ransomware [73], Medusa Ransomware Gang [50], N4ughtySecTU Group [74], NoEscape Ransomware Group ([1], [2]), BlueNoroff [5], INC Ransomware Group [19], Scarred Manticore (significant overlaps with Storm-0861 and OilRig) [31]

FjordPhantom Android banking malware [63], RedLine info stealer [49]


The Lazarus Group [9] utilized virtual currency mixer Sinbad.io for money laundering, emphasizing the growing intersection of cryptocurrency and cybercrime. The ALPHV/BlackCat Ransomware Group ([71], [72]) disrupted Fidelity National Financial's services, indicating the escalating impact of ransomware in the financial industry. The Medusa Ransomware Gang's [50] attack on Toyota Financial Services highlighted the sector's vulnerability to targeted ransomware operations.

The N4ughtySecTU Group's [74] targeting of major credit reporting agencies TransUnion and Experian underlined the criticality of safeguarding consumer data. FjordPhantom's Android banking malware [63] in Southeast Asia showcased the innovative methods being used to defraud banking customers, combining social engineering with sophisticated virtualization techniques. The prevalence of the RedLine info stealer malware [49] highlighted the ongoing threat to sensitive financial data.

NoEscape's ransomware ([1], [2]) attack on Avianor Group and OE Federal Credit Union stressed the significant risks of data breaches in the financial sector. BlueNorOff's [5] targeting of cryptocurrency exchanges and financial organizations globally with macOS malware ObjCShellz demonstrated the advanced capabilities of state-backed cybercriminals. INC Ransomware Group's [19] expansion to multiple international organizations underscored the global reach and sophistication of cyber threats in finance.

The Scarred Manticore's [31] cyber espionage campaign against financial sectors in the Middle East using the LIONTAIL malware framework signified the strategic use of cyber operations for geopolitical leverage. These incidents collectively underscore the urgent need for robust cybersecurity measures in the finance sector to protect against an increasingly complex and dangerous digital threat landscape.

Hacking the Halls of Learning: Education Sector Takes Fourth Place in Cyber Threats

In November 2023, the education sector ranked fourth in experiencing cyber threats, as institutions of various sizes were hit by a wave of cyberattacks. 

Threat Actors & Attack Campaigns

Malware & Tools

NoEscape Ransomware Group [2], ALPHV/BlackCat Ransomware Group [75], Agonizing Serpens (a.k.a Agrius, BlackShadow, and Pink Sandstorm) [33], WildCard APT [42], Rhysida Ransomware [52], WildCard APT [42]  

MultiLayer, PartialWasher, BFG Agonizer and Sqlextractor malware [33], SysJoker [48], DMADevice.exe, AppMessagingRegistrar.exe, Rustdown [42]


The NoEscape Ransomware Group [2] targeted the Science History Institute, resulting in the exposure of 22 GB of data. This group, known for its ransomware-as-a-service approach, employs double-extortion attacks targeting multiple systems. WildCard APT [42], initially focusing on Israel's educational sector, expanded its reach within critical sectors, developing new malware variants like DMADevice.exe, AppMessagingRegistrar.exe, and RustDown [42]. These tools illustrate the group's evolving tactics and continuous targeting of educational institutions.

The Rhysida Ransomware Group [52] attack on the National British Library caused a significant technology outage, disrupting services and threatening to auction off stolen data. This attack highlights the growing risk to institutions integral to global knowledge preservation. Agonizing Serpens [33], an Iranian hacking group, also targeted the Israeli higher education and tech sectors with novel wiper malware like MultiLayer, PartialWasher, and BFG Agonizer [33], aiming to steal sensitive data and intellectual property. 

This series of incidents in the education sector underscores the sector's vulnerability and the need for heightened cybersecurity measures to protect against these diverse and evolving threats.

Healthcare

In November 2023, the healthcare sector faced a barrage of cyberattacks, significantly impacting both service delivery and patient privacy. 

Threat Actors & Attack Campaigns

Malware & Tools

BlackCat/ALPHV Ransomware Gang [14], Threat Actors Behind Capital Health Outage [76], WildCard Threat Group [77], Cl0p Ransomware Gang [12], LockBit Ransomware [73], Threat Actors Behind the TruePill Data Breach [78], Medusa Ransomware Group [6]

SmoothOperator [60]

Henry Schein, a major healthcare company, suffered two cyberattacks by the ALPHV BlackCat Ransomware Gang [14], resulting in the theft of 35 terabytes of sensitive data and repeated system encryptions. Capital Health Hospitals in New Jersey experienced IT outages due to a cyberattack, reflecting the growing threat to healthcare infrastructure.

The WildCard APT [77] orchestrated ransomware attacks against several U.S. hospitals, including Portneuf Medical Center and Vanderbilt University Medical Center, leading to disrupted medical services and emergency room diversions. The Cl0p Ransomware Gang [12] breached Welltok, a medical patient communication service provider, exposing the data of nearly 8.5 million individuals, which included sensitive health information. This breach led to proposed federal class action lawsuits against Welltok for negligence.

The LockBit Ransomware Group [73] targeted U.S.-based Planet Home Lending and Community Dental, threatening to release sensitive data if their demands were not met. Truepill, a B2B pharmacy platform, notified customers of a data breach affecting 2.3 million individuals, involving unauthorized network access and compromising sensitive healthcare data.

The Medusa Ransomware Group [6] attacked the Canadian Psychological Association, adding pressure with a countdown timer on their dark web channel and demanding a ransom for the compromised data. These incidents across the healthcare sector highlight the critical need for enhanced cybersecurity measures to protect against evolving cyber threats and ensure the confidentiality and integrity of sensitive health information.

References

[1] S. Jain, “NoEscape Ransomware Strikes Again, Targeting Avianor Group and OE Federal Credit Union,” The Cyber Express, Nov. 08, 2023. Available: https://thecyberexpress.com/avianor-data-breach-sensitive-info-leaked/. [Accessed: Nov. 10, 2023]

[2] I. Tripathi, “NoEscape Ransomware Group Strikes Again, Claims Science History Institute Data Breach,” The Cyber Express, Nov. 30, 2023. Available: https://thecyberexpress.com/science-history-institute-data-leak/. [Accessed: Dec. 04, 2023]

[3] S. Jain, “OpenAI Cyberattack Claimed by Anonymous Sudan, ChatGPT Services Disrupted,” The Cyber Express, Nov. 08, 2023. Available: https://thecyberexpress.com/openai-cyberattack-unverified-claims/. [Accessed: Nov. 10, 2023]

[4] Waqas, “Hacker Leaks 35 Million Scraped LinkedIn User Records,” Hackread - Latest Cybersecurity News, Press Releases & Technology Today, Nov. 07, 2023. Available: https://www.hackread.com/hacker-leaks-scraped-linkedin-user-records/. [Accessed: Nov. 10, 2023]

[5] S. Gatlan, “BlueNoroff hackers backdoor Macs with new ObjCShellz malware,” BleepingComputer, Nov. 07, 2023. Available: https://www.bleepingcomputer.com/news/security/bluenoroff-hackers-backdoor-macs-with-new-objcshellz-malware/. [Accessed: Nov. 10, 2023]

[6] A. Khaitan, “Medusa Ransomware Group Claims Cyberattack on Canadian Psychological Association,” The Cyber Express, Nov. 06, 2023. Available: https://thecyberexpress.com/canadian-psychological-association-cyberattack/. [Accessed: Nov. 10, 2023]

[7] E. Kovacs, “US Sanctions North Korean Cyberespionage Group Kimsuky,” SecurityWeek, Dec. 01, 2023. Available: https://www.securityweek.com/us-sanctions-north-korean-cyberespionage-group-kimsuky/. [Accessed: Dec. 01, 2023]

[8] J. Gold, “Conti-linked ransomware takes in $107 million in ransoms: Report,” CSO Online, Nov. 30, 2023. Available: https://www.csoonline.com/article/1250278/conti-linked-ransomware-takes-in-107-million-in-ransoms-report.html. [Accessed: Dec. 01, 2023]

[9] S. Jain, “US Treasury Sanctions Sinbad.io for Alleged Role in Lazarus Group’s Money Laundering,” The Cyber Express, Nov. 30, 2023. Available: https://thecyberexpress.com/us-sanctions-virtual-currency-mixer-sinbad-io/. [Accessed: Dec. 01, 2023]

[10] J. L. Hardcastle, “Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew,” The Register, Nov. 29, 2023. Available: https://www.theregister.com/2023/11/29/water_authority_ciso_iran/. [Accessed: Dec. 04, 2023]

[11] Help Net Security, “Ukrainian ransomware gang behind high-profile attacks dismantled,” Help Net Security, Nov. 28, 2023. Available: https://www.helpnetsecurity.com/2023/11/28/ukrainian-ransomware-gang-high-profile-attacks-dismantled/. [Accessed: Dec. 04, 2023]

[12] M. K. McGee and R. Ross, “Welltok’s MOVEit Hack Affects Nearly 8.5 Million, So Far.” Available: https://www.govinfosecurity.com/welltoks-moveit-hack-affects-nearly-85-million-so-far-a-23693. [Accessed: Dec. 04, 2023]

[13] I. Tripathi, “Legal Eagles Exposed: 27,000 NYC Bar Association Members Data Leaked,” The Cyber Express, Nov. 23, 2023. Available: https://thecyberexpress.com/nyc-bar-association-data-breach-27000-records/. [Accessed: Dec. 04, 2023]

[14] S. Gatlan, “Healthcare giant Henry Schein hit twice by BlackCat ransomware,” BleepingComputer, Nov. 27, 2023. Available: https://www.bleepingcomputer.com/news/security/healthcare-giant-henry-schein-hit-twice-by-blackcat-ransomware/. [Accessed: Dec. 04, 2023]

[15] K. Ragupathy, “Kansas Court Hack: Attackers Stole Sensitive Data From Systems,” Cyber Security News, Nov. 27, 2023. Available: https://cybersecuritynews.com/kansas-court-hack/. [Accessed: Dec. 04, 2023]

[16] “Website.” Available: https://thecyberwire.com/stories/c5ee63b6d65746389ab580269ea97798/dprk-supply-chain-attacks

[17] Z. Zorz, “How LockBit used Citrix Bleed to breach Boeing and other targets,” Help Net Security, Nov. 22, 2023. Available: https://www.helpnetsecurity.com/2023/11/22/lockbit-citrix-bleed/. [Accessed: Dec. 04, 2023]

[18] Waqas, “Hackers Leak Thousands of Idaho National Lab Employees’ PII Data,” Hackread - Latest Cybersecurity News, Press Releases & Technology Today, Nov. 24, 2023. Available: https://www.hackread.com/hackers-leak-idaho-national-lab-employee-pii-data/. [Accessed: Dec. 04, 2023]

[19] S. Jain, “INC Ransomware Group Broadens Reach, Targets 7 New Victims,” The Cyber Express, Nov. 23, 2023. Available: https://thecyberexpress.com/inc-ransomware-group-target-7-new-victims/. [Accessed: Dec. 04, 2023]

[20] S. Jain, “PLAY Ransomware Claims Attacking McHale Landscape Design, Sets Nov 25 Deadline,” The Cyber Express, Nov. 23, 2023. Available: https://thecyberexpress.com/mchale-landscape-design-cyberattack/. [Accessed: Dec. 04, 2023]

[21] I. Arghire, “Russia’s LitterDrifter USB Worm Spreads Beyond Ukraine,” SecurityWeek, Nov. 20, 2023. Available: https://www.securityweek.com/russias-litterdrifter-usb-worm-spreads-beyond-ukraine/. [Accessed: Dec. 04, 2023]

[22] S. Jain, “OpenAI Fired Sam Altman Over Cyberattack, Claims Anonymous Sudan,” The Cyber Express, Nov. 20, 2023. Available: https://thecyberexpress.com/openai-cyberattack-sparks-ceo-ousting/. [Accessed: Dec. 04, 2023]

[23] 2023 newsroom Nov 17, “Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware,” The Hacker News, Nov. 17, 2023. Available: https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html. [Accessed: Dec. 04, 2023]

[24] C. Riotta and R. Ross, “CISA, FBI Issue New Warning Following Las Vegas Cyberattack.” Available: https://www.govinfosecurity.com/cisa-fbi-issue-new-warning-following-las-vegas-cyberattack-a-23616. [Accessed: Dec. 04, 2023]

[25] S. Jain, “NSA Launches Hunt for Notorious Hacking Group pwnp0ny – Offers Reward for Information,” The Cyber Express, Nov. 16, 2023. Available: https://thecyberexpress.com/nsa-most-wanted-hunt-for-pwnp0ny-hackers/. [Accessed: Dec. 04, 2023]

[26] S. Jain, “Tyson Foods Cyberattack: Snatch Ransomware Targets Global Food Industry Giant,” The Cyber Express, Nov. 16, 2023. Available: https://thecyberexpress.com/tyson-foods-data-breach-cybersecurity-alert/. [Accessed: Dec. 04, 2023]

[27] S. Gatlan, “FBI and CISA warn of opportunistic Rhysida ransomware attacks,” BleepingComputer, Nov. 15, 2023. Available: https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-opportunistic-rhysida-ransomware-attacks/. [Accessed: Dec. 04, 2023]

[28] E. Kovacs, “Qlik Sense Vulnerabilities Exploited in Ransomware Attacks,” SecurityWeek, Nov. 30, 2023. Available: https://www.securityweek.com/qlik-sense-vulnerabilities-exploited-in-ransomware-attacks/. [Accessed: Dec. 01, 2023]

[29] A. Chopra, “Anti-Israel Hacktivist Group Claims Tesla Cyberattack After Elon Musk’s Israel Visit,” The Cyber Express, Nov. 28, 2023. Available: https://thecyberexpress.com/tesla-cyberattack-elon-musks-visit-to-israel/. [Accessed: Dec. 04, 2023]

[30] 2023 newsroom Nov 09, “MuddyC2Go: New C2 Framework Iranian Hackers Using Against Israel,” The Hacker News, Nov. 09, 2023. Available: https://thehackernews.com/2023/11/muddyc2go-new-c2-framework-iranian.html. [Accessed: Dec. 05, 2023]

[31] Eswar, “Iranian APT Group Utilize IIS-based Backdoors to Compromise Windows servers,” Cyber Security News, Nov. 01, 2023. Available: https://cybersecuritynews.com/iranian-group-utilize-iis/. [Accessed: Dec. 05, 2023]

[32] B. Toulas, “Hackers use Citrix Bleed flaw in attacks on govt networks worldwide,” BleepingComputer, Nov. 01, 2023. Available: https://www.bleepingcomputer.com/news/security/hackers-use-citrix-bleed-flaw-in-attacks-on-govt-networks-worldwide/. [Accessed: Dec. 05, 2023]

[33] 2023newsroom Nov 06, “Iranian Hackers Launch Destructive Cyber Attacks on Israeli Tech and Education Sectors,” The Hacker News, Nov. 06, 2023. Available: https://thehackernews.com/2023/11/iranian-hackers-launches-destructive.html. [Accessed: Dec. 05, 2023]

[34] I. Tripathi, “Hacker Group ‘Indian Cyber Force’ Launches Retaliatory Cyber Strike on Qatar Government Portal,” The Cyber Express, Nov. 08, 2023. Available: https://thecyberexpress.com/cyberattack-on-qatar-government-portal-indians/. [Accessed: Dec. 05, 2023]

[35] J. Chakravarti and R. Ross, “Iranian Hackers Target Israeli Logistics and IT Companies.” Available: https://www.govinfosecurity.com/iranian-hackers-target-israeli-logistics-companies-a-23562. [Accessed: Dec. 05, 2023]

[36] 2023newsroom Nov 13, “New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks,” The Hacker News, Nov. 13, 2023. Available: https://thehackernews.com/2023/11/new-bibi-windows-wiper-targets-windows.html. [Accessed: Dec. 05, 2023]

[37] E. Kovacs, “Zimbra Zero-Day Exploited to Hack Government Emails,” SecurityWeek, Nov. 16, 2023. Available: https://www.securityweek.com/zimbra-zero-day-exploited-to-hack-government-emails/. [Accessed: Dec. 06, 2023]

[38] D. Ahmed, “ALPHV (BlackCat) Ransomware Using Google Ads to Target Victims,” Hackread - Latest Cybersecurity News, Press Releases & Technology Today, Nov. 16, 2023. Available: https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/. [Accessed: Dec. 06, 2023]

[39] L. Constantin, “Palestine-aligned cyberespionage actor shifts infection chain tactics,” CSO Online, Nov. 16, 2023. Available: https://www.csoonline.com/article/1247798/palestine-aligned-cyberespionage-actor-shifts-infection-chain-tactics.html. [Accessed: Dec. 06, 2023]

[40] I. Tripathi, “Cyber Toufan Claims Ikea Israel Data Breach, 400K Users Allegedly Exposed,” The Cyber Express, Nov. 22, 2023. Available: https://thecyberexpress.com/cyber-toufan-ikea-israel-data-breach-400k/. [Accessed: Dec. 06, 2023]

[41] “Website.” Available: https://thecyberexpress.com/cyberattack-on-bahrain-airport-by-al-toufan/

[42] Guru, “APT Hackers Behind SysJoker Attacking Critical Industrial Sectors,” Cyber Security News, Nov. 28, 2023. Available: https://cybersecuritynews.com/sysjoker-critical-industrial-sectors/. [Accessed: Dec. 06, 2023]

[43] 2023newsroom Nov 20, “Indian Hack-for-Hire Group Targeted U.S., China, and More for Over 10 Years,” The Hacker News, Nov. 20, 2023. Available: https://thehackernews.com/2023/11/indian-hack-for-hire-group-targeted-us.html. [Accessed: Dec. 04, 2023]

[44] R. Ramachandran, “Hackers breach Israeli Defense Ministry,” Latest Cyber Security News, Leading Cyber Security News, Nov. 29, 2023. Available: https://cybersafe.news/hackers-breach-israeli-defense-ministry/. [Accessed: Dec. 07, 2023]

[45] 2023newsroom Nov 01, “Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East,” The Hacker News, Nov. 01, 2023. Available: https://thehackernews.com/2023/11/iranian-cyber-espionage-group-targets.html. [Accessed: Dec. 05, 2023]

[46] Waqas, “New Protestware Uses npm Packages to Call for Peace in Gaza and Ukraine,” Hackread - Latest Cybersecurity News, Press Releases & Technology Today, Nov. 16, 2023. Available: https://www.hackread.com/protestware-npm-packages-peace-gaza-ukraine/. [Accessed: Dec. 06, 2023]

[47] Z. Zorz, “Why cyber war readiness is critical for democracies,” Help Net Security, Nov. 17, 2023. Available: https://www.helpnetsecurity.com/2023/11/17/global-cyber-war-readiness/. [Accessed: Dec. 06, 2023]

[48] Guru, “SysJoker Malware Attacking Windows, Linux and Mac Users Abusing OneDrive,” Cyber Security News, Nov. 27, 2023. Available: https://cybersecuritynews.com/sysjoker-malware-attacking-windows-linux-and-mac-users-abusing-onedrive/. [Accessed: Dec. 06, 2023]

[49] M. J. Schwartz and R. Ross, “Info Stealers Thrive in Hot Market for Stolen Data.” Available: https://www.govinfosecurity.com/info-stealers-thrive-in-hot-market-for-stolen-data-a-23586. [Accessed: Dec. 06, 2023]

[50] B. Toulas, “Toyota confirms breach after Medusa ransomware threatens to leak data,” BleepingComputer, Nov. 16, 2023. Available: https://www.bleepingcomputer.com/news/security/toyota-confirms-breach-after-medusa-ransomware-threatens-to-leak-data/. [Accessed: Dec. 06, 2023]

[51] B. Toulas, “LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed,” BleepingComputer, Nov. 14, 2023. Available: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-exploits-citrix-bleed-in-attacks-10k-servers-exposed/. [Accessed: Dec. 06, 2023]

[52] C. Jones, “Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks,” The Register, Nov. 13, 2023. Available: https://www.theregister.com/2023/11/13/inside_denmarks_hell_week_as/. [Accessed: Dec. 06, 2023]

[53] “Website.” Available: https://thecyberwire.com/stories/87d9604c2c214843b6a734cf3bc74b7d/ukraine-at-d674

[54] A. Khaitan, “NoName Ransomware Group Claims Cyberattack on Latvia’s Critical Entities,” The Cyber Express, Nov. 23, 2023. Available: https://thecyberexpress.com/cyberattack-on-latvia/. [Accessed: Dec. 06, 2023]

[55] Guru, “Watch Out For Malicious Python Packages That Can Hijack Your Computer,” Cyber Security News, Nov. 10, 2023. Available: https://cybersecuritynews.com/malicious-python-packages-hijack/. [Accessed: Dec. 06, 2023]

[56] B. Toulas, “Qilin ransomware claims attack on automotive giant Yanfeng,” BleepingComputer, Nov. 28, 2023. Available: https://www.bleepingcomputer.com/news/security/qilin-ransomware-claims-attack-on-automotive-giant-yanfeng/. [Accessed: Dec. 06, 2023]

[57] B. Toulas, “UK and South Korea: Hackers use zero-day in supply-chain attack,” BleepingComputer, Nov. 24, 2023. Available: https://www.bleepingcomputer.com/news/security/uk-and-south-korea-hackers-use-zero-day-in-supply-chain-attack/. [Accessed: Dec. 06, 2023]

[58] I. Arghire, “Japan Aviation Electronics Targeted in Ransomware Attack,” SecurityWeek, Nov. 09, 2023. Available: https://www.securityweek.com/japan-aviation-electronics-targeted-in-ransomware-attack/. [Accessed: Dec. 06, 2023]

[59] E. Kovacs, “North Korean Software Supply Chain Attack Hits North America, Asia,” SecurityWeek, Nov. 24, 2023. Available: https://www.securityweek.com/north-korean-software-supply-chain-attack-hits-north-america-asia/. [Accessed: Dec. 04, 2023]

[60] A. Asokan and R. Ross, “North Korean Hacking Alert Sounded by UK and South Korea.” Available: https://www.govinfosecurity.com/north-korean-hacking-alert-sounded-by-uk-south-korea-a-23682. [Accessed: Dec. 06, 2023]

[61] “Website.” Available: https://thecyberwire.com/newsletters/daily-briefing/12/227

[62] A. More and R. Ross, “Breach Roundup: Filipinos Under Fire From ‘Mustang Panda.’” Available: https://www.govinfosecurity.com/breach-roundup-filipinos-under-fire-from-mustang-panda-a-23680. [Accessed: Dec. 06, 2023]

[63] Waqas, “Android Banking Malware FjordPhantom Steals Funds Via Virtualization,” Hackread - Latest Cybersecurity News, Press Releases & Technology Today, Nov. 30, 2023. Available: https://www.hackread.com/fjordphantom-android-malware-targeting-banking-apps/. [Accessed: Dec. 06, 2023]

[64] B. Toulas, “SpyLoan Android malware on Google Play downloaded 12 million times,” BleepingComputer, Dec. 05, 2023. Available: https://www.bleepingcomputer.com/news/security/spyloan-android-malware-on-google-play-downloaded-12-million-times/. [Accessed: Dec. 07, 2023]

[65] “Website.” Available: https://cybernews.com/security/kidsecurity-parental-control-data-leak/

[66] “ID Theft Service Resold Access to USInfoSearch Data.” Available: https://krebsonsecurity.com/2023/11/id-theft-service-resold-access-to-usinfosearch-data/. [Accessed: Dec. 04, 2023]

[67] I. Tripathi, “General Electric Data Breach: Hacker Claims Sale of Leaked GE Information,” The Cyber Express, Nov. 29, 2023. Available: https://thecyberexpress.com/general-electric-data-sale-intelbroker/. [Accessed: Dec. 04, 2023]

[68] I. Tripathi, “Play Ransomware Group Lists 17 Victims, 14 US-Based Companies Named,” The Cyber Express, Nov. 29, 2023. Available: https://thecyberexpress.com/play-ransomware-attack-us-uk-canada-netherland/. [Accessed: Dec. 04, 2023]

[69] B. Toulas, “New Rust-based SysJoker backdoor linked to Hamas hackers,” BleepingComputer, Nov. 26, 2023. Available: https://www.bleepingcomputer.com/news/security/new-rust-based-sysjoker-backdoor-linked-to-hamas-hackers/. [Accessed: Dec. 06, 2023]

[70] M. Bagwe and R. Ross, “Cerber Ransomware Operators Exploit Latest Atlassian Bug.” Available: https://www.govinfosecurity.com/cerber-ransomware-operators-exploit-latest-atlassian-bug-a-23552. [Accessed: Dec. 06, 2023]

[71] I. Arghire, “Fidelity National Financial Takes Down Systems Following Cyberattack,” SecurityWeek, Nov. 27, 2023. Available: https://www.securityweek.com/fidelity-national-financial-takes-down-systems-following-cyberattack/. [Accessed: Dec. 04, 2023]

[72] N. Goud, “Ransomware news currently trending on Google,” Cybersecurity Insiders, Dec. 04, 2023. Available: https://www.cybersecurity-insiders.com/ransomware-news-currently-trending-on-google/. [Accessed: Dec. 04, 2023]

[73] S. Jain, “LockBit Ransomware Group Targets New Victims, Threatens to Expose Sensitive Data,” The Cyber Express, Nov. 17, 2023. Available: https://thecyberexpress.com/cyberattack-on-planet-home-lending-by-lockbit/. [Accessed: Dec. 04, 2023]

[74] S. Skiti, “Hackers demand $60m from TransUnion and Experian, claiming data theft,” Business Day, Nov. 23, 2023. Available: https://www.timeslive.co.za/news/south-africa/2023-11-23-hackers-demand-60m-from-transunion-experian-for-new-sa-data-theft/. [Accessed: Dec. 06, 2023]

[75] S. Jain, “The Walker School Hit by ALPHV Ransomware: Ransom Demanded,” The Cyber Express, Nov. 17, 2023. Available: https://thecyberexpress.com/walker-school-data-breach-by-aalphv/. [Accessed: Dec. 04, 2023]

[76] S. Gatlan, “Capital Health Hospitals hit by cyberattack causing IT outages,” BleepingComputer, Nov. 30, 2023. Available: https://www.bleepingcomputer.com/news/security/capital-health-hospitals-hit-by-cyberattack-causing-it-outages/. [Accessed: Dec. 04, 2023]

[77] “Website.” Available: https://thecyberwire.com/podcasts/daily-podcast/1955/notes

[78] B. Toulas, “Pharmacy provider Truepill data breach hits 2.3 million customers,” BleepingComputer, Nov. 14, 2023. Available: https://www.bleepingcomputer.com/news/security/pharmacy-provider-truepill-data-breach-hits-23-million-customers/. [Accessed: Dec. 04, 2023]