The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
Welcome to Picus Security's monthly cyber threat intelligence roundup!
Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.
Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.
By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions.
Top Four Most Targeted Regions in October
October 2023 witnessed a sharp rise in cyberattacks around the world, highlighting the urgent need for better cybersecurity defenses. Below, we detail the specific threat actors and malware campaigns that have targeted different regions including
-
North America,
-
the Middle East,
-
Europe, and
-
East Asia.
We also list the organizations that were impacted by these attacks, along with the relevant sources for this information.
From Sea to Cyber Sea: North America's Unwanted Leadership in the Hacking Hemisphere
The recent surge of cyberattacks in North America demonstrates sophisticated and varied threat vectors targeting multiple sectors.
Threat Actors & Attack Campaigns |
Malware & Tools |
SingularityMD Hacking Group [1], Aleksandr Derebenetc and Kirill Shipulin [2], LockBit Ransomware Group [3], Lazarus Group [4], Russian Speaking Attackers Targeting Departments of Defense and Justice [5], Akira Ransomware Group [6], Octo Tempest [7], Hunters International (with aliases Hive) [8], RansomedVC [9], Sandu Diaconu (with aliases WinD3str0y) [10], Black Basta Ransomware [11], Dark Angels [12], Cuba Ransomware Gang [13], 23andMe [14], North Korean Lazarus and Andariel [15], BianLian Extortion Group [16], ALPHV Ransomware Gang [17], Crambus Attack Campaign by APT34 [18] |
Xenomorph Malware [19], The SIGNBT and LPEClient Malware [4], LockBit Ransomware [3], Akira Ransomware [6], Black Basta Ransomware [11], Cuba Ransomware [13], BlackCat Ransomware [17] |
Table 1. North America as the Most Targeted Region by Threat Actors
The Defense and Justice Departments of the U.S. fell victim to a Russian-speaking hacking group [5] that exploited the MOVEit vulnerability, leading to the theft of 632,000 federal employees' email addresses. JFK Airport's taxi dispatch system was compromised by Russian hackers Aleksandr Derebenetc and Kirill Shipulin [2], who manipulated the queue system for financial gain.
Stanford University's encounter with the Akira ransomware [6] group resulted in the theft of 430GB of data, while the aerospace giant Boeing was reportedly breached by the LockBit ransomware group [3] through a zero-day vulnerability, threatening national security. Inside threats were highlighted by incidents at the NSA, ASML, and U.S. Immigration and Customs Enforcement, with employees using their access for illicit activities.
The financial sector saw the Xenomorph malware [19] campaign targeting U.S. banks by using phishing to capture personal data, while the Toronto Public Library experienced service disruptions due to a Black Basta ransomware [11] attack. In the healthcare sector, Hunters International [8] targeted Dr. Jaime Schwartz's plastic surgery clinic, leaking sensitive patient photos for ransom.
The integrity of the electoral process was threatened when the DC Board of Elections reported a potential theft of the entire voter roll by the RansomedVC gang [9]. The credential-selling marketplace E-Root was disrupted after the extradition of its admin, Sandu Diaconu (with aliases WinD3str0y) [10], to the U.S., impacting numerous sectors through the sale of illegal credentials.
Okta, an InfoSec company, suffered a breach via a third-party vendor, exposing the personal information of its employees [20]. Major ransomware attacks on conglomerates like Johnson Controls and public health departments, such as the Rock County Public Health Department, resulted in substantial demands and data theft [12].
The genetic testing company 23andMe disclosed a breach of 1.3 million clients' records [14], and North Korean hacker groups exploited a critical TeamCity vulnerability to breach networks [15], possibly for software supply chain attacks. The BianLian extortion group [16] claimed to breach Air Canada's network, and ALPHV ransomware gang [17] announced an attack on Florida's circuit court, exposing sensitive information.
Lastly, the Iranian Crambus espionage group [18] engaged in a prolonged campaign against a Middle Eastern government, demonstrating the extensive reach of state-sponsored cyber activities. These events reflect an alarming trend of increased cyber aggression, underscoring the need for advanced, comprehensive security measures across all affected sectors.
Geopolitical Tensions Are Mirrored in Cyberspace in Middle East
The Middle East continues to be a hotspot for diverse and sophisticated cyber threats, leveraging both novel and previously known malware to target a range of victims.
Threat Actors & Attack Campaigns |
Malware & Tools |
Rhysida Ransomware Group [21], Threat Actors Behind the Attack Campaign Targeting Azerbaijani Entities [22], Budworm APT [23], Scarred Manticore Attack Campaign [24], Tortoiseshell (with aliases Crimson Sandstorm, Imperial Kitten, TA456, Yellow Liderc) [25], Crambus Attack Campaign by APT34 [18], Scarred Manticore [26], OilRig Threat Actor [27], Kazakhstan’s State-owned Attacker YoroTrooper [28] |
Bibi-Linux Wiper Malware [29], Rhysida Ransomware [21], LIONTAIL Malware [24], IMAP Loader [25], PowerExchange Backdoor [18], Malicious “RedAlert - Rocket Alerts” Application [30], Ballistic Bobcat Backdoor, Redline Stealer and Private Loader [31] |
Table #. Middle East as the Second Most Targeted Regions by Threat Actors and Malware Campaigns
In Israel, organizations faced the new BiBi-Linux wiper [29], which destroys data on compromised Linux systems.
The Rhysida ransomware group attacked Kuwait’s Ministry of Finance [21], but reportedly did not access financial data. Azerbaijani entities were lured into spyware infections through emails feigning to contain information about the Azerbaijan-Armenia conflict [22]. Meanwhile, the Iranian APT group Scarred Manticore used the LIONTAIL malware [24] to execute a cyber espionage campaign against various sectors in Saudi Arabia, UAE, Jordan, and others, through IIS-based backdoors.
Continuing Iran's cyber activity in the region, the Tortoiseshell group launched IMAPLoader
malware [25] attacks against the maritime, shipping, and logistics industries in the Mediterranean. In parallel, the Iranian espionage group Crambus (aka OilRig, APT34) compromised a Middle Eastern government over eight months, employing PowerExchange, a PowerShell backdoor [18], and using the Plink tool for remote access, along with modifying firewall rules for maintaining access.
Hacktivist movements in the Israel-Hamas conflict also saw the deployment of scareware and malware like Redline Stealer and PrivateLoader [31], leading to data leaks and disruptions. An Iranian cyber-espionage group, Ballistic Bobcat, deployed a novel backdoor targeting entities in Brazil, Israel, and the UAE.
These incidents collectively indicate that threat actors are not only persistent but also constantly evolving their malware and tactics to exploit geopolitical tensions and organizational vulnerabilities within the Middle East.
Cyber Storms Over Europe: The Continent Rises as Hackers' Third Favorite Target
Cybersecurity landscapes across Europe are under siege by a range of threat actors deploying sophisticated malware and ransomware attacks.
Threat Actors & Attack Campaigns |
Malware & Tools |
Hunters International Ransomware-as-a-Service (RaaS) [32], Threat Actors Behind British Mobile Virtual Network Operator Company Lyca Mobile Breach [33], Winter Vivern Cyber Spy Group (with aliases Fancy Bear) [34], Sandu Diaconu (with aliases WinD3str0y) [10], UAC-0165 [35], TA473 Cyberespionage Group [36], Sandworm APT [37], Void Rabisu APT [38] |
Xenomorph Android Malware [19], RomCom Malware [38] |
The Xenomorph malware [19] has notably been targeting banks in Spain, Portugal, Italy, and Belgium, with cybercriminals focusing on financial gain. This malware is adept at stealing personal information using deceptive overlays and has evolved to include features that avoid detection and simulate user actions. It has also been distributed in conjunction with other malware families, indicating a collaborative and dangerous malware ecosystem.
Hunters International [32], a new ransomware-as-a-service operation, has emerged as a potential successor to the Hive ransomware group. The group has already claimed a UK school as a victim, exposing sensitive data on nearly 50,000 files.
Meanwhile, Lyca Mobile in the UK suffered a breach that led to significant customer disruption [33], hinting at compromised client passwords and forced system shutdowns as a precautionary response.
The espionage landscape is also brimming with activity as the Winter Vivern group, also known with aliases Fancy Bear, exploits zero-day vulnerabilities to target European governments [34]. Their methods demonstrate a high level of sophistication, leveraging phishing and known software flaws to gain access to sensitive information. The group's persistence and technical advancement present an ongoing threat to governmental cybersecurity.
Parallel to these espionage efforts, the E-Root marketplace's admin, Sandu Diaconu, was extradited to the US, signifying a substantial disruption to an illicit network that facilitated ransomware attacks, wire fraud, and other cybercrimes. Over 350,000 credentials were trafficked on this platform, affecting individuals, companies, and government agencies.
In Ukraine, a series of cyberattacks orchestrated by an unidentified group disrupted services across 11 telecom providers. These attacks highlight a pattern of reconnaissance and exploitation, utilizing compromised servers to conduct operations, especially within the Ukrainian internet space. Finally, the RomCom malware [38] phishing campaign targeted the Women Political Leaders Summit in Brussels. The attackers deployed a new backdoor variant using a fake website resembling the official WPL portal, demonstrating a continuous threat to political events and the individuals involved.
Each of these incidents underscores a multifaceted threat environment in Europe, where financial gain, espionage, and disruption are key motivators for diverse and increasingly sophisticated cyber adversaries.
From Silicon to Cyber Silk Road: East Asia Emerges as Fourth Most Hacked Region
In East Asia, a series of cyber attacks has highlighted the vulnerability of both the entertainment and telecommunications sectors, as well as the burgeoning cryptocurrency market.
Threat Actors & Attack Campaigns |
Malware & Tools |
RansomedVC Threat Group [39], Threat Actors Behind the Mixin Breach [40], Budworm APT [23], Threat Actors Behind the Casio Breach [41] |
SysUpdate Backdoor Malware [23] |
Japanese conglomerates Sony and NTT Docomo fell victim to ransomware attacks orchestrated by the RansomedVC group [39], which demanded millions in ransom and threatened to leak sensitive data. In the realm of cryptocurrency, the Hong Kong-based exchange Mixin suffered a major security breach resulting in the theft of $200 million [40]. The attackers exploited vulnerabilities in a cloud provider's database, showcasing the sophisticated methods used by cybercriminals to siphon off vast sums from digital currency platforms.
The activity of Chinese APT group Budworm has also been noted; this group employed DLL sideloading techniques to deploy SysUpdate malware, targeting government entities in Asia and a telecom company in the Middle East [23]. The SysUpdate malware acts as a backdoor, signifying an advanced persistent threat with the potential for long-term espionage and data extraction.
Casio, a global leader in consumer electronics, experienced a significant data breach involving a ClassPad server [41] Personal information of customers from 149 countries was compromised, including names, email addresses, purchase information, and service usage details. This breach, attributed to disabled network security settings and inadequate operational management, could expose customers to identity theft, phishing, and other cyber threats.
Top Five Most Targeted Sectors in October 2023
In this section, we will list the most targeted sectors:
-
Government and Administration,
-
Technology,
-
Finance,
-
Education, and
-
Telecommunications.
For each sector, we will provide the corresponding threat actors and APT (Advanced Persistent Threat) groups, as well as their malware campaigns.
Top of the Hacker's Hitlist: Government and Administration Under Siege!
The government and administrative sector is increasingly besieged by sophisticated cyber threats from various global actors, each with unique tools and methods of attack.
Threat Actors & Attack Campaigns |
Malware & Tools |
Winter Vivern Russia Hacking Group [36], Rhysida Ransomware Group [21], Threat Actors Behind the Attack Campaign Targeting Azerbaijani Entities [22], Budworm APT [23], RansomedVC [42], Scarred Manticore Attack Campaign [24], TA473 Cyberespionage Group [36], TetrisPhantom Threat Group [43], Void Rabisu APT [38], Kazakhstan’s State-owned Attacker YoroTrooper [28] |
Bibi-Linux Wiper Malware [29], Rhysida Ransomware [21], LIONTAIL Malware [24], DinodasRAT [44], RomCom Malware [38], SysUpdate Malware [23] |
The Chinese APT group Budworm [23] has been active, using advanced techniques such as DLL sideloading to implant its SysUpdate malware [23] into government and telecommunications entities, operating as a versatile backdoor for espionage. Similarly, the RansomedVC ransomware [42] gang compromised the District of Columbia Board of Elections through a breach in their hosting provider's server, threatening the integrity of sensitive US voter information.
In the Middle East, the Iranian APT group Scarred Manticore [24], also known as Storm-0861 or OilRig, has been leveraging IIS-based backdoors named LIONTAIL [24] for cyberespionage against governmental and military targets, exhibiting their prowess since at least 2019.
Moreover, the Asia-Pacific region has not been spared, with the emergence of the TetrisPhantom [43] hackers who exploit secure USB drives to pilfer data from government systems. This threat underscores the ingenuity of threat actors in breaching even air-gapped security measures. At the same time, the Women Political Leaders Summit in Brussels became the target of a phishing campaign utilizing a new variant of the RomCom backdoor [38], indicating a trend towards more stealthy and sophisticated malware.
Additionally, the Kazakhstani group YoroTrooper has been identified by Cisco Talos [28], highlighting the diverse linguistic and regional expertise of state-sponsored cyber threats. These incidents collectively underline the critical need for robust cybersecurity measures and constant vigilance in the government sector against a backdrop of escalating and evolving cyber threats.
Digital Crosshairs: Technology Sector Seizes the Silver in Cybersecurity Breach Stakes!
The technology sector continues to grapple with sophisticated cyber threats, with recent breaches indicating a high level of targeted activity.
Threat Actors & Attack Campaigns |
Malware & Tools |
Lazarus APT [4], Octo Tempest [45], Okta Breach [46], Diamond Sleet, Onyx Sleet (with aliases ZINC, PLUTONIUM) [47], An Unidentified APT Group [48] |
SIGNBT and LPEClient Malware [4], ALPHV/BlackCat Ransomware [45], ForestTiger Backdoor, RollSling, FeedLoad, HazyLoad Malware [47], API SbieDll_Hook, loading tools such as Cobalt Strike Stager, Cobalt Strike Beacon, the Havoc framework, and NetSpy [48] |
North Korean threat actors, particularly Diamond Sleet and Onyx Sleet, have exploited a vulnerability in JetBrains TeamCity (CVE-2023-42793) to deploy malware such as ForestTiger, RollSling, FeedLoad, and HazyLoad, suggesting an elevated risk to software development and technology organizations [47]. These actors, also known as ZINC and PLUTONIUM, are motivated by cyber espionage, seeking persistent access to compromise systems, and have been active since early October 2023.
In a similar vein, the notorious Lazarus group breached a software vendor repeatedly, aiming for source code theft or supply chain attacks, using sophisticated malware like SIGNBT and LPEClient, despite available patches for known software flaws [4].
Further demonstrating the sector's vulnerability, Octo Tempest [45], an adept English-speaking hacking group, has been executing ransomware attacks and data extortion against various industries, including technology, by deploying ALPHV/BlackCat ransomware [45] and sophisticated phishing tools.
Additionally, a new APT group [48] has been observed conducting targeted attacks against the manufacturing and IT industries, employing a unique combination of custom malware and known exploits like CVE-2019-0803 for credential theft and system control.
These incidents highlight the ongoing and diverse threats facing the technology sector, where threat actors leverage a mix of old and new vulnerabilities and malware to achieve their objectives, from espionage to financial gain.
Monetary Mayhem: Finance Holds the Third Place Trophy in Cyber Intrusions
The finance sector has faced a series of cyber threats, with multiple actors and malware targeting financial institutions and cryptocurrency platforms.
Threat Actors & Attack Campaigns |
Malware & Tools |
Threat Actor Behind the LastPass Cryptocurrency Breach [49], Octo Tempest [45], Threat Actors Behind the Mixin Breach [40], Scarred Manticore Attack Campaign [24], KibOrg and NLB Hacktivist Groups |
Xenomorph Android Malware [19], ALPHV/BlackCat Ransomware [45], LIONTAIL Malware [24], SeroXen Remote Access Trojan (RAT) [50] |
The LastPass cryptocurrency breach [49], attributed to the theft of $4.4 million, was conducted by threat actors who exploited stolen databases to access cryptocurrency wallet passphrases, credentials, and private keys. This breach underscores the growing trend of cybercriminals targeting password managers to facilitate cryptocurrency theft.
In another event, developers were deceived by malicious NuGet packages, which amassed over two million downloads, impersonating crypto wallets and exchanges. These packages were designed to distribute the SeroXen remote access trojan (RAT) [50], highlighting the risks posed to software supply chains by malicious actors.
In a notable cyber operation, Ukrainian hacktivist groups KibOrg and NLB [51], reportedly in collaboration with Ukraine's Security Services (SBU), breached Alfa-Bank, Russia's largest private bank. They claimed to have accessed the private information of over 30 million clients, including sensitive personal data. This incident not only reflects the direct impact of geopolitical tensions on cybersecurity but also serves as a reminder of the high stakes involved in protecting customer data within the finance sector.
These diverse and significant cyber threats demonstrate the finance sector's position as a high-value target for a variety of cybercriminal activities, from politically motivated attacks to complex financial fraud schemes.
Hacking the Halls of Learning: Education Sector Takes Fourth Place in Cyber Threats
The education sector has been hit by a wave of cyberattacks affecting institutions of various sizes and significance.
Threat Actor |
UNC Behind Toronto Public Library Service Downing Attack [52], Hunters International Ransomware-as-a-Service (RaaS) [32], SingularityMD Hacking Group [1], Akira Ransomware Gang [53], Threat Actors Behind the University of Michigan Breach [54], Threat Actors Behind University of Tokyo Breach [55], AvosLocker Double-Extortion Group [56] |
The Toronto Public Library [52], a key educational resource in Canada, experienced a cyberattack that disrupted its online services. The incident affected a vast network of 100 branch libraries and over a million registered members, challenging the library's considerable operational budget that surpasses $200M.
Stanford University also fell victim to a cyberattack by the Akira ransomware gang [53], which claimed to have exposed 430GB of sensitive data. This breach targeted the systems of Stanford's Department of Public Safety, potentially affecting the security of the university's community.
The University of Michigan disclosed a data breach involving unauthorized access to servers containing sensitive information such as Social Security and driver's license numbers, government IDs, payment information, and healthcare details [54].
Similarly, the University of Tokyo suffered a data leak resulting from a malware infection, compromising the personal information of students across nearly two decades (from 2003 to 2022) [55]. Both incidents highlight the vulnerability of personal data within educational institutions.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding AvosLocker, a Ransomware-as-a-Service group with a significant focus on the education sector [56], constituting a quarter of their attacks. The United States was the primary target of these attacks, showcasing the persistent threat of ransomware within the educational landscape. This pattern of attacks underscores the need for robust cybersecurity measures in educational institutions, which house a wealth of sensitive information and are integral to the learning process and personal development of students.
Signals Intercepted: Telecommunications Named Fifth in the Cyber Strike League
The telecommunications sector has been under persistent cyber threat, with various nation-state actors conducting targeted attacks to disrupt services and gather intelligence.
Threat Actors & Attack Campaigns |
Malware & Tools |
Budworm APT [23], Threat Actors Behind British Mobile Virtual Network Operator Company Lyca Mobile Breach [33], Scarred Manticore Attack Campaign [24], UAC-0165 [35], Sandworm APT [37], ToddyCat Hackers [57], Kazakhstan’s State-owned Attacker YoroTrooper [28], Staying Alive Attack Campaign [58] |
LIONTAIL Malware [24], POEMGATE, POSEIDON and HITECAT [35], CurKeep Malware [57] |
In October 2023, The Computer Emergency Response Team of Ukraine (CERT-UA) identified that at least 11 service providers had been compromised by threat actors, designated as UAC-0165 [35], between May and September of that year. The reconnaissance activities were carried out from servers previously compromised within Ukraine. These attacks involved scanning for vulnerable RDP or SSH interfaces to gain entry, which led to significant service interruptions for customers.
In the Middle East, the Iranian threat actor Scarred Manticore [24], linked to OilRig (APT34, EUROPIUM, Hazel Sandstorm), has been actively targeting government and telecommunications sectors. Meanwhile, the notorious Russian Sandworm APT [37] group breached 11 Ukrainian telecom providers within the same timeframe, resulting in service disruptions and potential data breaches. Sandworm's operations are characterized by sophisticated espionage tactics including phishing, Android malware, and data-wiping tools.
Additionally, the 'Stayin' Alive' campaign [58] orchestrated by the Chinese espionage actor ToddyCat [57] has been targeting telecoms across Asia. This campaign employed "disposable" malware, including downloaders and loaders like CurKeep, to avoid detection and maintain a foothold in targeted networks.
The persistent and varied nature of these attacks highlights the strategic importance of telecommunications infrastructure in geopolitical cyber operations, and the need for heightened security measures in this sector.
References
[1] L. Abrams, “Hackers email stolen student data to parents of Nevada school district,” BleepingComputer, Oct. 28, 2023. Available: https://www.bleepingcomputer.com/news/security/hackers-email-stolen-student-data-to-parents-of-nevada-school-district/. [Accessed: Nov. 07, 2023]
[2] T. Claburn, “Now Russians accused of pwning JFK taxi system to sell top spots to cabbies,” The Register, Oct. 31, 2023. Available: https://www.theregister.com/2023/10/31/russians_nyc_jfk_taxi_hacking/. [Accessed: Nov. 08, 2023]
[3] “Website.” Available: https://thecyberwire.com/stories/fe240f10e10049b9b2b9407216696e1b/lockbit-claims-a-cyberattack-against-boeing
[4] B. Toulas, “Lazarus hackers breached dev repeatedly to deploy SIGNBT malware,” BleepingComputer, Oct. 27, 2023. Available: https://www.bleepingcomputer.com/news/security/lazarus-hackers-breached-dev-repeatedly-to-deploy-signbt-malware/. [Accessed: Nov. 07, 2023]
[5] “Bloomberg.” Available: https://www.bloomberg.com/news/articles/2023-10-30/hackers-accessed-632-000-email-addresses-at-defense-doj. [Accessed: Nov. 08, 2023]
[6] C. Jones, “Stanford schooled in cybersecurity after Akira claims ransomware attack,” The Register, Oct. 30, 2023. Available: https://www.theregister.com/2023/10/30/stanford_university_confirms_investigation_into/. [Accessed: Nov. 08, 2023]
[7] C. Jones, “Microsoft unveils shady shenanigans of Octo Tempest and their cyber-trickery toolkit,” The Register, Oct. 27, 2023. Available: https://www.theregister.com/2023/10/27/octo_tempest_microsoft/. [Accessed: Nov. 08, 2023]
[8] C. Jones, “Hunters International leaks pre-op plastic surgery pics in negotiation no-no,” The Register, Oct. 25, 2023. Available: https://www.theregister.com/2023/10/25/rebuilt_hive_ransomware_gang_stings/. [Accessed: Nov. 08, 2023]
[9] J. L. Hardcastle, “DC elections agency warns entire voting roll may have been stolen,” The Register, Oct. 23, 2023. Available: https://www.theregister.com/2023/10/23/washington_elections_agency_breach/. [Accessed: Nov. 08, 2023]
[10] J. L. Hardcastle, “Admin behind E-Root stolen creds souk extradited to US,” The Register, Oct. 20, 2023. Available: https://www.theregister.com/2023/10/20/eroot_admin_extradited/. [Accessed: Nov. 08, 2023]
[11] L. Abrams, “Toronto Public Library outages caused by Black Basta ransomware attack,” BleepingComputer, Nov. 01, 2023. Available: https://www.bleepingcomputer.com/news/security/toronto-public-library-outages-caused-by-black-basta-ransomware-attack/. [Accessed: Nov. 08, 2023]
[12] G. Cluley, “Ransomware group demands $51 million from Johnson Controls after cyber attack,” Hot for Security. Available: https://www.bitdefender.com/blog/hotforsecurity/ransomware-group-demands-51-million-from-johnson-controls-after-cyber-attack/. [Accessed: Nov. 08, 2023]
[13] J. Greig, “Wisconsin county dealing with ransomware attack on public health department.” Available: https://therecord.media/wisconsin-county-dealing-with-ransomware-attack-healthcare. [Accessed: Nov. 08, 2023]
[14] J. Greig, “23andMe scraping incident leaked data on 1.3 million users of Ashkenazi and Chinese descent.” Available: https://therecord.media/scraping-incident-genetic-testing-site. [Accessed: Nov. 08, 2023]
[15] L. Abrams, “North Korean hackers exploit critical TeamCity flaw to breach networks,” BleepingComputer, Oct. 18, 2023. Available: https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-critical-teamcity-flaw-to-breach-networks/. [Accessed: Nov. 08, 2023]
[16] S. Gatlan, “BianLian extortion group claims recent Air Canada breach,” BleepingComputer, Oct. 11, 2023. Available: https://www.bleepingcomputer.com/news/security/bianlian-extortion-group-claims-recent-air-canada-breach/. [Accessed: Nov. 08, 2023]
[17] S. Gatlan, “ALPHV ransomware gang claims attack on Florida circuit court,” BleepingComputer, Oct. 09, 2023. Available: https://www.bleepingcomputer.com/news/security/alphv-ransomware-gang-claims-attack-on-florida-circuit-court/. [Accessed: Nov. 08, 2023]
[18] “Crambus: New Campaign Targets Middle Eastern Government.” Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government. [Accessed: Nov. 08, 2023]
[19] R. Priyanka, “Xenomorph Malware targets US banks,” Latest Cyber Security News, Leading Cyber Security News, Sep. 27, 2023. Available: https://cybersafe.news/xenomorph-malware-targets-us-banks/. [Accessed: Nov. 07, 2023]
[20] B. Toulas, “Okta hit by third-party data breach exposing employee information,” BleepingComputer, Nov. 02, 2023. Available: https://www.bleepingcomputer.com/news/security/okta-hit-by-third-party-data-breach-exposing-employee-information/. [Accessed: Nov. 09, 2023]
[21] J. Greig, “Kuwait isolates some government systems following attack on its Finance Ministry.” Available: https://therecord.media/kuwait-isolates-systems-after-ransomware-attack. [Accessed: Nov. 08, 2023]
[22] F. Gutierrez, “Threat Actors Exploit the Tensions Between Azerbaijan and Armenia,” Fortinet Blog, Sep. 27, 2023. Available: https://www.fortinet.com/blog/threat-research/threat-Actors-exploit-the-tensions-between-azerbaijan-and-armenia. [Accessed: Nov. 08, 2023]
[23] “Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org.” Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt. [Accessed: Nov. 08, 2023]
[24] “From Albania to the Middle East: The Scarred Manticore is Listening,” Check Point Research, Oct. 31, 2023. Available: https://research.checkpoint.com/2023/from-albania-to-the-middle-east-the-scarred-manticore-is-listening/. [Accessed: Nov. 08, 2023]
[25] 2023 newsroom Oct 26, “Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks,” The Hacker News, Oct. 26, 2023. Available: https://thehackernews.com/2023/10/iranian-group-tortoiseshell-launches.html. [Accessed: Nov. 08, 2023]
[26] “AlienVault - Open Threat Exchange,” AlienVault Open Threat Exchange. Available: https://otx.alienvault.com/pulse/6540ef652aec427c2989429d. [Accessed: Nov. 09, 2023]
[27] “AlienVault - Open Threat Exchange,” AlienVault Open Threat Exchange. Available: https://otx.alienvault.com/pulse/650d6ec6b48cdeb3e1205751. [Accessed: Nov. 09, 2023]
[28] A. Malhotra, “Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan,” Cisco Talos Blog, Oct. 25, 2023. Available: https://blog.talosintelligence.com/attributing-yorotrooper/. [Accessed: Nov. 09, 2023]
[29] S. Gatlan, “New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks,” BleepingComputer, Oct. 30, 2023. Available: https://www.bleepingcomputer.com/news/security/new-bibi-linux-wiper-malware-targets-israeli-orgs-in-destructive-attacks/. [Accessed: Nov. 07, 2023]
[30] “AlienVault - Open Threat Exchange,” AlienVault Open Threat Exchange. Available: https://otx.alienvault.com/pulse/652e97f29e476b423d10aeae. [Accessed: Nov. 09, 2023]
[31] “Picus CTI.” Available: http://136.243.15.17:9090/dashboard/analysis/reports/09551476-774e-4d3e-ab58-88254a7ce8f1. [Accessed: Nov. 09, 2023]
[32] I. Ilascu, “New Hunters International ransomware possible rebrand of Hive,” BleepingComputer, Oct. 29, 2023. Available: https://www.bleepingcomputer.com/news/security/new-hunters-international-ransomware-possible-rebrand-of-hive/. [Accessed: Nov. 07, 2023]
[33] C. Page, “Lyca Mobile says customer data was stolen during cyberattack,” TechCrunch, Oct. 06, 2023. Available: https://techcrunch.com/2023/10/06/lyca-mobile-says-customer-data-was-stolen-during-cyberattack/. [Accessed: Nov. 08, 2023]
[34] C. Jones, “Pro-Russia group exploits Roundcube zero-day in attacks on European government emails,” The Register, Oct. 25, 2023. Available: https://www.theregister.com/2023/10/25/prorussia_group_exploits_roundcube_zeroday/. [Accessed: Nov. 08, 2023]
[35] 2023newsroom Oct 17, “CERT-UA Reports: 11 Ukrainian Telecom Providers Hit by Cyberattacks,” The Hacker News, Oct. 17, 2023. Available: https://thehackernews.com/2023/10/cert-ua-reports-11-ukrainian-telecom.html. [Accessed: Nov. 08, 2023]
[36] S. Gatlan, “European govt email servers hacked using Roundcube zero-day,” BleepingComputer, Oct. 25, 2023. Available: https://www.bleepingcomputer.com/news/security/european-govt-email-servers-hacked-using-roundcube-zero-day/. [Accessed: Nov. 07, 2023]
[37] B. Toulas, “Russian Sandworm hackers breached 11 Ukrainian telcos since May,” BleepingComputer, Oct. 16, 2023. Available: https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-breached-11-ukrainian-telcos-since-may/. [Accessed: Nov. 08, 2023]
[38] B. Toulas, “Women Political Leaders Summit targeted in RomCom malware phishing,” BleepingComputer, Oct. 15, 2023. Available: https://www.bleepingcomputer.com/news/security/women-political-leaders-summit-targeted-in-romcom-malware-phishing/. [Accessed: Nov. 08, 2023]
[39] A. Mascellino, “Ransomed.vc Group Hits NTT Docomo After Sony Breach Claims,” Infosecurity Magazine, Sep. 27, 2023. Available: https://www.infosecurity-magazine.com/news/ransomedvc-group-hits-ntt-docomo/. [Accessed: Nov. 08, 2023]
[40] L. Franceschi-Bicchierai, “Hackers steal $200M from crypto company Mixin,” TechCrunch, Sep. 25, 2023. Available: https://techcrunch.com/2023/09/25/hackers-steal-200-million-from-crypto-company-mixin/. [Accessed: Nov. 08, 2023]
[41] J. L. Hardcastle, “Casio keyed up after data loss hits customers in 149 countries,” The Register, Oct. 19, 2023. Available: https://www.theregister.com/2023/10/19/casio_data_theft/. [Accessed: Nov. 08, 2023]
[42] S. Gatlan, “D.C. Board of Elections confirms voter data stolen in site hack,” BleepingComputer, Oct. 06, 2023. Available: https://www.bleepingcomputer.com/news/security/dc-board-of-elections-confirms-voter-data-stolen-in-site-hack/. [Accessed: Nov. 08, 2023]
[43] B. Toulas, “New TetrisPhantom hackers steal data from secure USB drives on govt systems,” BleepingComputer, Oct. 22, 2023. Available: https://www.bleepingcomputer.com/news/security/new-tetrisphantom-hackers-steal-data-from-secure-usb-drives-on-govt-systems/. [Accessed: Nov. 08, 2023]
[44] 2023 newsroom Oct 05, “Guyana Governmental Entity Hit by DinodasRAT in Cyber Espionage Attack,” The Hacker News, Oct. 05, 2023. Available: https://thehackernews.com/2023/10/guyana-governmental-entity-hit-by.html. [Accessed: Nov. 08, 2023]
[45] M. I. Response and M. T. Intelligence, “Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction,” Microsoft Security Blog, Oct. 25, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/. [Accessed: Nov. 07, 2023]
[46] R. Goswami, “Okta cybersecurity breach wipes out more than $2 billion in market cap,” CNBC, Oct. 23, 2023. Available: https://www.cnbc.com/2023/10/23/okta-hack-wipes-out-more-than-2-billion-in-market-cap.html. [Accessed: Nov. 08, 2023]
[47] M. T. Intelligence, “Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability,” Microsoft Security Blog, Oct. 18, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/. [Accessed: Nov. 09, 2023]
[48] T. S. Dutta, “New APT Group Using Custom Malware to Attack Manufacturing & IT Industries,” Cyber Security News, Oct. 10, 2023. Available: https://cybersecuritynews.com/apt-group-custom-malware/. [Accessed: Nov. 09, 2023]
[49] L. Abrams, “LastPass breach linked to theft of $4.4 million in crypto,” BleepingComputer, Oct. 30, 2023. Available: https://www.bleepingcomputer.com/news/security/lastpass-breach-linked-to-theft-of-44-million-in-crypto/. [Accessed: Nov. 07, 2023]
[50] B. Toulas, “Malicious Solana, Kucoin packages infect NuGet devs with SeroXen RAT,” BleepingComputer, Oct. 12, 2023. Available: https://www.bleepingcomputer.com/news/security/malicious-solana-kucoin-packages-infect-nuget-devs-with-seroxen-rat/. [Accessed: Nov. 08, 2023]
[51] D. Antoniuk, “Ukraine security services involved in hack of Russia’s largest private bank.” Available: https://therecord.media/sbu-involved-in-alfa-bank-hack. [Accessed: Nov. 09, 2023]
[52] B. Toulas, “Toronto Public Library services down following weekend cyberattack,” BleepingComputer, Oct. 30, 2023. Available: https://www.bleepingcomputer.com/news/security/toronto-public-library-services-down-following-weekend-cyberattack/. [Accessed: Nov. 07, 2023]
[53] J. Greig, “Stanford University investigating cyberattack after ransomware claims.” Available: https://therecord.media/stanford-investigating-cyberattack-after-ransomware. [Accessed: Nov. 08, 2023]
[54] I. Ilascu, “University of Michigan employee, student data stolen in cyberattack,” BleepingComputer, Oct. 23, 2023. Available: https://www.bleepingcomputer.com/news/security/university-of-michigan-employee-student-data-stolen-in-cyberattack/. [Accessed: Nov. 09, 2023]
[55] The Yomiuri Shimbun, “University of Tokyo PC Infected with Malware in July 2022; Possible Leak of Students’ Addresses, Grades,” Oct. 24, 2023. Available: https://japannews.yomiuri.co.jp/society/crime-courts/20231024-145447/. [Accessed: Nov. 08, 2023]
[56] N. Shivtarkar and R. Dodia, “A Retrospective on AvosLocker,” Oct. 27, 2023. Available: https://www.zscaler.com/blogs/security-research/retrospective-avoslocker. [Accessed: Nov. 09, 2023]
[57] B. Toulas, “ToddyCat hackers use ‘disposable’ malware to target Asian telecoms,” BleepingComputer, Oct. 12, 2023. Available: https://www.bleepingcomputer.com/news/security/toddycat-hackers-use-disposable-malware-to-target-asian-telecoms/. [Accessed: Nov. 08, 2023]
[58] “Stayin’ Alive - Targeted Attacks Against Telecoms and Government Ministries in Asia,” Check Point Research, Oct. 11, 2023. Available: https://research.checkpoint.com/2023/stayin-alive-targeted-attacks-against-telecoms-and-government-ministries-in-asia/. [Accessed: Nov. 09, 2023]