Picus Cyber Threat Intelligence Report July 2023: Key Threat Actors, Regions and Industries at Risk

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

Welcome to Picus Security's monthly cyber threat intelligence roundup!

Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.

Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.

By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions. 

Top Four Most Targeted Regions in July

  • Northern America (U.S) emerged as the foremost targeted region in July 2023, facing threats from multiple prominent threat actors like Storm-0558 ([1], [2]), ALPHV (BlackCat) ([3], [4], [5]), Cl0p [6] and NoEscape [7], Ransomware Gangs, and the SiegedSec Hacker Group, among others. The attackers leveraged various tools and malware such as backdoors or ransomware, which can be seen in Table 1.

  • Europe stood as the second most targeted region, witnessing attacks predominantly from actors like Storm-0978 [8], Lazarus APT [9], APT31 [10] and the Turla Hacking Group [11]. Notable malware in these campaigns included the Ursnif Banking Trojan [12] and the WikiLoader Downloader Malware [13], which mainly targeted Italian organizations

  • In East Asia, actors such as APT37 [14], LockBit 3.0 [15] Ransomware Gang, Storm-0558 [16] remained active. In addition, an emerging threat group called Mysterious Elephant [17] is targeting Asia-Pacific countries.

  • Government Agencies, Finance, Education, Energy, and Healthcare are the top five sectors under constant siege, predominantly from Cl0p Ransomware Gang, Lazarus APT, LockBit, BlackCat Ransomware Gang, and other varied threat actors. These sectors are prime targets due to their vast repositories of sensitive data, financial assets, and critical infrastructure, providing opportunities for ransom demands, data theft, and geopolitical disruption. 

  • Lastly, South Asia encountered threats mainly from the Bahamut APT [18], DoNot APT [19], and ALPHV (BlackCat) Ransomware Gang. In addition, India's cybersecurity agency, CERT-In, has issued a warning about a newly identified ransomware called 'Akira' [20], which targets both Windows and Linux operating systems and compromises users through VPN services, deploying tools like AnyDesk, WinRAR, and PC Hunter.

 

Most Targeted Region

Threat Actor

Malware and Tools

1

Northern America (U.S.)

RStorm-0558 ([1], [2]), ALPHV (BlackCat) Ransomware Gang ([3], [4], [5]), Cl0p Ransomware Gang [6], Storm-0978 [8], NoEscape Ransomware Gang [7], SiegedSec Hacker Group [21], Snatch Ransomware Gang [22], Midnight Blizzard [23]

SpyBoy Terminator [3], Cobalt Strike [3], LaZagne Tool [3], Cl0p Ransomware [6], LEMURLOOT Web Shell ([6], [24]), FlawedAmmyy / FlawedGrace RAT ([6], [24]), DBot RAT ([6], [24]), Truebot ([6], [24]), Cobalt Strike ([6], [24]), DEWMODE Web Shell ([6], [24]), BlackCat Ransomware [3], ExMatter Malware [5], Sphynx Ransomware [5], Impacket Toolkit ([8], [5]), Blackmoon Trojan (KRBanker) [25], Cigril Tool [2], SoftEther Proxy Software [2], RomCom Backdoor [8], Industrial Spy Ransomware [8], Trigona Ransomware [8], NoEscape Ransomware Gang ([7], [26]), Blackmoon Trojan (KRBanker) [25]

2

Europe

Storm-0978 [8], Lazarus APT [9], Unknown threat actors behind the attack on Recycling Giant Tombra [27], Turla Hacking Group [11], Midnight Blizzard [23], Rhysida Ransomware Gang ([28], [29]), Cl0p Ransomware Gang [30], APT31 [10]

RomCom Backdoor [8], Industrial Spy Ransomware [8], Trigona Ransomware [8], Ursnif Banking Trojan [12], WikiLoader Downloader Malware [13],  Cl0p Ransomware ([6], [30]), LEMURLOOT Web Shell ([6], [24]), FlawedAmmyy / FlawedGrace RAT ([6], [24]), DBot RAT ([6], [24]), Truebot ([6], [24]), Cobalt Strike ([6], [24]), DEWMODE Web Shell ([6], [24])

3

East Asia 

APT37 (STARK#MULE Attack Campaign) [14], LockBit 3.0 Ransomware Gang [15], Storm-0558 [16], Mysterious Elephant [17] 

Cigril Tool [2], SoftEther Proxy Software [2], Payloads which are named lsasetup.tmp, winrar.exe and conshost.exe by APT37 [14]

4

South Asia 

Bahamut APT [18], BlackCat Ransomware Gang, DoNot APT [19],  Mysterious Elephant [17], Akira Ransomware Group [20]

BlackCat Ransomware, Akira Ransomware [20]

Table 1. Most Targeted Regions in July 2023

Top 5 Most Targeted Sectors in July

In July 2023, the government, healthcare, manufacturing, cryptocurrency and financial services, and education sectors emerged as the top five most targeted domains for cyber-attacks.

  • Governments

In July, governmental agencies surfaced as a prime target for cyber-attacks. The Norwegian Government fell victim to a significant breach, compromising software used across 12 vital ministries. This attack was distinct as it exploited a zero-day vulnerability. Among the notable threat actors targeting this sector were groups like Storm-0558, attributed to Chinese origins, and the North Korean-affiliated APT37 and Lazarus APT. SiegedSec Hacking Group also made its mark with the alleged NATO data theft. In the US, the City of Hayward, California wasn't spared either, illustrating that these attacks weren't confined to national governments alone.

  • Healthcare

The healthcare sector continued its trend as a desirable target for cybercriminals, especially in the backdrop of the pandemic. This vulnerability was underscored by the Maximum Data Breach, which compromised the details of over 8 million customers linked to healthcare programs. Prominent ransomware groups like Snatch and ALPHV (BlackCat) were particularly active, the latter of which was linked to a significant breach affecting Tampa General Hospital. The American hospital operator, HCA Healthcare, also fell prey to unidentified actors, potentially impacting 11 million patients.

  • Manufacture

Manufacturing entities weren't immune to the cyber onslaught. Major incidents included a targeted attack on the Taiwan Semiconductor Manufacturing Company, attributed to the LockBit 3.0 ransomware group. Notably recurrent in this domain were the Cl0p and ALPHV (BlackCat) ransomware gangs. The Yamaha breach brought to light the involvement of BlackByte and Akira Ransomware Gang, emphasizing the extensive nature of threats faced by this sector.

  • Cryptocurrency and Financial Services

Financial domains, inclusive of cryptocurrency, continued to be a gold mine for cyber-attackers. The North Korean hacking group Lazarus was particularly active, orchestrating an attack on CoinsPaid, leading to significant financial repercussions. New-age threats like open-source software supply chain attacks also came into focus, targeting banking systems. Key malware to watch out for in this domain includes the Ursnif Banking Trojan and WikiLoader downloader malware.

  • Education

The education sector, while always a target, saw increased activity in July. Institutions like Hawaii Community College found themselves at the mercy of ransomware groups like NoEscape, emphasizing the sector's vulnerabilities. The Cl0p Ransomware Gang, particularly through its MOVEit attack, targeted entities like Colorado State University. An interesting entrant in the threat landscape was Cyber Partisans, a hacktivist group from Belarus. Educational institutions need to be wary of malware such as the Eeamfo, and NoEscape Ransomware which have seen increased deployment.

 

Targeted Sector

Threat Actors

Malware

1

Governments

Storm-0558 (Attributed to Chinese origin) [1], APT37, Lazarus APT, SiegedSec Hacking Group, Unknown (exploited a zero-day vulnerability in Ivanti’s EPMM) [31], Cl0p Ransomware Gang, SiegedSec Hacker Group [21], Turla Hacking Group [11], Unknown threat actors behind the City of Hayward, California [32]

Cigril Tool [2], SoftEther Proxy Software [2],  LEMURLOOT Web Shell ([6], [24]), FlawedAmmyy / FlawedGrace RAT ([6], [24]), DBot RAT ([6], [24]), Truebot ([6], [24]), Cobalt Strike ([6], [24]), DEWMODE Web Shell ([6], [24])

2

Healthcare

Snatch Ransomware Group [22], LockBit 3.0 Ransomware Gang [33], ALPHV (a.k.a BlackCat) Ransomware Gang [34], Unknown threat actors behind the American hospital operator HCA Healthcare data breach [35], Crysis Threat Actors [36]

Snatch Ransomware [22], BlackCat Ransomware, Venus Ransomware [36]

3

Manufacture

LockBit Ransomware Gang, ALPHV (a.k.a BlackCat) Ransomware Gang [37], Cl0p Ransomware Gang ([37], [38]), BlackByte and Akira Ransomware Gang behind the Yamaha Breach [39], RedEnergy (SaaR) Operators [40]

BlackByte and Akira Ransomware [39], Cl0p Ransomware ([37], [38]), BlackCat Ransomware ([37], [40])  

4

Cryptocurrency and Financial Services

Lazarus APT [9], Akira Ransomware Gang [23], Unknown threat actors behind the open-source software supply chain attacks on banking [41], ALPHV (a.k.a BlackCat) Ransomware Gang [42], Kanti Ransomware Operators [43]

Ursnif Banking Trojan [12], WikiLoader Downloader Malware [13], Akira Ransomware [23], BlackCat Ransomware [42], Kanti (NIM-based) Ransomware [43]

5

Education 

ALPHV (a.k.a BlackCat) Ransomware Gang, Cl0p Ransomware Gang ([44]), NoEscape Ransomware Gang [7], Cyber Partisans, (a Belarusian hacktivist group) [45], Akira Ransomware Gang [23], Rhysida Ransomware Gang [28]

BlackCat Ransomware, ExMatter Tool, Eeamfo malware, NoEscape Ransomware

Table 2. Most Targeted Sectors in July 2023

Simulate real-world vulnerability exploitation attacks in minutes and gain a holistic view of your controls’ effectiveness against their cyber attacks at all times. Sign-up now!

References

[1] Reuters, “Chinese hackers breach US ambassador’s emails, Wall Street Journal reports,” Reuters, Reuters, Jul. 21, 2023. Available: https://www.reuters.com/world/us-ambassador-china-hacked-china-linked-spying-operation-wsj-2023-07-20/. [Accessed: Aug. 02, 2023]

[2] M. T. Intelligence, “Analysis of Storm-0558 techniques for unauthorized email access,” Microsoft Security Blog, Jul. 14, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/. [Accessed: Aug. 02, 2023]

[3] “Malvertising Used as Entry Vector for BlackCat Actors Also Leverage SpyBoy Terminator,” Trend Micro, Jun. 30, 2023. Available: https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html. [Accessed: Aug. 02, 2023]

[4] “Website.” Available: https://cybernews.com/security/law-foundation-of-silicon-valley-ransomware/

[5] “BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration,” Security Intelligence, May 30, 2023. Available: https://securityintelligence.com/posts/blackcat-ransomware-levels-up-stealth-speed-exfiltration/. [Accessed: Aug. 02, 2023]

[6] B. Toulas, “8 million people hit by data breach at US govt contractor Maximus,” BleepingComputer, Jul. 27, 2023. Available: https://www.bleepingcomputer.com/news/security/8-million-people-hit-by-data-breach-at-us-govt-contractor-maximus/. [Accessed: Aug. 02, 2023]

[7] UH News, “Hawaiʻi CC cyber attack resolved,” University of Hawaiʻi System News, Jul. 26, 2023. Available: https://www.hawaii.edu/news/2023/07/26/hawaii-cc-cyber-attack-resolved/. [Accessed: Aug. 04, 2023]

[8] M. T. Intelligence, “Storm-0978 attacks reveal financial and espionage motives,” Microsoft Security Blog, Jul. 11, 2023. Available: https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/. [Accessed: Aug. 03, 2023]

[9] “CoinsPaid is back to processing after being hit by a hacker attack. Client funds were not affected and are fully available,” Jul. 26, 2023. Available: https://coinspaid.com/tpost/0zx28tmj51-coinspaid-is-back-to-processing-after-be. [Accessed: Aug. 02, 2023]

[10] D. Ahmed, “Chinese APT Group Hits Air-Gapped Systems in Europe with Malware,” HackRead | Latest Cybersecurity and Hacking News Site, Aug. 01, 2023. Available: https://www.hackread.com/china-apt-group-gapped-systems-malware-europe/. [Accessed: Aug. 11, 2023]

[11] D. Antoniuk, “Russia’s Turla hackers target Ukraine’s defense with spyware.” Available: https://therecord.media/turla-hackers-targeting-ukraine-defense. [Accessed: Aug. 04, 2023]

[12] D. Antoniuk, “New WikiLoader malware targets Italian organizations.” Available: https://therecord.media/wikiloader-malware-downloader-italy-phishing-ursnif. [Accessed: Aug. 04, 2023]

[13] 2023, Aug 01, “Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan,” The Hacker News, Aug. 01, 2023. Available: https://thehackernews.com/2023/08/cybercriminals-renting-wikiloader-to.html. [Accessed: Aug. 04, 2023]

[14] “Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures,” Securonix, Jul. 28, 2023. Available: https://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/. [Accessed: Aug. 04, 2023]

[15] T. Danton, “LockBit ransomware attackers target Japan’s biggest port: but who’s next?,” TechFinitive, Jul. 06, 2023. Available: https://www.techfinitive.com/lockbit-ransomware-attackers-target-japans-biggest-port/. [Accessed: Aug. 11, 2023]

[16] J. Borger, “US ambassador to Beijing targeted in Chinese cyber-attack – report,” The Guardian, The Guardian, Jul. 20, 2023. Available: https://www.theguardian.com/us-news/2023/jul/20/ambassador-to-beijing-among-us-officials-hit-by-chinese-hackers. [Accessed: Aug. 11, 2023]

[17] “Website.” Available: https://www.infosecurity-magazine.com/news/apt-mysterious-elephant-q2-2023/

[18] “APT Bahamut Targets Individuals with Android Malware Using Spear Messaging,” CYFIRMA. Available: https://www.cyfirma.com/outofband/apt-bahamut-targets-individuals-with-android-malware-using-spear-messaging/. [Accessed: Aug. 04, 2023]

[19] K. Liucveikis, “Threat Actor Bahamut Uses Fake Android Chat App To Steal Signal, WhatsApp Data.” Available: https://www.pcrisk.com/internet-threat-news/27423-threat-actor-bahamut-uses-fake-android-chat-app-to-steal-signal-whatsapp-data. [Accessed: Aug. 11, 2023]

[20] A. Singh, “India: Government warns of ‘Akira’ ransomware targeting Windows and Linux users,” WION, Jul. 25, 2023. Available: https://www.wionews.com/technology/india-government-warns-of-akira-ransomware-targeting-windows-and-linux-users-619192. [Accessed: Aug. 11, 2023]

[21] B. Toulas, “NATO investigates alleged data theft by SiegedSec hackers,” BleepingComputer, Jul. 26, 2023. Available: https://www.bleepingcomputer.com/news/security/nato-investigates-alleged-data-theft-by-siegedsec-hackers/. [Accessed: Aug. 04, 2023]

[22] J. Greig, “Tampa hospital says sensitive data of 1.2 million stolen in failed ransomware attack.” Available: https://therecord.media/tampa-hospital-says-data-on-over-1-million-stolen-in-failed-ransomware-attack. [Accessed: Aug. 02, 2023]

[23] “Decrypted: Akira Ransomware,” Avast Threat Labs, Jun. 29, 2023. Available: https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/. [Accessed: Aug. 04, 2023]

[24] “#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a. [Accessed: Aug. 04, 2023]

[25] N. Zargarov, “Old Blackmoon Trojan, NEW Monetization Approach,” Rapid7, Jul. 13, 2023. Available: https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-monetization-approach/. [Accessed: Aug. 02, 2023]

[26] L. Abrams, “Meet NoEscape: Avaddon ransomware gang’s likely successor,” BleepingComputer, Jul. 17, 2023. Available: https://www.bleepingcomputer.com/news/security/meet-noescape-avaddon-ransomware-gangs-likely-successor/. [Accessed: Aug. 04, 2023]

[27] “July 20th Update on Cyberattack.” Available: https://www.tomra.com/news-and-media/news/2023/tomra-july-20th-update-on-cyberattack. [Accessed: Aug. 04, 2023]

[28] A. Scroxton, “Scottish university hit by Rhysida ransomware gang,” ComputerWeekly.com, Jul. 28, 2023. Available: https://www.computerweekly.com/news/366546112/Scottish-university-hit-by-Rhysida-ransomware-gang. [Accessed: Aug. 04, 2023]

[29] A. Cox, “Scottish university UWS targeted by cyber attackers,” BBC News, BBC News, Jul. 27, 2023. Available: https://www.bbc.com/news/uk-scotland-glasgow-west-66327336. [Accessed: Aug. 11, 2023]

[30] A. Scroxton, “BlackCat and Clop gangs both claim cyber attack on Estée Lauder,” ComputerWeekly.com, Jul. 19, 2023. Available: https://www.computerweekly.com/news/366545044/BlackCat-and-Clop-gangs-both-claim-cyber-attack-on-Estee-Lauder. [Accessed: Aug. 11, 2023]

[31] S. Gatlan, “Norway says Ivanti zero-day was used to hack govt IT systems,” BleepingComputer, Jul. 25, 2023. Available: https://www.bleepingcomputer.com/news/security/norway-says-ivanti-zero-day-was-used-to-hack-govt-it-systems/. [Accessed: Aug. 02, 2023]

[32] “Ransomware attack hits Hayward; city claims, so far, personal data is safe,” ABC7 San Francisco, Jul. 10, 2023. Available: https://abc7news.com/hayward-cyber-security-attack-city-of-website-down-personal-information/13485987/. [Accessed: Aug. 04, 2023]

[33] A. Burky, “LockBit attack on dental insurer impacts 8.9M patients,” FierceHealthcare, Jun. 01, 2023. Available: https://www.fiercehealthcare.com/health-tech/attack-notorious-ransomware-group-compromises-personal-data-89-million. [Accessed: Aug. 02, 2023]

[34] S. Adlam, “Barts NHS Trust Hacked by BlackCat/ALPHV Ransomware Group,” Gridinsoft Blog, Jul. 10, 2023. Available: https://gridinsoft.com/blogs/blackcat-alphv-barts-nhs-trust/. [Accessed: Aug. 04, 2023]

[35] R. Southwick, “HCA Healthcare discloses data breach affecting as many as 11 million patients,” OncLive, Jul. 10, 2023. Available: https://www.chiefhealthcareexecutive.com/view/hca-healthcare-discloses-data-breach-affecting-as-many-as-11-million-patients. [Accessed: Aug. 04, 2023]

[36] H. Labs, “Crysis Threat Actors Unleash Venus Ransomware via RDP,” Hive Pro, Jul. 07, 2023. Available: https://www.hivepro.com/crysis-threat-actors-unleash-venus-ransomware-via-rdp/. [Accessed: Aug. 04, 2023]

[37] C. Boyd, “Estée Lauder targeted by Cl0p and BlackCat ransomware groups,” Malwarebytes, Jul. 21, 2023. Available: https://www.malwarebytes.com/blog/news/2023/07/este-lauder-targeted-by-cl0p-and-blackcat-ransomware-groups. [Accessed: Aug. 04, 2023]

[38] P. Paganini, “Schneider Electric and Siemens Energy are two more victims of a MOVEit attack,” Security Affairs, Jun. 27, 2023. Available: https://securityaffairs.com/147865/data-breach/schneider-electric-siemens-energy-moveit.html. [Accessed: Aug. 04, 2023]

[39] “Website.” Available: https://www.bitdefender.com/blog/hotforsecurity/following-claims-by-two-ransomware-groups-yamaha-confirms-cyberattack/

[40] “Website.” Available: https://cyware.com/news/redenergy-new-stealer-as-a-ransomware-out-in-the-wild-6ab8cc7c

[41] 2023, Jul 24, “Banking Sector Targeted in Open-Source Software Supply Chain Attacks,” The Hacker News, Jul. 24, 2023. Available: https://thehackernews.com/2023/07/banking-sector-targeted-in-open-source.html. [Accessed: Aug. 04, 2023]

[42] S. Desk, “Notorious BlackCat hackers steal over 170gb sensitive data from Krishi Bank,” The Daily Star, Jul. 11, 2023. Available: https://www.thedailystar.net/tech-startup/news/notorious-blackcat-hackers-steal-over-170gb-sensitive-data-krishi-bank-3366161. [Accessed: Aug. 04, 2023]

[43] “Kanti: A NIM-Based Ransomware Unleashed in the Wild,” Cyble, Jul. 20, 2023. Available: https://cyble.com/blog/kanti-a-nim-based-ransomware-unleashed-in-the-wild/. [Accessed: Aug. 04, 2023]

[44] “MOVEit software cyberattack notification,” SOURCE, Jul. 12, 2023. Available: https://source.colostate.edu/moveit-software-cyberattack-notification/. [Accessed: Aug. 03, 2023]

[45] D. Antoniuk, “Belarusian hacktivists сlaim to breach country’s leading state university.” Available: https://therecord.media/cyber-partisans-belarusian-state-university-attack. [Accessed: Aug. 04, 2023]