The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
Welcome to Picus Security's monthly cyber threat intelligence roundup!
Each month, we aim to provide a comprehensive yet digestible analysis of the evolving threat landscape, including insights into the most targeted and at-risk sectors, industries, and regions by cybercriminals in the wild.
Our research is conducted throughout the entire month, utilizing a diverse range of resources that span across threat intelligence and malware dump platforms, blogs, exploit databases, sandboxes, and network data query results. We draw upon this wealth of information to provide you with a holistic understanding of the cyber threat environment, with a particular focus on dissecting malware campaigns, attack campaigns conducted by threat actors and advanced persistent threat (APT) groups, and new malware samples observed in the wild.
By following our monthly threat report, you'll be able to ascertain which threat actors or malware could potentially impact your sector, gauge if your country is being specifically targeted, and understand if there is a surge in threat activity correlated with geopolitical events or state-backed actions.
Executive Summary
-
In June, the most targeted regions for cyber attacks were Northern America, South Asia, East Asia, Northern and Southern Europe.
-
The cyber threat landscape is escalating globally, with North America facing significant threats from Cl0p Ransomware Gang, Volt Typhoon APT, and BlackCat Ransomware Gang, who have utilized a mix of sophisticated malware and tools such as TrueBot, DEWMODE webshell and Cobalt Strike. Meanwhile, in Southeast Asia and East Asia, organizations are facing threats from Camaro Dragon APT and LockBit Ransomware Gang, and in Eastern Europe, the likes of Lazarus APT and Fancy Bear APT are causing concern, highlighting the broad and geographically diverse nature of these cyber threats.
-
Government Agencies, Finance, Education, Energy, and Healthcare are the top five sectors under constant siege, predominantly from Cl0p Ransomware Gang, Lazarus APT, LockBit, BlackCat Ransomware Gang, and other varied threat actors. These sectors are prime targets due to their vast repositories of sensitive data, financial assets, and critical infrastructure, providing opportunities for ransom demands, data theft, and geopolitical disruption.
-
In June, the top five threat actors, namely the Cl0p Ransomware Gang, Kimsuky APT, Spyboy threat actor, APT 15, and Cadet Blizzard APT demonstrated varied motivations and strategies, indicative of prevailing geopolitical tensions.
-
Key highlights include Cl0p Ransomware Gang's exploitation of a MOVEit zero-day SQL vulnerability, Kimsuky APT's sophisticated social engineering campaign, Spyboy's novel BYOVD attack, APT 15's use of the Graphican backdoor, and Cadet Blizzard APT's targeted attacks on Ukrainian government agencies using destructive cyber techniques. The continued evolution of these threat actors' strategies underscores the need for vigilance and proactive defense measures.
Top 10 Most Targeted Regions in June
In this section, we are going to talk about the top five regions at risk of cyber attacks.
The following table delineates the five most frequently targeted regions, accompanied by a list of the primary threat actors and malware specifically targeting these regions.
Most Targeted Region |
Threat Actor |
Malware and Tools |
|
1 |
Northern America (U.S.) |
Cl0p Ransomware Gang [1], Volt Typhoon APT (a.k.a BRONZE SILHOUETTE) [2], Mallox Ransomware [3], MalSmoke hacking group [4], LockBit ([5], [6]), Rhysida ransomware-as-a-service Group [7], BlackCat Ransomware Gang [8] |
Anatsa Android banking trojan [9], BatLoader downloader malware [3], LEMURLOOT (human2.aspx) webshell [10], Zloader malware [4], TrueBot malware [1], DEWMODE webshell [1], SDBot malware [1], Cobalt Strike framework [1] |
2 |
South East Asia |
Mallox Ransomware [3], Camaro Dragon APT (a.k.a Mustang Panda) [11], BlackCat Ransomware Gang [12] |
HelloTeacher Android Spyware [13], BatLoader downloader malware [3], WispRider malware [11], HopperTick launcher [11] |
3 |
East Asia |
Camaro Dragon APT (a.k.a Mustang Panda) [11], Unknown threat actors behind the ransomware attack to Japanese pharmaceutical giant Eisai [14], LockBit Ransomware Gang [15] |
WispRider malware [11], HopperTick launcher [11], JokerSpy macOS malware [16], LockBit Ransomware [15] |
4 |
Eastern Europe |
Chinese threat actors behind the Smugx attack campaign [17], Cl0p Ransomware Gang [7], Cadet Blizzard APT [18], Lazarus APT [19], Gamaredon (Russian-linked), APT [20], Fancy Bear APT [21], Camaro Dragon APT [11] |
TrueBot malware [1], DEWMODE webshell [1], SDBot malware [1], Cobalt Strike framework [1] |
5 |
Southern Europe |
Cl0p Ransomware Gang [1], Play Ransomware Gang [22], SharpPanda APT [23], 8BASE Ransomware Gang [24] |
Ursnif banking malware [25], Cl0p ransomware [1], Play ransomware [22], SQLite3.dll [26] (component of the SQLite database engine and is used for Chrome password theft in this case), Trigiona Ransomware [27], Mimikatz tool [27], Splashtop tool [27], RoyalRoad tool [23], Anatsa Android banking trojan [9], TrueBot malware [1], DEWMODE webshell [1], SDBot malware [1], Cobalt Strike framework [1] |
Top 5 Most Targeted Sectors in June
In this section, we are going to talk about the top five industries and sectors at risk of cyber attacks.
-
In the constantly evolving cybersecurity landscape, an array of threat actors has strategically targeted key sectors, including Government Agencies, Finance, Education, Energy, and Health.
-
In government, persistent attacks from Cl0p Ransomware Gang and APT 15 have compromised several U.S. federal agencies (including U.S. Department of Energy and U.S. Department of Health and Human Services), several NATO member countries, and foreign affairs ministries across Northern America.
-
The financial sector is increasingly under attack, with threat actors like the Akira Ransomware Gang and Lazarus APT affecting entities like Spanish bank Globalcaja and MCNA Dental, and crypto assets of Atomic Wallet users.
-
Similarly, in education, threat actors like Cl0p Ransomware Gang, Akira Ransomware and NoEscape Ransomware Gang have disrupted the operations of universities and public school systems across the globe.
-
The energy sector, with high-profile targets like European gas and oil giant Shell Oil and the Waste Isolation Pilot Plant (located in New Mexico) were some of the companies affected from the MOVEit zero-day SQL vulnerability exploitation attack by the Cl0p Ransomware Gang.
-
In healthcare, BlackCat and Cl0p Ransomware Gangs have left their mark on institutions such as Beverly Hills Plastic Surgery and Japan's pharmaceutical giant Eisai Group.
-
Lastly, various other organizations such as British Airlines (Transportation) and the BBC (Entertainment) have also been targeted by the Cl0p Ransomware Gang, underlining the group's opportunistic nature.
The following table delineates the five most frequently targeted sectors, accompanied by a list of the primary threat actors and malware specifically targeting these regions.
Targeted Sector |
Threat Actors |
Malware |
|
1 |
Government Agencies |
Cl0p Ransomware Gang [1], LockBit [6], APT 15 (Ke3chang) [28], Cadet Blizzard [18], Rhysida ransomware-as-a-service Group [7], Andariel APT [29], NoName057(16) Hacktivist Group [30], Midnight Blizzard (a.k.a APT 29) [11] |
Truebot malware [1], WhisperGate wiper malware [18], LEMURLOOT webshell [1], DEWMODE webshell [1], SDBot malware [1], Cobalt Strike [1], FlawedAmmyy [1], EarlyRat malware [29], DTrack backdoor [31], MagicRAT [29], YamaBot [29], Play ransomware [32], Cl0p ransomware [1] |
2 |
Finance |
Akira Ransomware Gang [33], 8BASE Ransomware Gang [34], Andariel APT (Subgroup of Lazarus APT) [29], Lazarus APT [35], Play Ransomware Gang [22], LockBit Ransomware [36], BlackCat Ransomware Gang [12], Cl0p Ransomware Gang [1] |
Symbiote Linux malware [37], Akira (Linux version) ransomware [33], EarlyRat malware [29], DTrack backdoor malware [31], MagicRAT [29], YamaBot [29], Maui ransomware [29], NukeSpeed tool [38], ForkDump tool [39], ALPHV (BlackCat) ransomware [12] |
3 |
Education |
8BASE Ransomware Gang [34], Cl0p Ransomware Gang ([40], [7]), Rhysida ransomware-as-a-service Group [7], NoEscape Ransomware Gang [41], Unknown threat actors behind the DDoS attack to Greece’s Education Ministry [42], Akira Ransomware [43] |
Truebot malware [1], LEMURLOOT webshell [1], DEWMODE webshell [1], SDBot malware [1], Cobalt Strike [1], FlawedAmmyy RAT [1] |
4 |
Energy |
Cl0p Ransomware Gang [44], Unknown threat actors behind the attack campaign to Suncor Energy [45] |
Truebot malware [1], DEWMODE webshell [1], SDBot malware [1], Cobalt Strike [1], FlawedAmmyy RAT [1] |
5 |
Health |
BlackCat Ransomware Gang ([8], [46]) Cl0p Ransomware Gang [47], Camaro Dragon APT (a.k.a Mustang Panda) [11] |
TrueBot malware [1], LEMURLOOT webshell [1], DEWMODE webshell [1], SDBot malware [1], Cobalt Strike framework [1], FlawedAmmyy RAT[1], WispRider malware [11], HopperTick launcher [11] |
Top CVE’s Exploited in June
The cybersecurity landscape in recent times has witnessed the emergence of significant vulnerabilities across various products and platforms in June.
Threat actors and malware campaigns have actively exploited these vulnerabilities, targeting popular solutions like MOVEit Transfer software, Barracuda Email Security Gateway, Apple's iOS, iPadOS, macOS WebKit, and VMware Tools.
CVE |
Name / Affected Product |
Threat Actors / Malware Campaigns |
|
1 |
CVE-2023-34362 [10] |
MOVEit Transfer Software |
Cl0p ransomware gang |
2 |
CVE-2023-2868 [48] |
Barracuda Email Security Gateway Zero-Day Vulnerability |
Suspected to be related to China |
3 |
CVE-2023-32439 [49], [50] |
Apple iOS, iPadOS, and macOS WebKit Type Confusion Vulnerability |
Operation Triangulation malware campaign |
4 |
CVE-2023-32435 [49], [50] |
Apple iOS and iPadOS WebKit Memory Corruption Vulnerability |
Operation Triangulation malware campaign |
5 |
CVE-2023-20867 [51], [50] |
VMware Tools Authentication Bypass Vulnerability |
Suspected to be related to China |
Top Five Most Active Threat Actors in June
In June, the top five most active threat actors displayed diverse motivations and targeting strategies, reflecting geopolitical tensions.
This summary highlights the Cl0p ransomware gang exploiting a zero-day vulnerability, the Kimsuky APT group's social engineering campaign, Spyboy's BYOVD attack, APT 15's use of the Graphican backdoor, and the Cadet Blizzard APT's focus on Ukrainian government agencies using destructive cyber techniques.
1. Cl0p Ransomware Gang
The CL0P ransomware gang [10] (a.k.a TA505) exploited the zero-day SQL vulnerability CVE-2023-34362 in MOVEit Transfer software, infecting applications and stealing data via a webshell named LEMURLOOT from May 27, 2023. Known for their 'double extortion' tactic and their ability to change malware quickly, the ransomware gang have previously targeted Accellion File Transfer Appliance devices and GoAnywhere MFT servers. The CISA recommends data inventory, controlled admin access, network monitoring, and regular software updates as mitigation measures.
2. Kimsuky APT
Kimsuky [52], also known as Thallium, Black Banshee, and Velvet Chollima, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2012. Lately, this group has been observed launching a sophisticated social engineering campaign, including extensive email correspondence, spoofed URLs, and weaponized Office documents containing ReconShark malware [53]. While their old tactics of utilizing CHM (Microsoft Compiled HTML Help) files disguised as ordinary documents on varied topics persist, their approach now also includes the theft of Google and subscription credentials and strategic intelligence gathering. The embedded scripts collect user information, including IP and system details, and maintain persistent communication with their command and control server for further system compromises.
3. Spyboy Threat Actor
Spyboy [54], a threat actor, is advertising a tool named "Terminator" on a Russian hacking forum. This tool claims to terminate antivirus, XDR, and EDR platforms, and security researchers identify it as a disguised Bring Your Own Vulnerable Driver (BYOVD) attack. Claimed to bypass 24 various antivirus, EDR, and XDR defenses, it targets devices operating on Windows 7 and beyond. Pricing ranges from $300 for a single bypass to $3,000 for an all-in-one package. Users need administrative privileges and must convince the victim to accept a User Account Controls (UAC) pop-up to run Terminator.
4. Ke3chang (a.k.a APT 15, Nickel or Flea)
The APT 15 (a.k.a Flea and Nickel) targeted foreign ministries in a campaign using a new backdoor, Backdoor.Graphican, from late 2022 to early 2023 [55]. Graphican, an evolution of APT 15’s Ketrican backdoor, uses Microsoft Graph API and OneDrive for command-and-control infrastructure. It retrieves the encrypted server address dynamically from OneDrive rather than using a hardcoded server. The APT 15 also used new variants of the backdoor EWSTEW and credential-dumping tools such as Mimikatz. Despite Microsoft seizing 42 domains of the APT group in 2021, they still continue to operate, demonstrating an ongoing development of new tools and the adoption of techniques utilized by other APT groups.
5. Cadet Blizzard APT
Cadet Blizzard APT [18], associated with the Russian GRU, focuses on Ukrainian government agencies and IT service providers using a combination of conventional network operations and destructive cyber techniques.
This includes the exploitation of commonly found web servers like Microsoft Exchange and Atlassian Confluence on network perimeters and DMZs [56], the use of living-off-the-land techniques for lateral movement and credential harvesting, and the deployment of disruptive payloads like WhisperGate, a destructive capability that wipes Master Boot Records (MBRs). The group specifically targets government organizations and IT service providers, but these techniques could potentially be used against other industries in regions of interest.
Their operations follow a structured pathway, revealing a calculated, multi-step process designed to deliver maximum impact and run the risk of disrupting continuity of network operations and exposing sensitive information.
References
[1] J. Slaughter, F. Gutierrez, and S. Imano, “MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day,” Fortinet Blog, Jun. 08, 2023. [Online]. Available: https://www.fortinet.com/blog/threat-research/moveit-transfer-critical-vulnerability-cve-2023-34362-exploited-as-a-0-day. [Accessed: Jul. 11, 2023]
[2] “Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations,” May 24, 2023. [Online]. Available: https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations. [Accessed: Jul. 11, 2023]
[3] “Mallox Ransomware Implements New Infection Strategy,” Cyble, Jun. 22, 2023. [Online]. Available: https://blog.cyble.com/2023/06/22/mallox-ransomware-implements-new-infection-strategy/. [Accessed: Jul. 11, 2023]
[4] C. Osborne, “Malsmoke hackers abuse Microsoft signature verification in ZLoader cyberattacks,” ZDNET, Jan. 05, 2022. [Online]. Available: https://www.zdnet.com/article/malsmoke-hackers-now-abuse-microsoft-e-signature-verification-tool-in-cyberattacks/. [Accessed: Jul. 13, 2023]
[5] S. Gatlan, “CISA: LockBit ransomware extorted $91 million in 1,700 U.S. attacks,” BleepingComputer, Jun. 14, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/cisa-lockbit-ransomware-extorted-91-million-in-1-700-us-attacks/. [Accessed: Jul. 13, 2023]
[6] “Understanding Ransomware Threat Actors: LockBit,” Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a. [Accessed: Jul. 13, 2023]
[7] “3rd July – Threat Intelligence Report,” Check Point Research, Jul. 03, 2023. [Online]. Available: https://research.checkpoint.com/2023/3rd-july-threat-intelligence-report/. [Accessed: Jul. 13, 2023]
[8] J. L. Hardcastle, “Now BlackCat extortionists threaten to leak stolen plastic surgery pics,” The Register, Jun. 22, 2023. [Online]. Available: https://www.theregister.com/2023/06/22/blackcat_ransomware_plastic_surgery_clinic/. [Accessed: Jul. 13, 2023]
[9] J. Doe, “Anatsa banking Trojan hits UK, US and DACH with new campaign,” Jun. 26, 2023. [Online]. Available: https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign. [Accessed: Jul. 11, 2023]
[10] “#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability,” Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a. [Accessed: Jul. 12, 2023]
[11] “Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives,” Check Point Research, Jun. 22, 2023. [Online]. Available: https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/. [Accessed: Jul. 13, 2023]
[12] S. Desk, “Notorious BlackCat hackers steal over 170gb sensitive data from Krishi Bank,” The Daily Star, Jul. 11, 2023. [Online]. Available: https://www.thedailystar.net/tech-startup/news/notorious-blackcat-hackers-steal-over-170gb-sensitive-data-krishi-bank-3366161. [Accessed: Jul. 14, 2023]
[13] “HelloTeacher: New Android Malware Targeting Banking Users In Vietnam,” Cyble, Jun. 05, 2023. [Online]. Available: https://blog.cyble.com/2023/06/05/helloteacher-new-android-malware-targeting-banking-users-in-vietnam/. [Accessed: Jul. 14, 2023]
[14] “Notification of Ransomware Incident,” Eisai Co., Ltd. [Online]. Available: https://www.eisai.com/news/2023/news202341.html. [Accessed: Jul. 13, 2023]
[15] P. Paganini, “LockBit gang demands a $70 million ransom to the semiconductor manufacturing giant TSMC,” Security Affairs, Jul. 01, 2023. [Online]. Available: https://securityaffairs.com/148022/cyber-crime/tsmc-lockbit-ransomware.html. [Accessed: Jul. 13, 2023]
[16] C. Wilhoit et al., “Emerging Threat! Exposing JOKERSPY,” Elastic Blog. [Online]. Available: https://www.elastic.coen-us/security-labs/inital-research-of-jokerspy. [Accessed: Jul. 14, 2023]
[17] “Chinese Threat Actors Targeting Europe in SmugX Campaign,” Check Point Research, Jul. 03, 2023. [Online]. Available: https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/. [Accessed: Jul. 14, 2023]
[18] M. T. Intelligence, “Cadet Blizzard emerges as a novel and distinct Russian threat actor,” Microsoft Security Blog, Jun. 14, 2023. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/. [Accessed: Jul. 11, 2023]
[19] “12th June – Threat Intelligence Report,” Check Point Research, Jun. 12, 2023. [Online]. Available: https://research.checkpoint.com/2023/12th-june-threat-intelligence-report/. [Accessed: Jul. 14, 2023]
[20] “Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine.” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military. [Accessed: Jul. 14, 2023]
[21] J. Greig, “Russia’s ‘Fancy Bear’ hackers targeted Ukrainian gov’t, military orgs.” [Online]. Available: https://therecord.media/russia-fancy-bear-hackers-targeted-ukraine. [Accessed: Jul. 14, 2023]
[22] J. Greig, “Large Spanish bank confirms ransomware attack.” [Online]. Available: https://therecord.media/spain-globalcaja-bank-confirms-ransomware-attack. [Accessed: Jul. 13, 2023]
[23] “SharpPanda APT Campaign Expands its Arsenal Targeting G20 Nations,” Cyble, Jun. 01, 2023. [Online]. Available: https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/. [Accessed: Jul. 11, 2023]
[24] Defenda Solutions, “The 8Base Ransomware Gang Intensifies Double Extortion Attacks in June 2023 - Where Italy is at the Top of the List of Their Victims,” 1688142197000. [Online]. Available: https://www.linkedin.com/pulse/8base-ransomware-gang-intensifies-double-extortion-attacks. [Accessed: Jul. 14, 2023]
[25] “Cybercrime Targeting Italy,” Proofpoint, June. 20, 2023. [Online]. Available: https://www.proofpoint.com/us/blog/threat-insight/cybercrime-targeting-italy. [Accessed: Jul. 14, 2023]
[26] “Operation CMDStealer: Financially Motivated Campaign Leverages CMD-Based Scripts and LOLBaS for Online Banking Theft in Portugal, Peru, and Mexico,” BlackBerry, May 30, 2023. [Online]. Available: https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico. [Accessed: Jul. 11, 2023]
[27] “An Overview of the Different Versions of the Trigona Ransomware,” Trend Micro, Jun. 23, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.html. [Accessed: Jul. 11, 2023]
[28] N. Nelson, “20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks,” Dark Reading, Jun. 21, 2023. [Online]. Available: https://www.darkreading.com/vulnerabilities-threats/20-year-old-chinese-apt15-new-life-foreign-ministry-attacks. [Accessed: Jul. 13, 2023]
[29] “Kaspersky uncovers new malware family used by Andariel, Lazarus’ subgroup,” www.kaspersky.com, Jun. 28, 2023. [Online]. Available: https://www.kaspersky.com/about/press-releases/2023_kaspersky-uncovers-new-malware-family-used-by-andariel-lazarus-subgroup. [Accessed: Jul. 13, 2023]
[30] The Federal Council, “DDoS attack on Federal Administration: various Federal Administration websites and applications unavailable.” [Online]. Available: https://www.admin.ch/gov/en/start/documentation/media-releases.msg-id-95641.html. [Accessed: Jul. 13, 2023]
[31] GReAT, “Andariel’s silly mistakes and a new malware family,” Kaspersky, Jun. 28, 2023. [Online]. Available: https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/. [Accessed: Jul. 13, 2023]
[32] “19th June – Threat Intelligence Report,” Check Point Research, Jun. 19, 2023. [Online]. Available: https://research.checkpoint.com/2023/19th-june-threat-intelligence-report/. [Accessed: Jul. 13, 2023]
[33] B. Toulas, “Linux version of Akira ransomware targets VMware ESXi servers,” BleepingComputer, Jun. 28, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/. [Accessed: Jul. 13, 2023]
[34] “Website.” [Online]. Available: https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html
[35] “North Korea’s Lazarus Group Likely Responsible For $35 Million Atomic Crypto Theft,” Elliptic Connect. [Online]. Available: https://hub.elliptic.co/analysis/north-korea-s-lazarus-group-likely-responsible-for-35-million-atomic-crypto-theft/. [Accessed: Jul. 13, 2023]
[36] P. Paganini, “Lockbit ransomware attack on MCNA Dental impacts 8.9M individuals,” Security Affairs, May 29, 2023. [Online]. Available: https://securityaffairs.com/146804/data-breach/mcna-data-breach.html. [Accessed: Jul. 14, 2023]
[37] J. Kennedy, “Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat,” Intezer, Jun. 09, 2022. [Online]. Available: https://intezer.com/blog/research/new-linux-threat-symbiote/. [Accessed: Jul. 13, 2023]
[38] A. Mascellino, “Andariel’s Mistakes Uncover New Malware in Lazarus Group Campaign,” Infosecurity Magazine, Jun. 28, 2023. [Online]. Available: https://www.infosecurity-magazine.com/news/andariels-mistakes-uncover-new/. [Accessed: Jul. 13, 2023]
[39] P. Paganini, “North Korea-linked Andariel APT used a new malware named EarlyRat last year,” Security Affairs, Jun. 30, 2023. [Online]. Available: https://securityaffairs.com/147976/apt/andariel-apt-earlyrat-malware.html. [Accessed: Jul. 13, 2023]
[40] A. Triay, “Cyberattack impacts U.S. federal government, NATO allies. Here’s what we know about the breach so far,” CBS News, Jun. 15, 2023. [Online]. Available: https://www.cbsnews.com/news/us-cyberattack-impacts-government-agencies-nato-allies-breach/. [Accessed: Jul. 13, 2023]
[41] “26th June – Threat Intelligence Report,” Check Point Research, Jun. 26, 2023. [Online]. Available: https://research.checkpoint.com/2023/26th-june-threat-intelligence-report/. [Accessed: Jul. 13, 2023]
[42] “Worst cyberattack in Greece disrupts high school exams, causes political spat,” AP News, May 30, 2023. [Online]. Available: https://apnews.com/article/cyberattack-cybercrime-greece-school-highschool-ddos-9258842dbd84d67430cf5eb39999f93d. [Accessed: Jul. 14, 2023]
[43] J. LaRoue, “Middlesex Co. Public Schools confirms ransomware attack,” WAVY.com, Jun. 01, 2023. [Online]. Available: https://www.wavy.com/news/virginia/middlesex-co-public-schools-confirms-ransomware-attack/. [Accessed: Jul. 14, 2023]
[44] M. W. Roeloffs, “U.S. Government Agencies—Including Energy Department—Targeted In Latest Global Cyberattack,” Forbes, Jun. 15, 2023. [Online]. Available: https://www.forbes.com/sites/maryroeloffs/2023/06/15/us-government-agencies-including-energy-department-targeted-in-latest-global-cyberattack/. [Accessed: Jul. 13, 2023]
[45] B. Toulas, “Suncor Energy cyberattack impacts Petro-Canada gas stations,” BleepingComputer, Jun. 26, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/suncor-energy-cyberattack-impacts-petro-canada-gas-stations/. [Accessed: Jul. 13, 2023]
[46] S. Adlam, “Barts NHS Trust Hacked by BlackCat/ALPHV Ransomware Group,” Jul. 10, 2023. [Online]. Available: https://gridinsoft.com/blogs/blackcat-alphv-barts-nhs-trust/. [Accessed: Jul. 14, 2023]
[47] The, “The latest victim of the MOVEit data breach is the Department of Health and Human Services,” AP News, Jun. 29, 2023. [Online]. Available: https://apnews.com/article/moveit-data-breach-hhs-f417b85cfc4eba7575787cda08a7fb8f. [Accessed: Jul. 14, 2023]
[48] “Barracuda Email Security Gateway Appliance (ESG) Vulnerability.” [Online]. Available: https://www.barracuda.com/company/legal/esg-vulnerability. [Accessed: Jul. 11, 2023]
[49] “Campagna ”Operation Triangulation” che sfruttano vulnerabilità 0-day di tipo 0-click su dispositivi mobili Apple,” Yoroi, Jun. 23, 2023. [Online]. Available: https://yoroi.company/warning/campagna-operation-triangulation-che-sfruttano-vulnerabilita-0-day-di-tipo-0-click-su-dispositivi-mobili-apple/. [Accessed: Jul. 11, 2023]
[50] “CISA Adds Five Known Exploited Vulnerabilities to Catalog,” Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/alerts/2023/06/23/cisa-adds-five-known-exploited-vulnerabilities-catalog. [Accessed: Jul. 12, 2023]
[51] “Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems,” The Hacker News, Jun. 14, 2023. [Online]. Available: https://thehackernews.com/2023/06/chinese-hackers-exploit-vmware-zero-day.html. [Accessed: Jul. 12, 2023]
[52] gygy, “Kimsuky Distributing CHM Malware Under Various Subjects,” ASEC BLOG, Jun. 21, 2023. [Online]. Available: https://asec.ahnlab.com/en/54678/. [Accessed: Jul. 12, 2023]
[53] A. Milenkoski, “Kimsuky Strikes Again,” SentinelOne, Jun. 06, 2023. [Online]. Available: https://www.sentinelone.com/labs/kimsuky-new-social-engineering-campaign-aims-to-steal-credentials-and-gather-strategic-intelligence/. [Accessed: Jul. 12, 2023]
[54] S. Gatlan, “Terminator antivirus killer is a vulnerable Windows driver in disguise,” BleepingComputer, May 31, 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-is-a-vulnerable-windows-driver-in-disguise/. [Accessed: Jul. 12, 2023]
[55] “Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries.” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15. [Accessed: Jul. 12, 2023]
[56] N. Nelson, “Russian APT ‘Cadet Blizzard’ Behind Ukraine Wiper Attacks,” Dark Reading, Jun. 14, 2023. [Online]. Available: https://www.darkreading.com/threat-intelligence/russian-apt-cadet-blizzard-ukraine-wiper-attacks. [Accessed: Jul. 11, 2023]