WithSecure Monthly Threat Highlights Report

LiselotteP

Get the latest insights from the cyber threat landscape - courtesy of WithSecure™ Countercept's own Threat Intelligence team.

Subcribe to our Monthly Threat Highlights Report and other news and updates from WithSecure, by joining our mailing list.

Every month, you'll see the latest highlights in the discussion thread here.

If you'd like to stay in the loop, simply bookmark this discussion and you'll receive a notification whenever we post the latest report.

📝 Click here to see the latest report

LiselotteP

January 2023

Monthly highlights

• GoTo (LogMeIn) breach
• The rise of Emotet (again)
• SEO poisoning at an all-time high
• Mac malware of 2022

Ransomware: Trends and notable reports

• Royal Mail hit by LockBit... affiliate
• A history of LockBit
• BianLian decryptor and shift to I2P
• Newcomers: CatB
• An interview with Mallox

Other notable highlights in brief

• Nordic common cybersecurity strategy
• Cellebrite & MSAB XRY data leaked
• OWASSRF, a technical write-up
• Breach of Slack
• Poland warns of Russian cyber attacks
• Denmark struck by Russian hacktivist DDoS
• Freejacking
• SugarCRM actively exploited
• Kela report on cybercrime in 2022

Threat data highlights

Download report

LiselotteP

February 2023

Monthly highlights

Ransomware: Trends and notable reports

• ESXiArgs
• The end of Hive???
• Alphv attack on Munster
• Technological University
• The $10k ransomware manual
• TV provider Dish experience ransomware attack
• Newcomers: Nevada
• Newcomers: Mimic

Other notable highlights in brief

• GoAnywhere exploitation
• Zoho ManageEngine exploitation
• KeePass problems
• QR code phishing
• Sh1mmer exploit can unenroll managed Chromebooks
• IceBreaker target gaming/gambling companies

Threat data highlights

Research highlights

Download report

LiselotteP

March 2023

Monthly highlights

Ransomware: Trends and notable reports

• CISAs pre-ransomware notification initiative
• Dole attack shows real world impact
• Rise of Royal
• Nevada is Nokoyawa
• Magniber’s SmartScreen bypass
• Ransomware newcomers

Other notable highlights in brief

• Best practices in cyber
• Hydrochasma gathering intelligence
• I2PMiner targeting MacOS
• Lumma Stealer targets content creators
• T-Mobile constantly targeted by SIM-swappers
• Android banking trojan tracker
• Breach Forums down!
• Ultrasonic attacks

Threat data highlights

Detection and response highlights

Download report

LiselotteP

April 2023

Threat Intel monthly highlights: Ransomware gangs get Papercuts, Lockbit and BlueNoroff get into MacOS, pro-Russian 'hacktivism' continues and 3CX continues.

• Ransomware: Trends and notable reports
  • Capita
  • Nokoyawa – CVE-2023-28252
  • Rorschach Ransomware discovered
• Other notable highlights in brief
  • DuckTail new update?
  • APT41 HOODOO
  • Service Location Protocol Vulnerability
  • Google Chrome Zero Day attacks
  • Continued targeting of Networking Devices
• Threat data highlights
• Research highlights

Download report

LiselotteP

May 2023

Latest Threat Highlights: 8x TLD disruption, Outlook bug patch bypassed, more Wordpress woe, an Infostealer special focus and new threat groups.

Ransomware: Trends and notable reports

• Newcomers
• Akira ransomware goes retro
• Royal
• Money Message leaks MSI keys
• Buhti switches it up

Other notable highlights in brief

• Goodbye CryptBot, NodeStealer and Snake
• Does this Android look infected?
• Brute Print

Threat data highlight

Research highlights

Download report

LiselotteP

June 2023

• Mass exploitation of a vulnerability in MOVEit by Clop
• The use of "Bring Your Own Vulnerable Driver" (BYOVD) techniques in terminating AV/EDR
• Chinese APT group Volt Typhoon surfaces
• Mod poisoning for the popular video game Minecraft
• Updates on the hacktivism landscape
• Ransomware trends

The ransomware section includes identification of three newcomers and updates on the scale of attacks and statistics relating to the most active groups throughout June. 

Download report

LiselotteP

Ransomware has been a hugely profitable industry for criminal gangs for the last few years. The total amount of ransom paid since 2020 is estimated to be at least $2 billion, and this has both motivated and enabled the groups who are profiting from this activity to become more professional.

These groups are emulating the legitimate tech ecosystem and seeking greater efficiencies and profits: they outsource common, complex problems; they subcontract work; and they employ freelancers via what could be termed a gig economy of operators.

Stephen Robinson - Senior Threat Intelligence Analyst at WithSecure

https://www.helpnetsecurity.com/2023/07/12/ransomware-industry-profitability/

LiselotteP

July 2023

• Exploitation of Ivanti EPMM resulting in the compromise of government departments in Norway
• Ransomware incidents involving newcomers BigHead and the impersonation of Sophos
• Driver loopholes
• Exploitation of Citrix products
• TeamsPhisher tool that is being ignored by Microsoft
• Examination of the hacktivist landscape
• Statistics relating to the most active threat groups throughout July

The report examines the hacktivist landscape and includes statistics relating to the most active threat groups throughout July.

Download report

LiselotteP

August 2023

• Monthly highlights
• Ransomware trends and notable reports
• Other notable highlights in brief, and threat data highlights
• Latest news and trends in the cyber security industry
• Newcomers in the ransomware space, such as "Cloak", "Metaencryptor" and "Ransomed"

Download report

LiselotteP

September 2023

• Monthly highlights
• Ransomware
• Other notable highlights in brief

Download report

LiselotteP

October 2023

• An ongoing phishing campaign impacting Finland
• The state of the infostealer market
• Fallout following the compromise of Okta
• A new HTTP/2 rapid reset DDoS technique
• The state of the hacktivist landscape, which has been further shaped by ongoing conflict in Israel
• Tracking the ransomware landscape, including statistics from known attacks
• Reference to a wider piece of research on the malware Darkgate

Download report

LiselotteP

November 2023

• Exploitation of Vulnerabilities
• SolarWinds Lawsuit
• Ransomware Trends and Notable Reports

Download report

LiselotteP

December 2023

• Significant data breaches affecting US telecoms provider Xfinity, US mortgage lender MrCooper, and DonorView, a provider of a cloud-based charitable donation platform
• Active exploitation of the zero-click Outlook/Exchange exploit by Russian APT, identified as Unit 26165 of the Russian GRU.
• Analysis of exploit data focusing on changes over time in WithSecure and VirusTotal detection data, including fluctuations in the use of specific CVEs.
• Ongoing events surrounding Israel and Palestine with associated hacktivist proxies active in the cyber arena for both sides.
• Continuation of ransomware attacks, albeit in lower numbers than previous months, and signs of potential return of Qakbot after being taken down by Law Enforcement Agencies.
• Exploration of interesting vulnerabilities, both old and new, with a different approach to analyzing the data on these vulnerabilities.

Download report

LiselotteP

January 2024

• Multiple zero-day vulnerabilities in Ivanti Connect Secure VPN appliances 
• Compromise of Microsoft and HP Enterprise by Russian state actors 
• Spike in Akira ransomware activity targeting the Nordics 
• Vulnerabilities in GitLab and GitHub, raising concerns about CI/CD pipeline supply chain attacks 
• Attacks by hacktivist groups with significant impacts 
• Security failures leading to outages for Orange Spain

Download report

LiselotteP

February 2024

• Mass exploitation incidents involving Ivanti ConnectSecure and ConnectWise ScreenConnect vulnerabilities.
• Ransomware attacks and varying statistics and opinions on the state of the ransomware sector.
• Use of Machine Learning and LLMs for malicious activities like fraud and autonomous hacking.
• Significant increases in phishing/maldoc exploits targeting client software.
• Exploit data highlighting vulnerabilities such as CVE-2023-21716, CVE-2023-38831, CVE-2023-23376, and CVE-2023-23397.
• Lazarus Group exploiting a Windows driver zero-day vulnerability (CVE-2024-21338) to disable security tools.
• Newly exploited vulnerabilities added to CISA's Known Exploited Vulnerabilities catalogue, including CVE-2023-4762 affecting Google Chromium V8.

Download report

LiselotteP

March 2024

• Reports of political espionage by China, specifically the compromise of the UK Electoral Commission by Chinese state-sponsored attackers.
• The FBI's report on the increase in ransomware attacks against critical infrastructure, with a significant rise in reported attacks and losses.
• Notable IoT vulnerabilities, such as the Saflok RFID-based keycard locks and the CVE-2019-7256 in the Nice Linear eMerge E3-Series operating system.
• Disagreements between organizations in the cybersecurity industry regarding responsible disclosure practices and the effectiveness of detection and remediation tools.
• Updates on the ransomware industry, including the closure of major players like BlackCat/ALPHV and the impact on the Ransomware as a Service industry.

Download report

LiselotteP

April 2024

• Key findings from Change Healthcare's Q1 financials regarding the cost of a ransomware attack
• How did CISA and MITRE handle breaches related to Ivanti ConnectSecure, and what lessons can be learned from their transparency?
• What scathing observations and recommendations did CISA make regarding the Microsoft corporation's culture, risk management, and communications in relation to the Microsoft Exchange Online compromise of late 2023?

Download report

LiselotteP

May 2024

• Emphasis on the importance of multi-factor authentication (MFA) in preventing cyberattacks, as demonstrated by the compromise of Change Healthcare due to a lack of MFA on a Citrix account.
• Organizational changes at Microsoft in response to security failures, such as tying senior executives' pay awards to prioritizing security over new features and partnering deputy CISOs with engineering teams.
• Ongoing law enforcement actions against cybercriminals, including the action against LockBit and the initiation of a secure-by-design pledge by the US government cybersecurity agency, CISA.
• Response to zero-day vulnerabilities in SSL VPN solutions, with Norway's NCSC recommending organizations to switch to more secure alternatives like IPSec IKEv2 VPNs or 5G data connections.
• Insights into AI security news, including research on how hackers are leveraging generative AI to enhance their offensive capabilities and strategies to defend against such attacks.

Download report

LiselotteP

June 2024

• Kaspersky software banned from US due to national security concerns.
• New MoveIT SFTP vulnerability under active exploitation within hours of being disclosed.
• Snowflake data warehousing customers targeted in data theft campaign.
• A Chinese APT compromised more than 20,000 Fortinet infrastructure devices in a wide ranging zero-day campaign.
• Ransomware incident at US SaaS supplier CDK heavily impacts more than 15,000 car dealerships.
• Notable AI cybersecurity stories.

Download report

LiselotteP

July 2024

This month, we delve into significant events impacting the cybersecurity landscape, including the Crowdstrike outage and the ongoing repercussions of the ransomware attack on Kadokawa Corporation in Japan. We also highlight a critical vulnerability in OpenSSH that could pose risks to many users. Amidst the challenges, there are positive developments as international law enforcement takes action against cybercriminals.

1. Concerns Over Vulnerability Disclosure: The Zero Day Initiative raised issues regarding the lack of coordination in vulnerability disclosure processes, particularly highlighting instances where serious zero-days were patched without prior warning to researchers. This lack of communication can lead to security researchers opting to release exploits as zero-days, which could force vendors to respond more rapidly to vulnerabilities.
2. AI Vulnerability Reporting Issues: There are significant concerns regarding the lack of structured vulnerability reporting and tracking for AI and large language models (LLMs). A researcher reported difficulties in getting a denial-of-service vulnerability acknowledged by Microsoft, which initially classified it as a product suggestion rather than a security issue. This reflects a broader issue of inadequate collaboration and transparency in the AI sector.
3. Increased Exploits: There was a notable increase in detections of a 2017 Microsoft Office Equation Editor CVE, which was reportedly exploited by North Korean actors in attacks targeting the aerospace and defense sectors. This highlights ongoing threats from state-sponsored actors.
4. Ransomware Impact: The report discusses the ongoing impact of a ransomware attack on Kadokawa Corporation, emphasizing the diverse sectors affected and the variety of data stolen. This incident illustrates the extensive ramifications of ransomware attacks on businesses.
5. Law Enforcement Actions: International law enforcement agencies have successfully shut down a Russian AI bot farm involved in covert influence operations, seizing domains and social media accounts used for disinformation campaigns. This operation underscores the ongoing battle against cyber influence and propaganda.
6. Cyber Threats to Major Events: The report includes an analysis of cyber threats facing the Paris 2024 Olympics, indicating that high-profile events attract significant unwanted interest from cyber adversaries.

Download report