July 2023 cyber threat intelligence briefing
At a glance, this MIB covered:
Top cybersecurity news
July 2023 cybersecurity and threat intelligence news you should know about.
- BreachForums administrator pleaded guilty to charges of hacking and possession of child pornography
- A VirusTotal leak following an insider error led to the exposure of names and email addresses of defense and intelligence workers
- A teenage member of the Lapsus$ hacking group, accused of hacking Uber and Revolut and of attempting to blackmail the developers of Grand Theft Auto, has been assessed by psychiatrists as not fit to stand trial
- Some 15,000 Citrix servers remained exposed to a critical zero-day vulnerability (CVE-2023-3519), a security non-profit has warned
The Clop ransomware group became the most prolific ransomware actor in June thanks to the MOVEit campaign
- Clop surpassed LockBit, with the most ransomware victims to its name (91) in June
- Total victims of Clop's MOVEit campaign stood at 492, with 23 million individuals impacted
- Clop was leaking stolen data on easily accessible surface websites to force ransom payments
Clop became the number one ransomware group by victim count in June, thanks to the MOVEit campaign, which exploited a zero-day bug in the popular file transfer software. Verizon recorded 91 victims for the group during the month, versus 62 for LockBit in second place. The MOVEit campaign now has 492 known victims and has impacted around 23 million individuals. Overall, Verizon recorded 434 ransomware victims in June, pushing the total year-to-date count to 2,304.
Clop has also been observed evolving its tactics to improve its return on investment. The group launched a surface website to publish data stolen from MOVEit victim PwC, in an attempt to force payment. The technique, pioneered by the ALPHV/BlackCat group, is marketed to customers of the compromised company as a way to check whether they are affected by the breach, and it puts additional pressure on the company to pay.
Microsoft publishes details on six zero-day vulnerabilities in the July Patch Tuesday
- Microsoft announced six zero-day vulnerabilities in its July Patch Tuesday set of updates
- The firm patched four out of six zero-day flaws
- One unpatched vulnerability was being actively exploited by threat actor Storm-0978
Microsoft announced 132 fixes for vulnerabilities in July's Patch Tuesday, including four for zero-day vulnerabilities being actively exploited in the wild. However, there were no updates for a further two zero-days also being exploited. ADV230001 is new guidance on Microsoft-signed drivers being used maliciously, while CVE-2023-36884 is being actively exploited by an actor known as Storm-0978 (aka RomCom). Based in Russia, the actor is thought to be driven by both financial and cyberespionage motives.
CVE-2023-36884 is a remote code execution vulnerability affecting Office and Windows HTML. Microsoft said it was used to target organizations attending a NATO summit with ransomware and espionage attacks using the RomCom backdoor. Microsoft released mitigations for the flaw and promised a fix soon.
Chinese threat actor compromises U.S. government emails via forged authentication tokens
- Microsoft revealed that sophisticated Chinese actor Storm-0558 accessed customer emails
- Around 25 organizations and associated consumer accounts were impacted
- The U.S. ambassador to China and Commerce Department secretary were among those affected
A sophisticated attack on Microsoft email accounts affected the Commerce Department Secretary and the U.S. ambassador to China. Microsoft attributed the campaign to Chinese state-backed threat actor Storm-0558. It said the actor used an acquired Microsoft account (MSA) consumer signing key to forge authentication tokens, and that a token validation error in Microsoft code caused those tokens to be accepted for Azure AD accounts. This gave the actor access to victims' emails via Outlook Web Access (OWA) and Outlook.com.
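As an added illustration (not code from the briefing or from Microsoft), the following constructed example shows the class of validation error described above: a token verifier that accepts any known signing key regardless of which issuer published it, beside one that only trusts keys published for the issuer the token claims. Issuer URLs, key IDs and secrets are hypothetical, and HMAC stands in for the asymmetric signatures real tokens use.

```python
import base64
import hashlib
import hmac
import json

# Constructed key material with hypothetical issuer names and key IDs. Real tokens are
# signed with per-issuer asymmetric keys; HMAC stands in here to stay dependency-free.
CONSUMER = "https://login.example.test/consumer"
ENTERPRISE = "https://login.example.test/enterprise"
KEYS_BY_ISSUER = {
    CONSUMER: {"kid-consumer-1": b"consumer-secret"},
    ENTERPRISE: {"kid-enterprise-1": b"enterprise-secret"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, kid: str, key: bytes) -> str:
    """Build a compact JWS-style token: header.claims.signature, each base64url-encoded."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def _verify(token: str, candidate_keys: dict):
    """Return the claims if the signature checks out against one of candidate_keys, else None."""
    head_b64, body_b64, sig_b64 = token.split(".")
    key = candidate_keys.get(json.loads(_b64url_decode(head_b64)).get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(body_b64))

def validate_weak(token: str, expected_issuer: str):
    # Weak: a key from any issuer may vouch for the token, so a valid signature made with a
    # consumer key is enough for an attacker-chosen "iss" claim to be accepted.
    every_key = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    claims = _verify(token, every_key)
    return claims if claims and claims.get("iss") == expected_issuer else None

def validate_strict(token: str, expected_issuer: str):
    # Hardened: look the "kid" up only in the key set published for the expected issuer,
    # so a key belonging to another issuer can never authenticate its tokens.
    claims = _verify(token, KEYS_BY_ISSUER.get(expected_issuer, {}))
    return claims if claims and claims.get("iss") == expected_issuer else None
```

Signing claims with `iss` set to ENTERPRISE but using the consumer key yields a token that `validate_weak` accepts and `validate_strict` rejects.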
Following negotiations with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft agreed to provide expanded cloud logging capabilities to Azure customers at no extra charge. This gives administrators greater visibility into their cloud environments and should enable them to react more quickly to similar events in the future.