Top cybersecurity threats for
July 2023

Author: Phil Muncaster

On the third Wednesday of every month, the Verizon Threat Research Advisory Center (VTRAC) holds a Monthly Intelligence Briefing (MIB) to discuss the current cybersecurity threat landscape. Below is the summary of their most recent briefing and here is the July recording of the briefing.

Listen now

Condition based maintenance icon

1. Clop became the most prolific ransomware actor in June thanks to the MOVEit campaign

Security alert

2. Microsoft published details on six zero-day vulnerabilities in the July Patch Tuesday

laptop hackers

3. Chinese threat actor compromised government emails via forged tokens

Top cybersecurity news

July 2023 cybersecurity and threat intelligence news you should know about.

  • BreachForums administrator pleaded guilty to charges of hacking and possession of child pornography
  • A VirusTotal leak following an insider error led to the exposure of names and email addresses of defense and intelligence workers
  • A teenage member of the Lapsus hacking group accused of hacking Uber and Revolut and attempting to blackmail the developers of Grand Theft Auto has been assessed by psychiatrists as not fit to stand trial
  • Some 15,000 Citrix servers remained exposed to a critical zero-day vulnerability (CVE-2023-3519), a security non-profit has warned

Like what you're reading?

If you’d like to receive new articles, solutions briefs, whitepapers and more—just let us know.

Sign up

The information provided will be used in accordance with terms set out in our Privacy Policy.

The Clop ransomware group became the most prolific ransomware actor in June thanks to MOVEit campaign

Top takeaways:

  • Clop surpassed LockBit, with the most ransomware victims to its name (91) in June
  • Total victims of Clop's MOVEit campaign stood at 492, with 23 million individuals impacted
  • Clop was leaking stolen data on easily accessible surface websites to force ransom payments

Clop became the number one ransomware group by victim count in June, thanks to the MOVEit campaign, which exploited a zero-day bug in the popular file transfer software. Verizon recorded 91 victims for the group during the month, versus 62 for LockBit in second place. The MOVEit campaign now has 492 known victims and has impacted around 23 million individuals. Overall, Verizon recorded 434 ransomware victims in June, pushing the total year-to-date count to 2,304.

Clop has also been observed evolving its tactics to improve return on investment. The group launched a surface website to publish data stolen from MOVEit victim PwC, in an attempt to force payment. The technique, pioneered by the ALPHV/BlackCat group, is marketed to customers of compromised companies as a way to check if they are impacted by a breach and pressure these companies into paying.

Microsoft publishes details on six zero-day vulnerabilities in the July Patch Tuesday

Top takeaways:

  • Microsoft announced six zero-day vulnerabilities in its July Patch Tuesday set of updates
  • The firm patched four out of six zero-day flaws
  • One unpatched vulnerability was being actively exploited by threat actor Storm-0978

Microsoft announced 132 fixes for vulnerabilities in July's Patch Tuesday, including four for zero-day vulnerabilities being actively exploited in the wild. However, there were no updates for a further two zero-days also being exploited. ADV230001 is new guidance on Microsoft Signed Drivers being used maliciously, while CVE-2023-36884 is actively being exploited by an actor known as Storm-0978 (aka RomCom). Based in Russia, the actor is thought to be driven by both financial and cyberespionage motives.

CVE-2023-36884 is a remote code execution vulnerability affecting Office and Windows HTML. Microsoft said it was used to target organizations attending a NATO summit with ransomware and espionage attacks using the RomCom backdoor. Microsoft released mitigations for the flaw and promised a fix soon.

Chinese threat actor compromises U.S. government emails via forged authentication tokens

Top takeaways:

  • Microsoft revealed that sophisticated Chinese actor Storm-0558 accessed customer emails
  • Around 25 organizations and associated consumer accounts were impacted
  • The U.S. ambassador to China and Commerce Department secretary were among those affected

A sophisticated attack on Microsoft email accounts impacted the accounts of the Commerce Department Secretary and the U.S. ambassador to China. Microsoft linked the campaign to Chinese state-backed threat actor Storm-0558. It said the actor used an acquired Microsoft account (MSA) consumer signing key to forge Azure AD tokens, which it did by exploiting a validation error in Microsoft code. This allowed it to access victims' emails via Outlook Web Access (OWA) and

Following negotiations with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft has agreed to provide access to expanded cloud logging capabilities to Azure customers at no extra charge. This will give administrators greater visibility into their cloud environments and hopefully enable them to react quicker to similar events in the future.

Related briefings

Learn more about the ever-evolving nature of security threats and complex risk environments.

Related products

Cyber Risk Management

To help build an evidence-based cyber risk management program and improve your threat defense.

Rapid Response Retainer

To help accelerate response to serious attacks.

Web Application Firewall

To help mitigate the risks associated with the exploitation of public-facing applications.

Advanced Security Operations Center (SOC) Services

To help detect and contain sophisticated threats and help prevent them from spreading.

  • Learn more

Let's get started.