Top 10s in Cybersecurity for June’23: 365° Security

Cyber threats continue to grow and pose severe risks to people, businesses, and even countries as the globe becomes more linked. Several major cyber incidents made headlines around the world in June 2023. These occurrences, which range from ransomware assaults to data breaches, show how critical it is to have robust cybersecurity procedures in place. In this article, we’ll go further into some of June’s most notable cyber events, discussing their aftermath and any lessons we may draw from them.

Ensar Seker

11 min readJul 14, 2023

What Happened on the Dark Web in June’23?

New Ransomware that Emerged in June’23

Ransomware with Numbers in June’23

Top 10 Ransomware Groups in June’23

Top 10 Threat Actors in June’23

Top Malware Families in Q2'23

Top Malware Types in Q2'23

Top 10 Cyber Incidents in June’23

WebAPK Phishing Attacks

WebAPK Phishing Attacks are sophisticated phishing attacks that utilize WebAPK technology to install a malicious application on Android devices.

WebAPK is a technology that allows the creation of web applications that can be installed on Android devices as native applications. This is part of a broader trend called Progressive Web Apps (PWA), which aims to enhance the functionality and performance of web applications. A key feature of WebAPK technology is that it allows the installation of web applications directly from the browser, bypassing the Google Play Store.

The attack process began with victims receiving SMS messages suggesting the need to update a mobile banking application. The link in the message led to a site that used WebAPK technology to install a malicious application on the victim’s device. The installation process did not trigger typical warnings about installations from untrusted sources.

After installation, the application presented the user with an interface imitating a mobile banking login panel. Subsequent screens asked the user for a login, password, 2FA code, and an SMS code already being used for transaction authorization.

WebAPK technology poses a serious threat due to its ability to install a malicious application without displaying typical warnings associated with installations from untrusted sources. The application then mimicked the mobile banking interface to defraud users of their login details and authorization codes.

2. Anonymous Sudan Campaign

Here are the key points from Anonymous Sudan Campaign;

I. Anonymous Sudan was born out of opposition to perceived international hostilities towards Sudan. They issued a clear statement that they would attack any country with cyberattacks against those who oppose Sudan.

II. The group has targeted various sectors across multiple countries, including Sweden, the Netherlands, Germany, Denmark, the U.S., France, Australia, Israel, and India. The sectors targeted include government institutions, military, education, banking, airports, healthcare, and technology companies like Microsoft.

III. The group has shown a strategic approach to its cyberattacks, focusing on key sectors that are critical to a nation’s function and well-being. These include healthcare, education, finance, and critical infrastructure.

IV. The primary method of attack used by Anonymous Sudan is Distributed Denial of Service (DDoS) attacks, which overload servers with an immense volume of requests, causing the targeted systems to slow down or crash. This service disruption can lead to significant financial and reputational damage for the targeted organizations.

V. In some instances, the group demands a ransom to cease their attacks, adding another layer of complexity and potential financial burden to the victims of these cyber-attacks.

VI. The group has also shown a willingness to collaborate with other hacker groups, indicating the emergence of cross-national hacker alliances.

VII. The group’s actions have escalated over time, with the targeting of healthcare infrastructure representing a dangerous escalation in Anonymous Sudan’s activities. Attacks on healthcare facilities could potentially have life-threatening consequences.

VIII. The group’s activities signify a shift in the landscape of cyber warfare, highlighting the emergence of cross-national hacker alliances. Alongside Anonymous Sudan, the ‘Infinity Hackers Group,’ ‘KILLNET,’ and ‘ANONYMOUS RUSSIA’ are mentioned.

3. New Ransomware Family: Big Head

The infection routine of the third sample of the Big Head ransomware

Introduction: Big Head ransomware, also known as JSSLoader, is a potent threat that has been active since 2019. It is often used in conjunction with other malware, such as Emotet and TrickBot.

Variants: The ransomware has several variants, including BigHead, JSSLoader, and IEncrypt. Each variant has its unique characteristics, but they all share the same basic functionality of encrypting victims’ files and demanding a ransom.

Tactics: The ransomware uses a variety of tactics to infect systems. These include phishing emails, exploit kits, and malicious attachments. Once inside a system, it uses advanced techniques to evade detection and establish persistence.

Impact: The impact of Big Head ransomware is significant. It has affected numerous organizations worldwide, causing substantial financial losses and operational disruptions. The healthcare sector has been particularly hard hit.

Mitigation and Prevention: Regular backups, patching and updating systems, employee education, and the use of advanced security solutions.

4. Emerging Threat Actor: Storm-0558

According to Microsoft, the actor had gained access to the email accounts of approximately 25 organizations, including government agencies and related consumer accounts. Microsoft has been working with the impacted customers and notifying them before going public with further details.

The incident was first reported on June 16, 2023, and the investigation revealed that the actor had gained access to email data from May 15, 2023, using forged authentication tokens. Microsoft has completed the mitigation of this attack for all customers and has added automated detections for known indicators of compromise associated with this attack.

Microsoft’s real-time investigation and collaboration with customers and government agencies, such as DHS CISA, were key to the rapid mitigation of the attack. The company emphasizes its commitment to keeping its customers safe, learning from incidents, and hardening its identity/access platforms to manage evolving risks.

5. New Decryption for Akira Ransomwar

The Akira ransomware is a 64-bit Windows binary written in C++ and uses the Boost library to implement the asynchronous encryption code. A Linux version, which also uses the Boost library, was published by a security researcher in June 2023.
The ransomware generates a symmetric encryption key using CryptGenRandom(), a random number generator implemented by the Windows CryptoAPI. Files are encrypted by Chacha 2008, and the symmetric key is encrypted by the RSA-4096 cipher and appended to the end of the encrypted file.
The ransomware has a list of files and folders it does not encrypt, including .exe, .dll, .lnk, .sys, .msi, and akira_readme.txt files, and folders such as winnt, temp, thumb, $Recycle.Bin, System Volume Information, Boot, Windows, and Trend Micro.
The ransomware has similarities to the Conti v2 ransomware, suggesting that the authors of Akira may have been inspired by the leaked Conti sources.
The Avast team has developed a decryption tool for files encrypted by ransomware. The tool is a 64-bit binary, and the article provides detailed instructions on how to use it.
The Linux version of the ransomware works identically to its Windows counterpart. The Avast team is currently developing a Linux version of their decryptors, but in the meantime, the Windows version of the decryptor can be used to decrypt files encrypted by the Linux version of the ransomware using the WINE layer.

6. Lockbit Interview

This is a summarized version of the interview with the Lockbit ransomware group administrator, identified as LB0:

Lockbit was founded on September 3rd, 2019, due to dissatisfaction with other groups. LB0 is a veteran of the ransomware scene.
The name Lockbit was derived from the words “lock” and “byte.”
Lockbit was not started alone. The team includes over ten members, including pen testers, developers, money launderers, testers, and negotiators.
Substance abuse is an issue in ransomware groups, with some members using cocaine or marijuana.
The current Lockbit team is still present in Lockbit 3.0. If people leave, LB0 recruits new members.
LB0 manages internal conflicts by firing or creating conditions for the person to leave on their own.
LB0 hires different specialists for any work, acting as a manager.
LB0 enjoys his job and doesn’t feel stressed, despite running a large cyber cartel.
Lockbit has no more than 100 affiliates at the moment, but LB0 dreams of having 300 partners.
LB0 does regular purges and blocks inactive affiliates.
LB0 personally negotiates for an increased percentage, ranging from 30 to 50%, depending on the complexity and effectiveness of the negotiations.
LB0 has observed a decrease in affiliates since the beginning of the Russian-Ukrainian conflict.
Cashing out ransoms is not difficult, according to LB0. Money is transferred to Chinese exchangers, then to another exchange, then to drop-off cards.
LB0 meets money mules in person who doesn’t know his true identity. They are trusted with $1,000-$7,000 and are given a 5% cut.
LB0 invests the cashed-out money immediately into the business and mixes it with legal money to inflate business profits and launder money.
LB0 owns three restaurants in China and two in New York.
LB0’s messages to threat intelligence, the FBI, and antivirus companies are: “Work better,” “Free Assange,” and “Don’t watch your users,” respectively.

7. Clop Leaks

The “Clop” ransomware group has been exploiting the MOVEit Transfer zero-day vulnerability (CVE-2023–34362). The group has been naming and threatening to leak data from various organizations if no ransom is paid. Here are the key points for the Clop Leaks:

As of July 5, 2023, Clop has named 36 additional organizations, spanning the insurance and technology industries, among others. Over 80% of these organizations do business in the United States.
Clop tends to release data in the same order as it names organizations, with about ten days between the initial naming and the release of data.
The group has not shown signs of slowing down.
Clop has been carrying through with its ransom threats, leaking the business information of several organizations.
The group has also been adding new organizations to its ransom list, including accounting firms and technology companies.
The majority of victims named so far are from the US, with others from Switzerland, Canada, Belgium, and Germany. The victims span a range of industries, including financial services, healthcare, and pharmaceuticals.
This is the third time that Clop has exploited major vulnerabilities in enterprise-managed file transfer (MFT) software to target third-party victims. The group conducts data extortion, threatening to publicly release sensitive data stolen from MFT software.
More companies will be expected to be named on Clop’s data-leak site in the immediate future. For those organizations that refuse to pay a ransom, they expect data to be leaked in stages.
It is advised that organizations understand their MFT solution’s public footprint and take steps to harden their defenses. This includes restricting public MFT access to authorized users, setting up firewall rules to exclude unknown IP addresses, and quickly applying software patches.

8. New Playground for Scammers: Threads and BlueSky

Threads, introduced by Meta (formerly Facebook), aims to bring communities together for discussions on a wide range of topics. It offers users the opportunity to connect with their favorite creators and like-minded individuals who share similar interests.
BlueSky is a decentralized social network protocol with an associated social networking service. It was conceptualized by former Twitter CEO Jack Dorsey and developed in parallel with Twitter. BlueSky has a Twitter-like user interface with algorithmic choice, a federated design, and community-specific moderation.
The risks of not creating official accounts on these new platforms include the possibility of someone else taking over your company’s name and impersonating your business. This can lead to financial loss and tarnish your company’s reputation.
Threat actors can exploit your brand name to carry out phishing attacks or distribute malicious links that can lead unsuspecting users to phishing websites or download malware onto their devices.
Companies should educate employees about emerging threats, such as the proliferation of fake social media sites created to deceive unsuspecting individuals, especially when new social media platforms gain popularity.
If someone else claims your company’s name and uses it for malicious purposes, it can have severe consequences for your brand’s reputation. Rebuilding a damaged reputation takes time, effort, and resources, potentially resulting in financial losses and the loss of valuable customers.

In a nutshell, while new social media platforms like Threads and BlueSky offer exciting possibilities, it is crucial to weigh the potential risks if you do not have a digital presence on these platforms yet. Organizations need to proactively protect their digital presence and mitigate risks that can harm their brand, compromise sensitive data, and lead to reputational damage.

9. APT Profile: TURLA

The Turla group, also known as Snake, UNC4210, Venomous Bear, Waterbug, or Uroburos. Turla is a highly sophisticated Advanced Persistent Threat (APT) group, believed to be linked to the Russian Federal Security Service (FSB), and has been active since the late 1990s. The group is known for its stealthiness and adaptability, frequently changing its tactics, techniques, and procedures (TTPs) to evade detection and maintain persistence within its target networks.

Turla uses a variety of attack vectors, including spearphishing and watering hole attacks, to gain initial access to its target systems. The group has been observed taking control of expired domains associated with widespread, financially motivated malware like ANDROMEDA, and has also been known to leverage USB-spreading malware to gain initial access to organizations. In 2015, Turla was discovered to be hijacking satellite communications to control their malware and exfiltrate data.

Turla uses a wide range of custom-developed malware, as well as publicly available tools and known vulnerabilities, to achieve its objectives. Some of the notable tools and vulnerabilities associated with Turla include Agent.btz, ComRAT, KopiLuwak, TunnusSched (QUIETCANARY), Gazer, Carbon, HyperStack, and Kazuar.

Turla predominantly targets organizations in Ukraine, but its victims are located across the globe, with a particular focus on countries in Europe, Asia, and the Middle East. The group infiltrates a wide array of entities and conducts extensive victim profiling. This profiling allows the group to select specific victim systems and tailor their follow-on exploitation efforts to gather and exfiltrate information of strategic importance.

10. Stealer-as-a-Ransomware (StaR)

StaR operates in two stages. Initially, it acts as a stealer, infiltrating systems to extract valuable data. It targets sensitive information such as login credentials, financial data, and personal identification information. This data is then transmitted to the attacker’s server, providing a wealth of exploitable information.

Following the data exfiltration phase, StaR transitions into ransomware mode. It encrypts the victim’s files, rendering them inaccessible. The victim is then presented with a ransom note demanding payment in exchange for the decryption key.

Once all valuable data is stolen, the attackers encrypt the files and send a ransom note demanding payment in exchange for the decryption key and a promise to delete the stolen files.