July 2024

Cyber threats
Barometer

Every month, cyber threats as seen by Gatewatcher’s CTI analysts
Le Lab Gatewatcher
161 846 identified Indicators of Compromise (IoCs)
86 639 identified compromise reports (sum of IoCs)

Highlight of the month

PlugX

Not a month goes by without a new operation against malware authors. After Operation EndGame in May 2024, followed by Operation Morpheus in June 2024, July 2024 completes the series with a major operation targeting a network of zombie machines infected with the PlugX (S0013) malware.

A press release from the Paris judicial court on July 25 announced the success of a joint international operation by various private and public bodies. This success was made possible by taking control of the IP address of a command-and-control (C2) server and using a specific payload to disinfect the controlled systems.

PlugX malware (also known as Sogu or RedDelta) is no stranger. This RAT (Remote Access Trojan) was first identified in 2008, at the time targeting mainly Japanese entities. It then spread across Asia before reaching the rest of the world. The transformation of this Trojan into a worm (self-replicating malware) appears to date back to 2020.

Unlike other botnets that exploit vulnerabilities or use default passwords (such as Mirai or Mozi), PlugX is transmitted via USB key. The publication of technical details (transmission mode, disinfection) highlights two important points. Firstly, as only one IP address linked to the C2 server has been recovered, others are still active, not to mention existing variants of this malware. Secondly, this latest operation will not be enough to stem the tide of infection: while the payload deployed during the dismantling operation is capable of disinfecting a USB stick when it is plugged into a controlled system, infected and unreachable sticks remain in circulation.

This serves as a reminder that a threat is not obsolete simply because it is old, and that good security practices such as automatic scanning of USB devices on workstations can drastically reduce risks.

TOP COMMON VULNERABILITIES & EXPOSURES (%)

TOP TARGETED BUSINESS SECTORS (%)

Definition of the month

A botnet (from the contraction of robot network), or “zombie machine network”, refers to a group of devices under the control of a single control center (C2) or attacker. These devices can be personal computers, but also any IoT (Internet of Things) device, i.e. an everyday object connected to the Internet, or network equipment.

The possible uses of a botnet are varied. They range from distributed denial-of-service (DDoS) attacks to the provision of virtual private networks (VPNs) to cybercriminals, and botnets can also relay spam, phishing or crypto-mining campaigns. Well-known botnets include Mirai and its variants. Mainly targeting network and IoT equipment, Mirai is characterized by its ability to self-replicate.

TOP MALWARE FAMILIES (%)

TOP THREAT CATEGORIES (%)

About the Cyber Threat Barometer

Malware, critical vulnerabilities, advanced persistent threats, particularly targeted industries, weak signals of emerging attacks… It’s no secret that knowledge of one’s adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected by Gatewatcher CTI, our Cyber Threat Intelligence platform.

Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than 4000 data sources from multiple channels: social networks, specialized sites, and the dark and deep web. They make threat information available an average of 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident-handling times.


Cyber Threats Barometer: Your monthly cyber threats overview as seen by Gatewatcher’s CTI analysts