May 2024

Cyber threats

Every month, cyber threats as seen by Gatewatcher’s CTI analysts
Le Lab Gatewatcher

253 046 identified Indicators of Compromise (IOCs)
100 353 identified compromise reports (sum of IoCs)

Highlight of the month

The month of May 2024 saw an increase in the number of actions taken by the authorities against cybercrime exchange platforms.

At the end of May, Operation Endgame, led by Europol and supported by France, which targeted MaaS (Malware as a Service) activities, led to the arrest of four suspects and the seizure of some 2,000 domains. Around a hundred servers were also seized during this large-scale operation, which required the coordination of police and cyber law enforcement agencies from a number of countries, including France, Denmark, Germany, the Netherlands, Ukraine, Portugal, the USA and the UK. The operation specifically targeted botnets (groups of computers controlled by the same operator for malicious purposes) as well as droppers (tools used to deliver malicious code). The operation is clearly still in its early stages.

The other notable event of May was the seizure of BreachForums by a coalition of police forces from various countries, including the FBI, leading to its temporary closure. BreachForums is a discussion forum and marketplace enabling cybercriminals to trade and sell stolen data.

[Image: capture of the seizure notice displayed on the BreachForums website]

On May 15, the arrest of one of the main administrators, known as Baphomet, and the seizure of servers enabled investigators to temporarily close the forum. The shutdown was short-lived, however, as the administrator managed to recreate the infrastructure a few days later. According to him, the FBI agents had unwittingly made a mistake by asking the domain name manager to redirect the forum's traffic to the page announcing the seizure without actually taking control of the domain name. The forum administrator then made a request to recover the domain name, enabling BreachForums to rise from the ashes. In addition, the FBI agents unwittingly facilitated this quicker-than-expected return by mistakenly seizing all the servers in the datacenter, some of which hosted perfectly legitimate services. The resulting procedural error forced the rapid return of the servers, and de facto the restoration of the malicious forum. To date, no public denial has been issued by the American institutions.

Definition of the month

A takedown is a technical or legal action designed to disable an implant, a botnet or a threat actor. It can take the form of server or domain name seizure, as was recently the case with BreachForums. A takedown can also take the form of a technical block on access to the infrastructure, via techniques such as DNS sinkholing, which can be implemented at ISP or registrar level. Finally, it can take a purely legal form, with the arrest and criminal prosecution of the masterminds behind a cybercriminal group.

About the Cyber Threat Barometer

Malware, critical vulnerabilities, advanced persistent threats, particularly targeted industries, weak signals of emerging attacks… It's no secret that knowledge of one's adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected by Gatewatcher CTI, our Cyber Threat Intelligence platform.

Gatewatcher CTI's automated collection, analysis and correlation engines are continuously fed by more than 4,000 data sources from multiple channels: social networks, specialized sites, and the dark and deep web. They make threat information available an average of 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident handling times.


Cyber Threats Barometer: Your monthly cyberthreat overview as seen by Gatewatcher’s CTI analysts