June 2022


Cyber threats of the past 30 days as seen by Gatewatcher’s CTI analysts
269 294

Indicateurs de compromission (IOCs) identifiés

100 779

Rapports de compromission identifiés (regroupement d’IoCs)


Let’s focus this month on Mirai, which accounted for nearly 30% of malware detections over the month of May in our Cyber Threat Barometer.

Mirai is a malware, more precisely a botnet, first observed in 2016, which infects IOT machines (routers, cameras, etc.) exposed on the internet.It was originally the project of a student at Rutgers University in the United States, with the aim of launching DDoS attacks on his university’s servers or Minecraft servers.

In October 2016, Mirai’s source code was published on the internet with the aim of disguising its origin, so it will be used as is or as a basis for many other botnets.

The rise of Mirai is seen in attacks targeting services such as Krebs on Security, Dyn DNS, or OVH with an attack rate exceeding Terabit per second.Once a machine is infected, Mirai can take the following actions: delete the binary and change the process name to escape detection, block the reboot of the host terminal, disable administrative services (Telnet, SSH), destroy any other malware present on the host, and scan the network for new targets.

Today, Mirai-based malware has evolved, it has been rewritten to target all kinds of Linux machines exposed on the Internet: IOT, mobile, cloud infrastructure. Among the variants are Satori, OMG or more recently, Beastmode. These variants do not change the fundamental functioning of Mirai and are often improved versions, which include more techniques. In addition to the default ID lists, they use recent CVEs such as Log4j to propagate, but are still recognizable by the use of techniques already present in the original code. Mirai and its many variants therefore remain an active and constantly evolving threat.


common vulnerabilities u0026 exposures [CVE]


malware families


Structured Threat Information eXpression (STIX™), is a language used to exchange cyber threat information in a common, standardized format.
Developed by MITRE and the OASIS Cyber Threat Intelligence Technical Committee, it is an open-source project whose idea is the sharing of comprehensive and rich cyber threat information across organizational and community silos. Often this information comes from a specific structure or group, and is not originally designed for broad, standardized sharing.

Data in the STIX format can be visually represented for analysis, or it can be computer processed in JSON.\

The main goals of the STIX project are:

  • Expressiveness: provide expressive coverage for as many use cases as possible rather than just a few.
  • Flexibility: highlighting relevant information and avoiding mandatory features.
  • Extensibility: build extensions for particular domains.
  • Automation: to support the automation of processing by machines.
  • Readability: to also be readable by humans.

MITRE asserts that a community project like STIX, aiming at the establishment of an efficient and mature cyber intelligence, is essential to unite efforts against cyber attackers and cyber threats.


targeted business sectors


threats categories


Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks…It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI , our Cyber Threat Intelligence platform.

Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.