April 2022

Cyber threats of the past 30 days as seen by Gatewatcher's CTI analysts

Identified Indicators of Compromise (IOCs)


Identified compromise reports


Highlight of the month

This month, let’s take a look back at Conti, which has recently been in the news. 

This Russian-based cybercriminal group, operating since 2019, is best known for its “Ransomware as a service” (RaaS) activities.

In response to Russia’s attack against Ukraine in February 2022, the Conti group published an announcement proclaiming its support for Russia in the conflict. Shortly after the message was published, on February 27, 2022, a pro-Ukrainian security researcher posted an archive containing communications between Conti members as well as screenshots, source code and internal Conti documentation via the @ContiLeaks Twitter account.

The analysis of the revealed data shows how the group operates. It is actually organized like a typical hi-tech company, with teams, managers, and direct communication between these groups. The Conti teams are offered training courses with textual or video support that deal with obfuscation techniques (vmprotect-2, ADVobfuscator), privilege escalation (LPE, UAC override) or sandbox detection (mac addresses, cpuid, …). The leaked documents also describe a structured organization, with processes: task assignment and follow-up, bug reports, tools and configuration to apply…

In order to test their products in real life situations, Conti’s teams have also dedicated substantial resources to obtain detection hardware and software solutions from the main cybersecurity players on the market to improve the “quality” and performance of future attacks.

Despite the magnitude of this leak, Conti seems to have suffered little: Still in business, the group has replaced the exposed servers and has already made new victims.


common vulnerabilities & exposures


malware families

Definition of the month

The Traffic Light Protocol (TLP) is a protocol designed for sending and managing the sharing of sensitive information, created by the National Infrastructure Security Coordination Centre (NISCC) of the British government in the early 2000s. This protocol allows data to be sent with one of four colors, each corresponding to a level of confidentiality. This allows the sender to choose the extent to which his information can, or cannot, be shared.

Colour is red: the information must not be disclosed, it is reserved for the recipients.
Colour is orange: the information is intended for a restricted group of people.
Color is green: the information can circulate within a community but is not intended to be disclosed on the internet.
Color is white: the information can be freely distributed, provided that the distribution is not against the law.

If a recipient wishes to share the information beyond the color indicated by the sender, he or she must request it. Also, it is the sender’s responsibility to ensure that recipients understand the TLP and how to apply it.


targeted sectors


threats categories

About the cyber threats barometer

Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks…It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by LastInfoSec, Gatewatcher’s Cyber Threat Intelligence (CTI) platform.

LastInfoSec’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.