Cyber Intel Brief: July 14 – 20, 2022

Ransomware

North Korean Threat Actor Targets Small and Midsize Businesses with H0lyGh0st Ransomware

Impacted Industries: Small and Medium-sized Businesses

What You Need To Know:

According to the Microsoft Threat Intelligence Center (MSTIC), a North Korean threat group tracked by Microsoft as DEV-0530 (self-named H0lyGh0st) has been developing and deploying the H0lyGh0st ransomware against small businesses in several countries since June 2021. MSTIC has also observed communications between DEV-0530 and PLUTONIUM, and DEV-0530 using tools created by PLUTONIUM.


Ransomware

BlackCat Ransomware Attacks Not Merely a Byproduct of Bad Luck

Impacted Industries: All

What You Need To Know:

Sophos has observed threat actors exploiting firewall devices for initial access and using numerous publicly available tools in BlackCat ransomware incidents since December 2021.


Techniques

How Watchdog Smuggles Malware into Your Network as Uninteresting Photos

Impacted Industries: Unknown

What You Need To Know:

Lacework Labs assesses with moderate confidence that the cryptomining threat group WatchDog is using a steganography-based malware it has identified. The malware has three parts: a downloader, an image payload (a low-resolution image that carries the hidden code), and the embedded malware itself.
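As an added example (not code from the Lacework report or from the WatchDog tooling), the check below looks for one common way of pairing an innocuous picture with hidden code: bytes appended after the image's end-of-image marker. That embedding method is an assumption here; the report as summarized above does not say how WatchDog hides its payload, and payloads hidden in pixel data or ancillary metadata chunks are not caught by this check. The sample PNG and JPEG are constructed inline so the script runs offline.

```python
import struct
import zlib

# Added example: detect data appended after an image terminator. Assumes the payload sits
# after IEND (PNG) or EOI (JPEG); payloads inside pixel data or metadata are NOT detected.

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list; return the offset just past IEND, or -1 if malformed."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + data + CRC
        if pos > len(data):
            return -1                  # truncated chunk
        if ctype == b"IEND":
            return pos
    return -1


def jpeg_end_offset(data: bytes) -> int:
    """Walk JPEG marker segments and scan data; return the offset just past EOI, or -1."""
    if data[:2] != b"\xff\xd8":
        return -1
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                return -1              # non-marker bytes between segments
            pos += 1                   # entropy-coded byte
            continue
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte
            pos += 1
            continue
        if in_scan and (marker == 0x00 or 0xD0 <= marker <= 0xD7):
            pos += 2                   # stuffed 0xFF or RSTn inside scan data
            continue
        if marker == 0xD9:             # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                   # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            return -1
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        in_scan = marker == 0xDA       # entropy-coded data follows an SOS header
        pos += 2 + seglen
    return -1


def trailing_payload(data: bytes) -> bytes:
    """Return whatever follows the image terminator (b'' for a clean file)."""
    if data.startswith(PNG_SIG):
        end = png_end_offset(data)
    elif data[:2] == b"\xff\xd8":
        end = jpeg_end_offset(data)
    else:
        raise ValueError("not a PNG or JPEG")
    if end < 0:
        raise ValueError("malformed image")
    return data[end:]


# --- constructed samples for demonstration (no real malware involved) ------------------

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(payload: bytes) -> bytes:
    """A valid 1x1 red RGB PNG with `payload` appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + payload)


def build_sample_jpeg(payload: bytes) -> bytes:
    """A structurally valid (not decodable) JFIF stub with `payload` appended after EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                        # includes a stuffed 0xFF00
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    samples = (("png", build_sample_png(b"#!/bin/sh\necho hidden\n")),
               ("jpeg", build_sample_jpeg(b"MZ\x90\x00")),
               ("clean png", build_sample_png(b"")))
    for name, img in samples:
        extra = trailing_payload(img)
        print(name, len(extra), "trailing bytes", extra[:16])
```

Run against a directory of images pulled from a proxy cache or a suspicious download, any file with a non-empty trailing payload deserves a closer look; a zero-length result only means this particular hiding place is empty.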


Threat Actors

8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts

Impacted Industries: All

What You Need To Know:

SentinelOne has observed the cryptomining group 8220 Gang grow its botnet to almost 30,000 infected hosts in its most recent campaign. The group typically targets cloud environments running insecure or misconfigured Linux applications and services.


Threat Actors

Russian APT29 Hackers Use Online Storage Services Dropbox and Google Drive

Impacted Industries: Government

What You Need To Know:

Palo Alto Networks' Unit 42 published a report outlining APT29's evolving tactics: in two of its most recent malware campaigns the group, which has previously relied on Dropbox, used Google Drive services for the first time.


Threat Actors

Amid Rising Magecart Attacks on Online Ordering Platforms, Recent Campaigns Infect 311 Restaurants

Impacted Industries: Accommodation and Food Services, Retail Trade

What You Need To Know:

Recorded Future has uncovered two ongoing Magecart campaigns that injected e-skimmer scripts into the online ordering pages of restaurants using the MenuDrive, Harbortouch, or InTouchPOS platforms. Across the three platforms, at least 311 restaurants were infected with e-skimmers and over 50,000 payment card records were compromised.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events, because analytic judgments are not certainties. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or remote event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.


Subscribe to the Deepwatch Insights Blog