  • CHAPTER 1
    EXECUTIVE SUMMARY MAYA HOROWITZ, VP RESEARCH
  • CHAPTER 2
    2022 CYBER SECURITY TRENDS
    • Russia Ukraine War – The First Hybrid War that Forced Everyone to Take Sides
    • Country Extortion - Ransomware Groups Step Up to Nation State Actor Level
    • MICROSOFT BLOCKS INTERNET MACROS IN OFFICE – THE DEVELOPMENTS IN THE EMAIL INFECTION CHAINS
    • The Mobile Malware Landscape
    • Cloud Supply Chain Attacks
  • CHAPTER 3
    GLOBAL ANALYSIS
    • Cyber Attack Categories by Region
    • Global Threat Index Map
    • Top malicious file types-web vs. email
    • Global malware statistics
    • Top Multipurpose Malware
    • Top Infostealer Malware
    • Top Cryptomining Malware
    • Top Mobile Malware
  • CHAPTER 4
    HIGH PROFILE GLOBAL VULNERABILITIES
    • Atlassian Confluence – Remote Code Execution (CVE-2022-26134)
    • ‘Log4Shell’ Apache Log4j Remote Code Execution Vulnerability CVE-2021-44228
    • F5 BIG IP (CVE-2022-1388)
  • CHAPTER 5
    TOP ATTACKS AND CYBER BREACHES H1 2022
  • CHAPTER 6
    H2 2022: WHAT TO EXPECT AND WHAT TO DO
  • CHAPTER 7
    INCIDENT RESPONSE PERSPECTIVE
  • CHAPTER 8
    PREVENTION OF THE NEXT ATTACK IS POSSIBLE
  • CHAPTER 9
    MALWARE FAMILY DESCRIPTIONS
  • CHAPTER 10
    CONCLUSION

TOP ATTACKS AND CYBER BREACHES
H1 2022

In the first half of 2022, cyber attacks and major cyber breaches continued to be major threats to organizations in all sectors and all regions, putting the sensitive information of billions of people at risk and disrupting societies worldwide.
Below is a recap of the major attacks and breaches in each region.

AMERICAS
January
  • The Florida based healthcare provider Broward Health has suffered a significant breach impacting over 1.3 million individuals, in which cyber criminals gained access to patients’ medical information.
  • Albuquerque Public Schools in the US had to cancel classes after they were hit by a cyber-attack that compromised the student information system. This event follows a ransomware attack that impacted multiple government services across Bernalillo County in January.
  • The cryptocurrency exchange platform Crypto.com has announced that 483 user accounts were compromised in a recent hack, resulting in $35 million worth of unauthorized withdrawals.
February
  • Check Point Research has discovered a new implementation of the Trickbot banking Trojan. CPR counts over 140,000 machines infected by Trickbot since November 2020, as the threat actors try to steal credentials for financial and other services provided by 60 well-known corporations, including Amazon, Microsoft, Google and PayPal.
  • The FBI has announced that the BlackByte ransomware gang successfully broke into the networks of several US critical infrastructure organizations in the past three months.
  • Following an announcement by OpenSea about a contract migration they were planning, Check Point Research observed that hackers took advantage of the upgrade process and scammed NFT users, leading to the theft of millions of dollars.
  • US-based chipmaker Nvidia has been hit by a cyber-attack impacting its developer tools and email systems. It is claimed that the cyber criminals were hacked back, encrypting the data they had stolen.
March
  • The state-sponsored APT41 group (aka Wicked Panda), affiliated with China, has been successfully breaching US government networks for the past 6 months by exploiting vulnerable web-facing applications. Vulnerabilities included Log4Shell and a zero-day flaw in the USAHerds app tracked as CVE-2021-44207.
  • Check Point Research reveals how hackers performed flash loan attacks to claim free tokens on the ApeCoin cryptocurrency, fraudulently earning millions of dollars.
  • Morgan Stanley customer accounts have been breached in social engineering attacks carried out through vishing schemes. Hackers successfully transferred money to their own bank accounts.
April
  • A bug in Palo Alto Networks customer support tickets exposed information belonging to thousands of customers.
  • CISA and the US Department of Energy released a joint warning of attacks against internet-connected uninterruptible power supply (UPS) devices utilizing default usernames and passwords. Organizations can mitigate such attacks by removing management interfaces from the internet.
  • Check Point Research shows that 16% of organizations worldwide were impacted by Spring4Shell during the first 4 days after the vulnerability outbreak. VMware has released security updates to address this critical remote code execution flaw within its products.
  • The FBI has issued a warning addressed to the Food and Agriculture (FA) organizations on the greater risks of ransomware attacks during the harvest and planting periods.
  • CISA, the FBI and the US Treasury Department alert on the North Korean APT group Lazarus targeting companies in the blockchain and cryptocurrency sectors, using social engineering on employees.
May
  • A 15.3 million request-per-second DDoS attack was recorded by the internet infrastructure company Cloudflare, marking it one of the largest HTTPS DDoS attacks ever.
  • The FBI has warned of BlackCat ransomware after the group breached over 60 organizations worldwide.
  • Costa Rica has declared a State of Emergency following a devastating ransomware attack by the Conti gang. The attack affected many governmental organizations, including the Finance Ministry, the Costa Rican Social Security Fund, and the Ministry of Science, Innovation, Technology, and Telecommunications. An estimated $200 million was lost due to disruptions related to the tax and customs platforms.
  • Check Point Research reported how the Conti ransomware group has taken cybercrime to a new, geopolitical level. The group intervened in the internal politics of Costa Rica and in the relationship between Costa Rica and the US, essentially moving ransomware gangs to a new business stage of country extortion.
June
  • Costa Rica’s public health service was attacked by Hive ransomware, which shut off its computer systems. The Hive ransomware group demanded $5 million in Bitcoin to unlock the infected servers. This attack may be related to the Conti ransomware attacks on this and other government-related entities.
  • Researchers revealed a zero-day vulnerability in Microsoft Office that might enable remote code execution on a victim’s machine. The vulnerability, dubbed “Follina”, uses the remote template feature in Word to retrieve an HTML file from a remote server, and can execute PowerShell by using the ms-msdt MSProtocol URI scheme.
  • Researchers have revealed a major phishing scam targeting Facebook users through the company’s Messenger app, in which 1M credentials were stolen in 4 months. The campaign peaked in April-May 2022 but has been active since at least September 2021.
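The Follina chain described above leaves two observable traces a defender can triage offline: a Word document whose settings relationships point to an external template URL, and a fetched template page that references the ms-msdt: handler. The following added example (written for this page, not code from the Check Point report) checks both; the .docx parts and the HTML snippet are constructed in memory and the URL is a placeholder.

```python
# Added example: triage checks for the Follina delivery chain (remote template
# relationship in a .docx, ms-msdt: URI in the fetched template page).
# The sample documents and HTML below are constructed for the demo.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/"
                     "2006/relationships/attachedTemplate")
MSDT_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_templates(docx_bytes: bytes) -> list:
    """Return attached-template targets in word/_rels/settings.xml.rels
    whose TargetMode is External, i.e. templates loaded from a remote URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits  # no settings relationships at all: nothing to flag
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target"))
    return hits


def html_carries_msdt(html: str) -> bool:
    """True if a retrieved template page references the ms-msdt: handler."""
    return bool(MSDT_RE.search(html))


def build_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# A normal local template versus an external one (placeholder URL).
BENIGN_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
               f'Type="{ATTACHED_TEMPLATE}" Target="Normal.dotm"/></Relationships>')
SUSPICIOUS_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   f'Type="{ATTACHED_TEMPLATE}" TargetMode="External" '
                   f'Target="http://template.example/page.html"/></Relationships>')
# Constructed stand-in for a fetched template page; no real payload.
SAMPLE_HTML = '<script>location.href = "ms-msdt:/example-placeholder";</script>'


def triage(docx_bytes: bytes, fetched_html: str = "") -> dict:
    """Combine both checks into one verdict record for an analyst."""
    return {"external_template": external_templates(docx_bytes),
            "msdt_in_template": html_carries_msdt(fetched_html)}
```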
EUROPE, THE MIDDLE EAST AND AFRICA
January
  • A series of attacks targeting Russia’s Ministry of Foreign Affairs has been attributed to North Korean APT group Konni. Threat actors gained access by leveraging a socially engineered phishing campaign with New Year greetings and stealing credentials, aiming at collecting intelligence.
  • Threat actors have been targeting the UK National Health Service (NHS), using the Log4Shell flaw to compromise VMware Horizon servers, likely as a reconnaissance phase.
  • Ukraine has been hit by a large-scale cyber-attack that took down several of its government and ministry websites. Threat actors defaced the Foreign Affairs website with a threatening message reading “Ukrainians!… All information about you has become public, be afraid and expect worse.” Researchers additionally found evidence of a significant ongoing operation targeting multiple organizations in Ukraine, leveraging malware disguised as ransomware that could render a system inoperable.
  • A new cyber-espionage campaign by the Arabic-speaking APT group Molerats (aka Gaza Cybergang) has been targeting victims in the Middle East, specifically high-profile targets in the banking, NGO and political sectors in Palestine and Turkey. The group leverages cloud services like Google Drive or Dropbox to host malicious payloads and for command-and-control.
  • A hacktivist group from Belarus called “Belarusian Cyber Partisans” has breached the computer systems of Belarusian Railways. Threat actors claim to have encrypted the network and are extorting the Belarusian government, asking for the release of 50 political prisoners and a pledge from Belarusian Railways to halt transport of Russian soldiers as Russia prepares for a possible invasion of Ukraine.
February
  • A significant ransomware attack has disrupted operations of oil port terminals in Belgium, Germany and the Netherlands, affecting at least 17 ports and resulting in difficulties loading and unloading refined product cargoes. The BlackCat cybercrime group is suspected to be behind the attack.
  • Researchers have found a new campaign targeting Turkish private organizations and governmental institutions, attributed to the Iranian state-sponsored group MuddyWater. The group now uses canary tokens to track target infections and possibly to evade sandbox-based detection systems.
  • 200,000 people have been impacted by a data breach that exposed personal information of users of Croatian phone carrier A1 Hrvatska.
  • Ukraine has been at the center of a series of targeted DDoS attacks on its armed forces, defense ministry, public radio and national banks websites. The US Government has officially attributed the attacks to Russia’s Main Directorate of the General Staff of the Armed Forces.
  • Check Point Research has released data on cyber attacks observed around the current Russia/Ukraine conflict. Cyber attacks on Ukraine’s government and military sector surged by 196% in the first three days of combat. Cyber attacks on Russian organizations increased by 4%. Phishing emails in the East Slavic languages increased 7-fold.
  • Check Point Research has spotted a new malware, Electron-bot, distributed through gaming applications on Microsoft’s official store, with at least 5,000 victims, mostly in Sweden, Bulgaria, Russia, Bermuda and Spain. The malware can control social media accounts of its victims, including Facebook, Google and SoundCloud. The malware can register new accounts, log in, comment on and “like” other posts.
March
  • Check Point Research reports on cyber criminals’ and hacktivists’ increased activity leveraging Telegram amid the Russia-Ukraine war. Anti-Russian cyber-attack groups have been growing, while others claiming to fundraise for Ukraine are suspected to be fraudulent.
  • Ukraine’s “IT army”, consisting of cyber-operatives and volunteers worldwide, has claimed attacks taking down multiple key Russian and Belarusian websites, including the Kremlin’s official site.
  • Swedish camera company Axis has had to shut down all its public-facing internet services after a cyber-attack targeted its IT systems.
  • TransUnion South Africa has been the victim of a breach in which the hacker group named N4aughtysecTU stole 4TB of data. The attackers, who claim to be based in Brazil, are demanding a $15 million ransom over the sensitive data, which includes credit scores, banking details and ID numbers.
  • One of Russia’s largest meat producers, Miratorg Agribusiness Holding, has suffered a major cyberattack. Threat actors used Windows BitLocker to encrypt full volumes on the victim’s IT systems and demanded a ransom. The attack resulted in distribution disruptions for several days.
  • German wind turbine company Nordex has been the victim of a cyberattack claimed by the Conti ransomware gang. The attack, which occurred on March 30, shut down all the company’s internal IT systems and disrupted its remote access to the turbines.
April
  • Check Point Research (CPR) revealed a large spike in attacks committed by advanced persistent threat groups (APTs) around the world, using lures related to the war between Russia and Ukraine. Most of the attacks started with spear-phishing emails that contained documents with malicious macros dropping malware such as the Loki.Rat backdoor.
  • Check Point Research discovered six applications spreading banking malware on Google Play Store by masquerading as anti-virus solutions, with over 15,000 downloads. The malware, known as ‘Sharkbot’, steals credentials and banking information of Android users.
May
  • The Ukrainian IT army has disrupted Russia’s alcohol distribution by performing DDoS attacks to limit access to a portal called State Automated Alcohol Accounting Information System (EGAIS) used by the Russian government.
  • The National Health Service (NHS) in the UK has been the victim of phishing campaigns targeting email accounts since at least April 2022. More than a thousand phishing messages were sent from two NHS IP addresses, delivered from hijacked email accounts belonging to 139 employees in England and Scotland.
  • Check Point Research has unveiled a targeted cyber-espionage operation against at least two research institutes in Russia, which are part of the Rostec Corporation, a state-owned defense conglomerate. The sophisticated campaign, which CPR dubbed “Twisted Panda”, has been attributed to Chinese threat actors, with possible connections to Mustang Panda and Stone Panda (aka APT10). Hackers used new tools, including a multi-layered loader and a backdoor called “SPINNER”.
  • Russian state-sponsored hacking group, Turla, has been launching a reconnaissance campaign against the Austrian Economic Chamber, a NATO platform, and the Baltic Defense College.
June
  • Europol announced that FluBot, the notorious mobile malware threat that spreads globally mainly via SMS-based phishing, has been taken down in a joint law enforcement operation.
  • The Italian municipality of Palermo has been the victim of a ransomware attack that caused a large-scale service outage affecting over a million people. The attack was claimed by the Vice Society ransomware group, which uses a double extortion model.
ASIA-PACIFIC
January
  • The Vietnamese trading platform ONUS was the victim of a ransomware attack leveraging the Log4j flaw in its payment system. Cyber criminals demanded a $5 million ransom in a double extortion scheme. ONUS refused to pay, so the threat actors put the records of 2 million ONUS customers up for sale.
  • A new password-stealing malware dubbed BHUNT has been targeting crypto wallets worldwide, with most victims in India. BHUNT is suspected of using cracked software installers as an infection vector.
  • Delta Electronics, a Taiwanese Apple and Tesla contractor, has been hit by a Conti ransomware attack. The company stated that only non-critical systems were compromised. Ransomware operators demanded a $15 million ransom payment in exchange for the decryption key.
February
  • Researchers have discovered that North Korean APT group Kimsuky has been active in campaigns involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon. Their latest campaign is primarily focused on South Korean targets.
March
  • Ransomware gang Lapsus$, which took responsibility for last week’s breach on the giant chip firm NVIDIA, claims it has now managed to breach the Korean manufacturer Samsung, and published 190GB of sensitive data online.
  • Japanese car manufacturer Toyota halted operations and production at its plants across Japan after one of its plastic component suppliers, Kojima Press Industries, suffered a cyber-attack.
April
  • The Pakistan-based threat group APT36 conducted a new campaign against the Indian government. The group used malware-laced versions of the Kavach authentication app, which is used by the Indian military and other government agencies to access critical IT systems.
  • The new Spring4Shell vulnerability (CVE-2022-22965) has been actively exploited by threat actors since the beginning of April, leveraging the Mirai botnet. The Singapore region has been one of the most impacted geographic areas.
  • North Korean state-sponsored APT group Lazarus has been linked to a recent theft of $625 million worth of Ethereum cryptocurrency from the Axie Infinity game.
May
  • The Japanese financial news outlet Nikkei Group has suffered a ransomware attack that hit its headquarters in Singapore. The company, which is still in the process of determining the scope of the attack, claims that no data was leaked although the affected server may have contained customer data.
  • Indian airline SpiceJet has been the victim of a ransomware attack that resulted in delayed flight departures and underlying system failures. The company announced that the attack is also delaying its financial results announcement.
June
  • Check Point Research found a vulnerability within the UNISOC chip firmware used in Android mobile phones, which can allow a remote attacker to disrupt the device’s radio communication through a malformed packet.
  • A critical vulnerability affecting Atlassian Confluence Server and Data Center (CVE-2022-26134), exploited in the wild, has been patched. Successful exploitation could allow remote attackers to create new admin accounts, execute commands, and take over the server.
https://go.checkpoint.com/2022-mid-year-trends