This year, Cyberint Research Team has witnessed a major spike in compromised Atlassian service credentials compared to 2021. When observing compromised Atlassian credentials from the start of 2021 and 2022 through to August of the relevant year, we have seen an increase of around 337% (Figure 1, 2) in leaked credentials.

Over the past few years, the awareness of privacy and personal security has taken a significant step forward. Typical users have now adopted far more suspicious practices when utilizing multiple PC or mobile device applications. This is a direct result of the constant attempts of cybercriminals to launch malicious campaigns aimed at gaining access to both credentials and internal systems.

Over the past couple of months, a new group has emerged named the Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army. What makes this group unique compared to all the other groups we’ve seen lately, is its recruitment of cyber-mercenaries to do specific jobs as a part of bigger campaigns known only to the admins. In the early days, the group appeared to be yet another data leakage group.

In June 2022, Cyberint observed a new hacktivist campaign targeting multiple Israeli organizations and enterprises coordinated via different social media platforms. The campaign is led by hacktivists originating in a group called GhostSec. GhostSec was first identified in 2015 and was initially founded to attack ISIS in the cyber realm as part of the fight against Islamic extremism.

The first quarter of 2022 was rich with many unusual incidents of new ransomware groups, and new techniques. The most notable event of Q1 was without a doubt the ContiLeaks incident, courtesy of the Russia-Ukraine conflict, which lasted till not long ago, at the end of Q2. As the shockwaves of the Russia-Ukraine conflict have faded, when it comes to the ransomware industry, we have seen many families going “back to business”.

As many threat actors and groups seek to utilize recently discovered vulnerabilities, the Cyberint Research Team found several XFiles stealer campaigns, in which Follina vulnerability was exploited as part of the delivery phase. Follina is one of the most widespread vulnerabilities discovered throughout 2022. The vulnerability allows a threat actor to perform a remote code execution (RCE) through malicious Word documents. XFiles stealer is a vastly used info stealer that took off during the end of 2021.

BlackGuard is a fairly new info stealer from the end of January 2022 with a business model of Malware-as-a-Service (MaaS). The malware is sold in underground forums and a dedicated Telegram channel of the operators’ named blackteam007.

Over the past weekend, on June 2, Atlassian published a security advisory regarding a zero-day vulnerability in all versions of the Confluence Server and Data Center that is already being exploited in the wild. The critical severity vulnerability has received the ID of CVE-2022-26134 and a threat actor can exploit this vulnerability in order to perform unauthenticated remote code execution (RCE).

Emotet, one of the first Malware-as-a-Service (MaaS), an ever-evolving botnet and banking trojan active since 2014, recently added new techniques to its arsenal. Initially intended to extract sensitive banking information from a victim’s computer and operate using other malware trojans, this notorious malware continues evolving by implementing new techniques in the malware delivery stage. This document is an update to the technical report on Emotet from December 2021.