Cyber Threat Report | June 2022


</Reports </ Cybersecurity </ Cybercrime </ News


We’re halfway through 2022, and we’d like to congratulate our colleagues from various industries (including fintech, healthcare, and manufacturing) for prioritizing their cybersecurity efforts! We believe that only together can we make the digital environment a safer one - as cybersecurity is everyone’s responsibility.

Within our monthly Cybersecurity Report, we’ll look at some of the biggest threats that took place in the past month.

June 2022 saw the exploitation of various ransomware and vulnerabilities by hackers, including ‘Hermit’ and the Atlassian Confluence zero-day vulnerability.

We’ll share information from the report on the nearly impossible-to-detect 'Symbiote'.

You’ll also find out more about the DDoS attacks targeting major government organizations in Lithuania.

In June 2022, the fastest-spreading mobile malware was taken down and the largest recorded HTTPS DDoS attack was stopped.

Read on to discover our June overview of the cybersecurity space.

Cybercrime Breaking News

A cybersecurity company pinpoints an enterprise-grade Android surveillance are, believed to be used by the government of Kazakhstan. The spyware - named 'Hermit' - was detected in April 2022, following the suppression of nationwide protests against government policies that took place in January. 'Hermit' is deployed once users download packages; most often it's spread via SMS messages. This isn’t the first time that 'Hermit', developed by Italian RCS Labs and telecoms company Tykelab Srl, surfaced. The spyware is said to have been used in an anti-corruption operation in Italy (in 2019) and in northeastern Syria, to settle regional conflicts.

Google’s Threat Analysis Group (TAG) also released a report of seven zero-day vulnerabilities that were also attributed to RCS Labs and were used by government-backed actors in 2021. At the beginning of the month, Atlassian warns of a zero-day vulnerability in all supported versions of its Confluence Server and Data Center. The vulnerability was tagged as CVE-2022-26134 and was officially patched on June 3rd. Yet, in the middle of June, ransomware groups and nation-state actors began exploiting CVE-2022-26134, as confirmed by Microsoft's security team. In the latest news, a hacker is currently selling access to 50 vulnerable networks, which he gained access to through the zero-day.  

The Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) issued a warning about ongoing CVE-2021-44228 (Log4Shell) malicious activity. Cyber threat actors are said to be exploiting the vulnerability in VMware Horizon® and Unified Access Gateway (UAG) servers to "obtain initial access to organizations that did not apply available patches or workarounds".

BlackBerry and Intezer report on "Symbiote" - a nearly impossible-to-detect Linux threat, targeting the Latin American financial sector. The threat was discovered back in November 2021. Researchers explain that it "parasitically infects the systems by being loaded into all processes as a shared object library".

Cybersecurity Justice

Internet infrastructure company, Cloudflare stops the largest recorded HHTPS DDoS attack - 26 million requests per second (rps). The attack is said to have originated mostly from Cloud Service Providers, hinting at the usage of hijacked virtual machines and powerful servers. The DDoS attack was traced to a botnet of 5,067 devices; each generating approximately 5,200 rps at peak.

A Europol operation, involving 11 countries, takes down “one of the fastest-spreading mobile malware to date”, FluBot. Believed to have infected at least 60,000 smartphones around the world, the malware spreads through SMS, stealing sensitive information. FluBot was successfully disrupted in May by the Dutch Police.

An ex-Amazon Web Service employee was convicted for hacking into more than 30 Amazon accounts, including Capital One Bank, and downloading customer data from more than 100 million people in 2019. The former worker was also charged for using the computer's power to mine cryptocurrency. Netwalker ransomware affiliate agrees to plead guilty and forfeit $21.5 million - about 27.65 BTC and dozens of seized devices. 

Cyberwar between Russia and Ukraine: Updates

Lithuania’s Secure National Data Transfer Network and other governmental institutions and private companies in the country were targeted by a DDoS attack.

Russian hacker group Killnet has claimed responsibility for the attacks and said this was in “retaliation for Vilnius's decision to cease the transit of some goods under European Union sanctions to Russia's Kaliningrad exclave.”

FinTech Updates

FBI investigates the theft of $100 million in cryptocurrency (Ether, Tether (USDT), Wrapped Bitcoin (WBTC), and BNB) from blockchain company, Harmon.

Researchers believe that the crime was committed by a North Korean military-backed group (most believe it’s the Lazarus Group), due to the nature of the incident and the way the money was laundered.

Mirror Protocol - a DeFi platform on the Terra network - has had $2 million exploited after the Luna cryptocurrency crash in October.

Other News

  • An 8-page report, devised by US cybersecurity agencies and New Zealand and UK National Cybersecurity Centers, argues why PowerShell shouldn't be disabled
  • Large critical Norwegian organizations were targeted in DDoS attacks at the end of June; Norway’s National Security Authority (NSM) believes pro-Russian hackers were behind the attacks
  • Around 70,000 patient records of Kaiser Permanente (one of the largest nonprofit healthcare plans in the US) may have been exposed as a result of an April 2022 data breach
  • Microsoft disables more than 20 malicious OneDrive applications attacking Israeli-based organizations; the Lebanon-based group, Polonium, launched the attack

AMATAS will continue to monitor this space and deliver salient information regularly. 

Stay tuned for our next report and if you are interested in any of our privacy and cybersecurity services, please do reach out through our website or by e-mailing

As always – be vigilant, stay alert, and think twice.


Ralitsa Kosturska in AMATAS