The top malware and ransomware threats for June 2023

System hacked alert appearing on a computer screen
(Image credit: Getty Images)

Maintaining a cyber-secure IT estate continues to be a challenge for all organizations but knowing how to mitigate the most pressing threats will get many businesses most of the way there.

Cyber crime remains a lucrative business and shows no signs of slowing down. Ransomware operations are changing tactics to maximize returns and malware continues to pervade global networks.

While it’s impossible to group every single threat that’s targeting organizations every month, this series of monthly roundups aims to highlight the most important patches, workarounds, and indicators of compromise (IOCs) to be aware of.

Here you’ll find a complete list of the most dangerous malware and ransomware threats of June 2023.

Fiber optics carrying computer virus attacking binary code

(Image credit: Getty Images)

Zyxel NAS devices widely exploited

Zyxel is the latest company to battle issues in its line of network-attacked storage (NAS) devices. 

Following the widespread and repeated attacks on QNAP’s NAS drives last year, a critical vulnerability, tracked as CVE-2023-28771, is now being exploited in Zyxel’s hardware and is believed to affect tens of thousands of customers.

The flaw allows for remote code execution by sending a specially crafted packet to the device.


Rear facing image of man sat in dark tech lab using VR headset and gloves

(Image credit: Trend Micro)

The near and far future of ransomware business models

What would make ransomware actors change their criminal business models?


A technical analysis by security firm Rapid7 revealed evidence of exploits used to conduct attacks as part of a Mirai botnet.

According to the company’s telemetry, it was estimated that around 42,000 Zyxel NAS devices were exposed to the public internet on the wide area network (WAN), which is not a default setting.

Because the flaw resides in the NAS drives’ VPN service, which is enabled by default on the WAN, Rapid7 said it believes the total number of affected devices to be “much higher” than 42,000.

Patches for the buffer overflow vulnerability, and others announced at the same time, are now available and should be applied as soon as possible.

Read more from CloudPro’s coverage of the full story here.

Secure mail on digital screen

(Image credit: Getty Images)

Barracuda Networks email security gateway devices “must be replaced immediately”

Continuing on the theme of attacks targeting major hardware, Barracuda Networks revealed this week that despite releasing patches for a critical vulnerability, users must still replace the devices as soon as possible.

A zero-day vulnerability in its email security gateway (ESG) devices’ VPN service allowed for remote code execution. 

The earliest evidence of exploits is from October 2022 and have since been used to install backdoor malware with persistence.

Attacks have also been observed supporting downstream attacks from a Mirai-like botnet campaign.

Barracuda did not offer any further information about the reason for needing to fully replace the devices in a brief update to its security advisory.

Read more from ITPro’s coverage of the full story here.

Mockup of a botnet and its different stages

(Image credit: Getty Images)

Horobot runs wild for two years before getting discovered

A “sophisticated” botnet has only just been uncovered by security researchers after going unnoticed for more than two years.

Horobot has been targeting specific industry verticals - accounting, investment, and construction in particular - and has been installing different strains of malware since November 2020.

Banking trojans and spam tools were among the malware dropped in attacks. The latter was used to steal sensitive information and compromise email accounts to launch phishing attacks.

Gmail, Yahoo, and Outlook users were all affected by Horobot-based attacks, researchers noted.

The campaign mainly targeted Spanish-speaking users in the Americas and experts believe the attackers managing Horobot may be based in Brazil.

Horobot’s indicators of compromise can be found on Cisco Talos’ advisory, and you can read more detailed coverage of the story over at CloudPro here.

A series of blue blocks with binary code displayed alongside yellow padlocks

(Image credit: Getty)

Information-stealing malware targets 1Password, other password managers

A new version of ViperSoftX has been discovered and is now targeting the data held in web browsers by popular password managers’ extensions.

Focused mainly on 1Password and KeePass 2, the latest ViperSoftX was found by Trend Micro’s security researchers but has historically only had tooling for Google Chrome.

The malware now has the functionality to target browsers such as Microsoft Edge, Firefox, Brave, and Opera.

ViperSoftX was also originally used to be just a cryptocurrency-hijacking tool but now offers more robust options for cyber attackers. 

Trend Micro said the bulk of attacks are targeting organizations in Australia, Japan, the US, and India, but attacks are also prevalent across Asia and central European regions too.

ViperSoftX’s indicators of compromise can be found on Trend Micro’s advisory.

Purpple screen with a white hand placing down asterisks denoting a security and password theme

(Image credit: Getty Images)

Backdoors and MFA tampering in Azure AD

Faulty APIs in the premium version of Microsoft Azure Active Directory (Azure AD) were found to enable the tampering of conditional access policies (CAPs).

Researchers identified three APIs that allow editing of CAPs, one of which allowed editing of all CAP settings, including metadata.

The exploitation of this API could have led to serious ramifications for organizations, researchers said.


Orange webinar screen with title and image of magnifying glass with chart and graph icons inside

(Image credit: Cloudflare)

How applications are attacked

A year in application security


Nestori Syynimaa, senior principal security researcher at Secureworks Counter Threat Unit (CTU), said Azure AD “isn’t locked properly” and that any users, including threat actors, could see policy configurations. 

Admin users could also make modifications that don’t get logged properly, such as the installation of backdoors and turning off access controls to bypass multi-factor authentication (MFA).

It’s important that organizations can rely on their audit logs so that any damaging changes can be remediated effectively.

Microsoft was made aware of the issues in May 2022 but said “that it is expected behavior”.

Last month, it said it will be retiring the flawed AADgraph API and that admins will be prevented from making changes to CAPs.

Read more from CloudPro’s coverage of the full story here.

Abstract Technology Binary Code Dark Red Background

(Image credit: Getty Images)

Second major ransomware gang pivots to extortion-only model

The BianLian ransomware operation is said to have followed Cl0p’s lead and become the second major cyber criminal outfit of its kind to switch to pure extortion attacks.

An advisory issued by the US and Australia revealed that the latest analysis of the group’s activity indicated a step away from using the group’s ransomware payload in favor of simply extorting victims over stolen data.

It’s not clear why the techniques of ransomware criminals are changing in this way, but Cl0p, which started the year with the notorious supply chain attack on GoAnywhere MFT, has seen repeated success with the method.

Cl0p was also attributed to the supply chain attack on MOVEit Transfer, a widely used file transfer tool in the private sector.

The trend highlights the growing need for organizations to keep their data secure and regular backups in case of an attack. 

Cyber criminals continually evolve their tactics, especially in financially motivated attacks, and it’s important that organizations do what they can to avoid paying them and further incentivizing the business model.

High quality 3D rendered image of North and South America

(Image credit: Getty Images)

Tofsee botnet remains among the top business threats

Researchers at Cisco Talos have, for the second week in a row, included the Tofsee botnet in its list of most prevalent threats to organizations.

The botnet dates back more than a decade and has undergone several rounds of evolution since its inception.

Talos said describes Tofsee as a “multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more”.

There aren’t any exact figures available regarding the extent of the botnet’s reach, but it remains a significant threat to organizations given its modular design.

Primarily a cryptominer and web traffic proxy, it also has the functionality to be used for spam campaigns and DDoS attacks too.

For a full list of IOCs, head to Cisco Talos’ advisory here.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.