Cyber Threat Intelligence 26 February 2025
Healthcare Sector
- Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers
"Healthcare was the most targeted critical infrastructure sector in both 2023 and 2024. While many of those attacks involved ransomware, impacting data availability and potentially disrupting patient care, other threats to healthcare organizations directly exploit medical applications. During a threat hunt for new malicious software, we identified a cluster of 29 malware samples masquerading as Philips DICOM viewers. These samples deployed ValleyRAT, a backdoor remote access tool (RAT) used by the Chinese threat actor Silver Fox to gain control of victim computers. In addition to the backdoor, victims were also infected with a keylogger and a crypto miner, a behavior not previously associated with this threat actor."
https://www.forescout.com/blog/healthcare-malware-hunt-part-1-silver-fox-apt-targets-philips-dicom-viewers/
https://hackread.com/silver-fox-apt-valleyrat-trojanized-medical-imaging-software/
https://www.infosecurity-magazine.com/news/chinese-silver-fox-backdoors/
https://www.helpnetsecurity.com/2025/02/25/china-based-silver-fox-spoofs-healthcare-apps-dicom-viewer-to-deliver-valleyrat-malware/
https://www.theregister.com/2025/02/25/silver_fox_medical_app_backdoor/
Industrial Sector
- Rockwell Automation PowerFlex 755
"Successful exploitation of this vulnerability could result in exposure of sensitive data."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-056-01
- Dragos’s 2025 OT Cybersecurity Report
"Explore the data from Dragos’s 2025 OT Cybersecurity Report, our 8th Annual Year in Review – the go-to report for industrial control systems (ICS) and operational technology (OT) vulnerabilities, threats targeting industrial environments, and industry trends from customer engagements worldwide. Keep scrolling to discover key highlights from this year’s report. Be sure to download a free copy of the full report for a complete analysis of the state of OT cybersecurity and how to stay ahead of growing threats in 2025 and beyond."
https://www.dragos.com/ot-cybersecurity-year-in-review/
https://www.darkreading.com/cyber-risk/industrial-system-cyberattacks-surge-ot-vulnerable
https://cyberscoop.com/dragos-ot-ics-annual-report-states-collaborating-with-private-hacking-groups/
https://www.securityweek.com/nine-threat-groups-active-in-ot-operations-in-2024-dragos/
https://www.theregister.com/2025/02/25/new_ics_malware_dragos/
Vulnerabilities
- MITRE Caldera Security Advisory — Remote Code Execution (CVE-2025-27364)
"All versions of MITRE Caldera (before commit 35bc06e and going back as far as the very first versions of Caldera) are vulnerable to a remote code execution (RCE) vulnerability that can be triggered in most default configurations. The only preconditions for this vulnerability to be exploitable are the presence of Go, python and gcc on the system that the Caldera server is running on. Notably, all of these dependencies are required for Caldera to be fully-functional in the first place and on many distributions, gcc is a dependency of Go, meaning this vulnerability is extremely likely to be available to an attacker."
https://medium.com/@mitrecaldera/mitre-caldera-security-advisory-remote-code-execution-cve-2025-27364-5f679e2e2a0e
https://www.darkreading.com/application-security/max-severity-rce-vuln-all-versions-mitre-caldera
https://www.theregister.com/2025/02/25/10_bug_mitre_caldera/
- 100,000 WordPress Sites Affected By Arbitrary File Upload, Read And Deletion Vulnerability In Everest Forms WordPress Plugin
"On January 16th, 2025, we received a submission for an Arbitrary File Upload vulnerability in Everest Forms, a WordPress plugin with more than 100,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, and also makes it possible for unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file, which can make site takeover possible."
https://www.wordfence.com/blog/2025/02/100000-wordpress-sites-affected-by-arbitrary-file-upload-read-and-deletion-vulnerability-in-everest-forms-wordpress-plugin/
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2023-34192 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/02/25/cisa-adds-two-known-exploited-vulnerabilities-catalog
Malware
- Your Item Has Sold! Avoiding Scams Targeting Online Sellers
"The emergence of online marketplaces has facilitated the convenient exchange of goods between individuals and organizations around the world. It has also provided a means for people to easily resell items, enabling them to recapture value from assets they may not otherwise wish to maintain ownership of. The type of new and used items sold via marketplaces varies widely, and platforms such as Ebay, Facebook Marketplace, Reverb, and others are extremely popular avenues for selling everything from $15 vintage tissue boxes to $40,000 Gibson Les Paul guitars. You can even find $70,000,000 domains targeting affluent individuals with above-average BMIs being sold on online marketplaces."
https://blog.talosintelligence.com/online-marketplace-scams/
- DeepSeek Lure Using CAPTCHAs To Spread Malware
"The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. DeepSeek AI chatbot that launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand impersonation, threat actors craft fraudulent websites designed to impersonate DeepSeek and mislead unsuspecting users into divulging sensitive information and/or executing harmful malware. Zscaler ThreatLabz has highlighted concerns about open source generative AI tools, like DeepSeek, being misused by threat actors to enhance exploitation and data theft strategies."
https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
https://www.darkreading.com/threat-intelligence/ai-tricksters-spin-up-fake-deepseek-sites-steal-crypto
- Ghostwriter | New Campaign Targets Ukrainian Government And Belarusian Opposition
"Ghostwriter is a long-running campaign likely active since 2016 and subsequently described in various public reports throughout 2020 to 2024. The actor behind Ghostwriter campaigns is closely linked with Belarusian government espionage efforts, while most commonly reported under the APT names UNC1151 (Mandiant) or UAC-0057 (CERT-UA). Some public reports may use the term “Ghostwriter APT” interchangeably to refer to both the threat actor and its associated campaigns."
https://www.sentinelone.com/labs/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition/
https://thehackernews.com/2025/02/belarus-linked-ghostwriter-uses.html
https://www.infosecurity-magazine.com/news/ghostwriter-cyber-attack-targets/
- Predatory App Downloaded 100,000 Times From Google Play Store Steals Data, Uses It For Blackmail
"A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app— known as “Finance Simplified”—belongs to the SpyLoan family which specializes in predatory lending. Sometimes malware creators manage to get their apps listed in the official app store. This is a great benefit for them since it lends a sense of legitimacy to the app, and they don’t have to convince users to sideload the app from an unofficial site."
https://www.malwarebytes.com/blog/news/2025/02/predatory-app-downloaded-100000-times-from-google-play-store-steals-data-uses-it-for-blackmail
- The Dark Side Of Clickbait: How Fake Video Links Deliver Malware
"McAfee Labs recently observed a surge in phishing campaigns that use fake viral video links to trick users into downloading malware. The attack relies on social engineering, redirecting victims through multiple malicious websites before delivering the payload. Users are enticed with promises of exclusive content, ultimately leading them to fraudulent pages and deceptive download links."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-dark-side-of-clickbait-how-fake-video-links-deliver-malware/
- LightSpy Expands Command List To Include Social Media Platforms
"First publicly reported in 2020, LightSpy is a modular surveillance framework designed for data collection and exfiltration. Initially observed targeting mobile devices, further analysis confirmed its ability to compromise Windows, macOS, Linux, and routers. LightSpy has been deployed in targeted attacks using watering hole techniques and exploit-based delivery, with its infrastructure frequently shifting to evade detection."
https://hunt.io/blog/lightspy-malware-targets-facebook-instagram
https://thehackernews.com/2025/02/lightspy-expands-to-100-commands.html
- Silent Killers: Unmasking a Large-Scale Legacy Driver Exploitation Campaign
"While the abuse of vulnerable drivers has been around for a while, those that can terminate arbitrary processes have drawn increasing attention in recent years. As Windows security continues to evolve, it has become more challenging for attackers to execute malicious code without being detected. As a result, the attackers often aim to disable security solutions by targeting their crucial components. These components, usually a part of security solutions for Windows OS, run as protected processes (PP/PPL) using the kernel modules of these solutions to support their functionality."
https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/
https://thehackernews.com/2025/02/2500-truesightsys-driver-variants.html
- Medusa Ransomware And Its Cybercrime Ecosystem
"The Medusa of Greek mythology is said to have been a beautiful woman until Athena’s curse transformed her into a winged creature with a head full of snakes. She is considered both a ‘monster’ and a protector, because of her power to petrify anyone who looked directly upon her face. She’s a compelling character in a giant story that’s often told in just bits and pieces."
https://blog.barracuda.com/2025/02/25/medusa-ransomware-and-its-cybercrime-ecosystem
- Deceptive Signatures: Advanced Techniques In BEC Attacks
"Business email compromise attacks have become increasingly common in recent years, driven by sophisticated social engineering tactics that make it easier to dupe victims. This is due in part to the believability that the threat actors are able to achieve by collecting sensitive information from publicly available sources, including corporate websites and social media. Criminals leverage this information to pose as trusted colleagues or business partners, using stolen or spoofed email accounts to deliver convincing messages that prompt recipients to transfer funds or disclose confidential information. The evolving nature of these schemes is characterized by their high success rate, low technological barriers to entry for threat actors, and the substantial financial losses incurred by victim organizations. Advancements in automation, AI-driven personalization, and ready-to-use phishing kits have further accelerated the proliferation of BEC attacks, creating a lucrative marketplace for cybercriminals."
https://www.cybereason.com/blog/bec-email-signature-technique
Breaches/Hacks/Leaks
- Processing 23 Billion Rows Of ALIEN TXTBASE Stealer Logs
"We've ingested a corpus of 1.5TB worth of stealer logs known as "ALIEN TXTBASE" into Have I Been Pwned. They contain 23 billion rows with 493 million unique website and email address pairs, affecting 284M unique email addresses. We've also added 244M passwords we've never seen before to Pwned Passwords and updated the counts against another 199M that were already in there. Finally, we now have a way for domain owners to query their entire domain for stealer logs and for website operators to identify customers who have had their email addresses snared when entering them into the site."
https://www.troyhunt.com/processing-23-billion-rows-of-alien-txtbase-stealer-logs/
https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-284m-accounts-stolen-by-infostealer-malware/
- US Drug Testing Firm DISA Says Data Breach Impacts 3.3 Million People
"DISA Global Solutions, a leading US background screening and drug and alcohol testing firm, has suffered a data breach impacting 3.3 million people. In January, the company first disclosed a cybersecurity incident that occurred between February 9, 2024, and April 22, 2024, the day it discovered the breach. In an update earlier this month, DISA revealed that the threat actors might have accessed sensitive data stored in its systems, but there was no evidence of further dissemination or misuse."
https://www.bleepingcomputer.com/news/security/us-drug-testing-firm-disa-says-data-breach-impacts-33-million-people/
https://therecord.media/background-check-company-disa-data-breach
https://www.helpnetsecurity.com/2025/02/25/background-check-drug-testing-provider-disa-suffers-data-breach/
https://www.malwarebytes.com/blog/news/2025/02/background-check-provider-data-breach-affects-3-million-people-who-may-not-have-heard-of-the-company
https://www.theregister.com/2025/02/26/disa_data_breach/
- Orange Group Confirms Breach After Hacker Leaks Company Documents
"A hacker claims to have stolen thousands of internal documents with user records and employee data after breaching the systems of Orange Group, a leading French telecommunications operator and digital service provider. The threat actor published on a hacker forum details about the stolen data after trying to extort the company unsuccessfully. Orange confirmed the breach to BleepingComputer saying that it occurred on a non-critical application. The company initiated an investigation and is working to minimize the impact of the incident."
https://www.bleepingcomputer.com/news/security/orange-group-confirms-breach-after-hacker-leaks-company-documents/
- RansomHub Sends a Letter To The Editor. Really.
"On February 17, DataBreaches reported that the RansomHub ransomware group claimed responsibility for an attack on the Sault Ste. Marie Tribe of Chippewa Indians. RansomHub claimed to have “temporarily locked” the tribe’s infrastructure and to have acquired 119 GB of files (501,211 files). The post included statements by RansomHub as seen on their dark web leak site (DLS) as well as an update from the tribe about the situation."
https://databreaches.net/2025/02/25/ransomhub-sends-a-letter-to-the-editor-really/
- Siberia's Largest Dairy Plant Reportedly Disrupted With LockBit Variant
"The largest dairy processing plant in southern Siberia has been hit by a ransomware attack. Local media reports suggest that the breach could be connected to the plant's support for Russian troops in Ukraine. During the attack on the Semyonishna plant, which occurred earlier in December, the unidentified hacker group encrypted the company’s systems with a LockBit ransomware strain, the regional office of Russia’s security service (FSB) said in a comment last Friday to local news website Kommersant."
https://therecord.media/siberia-dairy-plant-cyberattack-lockbit-variant
- LockBit Taunts FBI Director Kash Patel With Alleged “Classified” Leak Threat
"The ransomware gang LockBit sent a strange message to newly appointed FBI Director Kash Patel, offering alleged “classified information” that could “destroy” this agency if publicly disclosed. The ransomware group published the message on their dark web leak site, specifically referring to the agency’s new director Patel."
https://securityaffairs.com/174639/cyber-crime/lockbit-taunts-fbi-director-kash-patel.html
General News
- Avoiding Vendor Lock-In When Using Managed Cloud Security Services
"In this Help Net Security interview, Marina Segal, CEO at Tamnoon, discusses the most significant obstacles when implementing managed cloud security in hybrid and multi-cloud environments. She shares insights on long onboarding times, legacy security gaps, vendor lock-in, and overlooked threats that can put organizations at risk."
https://www.helpnetsecurity.com/2025/02/25/marina-segal-tamnoon-managed-cloud-security/
- How Nice That State-Of-The-Art LLMs Reveal Their Reasoning ... For Miscreants To Exploit
"AI models like OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Thinking can mimic human reasoning through a process called chain of thought. That process, described by Google researchers in 2022, involves breaking the prompts put to AI models into a series of intermediate steps before providing an answer. It can also improve AI safety for some attacks while undermining it at the same time. We previously went over chain-of-thought reasoning here, in our hands-on guide to running DeepSeek R1 locally."
https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/
- Ransomware Recovery Lessons Learned From Arnold Clark
"As with playing the piano, getting to Carnegie Hall and combating ransomware, there's only one real path to mastery. "Practice, practice, practice," Eddie Hawthorne, chief executive and group managing director of Arnold Clark, told a Scottish cybersecurity conference on Tuesday. Glasgow-based Arnold Clark, Britain's largest independently owned car retailer and one of the largest car dealer groups in Europe, employs over 10,000 people and sells over 300,000 cars annually across more than 200 U.K. retail locations."
https://www.bankinfosecurity.com/ransomware-recovery-lessons-learned-from-arnold-clark-a-27593
- 2025 Unit 42 Incident Response Report — Attacks Shift To Disruption
"Palo Alto Networks Unit 42 today released its 2025 Global Incident Response Report, revealing that 86% of major cyber incidents in 2024 resulted in operational downtime, reputational damage or financial loss. The report (based on 500 major cyber incidents that Unit 42 responded to across 38 countries and every major industry) highlights a new trend: financially motivated attackers have shifted their focus to deliberate operational disruption, prioritizing sabotage – destroying systems, locking customers out and causing prolonged downtime – to maximize impact and pressure organizations into paying extortion demands."
https://www.paloaltonetworks.com/blog/2025/02/incident-response-report-attacks-shift-disruption/
https://www.paloaltonetworks.com/engage/unit42-2025-global-incident-response-report
https://cyberscoop.com/cyberattacks-business-disruption-2025-unit-42-palo-alto-networks/
- Unmanaged Devices: The Overlooked Threat CISOs Must Confront
"One of my favorite things about working in security, and tech in general, is the shared attitude that no problem is unsolvable. We transitioned virtually the entire Internet from "http" to "https" in the name of security. Clearly, we're not afraid of a challenge. But there's one problem that many companies haven't even tried to solve, and its very name seems to communicate a kind of surrender: unmanaged devices."
https://www.darkreading.com/remote-workforce/unmanaged-devices-overlooked-threat-cisos-must-confront
- Betting (and Losing) The Farm On Traditional Cybersecurity
"Our field often discusses a cybersecurity skills gap, but I recently saw a young man change his LinkedIn profile from #Open To Work to #Desperate. His bio shows a master's degree in cybersecurity and multiple security certifications (CSSCP, Network+, Security+, etc). Yet he can't find work in an industry that regularly advertises a critical personnel shortage. We're undergoing a seismic shift in cybersecurity that is fundamentally changing the core skills practitioners need to have. We've grown accustomed to the idea of cybersecurity professionals as experts on endpoints, networks, and operating systems. These skills are no longer enough in the era of ubiquitous cloud computing, work-from-anywhere, and artificial intelligence (AI)."
https://www.darkreading.com/cloud-security/betting-losing-farm-traditional-cybersecurity
- 25 Years On, Active Directory Is Still a Prime Attack Target
"Despite turning 25 years old this week, Microsoft's Active Directory (AD) remains the cornerstone of identity management across many enterprise environments. And because it is such a crucial component of the enterprise network, it still presents an attractive target for attackers. "AD remains a primary target for attackers because of its central role in identity and access management," says Jim Doggett, CISO at Semperis. "If AD is compromised, attackers effectively have compromised the keys to the IT kingdom, as AD provides access to all network resources within an organization.""
https://www.darkreading.com/identity-access-management-security/25-years-active-directory-prime-attack-target
- Cybersecurity Needs a Leader, So Let’s Stop Debating And Start Deciding
"Have you ever heard anyone earnestly ask in a business, “Who owns legal?” or “Who sets the financial strategy?” Probably not – it should be obvious, right? Yet, when it comes to cybersecurity, the question of ownership still seems to spark endless debates. That might have been understandable back in the 1990s when key security roles like the CISO were still being ironed out. But these days, it should be a serious red flag."
https://www.helpnetsecurity.com/2025/02/25/cybersecurity-ownership/
- 61% Of Hackers Use New Exploit Code Within 48 Hours Of Attack
"In 2024, cyber-criminals have launched attacks within 48 hours of discovering a vulnerability, with 61% of hackers using new exploit code in this short timeframe. Companies faced an average of 68 days of critical cyber-attacks, while ransomware remained the most significant threat. The healthcare industry was particularly affected, with ransomware responsible for 95% of all breaches and impacting more than 198 million US patients. These figures come from SonicWall’s Annual Cyber Threat Report, which also suggested that attackers are leveraging AI-driven automation and advanced evasion techniques, making it increasingly difficult for SMBs to defend themselves."
https://www.infosecurity-magazine.com/news/hackers-use-exploit-code-within-48/
- Only a Fifth Of Ransomware Attacks Now Encrypt Data
"Ransomware actors are largely eschewing encryption, with at least 80% of attacks last year focusing solely on exfiltrating data, as it is quicker and easier, according to ReliaQuest. The threat intelligence vendor claimed in its Annual Cyber-Threat Report that exfiltration-only ransomware attacks are 34% faster. After initial access, “breakout time” typically takes just 48 minutes, although some groups manage to achieve lateral movement in as little as 27 minutes, giving network defenders little time to react. ReliaQuest highlighted several trends from 2024 worth noting."
https://www.infosecurity-magazine.com/news/only-fifth-ransomware-attacks/
https://www.reliaquest.com/resources/research-reports/annual-threat-report-2025/
- 5 Active Malware Campaigns In Q1 2025
"The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refining their attack methods. Below is an overview of five notable malware families, accompanied by analyses conducted in controlled environments."
https://thehackernews.com/2025/02/5-active-malware-campaigns-in-q1-2025.html
- OpenAI Bans ChatGPT Accounts Used By North Korean Hackers
"OpenAI says it blocked several North Korean hacking groups from using its ChatGPT platform to research future targets and find ways to hack into their networks. "We banned accounts demonstrating activity potentially associated with publicly reported Democratic People's Republic of Korea (DPRK)-affiliated threat actors," the company said in its February 2025 threat intelligence report."
https://www.bleepingcomputer.com/news/security/openai-bans-chatgpt-accounts-used-by-north-korean-hackers/
https://cdn.openai.com/threat-intelligence-reports/disrupting-malicious-uses-of-our-models-february-2025-update.pdf
Reference
Electronic Transactions Development Agency (ETDA) - Healthcare Malware Hunt, Part 1: Silver Fox APT Targets Philips DICOM Viewers