Cyber Threat Intelligence 06 March 2025
Industrial Sector
- Organizations Still Not Patching OT Due To Disruption Concerns: Survey
"Many organizations are still concerned that patching operational technology (OT) systems can lead to equipment downtime and operational disruptions, and consequently they do not conduct regular patching, according to cyber-physical security firm TXOne Networks. The data comes from TXOne’s 2024 Annual OT/ICS Cybersecurity Report, which is based on a survey of 150 C-level executives in North America, Europe, the Middle East and Asia. The survey found that 85% of organizations don’t conduct regular patching. A majority install patches quarterly or less often, which leaves them exposed to attacks for extended periods of time."
https://www.securityweek.com/organizations-still-not-patching-ot-due-to-disruption-concerns-survey/
https://digital.txone.com/media/txone-networks-2024-annual-ics-ot-cybersecurity-report/
New Tooling
- Fix Inventory: Open-Source Cloud Asset Inventory Tool
"Fix Inventory is an open-source tool for detecting compliance and security risks in cloud infrastructure accounts. It was built from the ground up for cloud-native environments and provides broad support for over 300 cloud services, including AWS, Google Cloud Platform, Azure, DigitalOcean, Hetzner, Kubernetes, and GitHub."
https://www.helpnetsecurity.com/2025/03/05/fix-inventory-open-source-cloud-asset-inventory-tool/
https://github.com/someengineering/fixinventory
- Open-Source Tool 'Rayhunter' Helps Users Detect Stingray Attacks
"The Electronic Frontier Foundation (EFF) has released a free, open-source tool named Rayhunter that is designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays. Stingray devices mimic legitimate cell towers to trick phones into connecting, allowing them to capture sensitive data, accurately geolocate users, and potentially intercept communications. With the release of the Rayhunter, EFF seeks to give users the power to detect these instances, allowing them to protect themselves and also help draw a clearer picture of the exact deployment scale of Stingrays."
https://www.bleepingcomputer.com/news/security/open-source-tool-rayhunter-helps-users-detect-stingray-attacks/
https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
Vulnerabilities
- Chrome 134, Firefox 136 Patch High-Severity Vulnerabilities
"Chrome 134 and Firefox 136 were released to the stable channel on Tuesday with patches for dozens of vulnerabilities, including multiple high-severity bugs. Google rolled out Chrome 134 with 14 security fixes, including nine for security defects reported by external researchers. The most severe of these is CVE-2025-1914, a high-severity out-of-bounds read bug in the V8 JavaScript engine that earned its two reporting researchers a $7,000 bug bounty reward."
https://www.securityweek.com/chrome-134-firefox-136-patch-high-severity-vulnerabilities/
Malware
- Typosquatted Go Packages Deliver Malware Loader Targeting Linux And MacOS Systems
"Socket researchers have uncovered an ongoing malicious campaign infiltrating the Go ecosystem with typosquatted packages that install hidden loader malware targeting Linux and macOS systems. The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github.com/shallowmulti/hypert) that appears to target financial-sector developers."
https://socket.dev/blog/typosquatted-go-packages-deliver-malware-loader
https://thehackernews.com/2025/03/seven-malicious-go-packages-found.html
- From Event To Insight: Unpacking a B2B Business Email Compromise (BEC) Scenario
"When an organization is subject to a Business Email Compromise (BEC), a single email could result in substantial monetary losses. Threat actors employing such tactics could employ different techniques, ranging from simple to advanced, and have seen increased activities yearly. A recent investigation examined not a typical BEC scenario where a threat actor simply sends a fraudulent email in the hopes of tricking a victim. Instead, this B2B BEC scheme involved abusing the implicit trust between relationships amongst business partners, patiently weaved by the threat actor within days."
https://www.trendmicro.com/en_us/research/25/c/from-event-to-insight.html
- Silk Typhoon Targeting IT Supply Chain
"Microsoft Threat Intelligence identified a shift in tactics by Silk Typhoon, a Chinese espionage group, now targeting common IT solutions like remote management tools and cloud applications to gain initial access. While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities. After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives. Our latest blog explains how Microsoft security solutions detect these threats and offers mitigation guidance, aiming to raise awareness and strengthen defenses against Silk Typhoon’s activities."
https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
https://www.bleepingcomputer.com/news/security/silk-typhoon-hackers-now-target-it-supply-chains-to-breach-networks/
https://thehackernews.com/2025/03/china-linked-silk-typhoon-expands-cyber.html
https://www.darkreading.com/remote-workforce/china-silk-typhoon-it-supply-chain-attacks
https://www.bankinfosecurity.com/chinas-silk-typhoon-tied-to-cloud-service-provider-hacks-a-27649
https://hackread.com/chinese-silk-typhoon-group-it-tools-network-breaches/
https://www.securityweek.com/china-hackers-behind-us-treasury-breach-caught-targeting-it-supply-chain/
https://securityaffairs.com/174962/apt/china-linked-apt-silk-typhoon-targets-it-supply-chain.html
https://www.infosecurity-magazine.com/news/silk-typhoon-exploits-common/
https://www.theregister.com/2025/03/05/china_silk_typhoon_update/
- Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices With Multiple Fraud Schemes
"HUMAN’s Satori Threat Intelligence and Research team recently uncovered and—in collaboration with Google, Trend Micro, Shadowserver, and other partners—partially disrupted a complex and expansive fraud operation dubbed “BADBOX 2.0.” The BADBOX 2.0 operation was a major expansion and adaptation of the BADBOX operation published by the Satori team in the fall of 2023. BADBOX 2.0 is the largest botnet of infected connected TV (CTV) devices ever uncovered, and Satori researchers have found compelling evidence that the threat actors behind BADBOX were involved in BADBOX 2.0."
https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/
https://www.bleepingcomputer.com/news/security/badbox-malware-disrupted-on-500k-infected-android-devices/
https://www.bankinfosecurity.com/malware-infested-android-devices-fuel-global-botnet-fraud-a-27654
- Cactus Ransomware: What You Need To Know
"Cactus is a ransomware-as-a-service (RaaS) group that encrypts victims' data and demands a ransom for a decryption key. Hundreds of organisations have found themselves the victim of Cactus since it was first discovered in March 2023, with their stolen data published on the dark web as an "incentive" to give in to the extortionists' demands."
https://www.tripwire.com/state-of-security/cactus-ransomware-what-you-need-know
- Veriti Research Uncovers Malware Exploiting Cloud Services
"Veriti Research has identified a growing trend – attackers leveraging cloud infrastructure to facilitate malware distribution and command-and-control (C2) operations. This evolving tactic not only makes detection more challenging but also exposes organizations to significant security risks."
https://veriti.ai/blog/veriti-research-uncovers-malware-exploiting-cloud-services/
https://hackread.com/hackers-exploit-cloud-misconfigurations-spread-malware/
- I Spoke To a Task Scammer. Here’s How It Went
"Task scams are surging, with a year over year increase of 400%. So I guess it should have been no surprise when I was contacted by a task scammer on X recently. Task scammers prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. These tasks are usually gamified—organized in sets of 40 tasks that will take the victim to a “next level” once they are completed. Sometimes the victim will be given a so-called double task that earns a bigger commission."
https://www.malwarebytes.com/blog/news/2025/03/i-spoke-to-a-task-scammer-heres-how-it-went
- Undercover Miner: How YouTubers Get Pressed Into Distributing SilentCryptoMiner As a Restriction Bypass Tool
"In recent months, we’ve seen an increase in the use of Windows Packet Divert drivers to intercept and modify network traffic in Windows systems. This technology is used in various utilities, including ones for bypassing blocks and restrictions of access to resources worldwide. Over the past six months, our systems have logged more than 2.4 million detections of such drivers on user devices."
https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/
- The Evolution Of Dark Caracal Tools: Analysis Of a Campaign Featuring Poco RAT
"In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group. The malware came loaded with a full suite of espionage features. It could upload files, capture screenshots, execute commands, and manipulate system processes. Patterns in its tactics, techniques, and procedures linked it to a known player. Dark Caracal, the group behind Bandook, was a clear match. The dropper used in Poco RAT closely resembled Bandook's, reinforcing the connection."
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/the-evolution-of-dark-caracal-tools-analysis-of-a-campaign-featuring-poco-rat
https://thehackernews.com/2025/03/dark-caracal-uses-poco-rat-to-target.html
- Beneath The Surface: Detecting And Blocking Hidden Malicious Traffic Distribution Systems
"Many illicit network services, including phishing campaigns and online gambling platforms, exploit traffic distribution systems (TDS) to redirect network traffic. A TDS acts as a central hub, redirecting victims through an often complex network of servers to obfuscate the final destination and hinder detection of these operations. This infrastructure also facilitates the management of multiple malicious endpoints simultaneously."
https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribution-systems/
Breaches/Hacks/Leaks
- Toronto Zoo Shares Update On Last Year's Ransomware Attack
"The Toronto Zoo, the largest zoo in Canada, has provided more information about the data stolen during a ransomware attack in January 2024. In a final notification regarding the cyberattack, the Toronto Zoo said the resulting data breach impacts varying combinations of personal and financial information belonging to employees, former employees, volunteers, and donors."
https://www.bleepingcomputer.com/news/security/toronto-zoo-shares-update-on-last-years-ransomware-attack/
https://therecord.media/toronto-zoo-warns-decades-cyberattack
- Qilin Ransomware Gang Claims Attacks On Cancer Clinic, OB-GYN Facility
"Qilin – the "no regrets" ransomware crew wreaking havoc on the global healthcare industry – just claimed responsibility for fresh attacks on a cancer treatment clinic in Japan and a women's healthcare facility in the US. Qilin is the same group responsible for multiple attacks on healthcare orgs across the globe including one that locked up pathology labs across NHS facilities in the UK for weeks, and its spokesperson once famously told The Reg in an interview that it had no regrets, even after seeing the extensive disruption it caused to people's healthcare."
https://www.theregister.com/2025/03/05/qilin_ransomware_credit/
General News
- Why Multi-Cloud Security Needs a Fresh Approach To Stay Resilient
"As enterprises expand their multi-cloud strategies to drive agility and scalability, CISOs must prioritize cyber resilience across diverse cloud platforms. The complexities of securing multi-cloud environments demand innovative solutions to maintain a strong security posture."
https://www.helpnetsecurity.com/2025/03/05/multi-cloud-security-approach-stay-resilient/
- Treasury Sanctions China-Based Hacker Involved In The Compromise Of Sensitive U.S. Victim Networks
"Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Zhou Shuai, a Shanghai-based malicious cyber actor and data broker, and his company, Shanghai Heiying Information Technology Company, Limited (Shanghai Heiying). In collaboration with another malicious cyber actor, U.S.-sanctioned Yin Kecheng, Zhou Shuai illegally acquired, brokered, and sold data from highly sensitive U.S. critical infrastructure networks. Malicious cyber actors, particularly those operating in China, continue to be one of the greatest and most persistent threats to U.S. national security, as highlighted in the Office of the Director of National Intelligence’s most recent Annual Threat Assessment."
https://home.treasury.gov/news/press-releases/sb0042
https://therecord.media/doj-charges-chinese-nationals-isoon-cyberattacks-treasury
https://www.bleepingcomputer.com/news/security/us-charges-chinese-hackers-linked-to-critical-infrastructure-breaches/
https://www.bankinfosecurity.com/us-seizes-chinese-hacker-infrastructure-unseals-indictments-a-27652
https://www.bankinfosecurity.com/us-prosecutors-indict-isoon-chinese-hacking-contractors-a-27650
https://cyberscoop.com/chinese-nationals-indictments-espionage-attacks/
https://www.securityweek.com/us-indicts-chinas-isoon-hackers-for-hire-operatives/
https://www.theregister.com/2025/03/06/fbi_china_pays_75k_per/
- Investigator Says Differing Names For Hacker Groups, Hackers Studying Investigative Methods Hinders Law Enforcement
"Malicious hacking groups pay close attention to public documents related to criminal prosecutions, and the lack of standardized names for those groups hampers U.S. federal law enforcement, an investigator said in a recent speech. The investigator, who could not be named under the conditions of the speech, said those are just two of many problems facing investigators pursuing cybercriminals in a justice system that was set up long ago and never designed to account for the complexities created by hackers — who operate across the world and attack targets around the globe."
https://cyberscoop.com/cybercrime-investigator-hacker-groups-law-enforcement/
- February Sees Record-Breaking Ransomware Attacks, New Data Shows
"February ransomware attacks set a single-month record, according to an analysis of Cyble threat intelligence data. The year began with a surge in ransomware attacks, a trend that continued into February. With February’s data now final, the number of organizations claimed as victims by ransomware groups reached numbers well above long-term trends. We’ll look at what’s behind those numbers and what they mean for future ransomware trends."
https://cyble.com/blog/february-sees-ransomware-attacks-new-data-shows/
- Why Security Leaders Are Opting For Consulting Gigs
"As a chief information security officer (CISO), I've watched our profession transform from purely technical authorities to key business leaders. Burnout has always been a concern stemming from the growing number of data breaches and the accelerating technical transformation occurring in many businesses. But the job is getting considerably harder due to increased regulatory complexity and a rise in culture of transparency and accountability — and the pressure isn't letting up."
https://www.darkreading.com/cybersecurity-operations/why-security-leaders-opting-consulting-gigs
- The 5 Stages Of Incident Response Grief
"Whether we recognize it or not, anytime an incident occurs, it sets off the grieving process. But grief isn’t a bad thing: it’s how we process our emotional reactions and move on. That’s precisely what security teams need to do in the wake of a cyber incident—and you’d be surprised how well the stages of incident response map to the famous “Five Stages of Grief.”"
https://www.helpnetsecurity.com/2025/03/05/incident-response-grief-stages/
- Nonprofits Face Surge In Cyber-Attacks As Email Threats Rise 35%
"Nonprofit organizations have seen a sharp rise in cyber-attacks, with email-based threats increasing by 35.2% over the past year. These attacks target donor data, financial transactions and internal communications. According to a new report by Abnormal Security, nonprofits have become prime targets due to their limited cybersecurity resources, high-trust environments and frequent financial transactions. Attackers exploit these vulnerabilities to deploy business email compromise (BEC) and vendor email compromise (VEC) schemes, tricking employees into redirecting funds or sharing sensitive information."
https://www.infosecurity-magazine.com/news/nonprofits-email-threats-rise-35/
- Open-Source Cybersecurity Tools: Are They Right For You?
"Cybersecurity professionals love their tools. Walk into any security conference, and you'll hear people debating the best options for penetration testing, network monitoring or digital forensics. But the real question isn't just which tool to use, it's whether an open-source tool is the right fit in the first place. Having the knowledge and skill to make this determination is an important career skill for any cyber professional."
https://www.bankinfosecurity.com/blogs/open-source-cybersecurity-tools-are-they-right-for-you-p-3830
- When Code Kills: The Rise Of Kinetic Cyberattacks
"Have you seen the recent Netflix series “Zero Day,” starring Robert De Niro? (I’m only up to the fourth episode, so no spoilers, please.) In case you haven’t, the plot centers on a massive cyberattack that affects basically every computerized system in the US. Everything gets turned off for one minute, then everything is restored. But the result is that thousands die, as planes and trains crash, industrial plants explode, and so on."
https://blog.barracuda.com/2025/03/04/when-code-kills-the-rise-of-kinetic-cyberattacks
References
Electronic Transactions Development Agency (ETDA)