Cyber Threat Intelligence 10 March 2025
Industrial Sector
- MITRE EMB3D For OT & ICS Threat Modeling Takes Flight
"Frameworks to aid device and industrial control system (ICS) manufacturers in modeling the threats that their products face continue to gain traction as research matures. Non-profit government research organization MITRE, for example, announced its EMB3D framework for threat modeling in late 2023, outlining specific categories of threats. Late last year, MITRE added recommendations for companies to mitigate the threats. And already, device manufacturers are starting to use EMB3D to enhance their threat modeling processes, researchers are using it to discuss findings in the same language, and cybersecurity vendors have started incorporating it into the products, says Marie Stanley Collins, senior principal with MITRE's Critical Infrastructure Initiative."
https://www.darkreading.com/threat-intelligence/mitre-emb3d-ot-ics-threat-modeling
- Multiple Vulnerabilities Discovered In a SCADA System
"In early 2024 we conducted a security assessment of a Supervisory Control and Data Acquisition (SCADA) system named ICONICS Suite and identified five vulnerabilities in versions 10.97.2 and earlier for Microsoft Windows. We coordinated with the ICONICS security team, which released multiple security patches in 2024 to resolve some of these issues and published timely security advisories with workarounds for the rest."
https://unit42.paloaltonetworks.com/vulnerabilities-in-iconics-software-suite/
Vulnerabilities
- Unpatched Edimax IP Camera Flaw Actively Exploited In Botnet Attacks
"A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. The flaw was discovered by Akamai researchers, who confirmed to BleepingComputer that the flaw is exploited in attacks that are still ongoing. Akamai researcher Kyle Lefton told BleepingComputer that they will provide more technical details about the flaw and the associated botnet next week."
https://www.bleepingcomputer.com/news/security/unpatched-edimax-ip-camera-flaw-actively-exploited-in-botnet-attacks/
https://www.securityweek.com/edimax-camera-zero-day-disclosed-by-cisa-exploited-by-botnets/
https://securityaffairs.com/175060/hacking/mirai-based-botnets-exploit-cve-2025-1316-zero-day-in-edimax-ip-cameras.html
- Undocumented Commands Found In Bluetooth Chip Used By a Billion Devices
"The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks. The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence. This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings yesterday at RootedCON in Madrid."
https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/
https://securityaffairs.com/175102/hacking/undocumented-hidden-feature-espressif-esp32-microchip.html
Malware
- Microsoft: North Korean Hackers Join Qilin Ransomware Gang
"Microsoft says a North Korean hacking group tracked as Moonstone Sleet has deployed Qilin ransomware payloads in a limited number of recent attacks. "Since late February 2025, Microsoft has observed Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of orgs," the company's threat intelligence experts said this week. "Moonstone Sleet has previously exclusively deployed their own custom ransomware in their attacks, and this represents the first instance they are deploying ransomware developed by a RaaS operator.""
https://www.bleepingcomputer.com/news/security/microsoft-north-korean-hackers-now-deploying-qilin-ransomware/
- FIN7, FIN8, And Others Use Ragnar Loader For Persistent Access And Ransomware Operations
"Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil). "Ragnar Loader plays a key role in keeping access to compromised systems, helping attackers stay in networks for long-term operations," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News."
https://thehackernews.com/2025/03/fin7-fin8-and-others-use-ragnar-loader.html
- Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion In Bybit Heist
"Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a "highly sophisticated, state-sponsored attack," stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts. The multi-signature (multisig) platform, which has roped in Google Cloud Mandiant to perform a forensic investigation, said the attack is the work of a hacking group dubbed TraderTraitor, which is also known as Jade Sleet, PUKCHONG, and UNC4899."
https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html
- PrintSteal: Exposing Unauthorized CSC-Impersonating Websites Engaging In Large-Scale KYC Document Generation Fraud
"Imagine thousands of fake identity documents being generated at the click of a button—Aadhaar cards, PAN cards, birth certificates—all convincingly real, but entirely fraudulent. That’s exactly what the "PrintSteal" operation has been doing on a massive scale. This investigation uncovers a highly organized criminal network running over 1,800 fake domains, impersonating government websites, and using cyber cafés, Telegram groups, and illicit APIs to distribute fraudulent KYC documents. With over 167,000 fake documents created and ₹40 Lakh in illicit profits, this isn’t just fraud—it’s a direct attack on India’s digital security. The full report dives into how this scam works, who’s behind it, and what needs to be done to stop it. If you care about financial security, digital identity protection, or cybercrime prevention, you won’t want to miss it. Read on to uncover the full story."
https://www.cloudsek.com/blog/printsteal-exposing-unauthorized-csc-impersonating-websites-engaging-in-large-scale-kyc-document-generation-fraud-2
- Developer Guilty Of Using Kill Switch To Sabotage Employer's Systems
"A software developer has been found guilty of sabotaging his ex-employer's systems by running custom malware and installing a "kill switch" after being demoted at the company. Davis Lu, 55, of Houston, was a software developer for an Ohio company, reportedly Eaton Corp, from November 2007 to October 2019. Eaton Corporation is a global power management company that provides electrical, hydraulic, and mechanical solutions for various industries."
https://www.bleepingcomputer.com/news/security/developer-guilty-of-using-kill-switch-to-sabotage-employers-systems/
https://www.theregister.com/2025/03/08/developer_server_kill_switch/
- YouTubers Extorted Via Copyright Strikes To Spread Malware
"Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos. The threat actors take advantage of the popularity of Windows Packet Divert (WPD) tools that are increasingly used in Russia as they help users bypass internet censorship and government-imposed restrictions on websites and online services."
https://www.bleepingcomputer.com/news/security/youtubers-extorted-via-copyright-strikes-to-spread-malware/
- US Cities Warn Of Wave Of Unpaid Parking Phishing Texts
"US cities are warning of an ongoing mobile phishing campaign pretending to be texts from the city's parking violation departments about unpaid parking invoices that, if unpaid, will incur an additional $35 fine per day. While parking scams have been around for years, a massive wave of phishing text messages has caused numerous cities throughout the US to issue warnings, including from Annapolis, Boston, Greenwich, Denver, Detroit, Houston, Milwaukee, Salt Lake City, Charlotte, San Diego, San Francisco, and many others."
https://www.bleepingcomputer.com/news/security/us-cities-warn-of-wave-of-unpaid-parking-phishing-texts/
Breaches/Hacks/Leaks
- Data Breach At Japanese Telecom Giant NTT Hits 18,000 Companies
"Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident. The data breach was discovered in early February 2025, but the exact date when the hackers gained initial access to NTT's systems hasn't been determined. "NTT Communications Corporation discovered on February 5 that our facilities had been subjected to unauthorized access," reads the announcement. "On February 6, we confirmed that some information might have been leaked externally.""
https://www.bleepingcomputer.com/news/security/data-breach-at-japanese-telecom-giant-ntt-hits-18-000-companies/
https://www.securityweek.com/18000-organizations-impacted-by-ntt-com-data-breach/
https://securityaffairs.com/175090/data-breach/japanese-telecom-giant-ntt-data-breach.html
- Cyberattack Disrupts National Presto Industries Operations
"Home appliance maker National Presto Industries is scrambling to restore operations disrupted by a cyberattack that caused a system outage. The incident, the company said in a regulatory filing with the Securities and Exchange Commission, occurred on March 1. “Upon discovery, [National Presto Industries] activated its incident response team, comprised of internal personnel and external cybersecurity experts retained to assist in addressing the incident,” the company says."
https://www.securityweek.com/cyberattack-disrupts-national-presto-industries-operations/
https://therecord.media/presto-home-appliances-manufacturer-cyberattack
- Texas Border City Declares State Of Emergency After Cyberattack On Government Systems
"The government of Mission, Texas, filed a state of emergency declaration this week after a cyberattack exposed all of the data held on city systems. The city government notified residents of the incident on Wednesday, telling them cybercriminals targeted portions of their network. The attack required them to take systems offline but officials said emergency services were still operational. A local news outlet disputed this assessment, writing that police officers have lost the ability to run license plates and driver’s licenses through state databases. City leaders sent a memo to government workers on Tuesday warning that much of the IT system was shut down due to the incident."
https://therecord.media/texas-city-cyberattack-emergency-declaration
General News
- US Seizes $23 Million In Crypto Stolen Via Password Manager Breach
"U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack. Despite the threat actors' efforts, law enforcement agents traced $23,604,815.09 of the stolen digital assets between June 2024 and February 2025 to the following cryptocurrency exchanges: OKX, Payward Interactive, Inc. (dba Kraken), WhiteBIT, AscendEX Technology SRL, Ftrader Ltd (dba FixedFloat), SwapSpace LLC, and Rabbit Finance LLC (dba CoinRabbit)."
https://www.bleepingcomputer.com/news/security/us-seizes-23-million-in-crypto-stolen-via-password-manager-breach/
- US Charges Garantex Admins With Money Laundering, Sanctions Violations
"The administrators of the Russian Garantex crypto-exchange have been charged in the United States with facilitating money laundering for criminal organizations and violating sanctions. 46-year-old Lithuanian national and Russian resident Aleksej Besciokov and 40-year-old Russian national and United Arab Emirates resident Aleksandr Mira Serda—who controlled Garantex between 2019 and 2025—are charged with money laundering conspiracy which carries a maximum penalty of 20 years in prison."
https://www.bleepingcomputer.com/news/security/us-charges-garantex-admins-with-money-laundering-sanctions-violations/
https://www.bankinfosecurity.com/us-feds-take-down-garantex-indict-operators-a-27668
https://cyberscoop.com/garantex-seized-secret-service-doj-russia-crypto-sanctions/
https://www.securityweek.com/us-seize-garantex-in-cryptocurrency-money-laundering-bust/
https://www.theregister.com/2025/03/07/uncle_sam_charges_2_garantex/
- Russian DDoS Groups Frothing After Europe Backs Ukraine
"Russia's use of high-profile online nuisance attacks to amplify Moscow's geopolitical agenda continues. Multiple self-proclaimed Russian hacktivist groups over the past week have trumpeted their targeting of websites in the United Kingdom, France and Spain, among other NATO members, after those countries' governments pledged to increase their support for Ukraine following the Trump administration's decision to pare back aid."
https://www.bankinfosecurity.com/blogs/russian-ddos-groups-frothing-after-europe-backs-ukraine-p-3831
- Static Scans, Red Teams, And Frameworks Aim To Find Bad AI Models
"Malicious models are increasingly showing up on Hugging Face and other artificial intelligence (AI) model repositories. Cybersecurity companies are developing defensive tools to help organizations and developers identify which models are safe to use. In many ways, the problems facing these AI models mimic the security and trust issues plaguing open source components and projects, says Tal Zarfati, lead architect at JFrog Security. And addressing the problems requires using similar tools, such as security scanning; establishing the provenance of model components; and testing AI applications at run time."
https://www.darkreading.com/application-security/static-scans-red-teams-frameworks-aim-find-bad-ai-models
- Update: Stopping Cybercriminals From Abusing Cobalt Strike
"Since 2023, Microsoft’s Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) have been working together to combat the use of unauthorized, legacy copies of Cobalt Strike and compromised Microsoft software, which have been weaponized by cybercriminals to deploy ransomware and other malware, causing significant harm to critical sectors like healthcare."
https://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike
https://therecord.media/malicious-cobalt-strike-use-down
https://www.darkreading.com/threat-intelligence/cybercrime-cobalt-strike-use-plummets-worldwide
- How Cyberattacks Affect Your Staff
"As we continue to move into 2025, organizations are facing more threats to business continuity than ever before. Cyberattacks, now the leading cause of both data loss and IT downtime for businesses, are at the top of the threat list. At Databarracks, we surveyed 500 businesses in our 2024 Data Health Check and found that more than 50% of them were affected by cyber threats in the previous year. But what's even more alarming is that 37% of those incidents led directly to job losses."
https://www.darkreading.com/cyberattacks-data-breaches/how-cyberattacks-affect-your-staff
- Can AI-Powered Gamified Simulations Help Cybersecurity Teams Keep Up?
"Traditional training often lacks the hands-on experience cybersecurity teams need to counter advanced threats. AI-powered gamified simulations combine artificial intelligence with interactive learning to enhance their skills. Conventional cybersecurity training programs frequently rely on static content, which can become outdated. These programs may also lack the engagement necessary to maintain participant interest, leading to suboptimal retention of critical skills. In contrast, gamified simulations introduce dynamic, scenario-based learning environments that mirror real-world cyber threats, fostering more profound understanding and retention."
https://www.helpnetsecurity.com/2025/03/07/ai-gamified-simulations-cybersecurity/
- Ransomware Groups Favor Repeatable Access Over Mass Vulnerability Exploits
"Ransomware groups have shifted away from mass compromise events from vulnerability exploits towards “reliable and repeatable” methods to gain access to victim networks, according to Travelers’ latest Cyber Threat Report. These tactics include targeting weak credentials on VPN and gateway accounts that are not protected by multifactor authentication (MFA). The researchers noted that this activity began to take hold in the second half of 2023, and spread widely among ransomware operators and initial access brokers (IAB) throughout 2024."
https://www.infosecurity-magazine.com/news/ransomware-repeatable-access/
- Majority Of Orgs Hit By AI Cyber-Attacks As Detection Lags
"Most (87%) security professionals have reported that their organization has encountered an AI-driven cyber-attack in the last year, as the technology increasingly takes hold, according to a new report by SoSafe. The new SoSafe 2025 Cybercrime Trends report also noted that 91% of all security experts anticipate a significant surge in AI-driven threats over the next three years. The World Economic Forum’s Global Cybersecurity Outlook 2025 cited a 223% increase in the trade of deepfake-related tools on dark web forums between Q1 2023 and Q1 2024."
https://www.infosecurity-magazine.com/news/majority-of-orgs-hit-by-ai/
- The Role Of Differential Privacy In Protecting Sensitive Information In The Era Of Artificial Intelligence
"Differential privacy (DP) protects data by adding noise to queries, preventing re-identification while maintaining utility, addressing Artificial Intelligence-era privacy challenges."
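The one-sentence excerpt above compresses a concrete mechanism. The following added example (not code from the article) shows the Laplace mechanism for a counting query: noise of scale b = Δf/ε is added to the true answer, the ε-DP inequality is checked pointwise for two neighbouring datasets, and a differencing attack that re-identifies one person from two un-noised aggregates is shown to be noise-dominated once the mechanism is applied. The record set, predicate, ε values and function names are assumptions for illustration.

```python
import math
import random

# Constructed sample records (not from the article): (age, has_condition).
SAMPLE_RECORDS = [
    (34, True), (51, False), (29, True), (62, False), (45, False),
    (38, True), (70, True), (23, False), (57, False), (41, True),
]


def has_condition(record):
    return record[1]


def exact_count(records, predicate):
    """The un-noised counting query an analyst would normally run."""
    return sum(1 for r in records if predicate(r))


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = Δf / ε for the Laplace mechanism. A counting query has
    sensitivity 1: adding or removing one person changes it by at most 1."""
    if epsilon <= 0 or sensitivity < 0:
        raise ValueError("epsilon must be > 0 and sensitivity must be >= 0")
    return sensitivity / epsilon


def laplace_pdf(x, scale):
    """Density of Laplace(0, b) at x."""
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def sample_laplace(scale, rng):
    """Draw Laplace(0, b) noise by inverse-CDF sampling from u ~ U(-1/2, 1/2)."""
    u = rng.random() - 0.5
    mag = min(abs(u), 0.5 - 1e-15)          # guard the log(0) edge at |u| = 1/2
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * mag)


def private_count(records, predicate, epsilon, seed=0):
    """Laplace mechanism for a count: true count plus Laplace(0, 1/ε) noise."""
    rng = random.Random(seed)
    return exact_count(records, predicate) + sample_laplace(laplace_scale(1.0, epsilon), rng)


def difference_attack(records, target_index, predicate, epsilon, seed=0):
    """Two aggregate queries whose answers differ by one person. Without noise
    the difference is exactly the target's private attribute (re-identification);
    with independent Laplace noise on each answer it is noise-dominated."""
    others = records[:target_index] + records[target_index + 1:]
    exact = exact_count(records, predicate) - exact_count(others, predicate)
    b = laplace_scale(1.0, epsilon)
    rng = random.Random(seed)
    noisy_all = exact_count(records, predicate) + sample_laplace(b, rng)
    noisy_others = exact_count(others, predicate) + sample_laplace(b, rng)
    return exact, noisy_all - noisy_others


def epsilon_dp_holds(answer_a, answer_b, sensitivity, epsilon, outputs):
    """Pointwise check of the ε-DP guarantee for two neighbouring true answers:
    P[M(D) = y] / P[M(D') = y] <= e^ε for every output y. The ratio is
    exp((|y-b'| - |y-a|)/b) <= exp(|a-b'|/b), so it holds whenever
    |answer_a - answer_b| <= Δf and fails at y = answer_a otherwise."""
    b = laplace_scale(sensitivity, epsilon)
    bound = math.exp(epsilon) * (1 + 1e-9)  # small slack for floating point
    return all(
        laplace_pdf(y - answer_a, b) / laplace_pdf(y - answer_b, b) <= bound
        for y in outputs
    )


def noise_stats(scale, n, seed=0):
    """Empirical mean and mean absolute value of n draws. For Laplace(0, b),
    E[X] = 0 and E|X| = b, which is the expected error of one private answer:
    the utility cost of the privacy parameter ε."""
    rng = random.Random(seed)
    draws = [sample_laplace(scale, rng) for _ in range(n)]
    return sum(draws) / n, sum(abs(d) for d in draws) / n


if __name__ == "__main__":
    eps = 0.5
    print("exact count:", exact_count(SAMPLE_RECORDS, has_condition))
    print("private count (eps=%.1f):" % eps, private_count(SAMPLE_RECORDS, has_condition, eps))
    print("difference attack on record 0 (exact, noisy):",
          difference_attack(SAMPLE_RECORDS, 0, has_condition, eps))
    print("mean, mean|noise| for b=2:", noise_stats(laplace_scale(1.0, eps), 20000))
```

The trade-off in the excerpt is the choice of ε: a smaller ε means a larger b and a noisier answer, but also a tighter e^ε bound on how much any single record can shift the output distribution. The privacy budget also composes: answering the same query twice with independent noise (as the differencing attack does) spends 2ε, which is why real deployments track cumulative ε per dataset rather than per query.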
https://securityaffairs.com/175061/security/differential-privacy-in-protecting-sensitive-information-in-the-era-of-artificial-intelligence.html
- Black Basta's Rapid Collapse
"When we profiled Black Basta last May, the group had already extorted over $107 million from 329+ victims. It had just pulled off the big attack on Ascension Health, disrupting 142 hospitals across 19 states and Washington DC. The group seemed to keep going strong through the end of 2024, but internal divisions were chipping away at the operations. Divided loyalties resulted in some members attacking Russian targets, which is always prohibited by Russian-based groups. Others were scamming victims by collecting ransom payments without providing working decryption keys, which is considered damaging to the group’s reputation. High-profile attacks and target selection further contributed to the rift. The group appears to have ended operations as of January 11, 2025. There are no known victims since that date, and all three of the group’s websites are unavailable."
https://blog.barracuda.com/2025/03/07/black-basta-s-rapid-collapse
- Like Whitebox Servers, Rent-a-Crew Crime 'affiliates' Have Commoditized Ransomware
"There's a handful of cybercriminal gangs that Jason Baker, a ransomware negotiator with GuidePoint Security, regularly gets called in to respond to these days, and a year ago only one of these crews — Akira — was on threat hunters' radars and infecting organizations with the same ferocity as it is today. "As far as the ones that we're seeing most often in the last couple of months: Akira remains quite a prolific one," Baker tells The Register. "Qilin has really taken off this year. Hunters International and RansomHub really took off following the disruption of AlphV and LockBit early last year.""
https://www.theregister.com/2025/03/07/commoditization_ransomware/
- Who Is Responsible And Does It Matter?
"At Talos we bat on behalf of our customers, protecting them against all manner of cyber threats that may affect them. The nature of the threat actor and their origin or affiliation makes no difference; if they are attacking or planning to attack a customer, we do our utmost to stop them. In practice, identifying the origin of attacks can be surprisingly difficult, much harder than identifying the attack itself. Attacks do not arrive wrapped in a flag with a certificate of origin. Typically, attackers seek to hide their origin so as to avoid the attention of law enforcement or the international community. However, although not an easy task, the attacker will often unwittingly leave clues to their identity."
https://blog.talosintelligence.com/who-is-responsible-and-does-it-matter/
Reference
Electronic Transactions Development Agency (ETDA)