CyberSecurity Newsletter March 10th 2025
In this week’s news: Scammers are now targeting U.S. companies using fake BianLian ransom notes sent through postal mail, Silk Typhoon is exploiting remote management tools, the Akira gang used a webcam to bypass EDR, Black Basta’s playbook has been released, EncryptHub, an emerging malware threat actor, has compromised more than 600 organizations, and Cisco has issued a warning regarding a vulnerability in Webex.
According to Microsoft, Silk Typhoon is now exploiting remote management tools and cloud services. This shift enables them to gain access to downstream customers through supply chain attacks.
https://dailysecurityreview.com/security-spotlight/silk-typhoon-hackers-now-target-it-supply-chains-to-breach-networks/
The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor on Windows. Cybersecurity firm S-RM's team discovered the unusual attack method during a recent incident response at one of their clients.
https://www.bleepingcomputer.com/news/security/ransomware-gang-encrypted-network-from-a-webcam-to-bypass-edr/
Safe{Wallet} has revealed that the cybersecurity incident that led to the Bybit $1.5 billion crypto heist is a "highly sophisticated, state-sponsored attack," stating the North Korean threat actors behind the hack took steps to erase traces of the malicious activity in an effort to hamper investigation efforts.
https://thehackernews.com/2025/03/safewallet-confirms-north-korean.html
Black Basta Playbook Chat Leak
https://osintteam.blog/black-basta-playbook-chat-leak-d5036936166d
The US Justice Department has indicted Chinese state security officers and hackers from APT27 and i-Soon for widespread cyberattacks targeting global victims since 2011. This sophisticated campaign involved breaches of US federal and state government agencies, foreign ministries, dissidents, and a major US religious organization.
https://dailysecurityreview.com/security-spotlight/us-charges-chinese-hackers-targeting-critical-infrastructure-breaches/
An international law enforcement operation led by the U.S. Secret Service seized the website (“garantex[.]org”) of the sanctioned Russian crypto exchange Garantex. In April 2022, the US Treasury Department sanctioned the virtual currency exchange. Garantex has been active since 2019; the service allowed customers to buy and sell virtual currencies using fiat currencies. Most of Garantex’s operations are carried out in Moscow, including at Federation Tower, and in St. Petersburg, Russia, where other sanctioned virtual currency exchanges have also operated.
https://securityaffairs.com/175049/cyber-crime/international-law-enforcement-operation-seized-the-domain-of-the-russian-crypto-exchange-garantex.html
EncryptHub, an emerging malware threat actor that has compromised more than 600 organizations, had details about its operations and attack chain exposed by researchers. Outpost24’s KrakenLabs Threat Intelligence Team outlined the inner workings of the malware operation, including its structure and techniques for infecting and managing infected systems.
https://www.scworld.com/news/encrypthub-malware-operations-attack-chain-exposed
Microsoft Threat Intelligence has exposed a malvertising campaign abusing GitHub, Discord, and Dropbox. The report covers the multi-stage attack chain, the use of LOLBAS, and the various malware payloads, and provides detailed analysis, IOCs, and mitigation recommendations.
https://hackread.com/microsoft-dismantle-malvertising-github-discord-dropbox/
Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025. "The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical report published Thursday.
https://thehackernews.com/2025/03/php-cgi-rce-flaw-exploited-in-attacks.html
Cisco has issued a warning regarding a vulnerability in Webex for BroadWorks that could allow unauthenticated attackers to access sensitive credentials remotely. This issue affects the integration of Cisco Webex’s video conferencing features with the BroadWorks unified communications platform.
https://dailysecurityreview.com/security-spotlight/cisco-warns-of-broadworks-flaw-exposing-credentials/
A coalition of international law enforcement agencies has seized the website associated with the cryptocurrency exchange Garantex ("garantex[.]org"), nearly three years after the service was sanctioned by the U.S. Treasury Department in April 2022.
https://thehackernews.com/2025/03/us-secret-service-seizes-russian.html
Scammers are now targeting U.S. companies using fake BianLian ransom notes sent through postal mail. This alarming development was first reported by Guidepoint Security, with BleepingComputer later receiving a copy of the note from a CEO who encountered the scam.
https://dailysecurityreview.com/security-spotlight/fake-bianlian-ransom-notes-mailed-to-us-ceos-in-postal-mail-scam/
Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
https://securityaffairs.com/175013/malware/medusa-ransomware-targeted-over-40-organizations-in-2025.html
The Hunters International ransomware group has claimed responsibility for a cyberattack on Tata Technologies. This ransomware attack reportedly occurred in January 2025 and involved the theft of approximately 1.4 TB of data, encompassing around 730,000 files from the company.
https://dailysecurityreview.com/security-spotlight/hunters-international-claims-ransomware-attack-on-tata-technologies-1-4tb-data-breached/
The BadBox malware, a notorious Android botnet, has been disrupted by cybersecurity experts, impacting over 500,000 infected devices globally. This operation involved the removal of 24 malicious applications from Google Play and sinkholing communications of the botnet.
https://dailysecurityreview.com/security-spotlight/badbox-malware-disrupted-on-500k-infected-android-devices/
YouTube issued a warning about a sophisticated phishing campaign leveraging an AI-generated video of its CEO, Neal Mohan. This deceptive tactic aims to steal creators’ credentials and access their accounts.
https://dailysecurityreview.com/security-spotlight/youtube-warns-of-ai-generated-phishing-attacks-targeting-creators/
Microsoft has disclosed details of a large-scale malvertising campaign that's estimated to have impacted over one million devices globally as part of what it said is an opportunistic attack designed to steal sensitive information.
https://thehackernews.com/2025/03/microsoft-warns-of-malvertising.html
Most (87%) security professionals have reported that their organization encountered an AI-driven cyber-attack in the last year, as the technology increasingly takes hold, according to a new report by SoSafe.
https://www.infosecurity-magazine.com/news/majority-of-orgs-hit-by-ai/
Microsoft says a North Korean hacking group tracked as Moonstone Sleet has deployed Qilin ransomware payloads in a limited number of recent attacks. "Since late February 2025, Microsoft has observed Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of orgs," the company's threat intelligence experts said this week.
https://www.bleepingcomputer.com/news/security/microsoft-north-korean-hackers-now-deploying-qilin-ransomware/
Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident. The data breach was discovered in early February 2025, but the exact date when the hackers gained initial access to NTT's systems hasn't been determined.
https://www.bleepingcomputer.com/news/security/data-breach-at-japanese-telecom-giant-ntt-hits-18-000-companies/
Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil).
https://thehackernews.com/2025/03/fin7-fin8-and-others-use-ragnar-loader.html
More than 1,000 WordPress websites have been infected with four different backdoors through a malicious JavaScript code spread via the cdn.csyndication[.]com domain referenced across 908 websites, reports The Hacker News.
https://www.scworld.com/brief/malicious-backdoor-deploying-javascript-facilitates-widespread-wordpress-site-compromise
A Memphis man was arrested and charged with stealing DVD and Blu-ray discs of unreleased movies and sharing ripped digital copies online before their release.
https://www.bleepingcomputer.com/news/security/employee-charged-with-stealing-unreleased-movies-sharing-them-online/
A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. The flaw was discovered by Akamai researchers, who confirmed to BleepingComputer that the flaw is exploited in attacks that are still ongoing.
https://www.bleepingcomputer.com/news/security/unpatched-edimax-ip-camera-flaw-actively-exploited-in-botnet-attacks/