@zdnet.com
//
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.
Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.
Recommended read:
References :
- bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
- www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
- securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
- DataBreaches.Net: #StopRansomware: Medusa Ransomware
- Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
- securityaffairs.com: SecurityAffairs article: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
- www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
- : FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
- bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
- The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
- www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
- Tenable Blog: Tenable article: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
- SOC Prime Blog: SOC Prime blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
- be4sec: Medusa Ransomware is Targeting Critical Infrastructure
- be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
- aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
- www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
- cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
- Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
- techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
- Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
- eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
- Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
- thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
- www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
- www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
- Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
- The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
- www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer
@World - CBSNews.com
//
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.
The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.
Recommended read:
References :
- bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
- The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
- bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
- The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
- The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
- DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
- bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
- Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
- Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
- Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
- BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
- hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
- Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
- Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
- techxplore.com: US indicts 12 Chinese nationals in hacking
- : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
- Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
- Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
- blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
- Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
- Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.
do son@Daily CyberSecurity
//
The Medusa ransomware operation has significantly impacted critical infrastructure sectors, affecting over 300 organizations in the United States by February 2025. According to CISA, these attacks have targeted essential services across various industries, including medical, education, legal, insurance, technology, and manufacturing. This widespread impact highlights the vulnerability of critical infrastructure and the potential for severe disruptions. The healthcare sector has been a primary target, with ransom demands ranging from $100,000 to $15 million, potentially disrupting patient care and compromising sensitive data.
Educational institutions have also been significantly affected, with 21 attacks reported in February 2025 alone. These attacks disrupt academic activities and compromise personal information of students and staff. In response, CISA, in partnership with the FBI and MS-ISAC, released a joint Cybersecurity Advisory providing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity. The advisory encourages organizations to ensure operating systems and software are up to date, segment networks to restrict lateral movement, and filter network traffic to prevent unauthorized access.
Recommended read:
References :
- Industrial Cyber: Recent findings from Symantec indicate a significant rise in Medusa ransomware activity, which is reportedly being operated as...
- securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
- : Symantec found that Medusa has listed almost 400 victims on its data leaks site since early 2023, demanding ransom payments as high as $15m
- Broadcom Software Blogs: Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
- bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
- The DefendOps Diaries: Medusa Ransomware: A Growing Threat to Critical Infrastructure
- RedPacket Security: CISA: CISA and Partners Release Cybersecurity Advisory on Medusa Ransomware
- gbhackers.com: Medusa Ransomware Hits 300+ Critical Infrastructure Organizations Worldwide
- securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
- www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
- securityaffairs.com: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
- Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- CyberInsider: FBI: Medusa Ransomware Has Breached 300 Critical Infrastructure Organizations
- www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released - with at least one organisation hit with a "triple-extortion" threat. Read more in my article on the Tripwire State of Security blog.
- Resources-2: On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Medusa ransomware [1]. Medusa ransomware emerged as Ransomware-as-a-Service in June 2021 and gained infamy by compromising over 300 victims from critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, legal, and technology.
- : CISA, FBI Warn of Medusa Ransomware Impacting Critical Infrastructure
- www.cybersecuritydive.com: The ransomware-as-a-service gang tallied more than 300 victims in industries such as healthcare, manufacturing and technology.
- The Register - Security: Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand
- DataBreaches.Net: #StopRansomware: Medusa Ransomware
- hackread.com: FBI and CISA Urge Enabling 2FA to Counter Medusa Ransomware
- Talkback Resources: #StopRansomware: Medusa Ransomware | CISA [net] [mal]
- Tenable Blog: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
- SOC Prime Blog: Medusa Ransomware Detection: The FBI, CISA & Partners Warn of Increasing Attacks by Ransomware Developers and Affiliates Against Critical Infrastructure
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
@techradar.com
//
On March 10, 2025, the social media platform X, formerly known as Twitter, experienced a significant outage, impacting thousands of users in the US and the UK. Owner Elon Musk attributed the interruption to a "massive cyberattack," claiming that IP addresses originating from Ukraine were responsible. Reports indicated that problems peaked at 40,000 on Downdetector, marking it as the most substantial disruption of service the platform had faced in years, with effects lasting for several hours. Musk stated that the attack was done with a lot of resources.
Security experts suggest a different explanation, attributing the disruption to a distributed denial-of-service (DDoS) attack. This involves overwhelming X's servers with bogus traffic from numerous devices, making it difficult to pinpoint the attack's true origin. Analysts believe hackers routed traffic through hijacked IP addresses in several regions, masking their identities. A hacking group, Dark Storm Team, briefly claimed responsibility for the attack on Telegram.
Recommended read:
References :
- Check Point Blog: Dark Storm Team Claims Responsibility for Cyber Attack on X Platform – What It Means for the Future of Digital Security
- socradar.io: X Faces Cyberattack: Dark Storm Team Takes Credit, Musk Blames Ukraine
- Malwarebytes: X users report login troubles as Dark Storm claims cyberattack
- www.scworld.com: Disruptive DDoS attack against X claimed by pro-Palestinian hackers
- WIRED: What Really Happened With the DDoS Attacks That Took Down X
- Threats | CyberScoop: X suffered a DDoS attack. Its CEO and security researchers can’t agree on who did it.
- eSecurity Planet: Elon Musk Blames ‘Massive Cyberattack’ for Widespread X Outage
- Rescana: X Platform Outage Due to Massive Cyberattack
- Risky Business Media: A Pro Palestinian group claims credit for the X DDoS, CISA gets a new director as DOGE fires its red teams, and Asian scam compounds keep growing.
- Blog: Pro-Palestine group hits X with massive DDoS attack
- Davey Winder: X Under Attack—Who Was Really Behind The Musk Platform Outages?
- Information Security Buzz: X Under Siege: Massive Cyberattack Sparks Widespread Outages as Experts Call Musk’s Ukraine Claims ‘Garbage’
- Schneier on Security: In a stark reminder of the growing threat posed by hacktivist groups, the pro-Palestinian Dark Storm Team has taken credit for a major distributed denial-of-service (DDoS) attack on X (formerly Twitter).
- darkmarc.substack.com: Elon Musk's X Down in Cyberattack, Amazon Hosts Stalkerware, CISA Slashes State Funding
- The Next Web: What caused the X outage that Musk is blaming on Ukraine?
- John Brandon: Elon Musk Claims Twitter (Now Called X) Was Down Due To A Cyberattack
- www.techradar.com: Who was really behind the massive X cyberattack? Here’s what experts say about Elon Musk’s claims
Titiksha Srivastav@The420.in
//
Lee Enterprises, a major American media company with over 75 publications, has confirmed a ransomware attack that has disrupted operations across its network. The notorious Qilin ransomware gang has claimed responsibility for the February 3rd attack, alleging the theft of 350GB of sensitive data. This stolen data purportedly includes investor records, financial arrangements, payments to journalists and publishers, funding for tailored news stories, and even approaches to obtaining insider information. The cyberattack has resulted in widespread outages, significantly impacting the distribution of printed newspapers, subscription services, and internal business operations.
The attack has caused delays in the distribution of print publications and has partially limited online operations. Lee Enterprises anticipates a phased recovery over the next several weeks and has implemented temporary measures, including manual processing of transactions. The company has also launched a forensic investigation to determine the full extent of the breach. The Qilin ransomware group's actions have brought attention to the increasing threat facing media organizations and the importance of robust cybersecurity measures to protect sensitive information and maintain operational integrity.
Recommended read:
References :
- securityaffairs.com: SecurityAffairs: Qilin ransomware gang claimed responsibility for the Lee Enterprises attack
- www.cysecurity.news: CySecurity News: Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations
- The420.in: The420.in: American Media Group Hit by Cyber Attack, 75 Newspapers Disrupted & Informers’ Data Leaked
- bsky.app: The Qilin ransomware gang has claimed
responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
- bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
- Information Security Buzz: Qilin Claims Lee Enterprises Ransomware Attack
- securityaffairs.com: The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers. Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than
- CyberInsider: Reports that Qilin ransomware gang claimed responsibility for Lee Enterprises attack, threatens to leak stolen data
- www.cysecurity.news: reports on Ransomware
- Zack Whittaker: Lee Enterprises is still experiencing disruption and outages after a ransomware attack.
- Metacurity: UK ICO launches children's social media privacy probe, Qilin claims attack on Lee Enterprises, Polish Space Agency breached, Cellebrite zero days used to hack Serbian student's phone, Man sentenced to 24 years for putting CSAM on dark web, Canceled CFPB contracts threaten data security, much more
- Konstantin :C_H:: Qilin claims attack on Lee Enterprises,
- The420.in: Qilin ransomware group claimed responsibility for the Lee Enterprises attack.
- Kim Zetter: Reports Qilin claims attack on Lee Enterprises
- BleepingComputer: Qilin claiming responsibility for the cyberattack on Lee Enterprises.
- BleepingComputer: Qilin Ransomware Gang Claims Lee Enterprises Attack
- DataBreaches.Net: Japanese cancer hospital confirms breach; Qilin gang claims responsibility
- The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
- www.cysecurity.news: Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach
- securityaffairs.com: Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack.
- www.scworld.com: The ransomware group Qilin has taken credit for the cyberattack on Lee Enterprises.
Amar Ćemanović@CyberInsider
//
Japanese telecom giant NTT Communications has confirmed a data breach impacting nearly 18,000 corporate customers. The company discovered unauthorized access to its internal systems on February 5, 2025. Hackers are reported to have accessed details of these organizations, potentially compromising sensitive data.
The stolen data includes customer names, contract numbers, phone numbers, email addresses, physical addresses, and information on service usage belonging to 17,891 organizations, according to NTT Com. While NTT Com has restricted access to compromised devices and disconnected another compromised device, the specific nature of the cyberattack and the identity of the perpetrators remain unknown. It’s not yet known how many individuals had personal data stolen.
Recommended read:
References :
- Carly Page: Japanese telecom giant NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack. It’s not yet known how many individuals had personal data stolen or who was behind the NTT breach
- CyberInsider: NTT Communications Suffers Data Breach Impacting 18,000 Companies
- BleepingComputer: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
- techcrunch.com: Unidentified hackers breached NTT Com’s network to steal personal information of employees at thousands of corporate customers
- bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
- The DefendOps Diaries: Lessons from the NTT Data Breach: A 2025 Perspective
- bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
- www.scworld.com: NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack
- securityaffairs.com: Japanese telecom giant NTT suffered a data breach that impacted 18,000 companies
- The420.in: Japanese Telecom Giant NTT Suffers Data Breach, Impacting 18,000 Companies
- www.it-daily.net: The Japanese ICT provider NTT Communications (NTT Com) has admitted to a serious security breach that resulted in the loss of information on a total of 17,891 corporate customers.
- www.scworld.com: Nearly 18K orgs' data compromised in NTT Communications hack
info@thehackernews.com (The@The Hacker News
//
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.
Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally.
Recommended read:
References :
- The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
- : Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
- www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
- Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
- The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
- www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
- Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
- hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
- Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
- www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
solomon.klappholz@futurenet.com (Solomon@Latest from ITPro
//
Cyber experts are raising serious concerns about operational technology (OT) security after the Volt Typhoon threat group went undetected within the US electric grid for almost a year. This prolonged compromise, lasting over 300 days, marks the first known infiltration of the US electric grid by the Voltzite subgroup, linked to the Chinese APT Volt Typhoon. The attackers targeted critical OT infrastructure data, underscoring the persistent and sophisticated cyber espionage efforts aimed at US infrastructure.
The security breach, discovered in November 2023, involved the Littleton Electric Light and Water Department (LELWD) in Massachusetts. Investigations revealed that Volt Typhoon likely gained access to LELWD's IT environment in February 2023. During the attack the Chinese hackers sought specific data related to operational technology operating procedures and spatial layout data relating to energy grid operations, The incident led to LELWD expediting the deployment of its OT security solutions.
Recommended read:
References :
- hackread.com: Chinese Volt Typhoon Hackers Infiltrated US Electric Utility for Nearly a Year
- PCMag UK security: Chinese Hackers Sat Undetected in Small Massachusetts Power Utility for Months
- www.itpro.com: Cybersecurity firm Dragos has revealed the Volt Typhoon threat group remained undetected in the US electric grid for nearly a year.
- www.scworld.com: US electric utility subjected to almost year-long Volt Typhoon compromise
- CyberInsider: Revealing the Volt Typhoon threat group's covert access to a Massachusetts electric utility network.
- bsky.app: Massachusetts Power Utility hacked by Chinese 'hackers' (cyber operators) for more than 300 days.
- : Volt Typhoon Accessed US OT Network for Nearly a Year
- Information Security Buzz: Volt Typhoon Found Inside Massachusetts Electric Utility for Nearly a Year
- Industrial Cyber: Dragos details the hacking of LELWD and the VOLTZITE group.
- Matthias Schulze: China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days
info@thehackernews.com (The@The Hacker News
//
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.
Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.
Recommended read:
References :
- The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
- The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
- www.it-daily.net: SideWinder now also attacks nuclear power plants
- securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
- Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary
Dhara Shrivastava@cysecurity.news
//
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting MFT vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.
Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.
Recommended read:
References :
- cyble.com: February Sees Record-Breaking Ransomware Attacks, New Data Shows
- The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
- iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data
- securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
- thecyberexpress.com: Ransomware attacks set a single-month record in February that was well above previous highs.
- The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
- blog.knowbe4.com: A new report from Arctic Wolf has found that 96% of attacks now involve data theft as criminals seek to force victims to pay up.
- DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim's network.
Pierluigi Paganini@Security Affairs
//
The Polish Space Agency (POLSA) has shut down its systems and disconnected from the internet following a major cyberattack detected over the weekend. The agency confirmed the unauthorized intrusion into its IT infrastructure, prompting an immediate response to secure sensitive data. Cybersecurity teams are actively working to restore operations, with the Polish Computer Security Incident Response Team (CSIRT NASK) and the Polish Military CSIRT (CSIRT MON) assisting POLSA in securing affected systems.
Poland's Minister of Digital Affairs, Krzysztof Gawkowski, stated that the systems under attack were secured and that intensive operational activities are underway to identify the perpetrators behind the cyberattack. While the exact nature of the breach remains undisclosed, sources suggest that POLSA’s internal email systems were compromised, forcing employees to communicate via phone. Amid escalating cyber threats, Poland is significantly ramping up its cybersecurity defenses, with suspicions pointing towards Russian involvement.
Recommended read:
References :
- Report Boom: Reportboom article on Polish Space Agency cyberattack.
- techcrunch.com: Details on the Polish Space Agency (POLSA) IT infrastructure breach
- thecyberexpress.com: Cyberattack on POLSA
- securityaffairs.com: Polish Space Agency POLSA disconnected its network following a cyberattack
- www.cysecurity.news: Poland’s space agency, POLSA, has reported a cyberattack on its systems, prompting an ongoing investigation.
Pierluigi Paganini@Security Affairs
//
CISA has added multiple vulnerabilities in Advantive VeraCore to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The five flaws impact both Advantive VeraCore and Ivanti Endpoint Manager (EPM) with agencies being urged to apply patches by March 31, 2025.
The VeraCore vulnerabilities, CVE-2024-57968 and CVE-2025-25181, are being exploited by the XE Group, a Vietnamese threat actor, to deploy reverse shells and web shells for persistent remote access. CVE-2024-57968 is an unrestricted file upload vulnerability, while CVE-2025-25181 is an SQL injection vulnerability. There are currently no public reports about how the three Ivanti EPM flaws are being weaponized in real-world attacks.
Recommended read:
References :
- securityaffairs.com: U.S. CISA adds Advantive VeraCore and Ivanti EPM flaws to its Known Exploited Vulnerabilities catalog
- The Hacker News: CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List
- Talkback Resources: CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List [exp] [ics]
- www.scworld.com: Advantive VeraCore, Ivanti EPM flaws added to CISA vulnerabilities catalog
- cyble.com: CISA Adds Five New Vulnerabilities to Its Known Exploited Vulnerabilities Catalog
Sam Bent@Sam Bent
//
Ascom, a Swiss global solutions provider specializing in healthcare and enterprise communication systems, has confirmed a cyberattack on its IT infrastructure. The attack, suspected to be carried out by the Hellcat group, exploited vulnerabilities in Jira servers. The company revealed that hackers breached its technical ticketing system.
The Hellcat group claimed responsibility, stating they stole approximately 44GB of data potentially impacting all of Ascom's divisions. Hellcat hackers are known for using compromised credentials to infiltrate Jira systems, leading to data breaches in multiple organizations. Security experts advise implementing multi-factor authentication, regular security audits, prompt patching, and employee training to mitigate such attacks.
Recommended read:
References :
- Sam Bent: Ascom Hit by Cyberattack: Hellcat Group Exploits Jira Server Vulnerabilities
- The DefendOps Diaries: HellCat Hackers Exploit Jira: A Global Cybersecurity Threat
- BleepingComputer: Hellcat hackers go on a worldwide Jira hacking spree
- securityaffairs.com: Security Affairs Article about Ransomware Group Claims Attacks on Ascom
@Risky Bulletin
//
Hacktivists are claiming responsibility for a cyber-sabotage operation targeting 116 Iranian ships. The attack, which reportedly occurred around March 18, 2025, is said to have severely disrupted the communication networks of the vessels. The primary impact is on VSAT (Very Small Aperture Terminal) systems, which are critical for maritime operations, especially for offshore coordination.
The affected entities include the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). According to Cydome, Lab Dookhtegan claimed responsibility for the attack on their Telegram channel. The hacktivist group stated they successfully disrupted both external ship-to-shore and internal onboard communications.
Analysis suggests the attackers exploited vulnerabilities in the maritime satellite communication systems that these ships rely on. While specific malware or tools used have not been identified, Lab Dookhtegan's history indicates a high likelihood of advanced techniques being employed.
Recommended read:
References :
- Risky Business Media: Risky Bulletin: Hacktivists claim cyber-sabotage of 116 Iranian ships
- Rescana: Cyber Attack on Iranian Shipping Lines: Impact on VSAT Systems and Maritime Operations
- Industrial Cyber: Cydome analyzes Lab Dookhtegan cyber attack on Iranian oil tankers, provides mitigation action
- DataBreaches.Net: Hacktivists claim cyber-sabotage of 116 Iranian ships
- Risky.Biz: Risky Bulletin: Hacktivists claim cyber-sabotage of 116 Iranian ships
|
|
FlagThis - #cyberattack