By the CyberWire staff
At a glance.
- CISA says it will continue monitoring Russian cyber threats.
- Broadcom patches zero-days that can lead to VM escape.
- US Justice Department charges employees of Chinese IT contractor i-Soon.
- Law enforcement shutters Garantex crypto exchange.
- NTT discloses breach affecting corporate customers.
- Amnesty International publishes analysis of Cellebrite exploit chain.
- Silk Typhoon targets the IT supply chain for initial access.
- Botnets exploit critical IP camera vulnerability.
- Scammers impersonate ransomware gang via snail mail.
- Hunters International threatens to leak data stolen from Tata Technologies.
CISA says it will continue monitoring Russian cyber threats.
The US Department of Homeland Security says the Cybersecurity and Infrastructure Security Agency (CISA) will continue monitoring cyber threats from Russia, asserting that media reports to the contrary are false. The Guardian reported over the weekend that CISA staff received a memo directing them to prioritize threats from China, with no mention of Russia. Tricia McLaughlin, Assistant Secretary for Public Affairs at DHS, told CyberScoop that such a memo was never sent, adding, "CISA remains committed to addressing all cyber threats to U.S. critical infrastructure, including from Russia. There has been no change in our posture or priority on this front."
The Guardian's story is separate from reports that Defense Secretary Pete Hegseth ordered Cyber Command to halt offensive operations against Russia during negotiations over the war in Ukraine. The full scope of the directive is unclear, but it does not include the NSA or its signals intelligence operations targeting Russia. The Washington Post cites a current US official familiar with the order as saying the pause is meant to last only as long as negotiations over the war in Ukraine continue. The Post says the operations being halted "could include exposing or disabling malware found in Russian networks before it can be used against the United States, blocking Russian hackers from servers that they may be preparing to use for their own offensive operations or disrupting a site promoting anti-U.S. propaganda."
The New York Times notes, "Former officials said it was common for civilian leaders to order pauses in military operations during sensitive diplomatic negotiations, to avoid derailing them. Still, for President Trump and Mr. Hegseth, the retreat from offensive cyberoperations against Russian targets represents a huge gamble. It essentially counts on Mr. Putin to reciprocate by letting up on what many call the 'shadow war' underway against the United States and its traditional allies in Europe."
The Pentagon hasn't officially commented on these reports, but Bloomberg quotes an anonymous senior defense official as saying that "Hegseth has neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority."
Kim Zetter at Zero Day has written up a useful summary that clarifies reporting on these two stories.
Broadcom patches zero-days that can lead to VM escape.
Broadcom has issued patches for three actively exploited zero-days affecting VMware ESX and any products that contain ESX, including vSphere, Cloud Foundation, and Telco Cloud Platform.
SecurityWeek reports that tens of thousands of ESXi instances remain vulnerable to the chain of vulnerabilities. The vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) can allow an attacker to perform a VM escape and gain access to the ESXi hypervisor. Security researcher Kevin Beaumont explains that attackers can "[u]se that to access every other VM, and be on the management network of VMware cluster." Beaumont added, "[Once] you have this level of access, traditionally you'll see groups like ransomware actors steal files and wipe things."
While the vulnerabilities are being exploited by unnamed threat actors, details of the exploit aren't yet publicly available. Organizations should prioritize patching before an exploit is released.
US Justice Department charges employees of Chinese IT contractor i-Soon.
The US Justice Department has charged twelve Chinese nationals for their alleged involvement in hacking US entities on behalf of the Chinese government. Two of the individuals are officers with the PRC's Ministry of Public Security (MPS), and eight are employees of Chinese IT security contractor i-Soon. Two additional defendants are freelancers tied to the APT27 threat actor, who assisted i-Soon in some operations.
The Justice Department says the MPS and the Ministry of State Security (MSS) hired i-Soon to carry out espionage campaigns against organizations around the globe, including the US Defense Intelligence Agency, the US Commerce Department, a major US religious organization, and news organizations based in the US and Hong Kong. i-Soon also allegedly hacked the foreign ministries of India, Indonesia, South Korea, and Taiwan. The FBI says i-Soon's activities have been publicly tracked as Aquatic Panda, Red Alpha, Red Hotel, Charcoal Typhoon, Red Scylla, Hassium, Chromium, and TAG-22.
Justice said in a press release, "From approximately 2016 through 2023, i-Soon and its personnel engaged in the numerous and widespread hacking of email accounts, cell phones, servers, and websites at the direction of, and in close coordination with, the PRC’s MSS and MPS. i-Soon generated tens of millions of dollars in revenue and at times had over 100 employees. i-Soon’s primary customers were PRC government agencies. It worked with at least 43 different MSS or MPS bureaus and charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully hacked."
i-Soon sustained a major breach in early 2024 that exposed its inner workings and ties to the Chinese government, as well as its hacking tools and services.
Law enforcement shutters Garantex crypto exchange.
The US Secret Service, working with international law enforcement partners, has seized domains used by the Russian cryptocurrency exchange Garantex, which was frequently used by ransomware gangs for money laundering. A Secret Service spokesperson told The Register, "The US Secret Service has seized website domains associated with the administration and operation of Russian cryptocurrency exchange Garantex as part of an ongoing investigation. We are unable to provide additional comments at this time and will release additional information when available."
A notice on the exchange's website states, "The domain for Garantex has been seized by the United States Secret Service pursuant to a seizure warrant obtained by the United States Attorney's Office for the Eastern District of Virginia under the authority of 18 U.S.C. §§ 981 and 982."
Stablecoin operator Tether has also blocked Garantex wallets as a result of EU sanctions levied last week.
NTT discloses breach affecting corporate customers.
Japanese telecom giant NTT Communications Corporation has disclosed a breach that affected nearly 18,000 of its corporate customers, BleepingComputer reports. The breach, which was discovered in February, affected names, contract numbers, phone numbers, email addresses, physical addresses, and service usage information. The hackers gained access to NTT's Order Information Distribution System, which holds information on corporate customers. NTT says some of the information "might have been leaked externally."
Amnesty International publishes analysis of Cellebrite exploit chain.
Amnesty International has published a follow-up to its December 2024 report on the Serbian government's alleged misuse of Cellebrite's cell phone data extraction tool. Amnesty's latest report, published on Friday, outlines "a new case of misuse of a Cellebrite product to break into the phone of a youth activist in Serbia." The report shares technical details on "a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite."
Amnesty explains, "The exploit, which targeted Linux kernel USB drivers, enabled Cellebrite customers with physical access to a locked Android device to bypass an Android phone's lock screen and gain privileged access on the device. As the exploit targets core Linux kernel USB drivers, the impact is not limited to a particular device or vendor and could affect a very wide range of devices. The same vulnerabilities could also expose Linux computers and Linux-powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non-Android Linux devices."
Last week, Cellebrite announced it would suspend its services in Serbia, citing Amnesty's December report.
Silk Typhoon targets the IT supply chain for initial access.
Microsoft has published a report on the Chinese espionage actor Silk Typhoon, finding the group is "now targeting common IT solutions like remote management tools and cloud applications to gain initial access." Microsoft states, "While they haven’t been observed directly targeting Microsoft cloud services, they do exploit unpatched applications that allow them to elevate their access in targeted organizations and conduct further malicious activities. After successfully compromising a victim, Silk Typhoon uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications, including Microsoft services and others, to achieve their espionage objectives."
BleepingComputer notes that Silk Typhoon recently made headlines for hacking the US Treasury's Office of Foreign Assets Control (OFAC) in December 2024.
Botnets exploit critical IP camera vulnerability.
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory on an actively exploited vulnerability (CVE-2025-1316) affecting Edimax IP cameras. The flaw can lead to remote code execution and received a CVSS score of 9.3.
SecurityWeek reports that multiple Mirai-based botnets are exploiting the vulnerability. Researchers at Akamai, who discovered the flaw, told SecurityWeek that attackers have been exploiting it since fall of last year.
Scammers impersonate ransomware gang via snail mail.
Scammers are impersonating the BianLian ransomware gang and sending physical letters with fake ransom demands to C-suite employees in the US, BleepingComputer reports. The letters inform the recipient that their organization's data has been stolen and will be published if a ransom isn't paid within ten days. The letters contain a QR code leading to a Bitcoin wallet address, and recipients are instructed to pay up to $350,000.
GuidePoint Security, which is tracking the scam, assesses "with a high level of confidence" that the extortion demands are fake and are not tied to the BianLian gang. The security firm hasn't observed any evidence of intrusions at the targeted organizations, and the information in the letters is copied from BianLian's public websites.
Hunters International threatens to leak data stolen from Tata Technologies.
The Hunters International ransomware gang has claimed responsibility for an attack against Tata Technologies, a product engineering subsidiary of Indian auto manufacturing giant Tata Motors. The company disclosed in January that it had sustained a ransomware attack that affected some of its IT systems, SecurityWeek reports. The Hunters gang is threatening to publish 1.4 terabytes of stolen data if a ransom isn't paid by next week.
Hunters hasn't shared what the stolen data contains, and Tata hasn't commented on the gang's claims.
Crime and punishment.
The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the administrator of the Nemesis darknet marketplace, which was shuttered by law enforcement last year. Treasury says Iranian national Behrouz Parsarad maintained full control of the marketplace and its illicit profits, pocketing millions of dollars while Nemesis was active.
Courts and torts.
The state of California's Privacy Protection Agency (CPPA) last Thursday ordered a data broker to cease operations for three years for failing to register with the state, the Record reports. The California Delete Act, which took effect in January 2024, requires data brokers to register with the CPPA in order to provide a mechanism through which consumers can request to have their data deleted. The broker in this case, called "Background Alert," has agreed to the settlement terms. The Record notes that such a ruling against a data broker is unprecedented.