By the CyberWire staff
At a glance.
- Threat actors exploit recently patched Palo Alto firewall vulnerability.
- PoC exploit released for Ivanti flaws.
- BlackLock has become a top player in the ransomware space.
- New macOS malware delivered via web injects.
- Newspaper publisher Lee Enterprises still recovering from ransomware attack.
- Thailand will take in thousands of people rescued from Myanmar scam compounds.
- NailaoLocker ransomware targets European healthcare organizations.
- CISA and FBI issue advisory on the Ghost ransomware.
- Credential theft puts sensitive corporate and military networks at risk.
- Black Basta chat logs leaked.
- SEC rebrands its Crypto Assets and Cyber Unit.
- Insight Partners discloses cyber incident.
Threat actors exploit recently patched Palo Alto firewall vulnerability.
Palo Alto Networks has confirmed that threat actors are exploiting a recently patched vulnerability (CVE-2025-0108) affecting its PAN-OS firewall software, SecurityWeek reports. The vulnerability is an authentication bypass flaw that can allow "an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts."
The company patched the flaw last week, and a proof-of-concept (PoC) exploit is publicly available. Palo Alto says it's "observed exploit attempts that utilize the PoC, chaining it with the exploit for CVE-2024-9474 on unpatched and unsecured PAN-OS web management interfaces."
PoC exploit released for Ivanti flaws.
A proof-of-concept (PoC) exploit is available for a string of vulnerabilities affecting Ivanti Endpoint Manager, the Register reports. Researchers at Horizon3.ai published a technical write-up of the flaws on Wednesday. The four vulnerabilities (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159) were assigned CVSS scores of 9.8, and can "allow an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially allowing for server compromise." Ivanti issued patches for the flaws last month, and organizations should look to apply the fixes with renewed urgency.
BlackLock has become a top player in the ransomware space.
ReliaQuest is tracking the rapidly growing ransomware-as-a-service (RaaS) group BlackLock (also known as "El Dorado"), which emerged in March 2024 and saw a 1,425% increase in activity during the fourth quarter of 2024. The group has a good reputation on underground forums, and it retains control over all stages of the attack flow.
ReliaQuest found evidence that BlackLock "may be planning to exploit Microsoft Entra Connect synchronization mechanics as part of its evolving attack strategy, providing early warnings about its likely campaign focus in 2025." The researchers note, "What makes BlackLock’s interest in Entra Connect stand out is its overt focus on initial access—a rarity among RaaS groups, which usually stick to post-compromise stages."
BlackLock's leak site also includes measures intended to block researchers and victims from analyzing the stolen data: "Unlike most other leak sites, BlackLock’s platform is packed with features likely designed to prevent targeted organizations from assessing the scope of their breaches. This, in turn, ramps up pressure on the organizations to quickly pay ransoms, often before they can fully evaluate the situation."
New macOS malware delivered via web injects.
Proofpoint is tracking a new strain of macOS malware dubbed "FrigidStealer" that's being distributed via web inject campaigns. The malware is designed to steal sensitive information, including passwords, browser cookies, and files related to cryptocurrency.
The researchers explain, "Typically, an attack chain will consist of three parts: the malicious injects served to website visitors, which are often malicious JavaScript scripts; a traffic distribution service (TDS) responsible for determining what user gets which payload based on a variety of filtering options; and the ultimate payload that is downloaded by the script. Sometimes each part of the attack chain is managed by the same threat actor, but frequently the different parts of the chain may be managed by different threat actors."
In this case, the compromised websites inform visitors that they must update their browsers before continuing. If the user clicks the "Update now" button, the threat actor's TDS will download a DMG file. Proofpoint says, "Right clicking and selecting Open bypassed the MacOS security feature called Gatekeeper, which would otherwise warn the user that the application is unsigned and untrusted. (This is a very common technique used by Mac malware authors to effectively run malware on a host.) Clicking Open ran the embedded Mach-O executable, which led to the installation of FrigidStealer."
Newspaper publisher Lee Enterprises still recovering from ransomware attack.
US newspaper publisher Lee Enterprises continues to grapple with a cyberattack the company sustained on February 3rd, TechCrunch reports. The company said in an SEC filing that "threat actors unlawfully accessed the Company’s network, encrypted critical applications, and exfiltrated certain files," indicating the incident was a ransomware attack. The company added, "The incident impacted the Company’s operations, including distribution of products, billing, collections, and vendor payments. Distribution of print publications across our portfolio of products experienced delays, and online operations were partially limited."
Thailand will take in thousands of people rescued from Myanmar scam compounds.
Thailand will take in 7,000 people rescued from scam call centers in Myanmar, the Record reports. Most of the individuals are from China, Thailand, Vietnam, and other Southeast Asian countries, and were essentially enslaved after being tricked into traveling to Myanmar under false promises of employment.
Organized criminal gangs set up compounds in the area following Myanmar's coup in 2021 and used them as bases to launch various online scams against victims around the world, causing billions of dollars in losses. China and Thailand have been pressuring Myanmar to crack down on these networks, but regional instability has hampered the efforts.
NailaoLocker ransomware targets European healthcare organizations.
Orange Cyberdefense has published a report on a relatively new strain of ransomware dubbed "NailaoLocker" that targeted European healthcare organizations between June and October 2024. The intrusions involved ShadowPad and PlugX, two strains of malware frequently used by Chinese espionage actors. The researchers note the possibility that an individual or group with access to Chinese espionage tools is moonlighting as a ransomware actor for financial gain. Symantec recently observed a similar operation involving the RA World ransomware.
The researchers believe initial access was achieved via exploitation of CVE-2024-24919, a vulnerability affecting Check Point Security Gateways that received a patch in May 2024. The NailaoLocker ransomware itself is "unsophisticated and poorly designed, seemingly not intended to guarantee full encryption."
CISA and FBI issue advisory on the Ghost ransomware.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory on the Ghost ransomware. The ransomware's operators, who are based in China, have compromised organizations in more than seventy countries (including China). Victims have included "critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses."
The threat actors gain initial access via flaws affecting unpatched internet-facing servers, including "vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207— commonly referred to as the ProxyShell attack chain)."
Credential theft puts sensitive corporate and military networks at risk.
Hudson Rock has published an analysis of compromised credentials for sale on criminal marketplaces, finding hundreds of credentials belonging to US military agencies and contractors, Infosecurity Magazine reports. The credentials were likely stolen by infostealer malware delivered via social engineering.
The researchers identified credentials belonging to accounts at Lockheed Martin, Boeing, and Honeywell, as well as the US Army and Navy, the FBI, and the Government Accountability Office. Some of the logs also included active session cookies that could allow attackers to bypass multifactor authentication.
Black Basta chat logs leaked.
An individual who goes by the alias "ExploitWhispers" has leaked nearly 200,000 internal messages belonging to the Black Basta ransomware gang, BleepingComputer reports. Researchers at PRODAFT note that the leaker "claimed they released the data because the group was targeting Russian banks."
BleepingComputer says the data, which was uploaded to a Telegram channel, contains "a wide range of information, including phishing templates and emails to send them to, cryptocurrency addresses, data drops, victims' credentials," and details on tactics. The dump also includes information on some of the gang's leaders and members.
SEC rebrands its Crypto Assets and Cyber Unit.
The US Securities and Exchange Commission (SEC) announced Thursday that it has renamed its Crypto Assets and Cyber Unit the "Cyber and Emerging Technologies Unit (CETU)," CyberScoop reports. The newly rebranded unit, consisting of about thirty fraud specialists and attorneys led by Laura D’Allaird, will "focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space."
The CETU will focus on combatting misconduct in the following areas:
- Fraud committed using emerging technologies, such as artificial intelligence and machine learning
- Use of social media, the dark web, or false websites to perpetrate fraud
- Hacking to obtain material nonpublic information
- Takeovers of retail brokerage accounts
- Fraud involving blockchain technology and crypto assets
- Regulated entities’ compliance with cybersecurity rules and regulations
- Public issuer fraudulent disclosure relating to cybersecurity
Insight Partners discloses cyber incident.
Technology-focused investment firm Insight Partners has disclosed a "cyber incident" in which "an unauthorized third-party accessed certain Insight information systems through a sophisticated social engineering attack." The firm stated, "As soon as this incident was detected, we moved quickly to contain, remediate, and start an investigation within a matter of hours. We notified stakeholders connected to Insight in January to alert them and encourage vigilance and tightened security protocols irrespective of having shared data compromised. We also notified law enforcement in relevant jurisdictions. There is no evidence that the threat actor was present after January 16, 2025."
The company says the full investigation will take several weeks, but it doesn't believe the incident will have any material impact on portfolio companies or other stakeholders.