
Ransom demands and medical data for sale.
A cyberattack targeting Oracle Health compromises patient data. The DOJ nabs over $8 million tied to romance scams. Trend Micro examines a China-linked APT group conducting cyber-espionage. A new Android banking trojan called Crocodilus has emerged. North Korea’s Lazarus Group targets job seekers in the crypto industry. CISA IDs a new malware variant targeting Ivanti Connect Secure appliances. Maria Varmazis, host of N2K’s T-Minus Space Daily show chats with Jake Braun, former White House Principal Deputy National Cyber Director and chairman of DEF CON Franklin. They discuss designating space as critical infrastructure. Nulling out your pizza payment.
Today is Monday, March 31st, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A cyberattack targeting Oracle Health compromises patient data.
A cyberattack targeting Oracle Health, formerly Cerner, compromised patient data from legacy servers not yet migrated to Oracle Cloud. The breach, discovered on February 20, 2025, affected multiple U.S. hospitals and healthcare providers. A threat actor reportedly used stolen credentials to access and exfiltrate patient records from these outdated systems. Oracle Health privately informed affected customers but has not publicly acknowledged the breach. The attacker, using the alias “Andrew,” is demanding millions in cryptocurrency and has launched public websites to pressure victims. Oracle’s response has drawn criticism for its lack of transparency and formal documentation. Though Oracle is offering support tools, it’s leaving HIPAA notifications to hospitals.
Healthcare remains a top target for ransomware due to its large, under-secured attack surface and critical need for operational continuity. Patching medical devices is slow, often delayed over a year due to FDA regulations and outdated systems. Claroty’s Team82 analyzed over 2.25 million IoMT and 647,000 OT devices across 351 healthcare organizations. They found that 99% are vulnerable to known exploits, and 20% of hospital systems with these vulnerabilities are also insecurely connected to the internet. Using a triage method based on exploit presence, ransomware links, and insecure connectivity, researchers identified the most at-risk devices. For OT, only 0.3% of devices met all three risk criteria; for IoMT, about 1%. Claroty has published a five-step process to identify and remediate these threats.
The DOJ nabs over $8 million tied to romance scams.
The U.S. Department of Justice has seized over $8.2 million in USDT (Tether) tied to “romance baiting” scams—also known as “pig butchering.” In these scams, victims are manipulated into investing on fake platforms that appear to offer high returns. Once large sums are invested, victims are blocked from withdrawing funds and ultimately discover the platforms are fraudulent. The FBI traced laundering patterns linked to these scams, enabling a legal forfeiture under wire fraud and money laundering laws. Tether froze and reissued the stolen funds to law enforcement-controlled wallets. The seizure could help compensate victims, including 38 individuals with losses over $5.2 million. The scam operation is believed connected to human trafficking rings in Southeast Asia. Authorities stress vigilance when approached with “guaranteed return” investments.
Trend Micro examines a China-linked APT group conducting cyber-espionage.
Researchers at Trend Micro take a closer look at Earth Alux, a China-linked APT group, which has been conducting cyber-espionage operations since mid-2023. Initially targeting the Asia-Pacific region before expanding into Latin America, the group focuses on government, tech, telecom, and retail sectors, exploiting exposed servers to implant web shells like GODZILLA. Their primary backdoor, VARGEIT, allows persistent access, data theft, and stealthy operations using multiple communication channels, including Microsoft Outlook via Graph API. A unique technique involves injecting malicious code into mspaint.exe processes, enabling fileless attacks. This method uses Windows APIs to avoid detection while performing reconnaissance and exfiltrating data to attacker-controlled cloud storage. Earth Alux’s use of sophisticated, stealthy malware and long-term infiltration tactics highlights the growing cyber threat to critical industries in targeted regions.
A new Android banking trojan called Crocodilus has emerged.
A new Android banking trojan called Crocodilus has emerged, with advanced capabilities for remote device takeover, keylogging, and stealing credentials, according to ThreatFabric. Targeting users in Spain and Turkey, it bypasses Android 13+ security using a custom dropper and gains full control through Accessibility Services. Once permissions are granted, Crocodilus connects to its command-and-control server, runs silently in the background, and uses overlays to steal login data. It also logs accessibility events to capture text inputs and even reads OTPs from Google Authenticator. The malware can mute sound, display black screens to hide activity, and deploy social engineering tricks—like fake wallet backup prompts—to steal crypto keys. Though linked to actor ‘sybra’, evidence suggests a new, likely Turkish-speaking developer is behind it.
North Korea’s Lazarus Group targets job seekers in the crypto industry.
North Korea’s Lazarus Group is back with a new cyber campaign, ClickFake Interview, targeting job seekers in the crypto industry. Using fake interview websites built with ReactJS, attackers trick victims into downloading malware during staged recruitment processes. These sites deploy GolangGhost, a cross-platform backdoor that enables remote control, data theft, and credential exfiltration on Windows and macOS. The campaign expands on the earlier Contagious Interview tactic and now focuses on centralized finance (CeFi) platforms like Coinbase and Bybit. It also targets non-technical roles, exploiting their lower cybersecurity awareness. Malware like FrostyFerret and scripts in VBS or Bash help establish persistence and avoid detection. This campaign highlights Lazarus’ continued evolution and its strategic pivot to support North Korea’s financial and military goals through crypto heists.
CISA IDs a new malware variant targeting Ivanti Connect Secure appliances.
CISA has identified a new malware variant named RESURGE, targeting Ivanti Connect Secure appliances via the already-patched CVE-2024-0282 vulnerability. This flaw, exploited since December and flagged in January, allowed threat actors to gain access to critical infrastructure. Upon analyzing compromised systems, CISA discovered RESURGE alongside another variant, SPAWNSLOTH, and an open-source shell script bundled with BusyBox tools. RESURGE shares traits with SPAWNCHIMERA, such as reboot persistence, but adds new functions like webshell deployment, file manipulation, and integrity check tampering. It can also embed itself into Ivanti’s boot disk and manipulate the coreboot image. CISA advises full factory resets, along with widespread credential and password resets, to mitigate the threat.
Nulling out your pizza payment.
And finally, our five-finger discount desk tells us about Diogo Gouveia, a Portuguese software developer and cyber-sleuth who uncovered a sneaky flaw in a local food delivery app. The bug? A little null character (\u0000) in the payment_mode parameter. Turns out, this unassuming character can tell the system to ignore everything that comes after it—like your actual bank balance.
Diogo found that by slipping a null character into a payment request, he could order food without, you know, having the system actually check to see if you had any available cash. The system just nodded and said, “Sure, that sounds legit.”
This loophole let users sidestep payment checks, potentially costing businesses big. Diogo’s step-by-step exploit shows just how easy it was to game the system using tools like Burp Suite.
His advice? Sanitize inputs, validate parameters, enforce strict data types, and maybe don’t trust strings at face value—especially when food is involved. Because no one should be able to order pizza with Monopoly money.
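As an added example (not from the podcast or from Gouveia’s write-up), here is the kind of strict parameter handling that advice describes: a payment_mode validator that enforces the string type, rejects NUL and other control characters instead of letting a downstream component silently truncate at them, and compares the whole value against an allow-list, plus a helper that flags such parameters in a raw query string for log review. The allow-list values and parameter names are assumptions.

```python
from urllib.parse import parse_qs

# Constructed allow-list for this example; a real app would use its own set.
ALLOWED_PAYMENT_MODES = {"card", "cash", "wallet"}


class InvalidPaymentMode(ValueError):
    pass


def contains_control_chars(value: str) -> bool:
    """True if the string carries a NUL or any other C0/C1 control character."""
    return any(ord(ch) < 0x20 or 0x7F <= ord(ch) < 0xA0 for ch in value)


def validate_payment_mode(raw) -> str:
    # Enforce the type first: the parameter must be a str, not a list, int or None.
    if not isinstance(raw, str):
        raise InvalidPaymentMode("payment_mode must be a string")
    # Reject NUL and friends outright rather than letting a C library, database
    # driver or legacy back end stop reading the value at the first \x00.
    if contains_control_chars(raw):
        raise InvalidPaymentMode("payment_mode contains control characters")
    # Compare the whole string against the allow-list: no prefix matching,
    # no case folding, no trimming.
    if raw not in ALLOWED_PAYMENT_MODES:
        raise InvalidPaymentMode(f"unknown payment_mode {raw!r}")
    return raw


def is_payment_mode_acceptable(raw) -> bool:
    """Boolean form of the validator, convenient for request handlers and tests."""
    try:
        validate_payment_mode(raw)
        return True
    except InvalidPaymentMode:
        return False


def params_with_control_chars(query_string: str) -> list:
    """Names of query parameters whose decoded value carries a control character.

    Useful for a WAF rule or a log-review script: a NUL travels in a URL as %00,
    and parse_qs decodes it back to \x00 so the check above catches it.
    """
    decoded = parse_qs(query_string, keep_blank_values=True)
    return sorted(name for name, values in decoded.items()
                  if any(contains_control_chars(v) for v in values))
```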
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.