You may have noticed a slight drop in the amount of coverage of ransomware on our Kaspersky Daily blog in recent years. Sadly, it’s not that ransomware attacks have stopped. Far from it — such incidents are now so commonplace that they’ve become part of the cyber-furniture. Nevertheless, some ransomware attacks still have the power to shock. In this post, we take you through the ransomware incidents of 2024 that made a lasting impression in terms of scale, impact, or mode of attack…

January 2024: ransomware attack on Toronto Zoo

One of the first major ransomware incidents of 2024 was the January attack on Canada’s biggest zoo, located in Toronto. The zoo’s management was quick to reassure the public that no systems related to animal care were impacted. Indeed, its website and ticketing service were also unaffected, so the zoo continued to welcome visitors as usual.

The official Toronto Zoo website reports a cyberattack and assures that all animals are fine. Source

It soon transpired that the attackers had stolen a significant amount of zoo employees’ personal information — dating back to 1989. This incident served as yet another reminder that even organizations far removed from critical sectors can become targets of ransomware attacks.

February 2024: $3.09 billion attack on UnitedHealth

February’s attack on the U.S. healthcare insurance giant UnitedHealth would easily claim the “ransomware incident of the year” award if such existed. The attack was in fact carried out on Optum Insight, a UnitedHealth subsidiary that provides technology-enabled services.

Getting granular here, the direct target was Change Healthcare, which has been part of Optum since 2022. This company’s platform serves as a financial intermediary between payers, patients, and healthcare providers. The attack took down over a hundred different Optum digital services. As a result, UnitedHealth was able to process neither electronic payments nor medical applications. Essentially, the company couldn’t perform its core function — causing chaos across the U.S. healthcare system.

The attack’s repercussions were so extensive that UnitedHealth even set up a dedicated website to provide updates about the process of restoring the company’s affected IT systems. The bulk of the restoration work was carried out in the first months after the attack. However, almost a year on, the site continues to post regular updates, and some systems still have the “service partially available” status.

A few days after the attack, the ransomware gang BlackCat/ALPHV claimed responsibility. In addition, they reported stealing 6TB of confidential data — including medical records, financial documents, personal data of U.S. civilians and military personnel, and a wealth of other sensitive information.

UnitedHealth ended up paying the gang a $22 million ransom. And it’s rumored that the company had to pay up again when BlackCat’s accomplices from the RansomHub group claimed they hadn’t received their share and began leaking the stolen data into the public domain.

However, compared to the total financial losses caused by the incident, the ransom was a mere drop in the ocean. UnitedHealth’s own financial reports estimate the damage in Q1 alone at $872 million. As for the total damage for the year 2024, it reached an eye-watering $3.09 billion.

According to the latest reports, the attackers stole medical data of more than 100 million patients, which is approximately one in three U.S. residents!

March 2024: Panera Bread’s week-long outage

In March, ransomware attackers targeted U.S. food-chain giant Panera Bread. The incident knocked out many of its IT systems, including the online ordering service, offline payment system, telephony, website and mobile apps, loyalty program, various internal systems for employees, and other services.

Stub message on the Panera Bread website. Source

Over 2000 restaurants in the Panera Bread chain continued to operate after the attack — but in stone-age conditions: payment was by cash only; subscription offers (such as unlimited drinks for $14.99 per month) were temporarily unavailable; loyalty program points weren’t awarded; and restaurant staff had to manually coordinate their work schedules with managers. The outage lasted about a week.

During the attack, as we learned three months later, the personal data of Panera Bread employees was stolen. By the looks of it, the company ended up paying a ransom to keep that data from being published.

April 2024: Hunters International attack on Hoya Corporation

Early April saw an attack on Hoya Corporation, the major Japanese optics manufacturer. In an official statement, the company said that the systems of some manufacturing plants, plus the ordering system for several products had been affected.

Hunters International demanded a ransom of $10 million (151.56 BTC at the then exchange rate) from Hoya Corporation. Source

A week after the incident, it was confirmed as a ransomware attack. The Hunters International ransomware-as-a-service group’s website reported that the attackers had stolen 1.7 million files from Hoya (around 2TB), and demanded a ransom of $10 million.

May 2024: Major disruptions at U.S. healthcare network Ascension

In early May, Ascension, one of the largest healthcare networks in the United States, had some of its systems taken offline due to a “cybersecurity event”. The “event” in question was soon revealed to be a ransomware attack on the organization’s IT infrastructure. The disruption affected electronic medical records, telephony, and systems for ordering tests, procedures, and medications.

As a result, some hospitals run by Ascension couldn’t admit emergency patients, and had to divert ambulances to other facilities. Healthcare workers also reported having to switch to pen and paper and writing out medical referrals from memory.

Restoring the affected electronic systems took over a month. The Black Basta ransomware group claimed responsibility for the attack. The investigation revealed that the root cause of the attack was an employee who downloaded a malicious file onto a company device.

It was revealed in late 2024 that the cybercriminals had stolen the personal data of 5.6 million patients and hospital staff. This data included medical records, payment details, insurance information, social security and ID numbers, addresses, dates of birth, and more. As compensation, Ascension offered all those affected a free two-year subscription to its identity-theft protection service.

June 2024: Ransomware attack on healthcare provider hits London hospitals

In early June, news broke of a ransomware attack on Synnovis, a UK company providing pathology and diagnostic services to several major London hospitals. As a result, over 800 surgeries were canceled and some patients diverted to other facilities.

Major outage reported on the website of Synnovis, a healthcare provider for several major London hospitals. Source

One of the worst consequences of the attack was that doctors were unable to match donor and patient blood types, forcing them to use the universal blood type O. This quickly led to a shortage.

July 2024: Los Angeles County Superior Court shut down by ransomware

The Los Angeles County Superior Court, the largest single unified trial court in the United States, suspended all 36 courthouses in the county due to a ransomware attack. Both external services (such as the court’s website and the jury duty portal) and internal resources (including the case management system) were impacted.

The Los Angeles courts reopened two days later, but restoring publicly-accessible electronic services took about a week longer. After that, however, the Superior Court stopped updating the public about the incident, so it’s unknown how long it took to restore the courts’ internal systems. It also remains a mystery whether the court paid a ransom or what data the attackers may have gotten away with.

August 2024: Ransomware attack on vodka maker Stoli

In August, a ransomware attack targeted Stoli Group, the producer of Stolichnaya vodka and multiple other beverages. The incident had a serious impact on the company’s IT infrastructure and operations: an ERP system failure meant that all internal processes, including accounting, had to be transferred to manual mode.

In particular, the incident meant that Stoli Group companies couldn’t submit financial statements to creditors — which alleged that the Stoli companies failed to repay a debt of $78 million. Stoli Group had to file for bankruptcy in December.

September 2024: Highline Public Schools closure due to ransomware

In early October, Highline Public Schools, a public school district in the U.S. state of Washington, temporarily closed all 34 of its member schools, which serve more than 17,000 students and employ around 2000 staff. The cyberattack halted all educational activities, including sports events and meetings, for four school days.

About a month after the incident, Highline’s management confirmed that the attack was ransomware-related. Unfortunately, Highline Public Schools officials never disclosed whether any personal information of staff or students had been compromised. As a precaution, however, the district offered all Highline employees one year of free credit and identity monitoring services.

Although the schools were quite quick to reopen, it took a long time to restore the IT infrastructure back to normal operation. Regretfully, more than a month passed before employees and students were finally urged to change their passwords and reinstall the operating system on all school-supplied devices.

October 2024: Ransomware attack on Casio

In early October, Japan’s Casio, the renowned electronics manufacturer, reported unauthorized access to its network. According to its statement, the incident resulted in failure of IT systems and unavailability of certain unspecified services.

Five days later, the ransomware group Underground claimed responsibility for the attack. The group also stole data during the hack, which it posted on its website — including confidential documents, patent information, employees’ personal data, legal and financial documents, project information, and so on. The very next day, Casio confirmed the data theft.

In early 2025, Casio released more details about the number of people whose data had been stolen. According to the company, a total of 8500 people were affected, of which around 6500 were employees, and 2000 were business partners. At the same time, Casio reported not paying a ransom to the attackers and announced that most (but not all) services were already back up and running.

Interestingly, in that same October 2024, Casio was the victim of another successful attack, unrelated to the above ransomware incident.

November 2024: Ransomware attack on Bologna FC

In November, ransomware claimed a rather atypical victim — the Italian soccer club Bologna FC. The club posted on its website an official statement about a ransomware attack, warning that “it is a serious criminal offence” to store or distribute stolen data.

The Italian soccer club Bologna FC website reports a ransomware attack. Source

The RansomHub group claimed responsibility for the hack. Later, it published the stolen data after the club refused to pay the ransom. According to the attackers, the leaked information included sponsorship contracts, the club’s complete financial history, personal and confidential player data, medical records, transfer strategies, confidential data of fans and club employees, and much more.

December 2024: Ransomware attacks medical tissue and equipment supplier Artivion

In December, Artivion, a global supplier of tissues and equipment for cardiac surgery, announced that its IT infrastructure had been compromised by a cyberattack. The attackers encrypted some of the company’s systems and stole data from affected computers.

According to Artivion, the incident caused “disruptions to some order and shipping processes”, as well as corporate operations. The company also reported being insured against such incidents, but the policy may not fully cover the damage caused by the attack.

How to defend against ransomware attacks

Ransomware continues to evolve, and every year the attacks take on new, complex forms. Therefore, in today’s world, effective protection against ransomware requires a comprehensive approach. We recommend the following security measures:

• Provide training courses for employees so they can learn about the basics of cybersecurity.
• Implement proper data storage and employee access
• Back up data regularly, and keep the backups in network-isolated storage.
• Install reliable protection on all corporate devices.
• Use an XDR solution to monitor suspicious network activity.
• Outsource threat detection and response to a specialist company if your in-house information-security service lacks the resources for it.

Kaspersky official blog – ​Read More

Overview

Cyble dark web researchers investigated more than 250 dark web claims by threat actors in January 2025, with more than a quarter of those targeting U.S.-based organizations.

Of threat actors (TAs) on the dark web targeting U.S. organizations during the month, 15 were ransomware groups claiming successful attacks or selling data from those attacks.

Ransomware group claims accounted for about 40% of the Cyble investigations. Most of the investigations examined threat actors claiming to be selling data stolen from organizations, or selling access to those organizations’ networks.

Several investigations focused on cyberattacks orchestrated by hacktivist groups – including a new Russian threat group identified here for the first time.

‘Sector 16’ Teams Up With Russian Hacktivists Z-Pentest

New on the scene is a group calling itself “Sector 16,” which teamed with Z-Pentest – a threat group profiled by Cyble last month – in an attack on a Supervisory Control and Data Acquisition (SCADA) system managing oil pumps and storage tanks in Texas. The groups shared a video showcasing the system interface, revealing real-time data on tank levels, pump pressures, casing pressures, and alarm management features.

Both groups put their logos on the video, suggesting a close alliance between the two (image below).

Sector 16 also claimed responsibility for unauthorized access to the control systems of a U.S. oil and gas production facility, releasing a video purportedly demonstrating their access to the facility’s operational data and systems. The video reveals control interfaces associated with the monitoring and management of critical infrastructure. Displayed systems include shutdown management, production monitoring, tank level readings, gas lift operations, and Lease Automatic Custody Transfer (LACT) data, all critical components in the facility’s operations. Additionally, they were also able to access valve control interfaces, pressure monitoring, and flow measurement data, highlighting the potential extent of access.

Russian hacktivist groups have posted several videos of their members tampering with critical infrastructure control panels in recent months, perhaps more to establish credibility or threaten than to inflict actual damage, although in one case, Z-Pentest claimed to disrupt a U.S. oil well system.

Among other hacktivist groups active in January, pro-Islamic hacktivists Mr. Hamza – who united with Z-Pentest and other pro-Russian groups in European attacks in December – teamed with Velvet Team to claim responsibility for a series of Distributed Denial-of-Service (DDoS) attacks on the U.S. government and military platforms. Targeted systems include a U.S. Army development and communications network, an FBI portal for bank robbery information, and the United States Africa Command’s official platform.

Active Ransomware Groups and Targets

The 15 active ransomware groups observed by Cyble in January included:

• CL0P
• INC
• Lynx
• Akira
• Rhysida
• SafePay
• RansomHub
• Monti
• Qilin
• BianLian
• Medusa
• Cactus
• FOG
• LockBit
• BlackBasta

CL0P has claimed at least 115 victims from attacks on Cleo MFT vulnerabilities.

Victims claimed by the 15 ransomware groups span a wide range of sectors, including a major port, a chip equipment maker, an automotive parts manufacturer, major universities and colleges, state and local police, defense contractors, a casino, a water utility, multiple government agencies, a food company, a plumbing equipment manufacturer, a telecom company, numerous healthcare companies, and more.

Several victims had been targeted previously by other ransomware groups.

Data Breach Claims

Some of the U.S. data breach claims Cyble investigated in January included:

A threat actor offering a SIM-swapping service targeting subscribers of a U.S.-based telecommunications service suggests that the TA may possess unauthorized access to an internal portal that facilitates such swap requests, or they could be leveraging insider access.

A TA advertised a web shell and unauthorized admin access to an undisclosed U.S. government website.

Another threat actor offered unauthorized access to an undisclosed ISP, a router manufacturer, a real estate company, and a logistics and transportation organization. The TA claimed to have gained root access to the company’s servers.

One TA advertised data stolen from a large IT company, claiming that the compromised data included source code from private GitHub repos, Docker builds, certificates (private and public keys), and more.

Another TA claimed to be selling unauthorized network access to a subdomain belonging to a major retail corporation for $16,000, claiming that the access could be leveraged to illicitly execute arbitrary commands on the compromised system.

Conclusion

Dark web monitoring is an important tool for detecting leaks early before they escalate into much bigger cyberattacks and data breaches.

Along with cybersecurity best practices such as zero trust, risk-based vulnerability management, segmentation, tamper-proof backups, and network and endpoint monitoring, there are a number of ways organizations can reduce risk and limit any cyber attacks that do occur.

The post Dark Web Activity January 2025: A New Hacktivist Group Emerges appeared first on Cyble.

Blog – Cyble – ​Read More

Many macOS users believe their operating system is immune to malware, so they don’t need to take extra security precautions. In reality, it’s far from the truth, and new threats keep popping up.

Are there viruses for macOS?

Yes — and plenty of ’em. Here are some examples of Mac malware we’ve previously covered on Kaspersky Daily and Securelist:

• A crypto-wallet-stealing Trojan disguised as pirated versions of popular macOS apps.

This Trojan’s malicious payload is stored in the “activator”. The cracked app won’t work until it’s launched.Source

• Another crypto-stealing Trojan, this one masquerading as a PDF document titled “Crypto-assets and their risks for financial stability”.
• A Trojan that used infected Macs to create a network of illegal proxy servers for routing malicious traffic.
• The Atomic stealer, distributed as a fake Safari update.

We could go on with this list of past threats, but let’s instead now focus on one of the latest attacks targeting macOS users, namely – the Banshee stealer…

What the Banshee stealer does

Banshee is a fully-fledged infostealer. This is a type of malware that searches the infected device (in our case, a Mac) for valuable data and sends it to the criminals behind it. Banshee is primarily focused on stealing data related to cryptocurrency and blockchain.

Here’s what this malware does once it’s inside the system:

• Steals logins and passwords saved in various browsers: Google Chrome, Brave, Microsoft Edge, Vivaldi, Yandex Browser, and Opera.
• Steals information stored by browser extensions. The stealer targets over 50 extensions – most of which are related to crypto wallets, including Coinbase Wallet, MetaMask, Trust Wallet, Guarda, Exodus, and Nami.
• Steals 2FA tokens stored in the Authenticator.cc browser extension.
• Searches for and extracts data from cryptocurrency wallet applications, including Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger.
• Harvests system information and steals the macOS password by displaying a fake password entry window.

Banshee compiles all this data neatly into a ZIP archive, encrypts it with a simple XOR cipher, and sends it to the attackers’ command-and-control server.

In its latest versions, Banshee’s developers have added the ability to bypass the built-in macOS antivirus, XProtect. Interestingly, to evade detection, the malware uses the same algorithm that XProtect uses to protect itself, encrypting key segments of its code and decrypting them on the fly during execution.

How the Banshee stealer spreads

The operators of Banshee primarily used GitHub to infect their victims. As bait, they uploaded cracked versions of expensive software such as Autodesk AutoCAD, Adobe Acrobat Pro, Adobe Premiere Pro, Capture One Pro, and Blackmagic Design DaVinci Resolve.

The creators of Banshee used GitHub to spread the malware under the guise of pirated software. Source

The attackers often targeted both macOS and Windows users at the same time: Banshee was often paired with a Windows stealer called Lumma.

Another Banshee campaign, discovered after the stealer’s source code was leaked (more on that below), involved a phishing site offering macOS users to download “Telegram Local” – supposedly designed to protect against phishing and malware. Of course, the downloaded file was infected. Interestingly, users of other operating systems wouldn’t even see the malicious link.

A phishing site offers to download Banshee disguised as “Telegram Local”, but only to macOS users (left). Source

The past and future of Banshee

Let’s now turn to Banshee’s history, which is really quite interesting. This malware first appeared in July 2024. Its developers marketed it as a malware-as-a-service (MaaS) subscription, charging $3000 per month.

Business must not have been great, as by mid-August they’d slashed the price by 50% – bringing the monthly subscription down to $1500.

A hacker site ad announcing a discount on Banshee: $1500 instead of $3000 per month. Source

At some point, the creators either changed their strategy, or decided to add an affiliate program to their portfolio. They began recruiting partners for joint campaigns. In these campaigns, Banshee’s creators provided the malware, and the partners executed the actual attack. The developers’ idea was to split the earnings 50/50.

However, something must have gone very wrong. In late November, Banshee’s source code was leaked and published on a hacker forum – thus ending the malware’s commercial life. The developers announced they were quitting the business – but not before attempting to sell the entire project for 1BTC, and then for $30,000 (most likely having learned of the leak).

Thus, for several months now, this serious stealer for macOS has been available to essentially anyone completely free of charge. Even worse, with the source code also available, cybercriminals can now create their own modified versions of Banshee.

And judging from the evidence, this is already happening. For example, the original versions of Banshee stopped working if the operating system was running in the Russian language. However, one of the latest versions has removed the language check, meaning Russian-speaking users are now also at risk.

How to protect yourself from Banshee and other macOS threats

Here are some tips for macOS users to stay safe:

• Don’t install pirated software on your Mac. The risk of running into a Trojan by doing so is very high, and the consequences can be severe.
• This is especially true if you use the same Mac for cryptocurrency transactions. In this case, the potential financial damage could significantly exceed any savings you make on purchasing genuine software.
• In general, avoid installing unnecessary applications, and remember to uninstall programs you no longer use.
• Be cautious with browser extensions. They may seem harmless at first glance, but many extensions have full access to the contents of all web pages, making them just as dangerous as full-fledged apps.
• And of course, be sure to install a reliable antivirus on your Mac. As we’ve seen, malware for macOS is a very real threat.

Finally, a word on Kaspersky security products. They can detect and block many Banshee variants with the verdict Trojan-PSW.OSX.Banshee. Some new versions resemble the AMOS stealer, so they can also be detected as Trojan-PSW.OSX.Amos.gen.

Kaspersky official blog – ​Read More

Threat actors increasingly deployed web shells against vulnerable web applications and primarily exploited vulnerable or unpatched public-facing applications to gain initial access in Q4, a notable shift from previous quarters. The functionality of the web shells and targeted web applications varied across incidents, highlighting the multitude of ways threat actors can leverage vulnerable web servers as a gateway into a victim’s environment. Prior to this quarter, use of valid accounts had been Cisco Talos Incident Response (Talos IR)’s most observed method of initial access for over a year.  

Ransomware made up a slightly smaller portion of threats observed this quarter than in the past. Notably, the end of the year saw a surge of ransomware and pre-ransomware incidents, primarily involving BlackBasta ransomware, suggesting this as a threat to monitor going into 2025.  

Web shells increasingly observed in adversaries’ post-compromise toolkits 

In 35 percent of incidents in Q4, threat actors deployed a variety of open-source and publicly available web shells against vulnerable or unpatched web applications, a significant increase from less than 10 percent in the previous quarter. In one incident, Talos IR observed the adversary uploading a web shell with the file name “401.php”, which was also seen last quarter. This PHP web shell is based on the publicly available Neo-regeorg web shell on GitHub and has been leveraged in several adversaries’ attack chains, according to a CISA advisory. Another incident involved the web fuzzer Fuzz Faster U Fool, which is used to perform brute force attacks against web applications to discover usernames and passwords and perform directory and virtual host discovery.  

Adversaries also leveraged older tools to support their post-compromise objectives, serving as a reminder for organizations to remain vigilant in adding applications to the allowlist/blocklist to control what software operates on their systems. In one incident, the attacker targeted a vulnerable server of JBoss using a tool called JexBoss, which was originally released on Github in 2014 and can be used to test and exploit vulnerabilities in Java platforms. The adversary saved JexBoss as a WAR file, and the contents included a malicious web shell named “jexws4.jsp”.  

Ransomware trends 

Ransomware, pre-ransomware, and data theft extortion accounted for nearly 30 percent of engagements this quarter, a slight decrease from the previous quarter, in which these types of engagements accounted for 40 percent. Talos IR observed Interlock ransomware for the first time, while also responding to previously seen ransomware variants BlackBasta and RansomHub. Talos IR was able to identify dwell times in the majority of engagements this quarter, which ranged from approximately 17 to 44 days. For example, in the Interlock ransomware incident, it took the adversary 17 days from the initial compromise stage until the deployment of the ransomware encryptor binary. Longer dwell times can indicate that an adversary is trying to expand their access, evade defenses, and/or identify data of interest for exfiltration. For example, in a RansomHub incident this quarter, operators had access to the compromised network for over a month before executing the ransomware and performed actions such as internal network scanning, accessing passwords for backups, and credential harvesting.  

Operators leveraged compromised valid accounts in 75 percent of ransomware engagements this quarter to obtain initial access and/or execute ransomware on targeted systems, highlighting the risk of identity-based attacks and the need for secure authentication methods. In a BlackBasta incident, for example, operators posed as the targeted entity’s IT department and used social engineering to gain access to an employee’s account, which consequently facilitated lateral movement into the network. In a RansomHub engagement, affiliates leveraged a compromised Administrator account to execute the ransomware, dump credentials, and run scans using a commercial network scanning tool. Of note, all organizations impacted by ransomware incidents this quarter did not have multifactor authentication (MFA) properly implemented or MFA was bypassed during the attack. 

As forecasted in last quarter’s IR quarterly trends report, this quarter featured two RansomHub incidents, in which affiliates leveraged newly identified tools and techniques. Talos IR observed affiliates leveraging a Veeam password stealer to target the Veeam data backup application, and KMS Auto, a tool designed to illicitly activate cracked Microsoft products. The operators also used a previously unseen persistent access technique, modifying Windows Firewall settings on targeted hosts to enable remote access. This activity occurred shortly before the ransomware was executed, potentially as a method to maintain direct access to the compromised systems. 

Talos IR observed operators leveraging remote access tools in 100 percent of ransomware engagements this quarter, a significant uptick from last quarter, when it was only seen in 13 percent of ransomware or pre-ransomware engagements. Commercial remote desktop software Splashtop in particular was involved in 75 percent of ransomware engagements this quarter, and other observed remote access tools included Atera, Netop, AnyDesk, and LogMeIn. In at least 50 percent of engagements, these tools were used to facilitate lateral movement, as actors used this remote access to pivot to other systems in the environment. 

Looking forward: Talos IR saw BlackBasta ransomware in one engagement that closed this quarter, as well as in a number of engagements that kicked off near the end of the year. In the observed attack chain, BlackBasta operators impersonate IT personnel to conduct double extortion attacks, which involves exfiltration of sensitive information that is then encrypted to pressure victims into paying. Our observations and corresponding public reporting on the group’s recent uptick in activity since December indicate that this is a ransomware threat to monitor going into the new year. 

Targeting  

Organizations in the education vertical were most affected for the second quarter in a row, accounting for nearly 30 percent of engagements. This is also consistent with Talos IR Q1 2024 (January–March) targeting trends, where the education sector was tied for the top targeted industry vertical. 

Initial access 

For the first time in over a year, the most observed means of gaining initial access was the exploitation of public-facing applications, accounting for nearly 40 percent of engagements when initial access could be determined. This is a significant departure compared to previous quarters, where the use of valid accounts was consistently a top observed technique leveraged for initial access. While we still observed adversaries leverage compromised credentials and valid accounts to gain access, this shift is likely largely due to the number of web shell and ransomware incidents that took advantage of poorly patched or publicly exposed applications. 

Looking forward: Since early December 2024, Talos IR has observed a surge in password-spraying attacks, leading to user account lockouts and denied VPN access. These attacks are often characterized by large volumes of traffic. For example, one organization reported nearly 13 million attempts were made in 24 hours against known accounts, indicating the adversary was likely running automated attacks. This activity primarily affected organizations in the public administration sector and was likely random and opportunistic. Although adversaries have been using password-spraying attacks for credential access for years, the sheer volume of authentication attempts in quick succession is a reminder that organizations should continue to stress the importance of MFA and strong password policies to limit unauthorized access attempts. 

Recommendations for addressing top security weaknesses 

 Implement MFA and other identity and access control solutions  

Talos IR recommends ensuring MFA is enforced on all critical services, including all remote access and identity and access management (IAM) services. In addition, to defend against MFA bypass via social engineering where prompts are accepted by a legitimate user, regular cybersecurity awareness training should cover relevant and updated social engineering topics. 

We continue to see a significant number of compromises involving misconfigured, weak, or lack of MFA. This issue was present in nearly 40 percent of total engagements this quarter and, as mentioned above, 100 percent of organizations impacted by ransomware incidents did not have MFA properly implemented or it was bypassed via social engineering.  

Since compromised accounts remains a top initial access vector, consider investing in IAM sevices and User Behavior Analytics (UBA), which can help identity suspicious account usage. 

Patch regularly and replace end-of-life assets 

Talos IR also strongly recommends organizations ensure all operating systems and software in the environment are currently supported and replace those that have reached end-of-life. Unpatched and/or vulnerable software helped facilitate initial access across several incidents this quarter, and nearly 15 percent of incidents suffered from outdated and end-of-life software.  

If patching is not possible consider other mitigations, such as monitoring, especially for typical post-exploitation tools and behaviors; improving segmentation through firewalls, switch VLANs, subnetting, etc.; and disabling access to administrative shares.  In 40 percent of the web shell engagements, poor network segmentation and access to administrative shares resulted in adversaries moving laterally. 

Implement properly configured EDR solution  

Implement properly configured EDR and other security solutions. If an organization lacks the resources to successfully implement these solutions, they can consider outsourcing to a Managed XDR vendor to ensure proper configuration and 24/7 monitoring by security experts. 

Misconfigured or missing EDR solutions affected over 25 percent of all incidents for the quarter.   

Top-observed MITRE ATT&CK techniques  

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.  

Key findings from the MITRE ATT&CK framework include: 

• The use of remote access tooling, such as Splashtop or AteraAgent, was leveraged in nearly 40 percent of engagements, compared to 5 percent in the previous quarter. 
• Remote access tooling was leveraged in 100 percent of the ransomware incidents observed in Q4, a significant shift compared to that of the previous quarter. 
• This is the first quarter in well over a year in which the use of valid accounts was not the top initial access technique. Instead, exploitation of public-facing applications, largely contributed by the high number of web shell incidents, was the top means of gaining access this quarter. 

Cisco Talos Blog – ​Read More

Overview

A pair of 9.8-severity flaws in mySCADA myPRO Manager SCADA systems were among the vulnerabilities highlighted in Cyble’s weekly Industrial Control System (ICS) Vulnerability Intelligence Report.

Cyble Research & Intelligence Labs (CRIL) examined eight ICS vulnerabilities in the January 28 report for clients, including high-severity flaws in critical manufacturing, energy infrastructure, and transportation networks.

OS Command Injection (CWE-78) and Improper Security Checks (CWE-358, CWE-319) accounted for half of the vulnerabilities in the report, “indicating a persistent challenge in securing authentication and execution processes in ICS environments,” Cyble said.

Critical mySCADA Vulnerabilities

The critical mySCADA myPRO supervisory control and data acquisition (SCADA) vulnerabilities haven’t yet appeared in the NIST National Vulnerability Database (NVD) or the MITRE CVE database, but they were the subject of a CISA ICS advisory on January 23.

The mySCADA myPRO Manager system provides user interfaces and functionality for real-time monitoring and control of industrial processes across a range of critical industries and applications. CISA said the vulnerabilities can be exploited remotely with low attack complexity, potentially allowing a remote attacker to execute arbitrary commands or disclose sensitive information.

CVE-2025-20061 was assigned a CVSS v3.1 base score of 9.8 and is an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability. CISA said mySCADA myPRO does not properly neutralize POST requests sent to a specific port with email information, so the vulnerability could be used to execute arbitrary commands on an affected system.

CVE-2025-20014 is also a 9.8-severity OS Command Injection vulnerability, as myPRO also does not properly neutralize POST requests sent to a specific port with version information, which could potentially lead to an attacker executing arbitrary commands.

The following mySCADA products are affected:

• myPRO Manager: Versions prior to 1.3
• myPRO Runtime: Versions prior to 9.2.1

mySCADA recommends that users update to the latest versions:

• mySCADA PRO Manager 1.3
• mySCADA PRO Runtime 9.2.1

CISA also recommended that users minimize network exposure for all control system devices and systems to ensure they are not accessible from the Internet, locate control system networks and remote devices behind firewalls, and isolate them from business networks. If remote access is necessary, additional security steps, such as an updated VPN on a secure device, should be used.

Recommendations for Mitigating ICS Vulnerabilities 

Cyble recommends several controls for mitigating ICS vulnerabilities and improving the overall security of ICS systems. The measures include:

1. Staying on top of security advisories and patch alerts issued by vendors and regulatory bodies like CISA is recommended. A risk-based approach to vulnerability management reduces the risk of exploitation.
2. Implementing a Zero-Trust Policy to minimize exposure and ensure that all internal and external network traffic is scrutinized and validated.
3. Developing a comprehensive patch management strategy that covers inventory management, patch assessment, testing, deployment, and verification. Automating these processes can help maintain consistency and improve efficiency.
4. Proper network segmentation can limit the potential damage caused by an attacker and prevent lateral movement across networks. This is particularly important for securing critical ICS assets.
5. Conducting regular vulnerability assessments and penetration testing to identify gaps in security that might be exploited by threat actors.
6. Establishing and maintaining an incident response plan and ensuring that it is tested and updated regularly to adapt to the latest threats.
7. All employees, especially those working with Operational Technology (OT) systems, should be required to undergo ongoing cybersecurity training programs. The training should focus on recognizing phishing attempts, following authentication procedures, and understanding the importance of cybersecurity practices in day-to-day operations.

Conclusion

Industrial Control Systems (ICS) vulnerabilities can threaten critical infrastructure environments, with the potential to disrupt operations, compromise sensitive data, and cause physical damage. Staying on top of ICS vulnerabilities and applying good cybersecurity hygiene and controls are critical cybersecurity practices for ICS, OT, and SCADA environments.

To access the full report on ICS vulnerabilities observed by Cyble, along with additional insights and details, click here. By adopting a comprehensive, multi-layered security approach that includes effective vulnerability management, timely patching, and ongoing employee training, organizations can reduce their exposure to cyber threats. With the right tools and intelligence, such as those offered by  Cyble, critical infrastructure can be better protected, ensuring its resilience and security in an increasingly complex cyber landscape.

The post ICS Vulnerability Report: Cyble Urges Critical mySCADA Fixes appeared first on Cyble.

Blog – Cyble – ​Read More