Threat Pulse – January 2025
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the largest Open Threat Exchange database available.
XE Group’s Evolving Campaigns
XE Group shifted from credit card skimming to more targeted information theft, exploiting zero-day vulnerabilities to maintain persistent access through webshells.
Their operations focus on long-term stealth, leveraging vulnerabilities in VeraCore to gain unauthorised access to systems and exfiltrate data.
Lazarus’ Software Supply Chain Attack
Lazarus, a North Korean threat group, used a sophisticated command-and-control infrastructure to execute a software supply chain attack, infecting 233 victims globally.
The group employed advanced obfuscation tactics to disguise its origin, targeting software developers and cryptocurrency assets.
KEPServerEX Vulnerability Exploitation
A critical vulnerability in KEPServerEX’s OPC UA protocol allows attackers to trigger a stack overflow remotely, potentially crashing devices.
The flaw, identified as CVE-2023-3825, remains unexploited publicly, but its remote attack vector poses risks to vulnerable systems.
Ransomware Through Remote Sessions
Attackers used social engineering tactics to offer remote assistance, deploying malware once access was granted via tools like Microsoft Quick Assist. The attack chain is linked to ransomware campaigns, utilising C2 connections and legitimate processes to evade detection and steal credentials.
FlexibleFerret Malware in Job Interview Scams
FlexibleFerret, part of the “Contagious Interview” campaign, masquerades as job interview software to deliver malicious payloads.
The malware, primarily targeting developers and users of GitHub, uses Dropbox for exfiltration and adapts to avoid detection through legitimate Apple Developer credentials.
Coyote Trojan’s Broad Financial Targeting
Coyote Trojan employs a variety of tactics, such as keylogging and phishing overlays, to steal financial credentials. It has targeted over a thousand sites, using persistence mechanisms and sophisticated communication methods to expand its scope of attacks.
Crazy Evil’s Cryptocurrency and Gaming Scams
Crazy Evil targets cryptocurrency users and influencers through social engineering and spearphishing, utilising infostealer malware to exfiltrate digital assets.
The group operates in multiple subteams, adapting its tactics to exploit decentralised finance and cryptocurrency platforms.
Sector 16’s Critical Infrastructure Attacks
Sector 16 claimed unauthorised access to U.S. critical infrastructure systems, including SCADA and oil and gas production facilities.
Dark web monitoring also revealed activity from multiple ransomware groups targeting a range of sectors, with CL0P exploiting vulnerabilities to compromise major organisations worldwide.
PyPI Infostealer Campaign Targeting Developers
Malicious packages uploaded to PyPI targeted developers, exfiltrating sensitive data such as API keys and credentials.
The infostealers affected 222 developers, primarily in the US, but also impacted users from several other countries, highlighting a shift towards targeting the development community.
RedDelta’s Cyber-Espionage Campaign
The China-linked APT group RedDelta intensified its cyber-espionage activities across Asia, targeting government and political entities in multiple countries.
Utilising sophisticated spear-phishing tactics, they delivered a modified PlugX backdoor. Notable breaches included the Mongolian Ministry of Defence and the Communist Party of Vietnam, highlighting RedDelta’s evolving methods and broad geographical reach.
APT28’s Cyber-Espionage Campaign
The Russian-linked APT28 (also known as Fancy Bear) conducted a cyber-espionage campaign targeting government officials in Central Asia. They used leaked Kazakhstan government documents as lures, deploying tools like HATVIBE and CHERRYSPY to infiltrate systems and gather intelligence. This operation underscores APT28’s ongoing efforts to maintain geopolitical influence in key regions.
Codefinger Ransomware Attacks
A new ransomware group named Codefinger emerged, targeting AWS S3 buckets by exploiting compromised AWS keys. They employed server-side encryption with customer-provided keys to lock critical data, threatening deletion within seven days if ransoms were not paid.
Because the encryption was performed with keys the attackers supplied, this tactic specifically endangered developers whose workloads run directly on AWS, and it highlighted the evolving nature of ransomware threats within the technology sector.
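Added example, not part of the original Threat Pulse and not DigitalXRAID tooling: a small detector for the Codefinger pattern described above. It scans CloudTrail S3 data events for object writes that used server-side encryption with customer-provided keys (SSE-C), summarises them per principal, and emits a bucket policy statement that denies any further SSE-C writes. The sample events are constructed for this example; the field name `additionalEventData.SSEApplied` and the condition key `s3:x-amz-server-side-encryption-customer-algorithm` are taken from AWS documentation as the author of this example understands it, and should be confirmed against your own CloudTrail output before deploying.

```python
"""Flag S3 object writes encrypted with customer-provided keys (SSE-C) in
CloudTrail S3 data events, and produce a bucket policy that blocks them.
All sample data below is constructed for illustration only."""
import json
from collections import Counter

# Constructed CloudTrail S3 data-event records (not real log data).
# Account ID, ARNs, bucket and key names are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2025-01-10.dump"},
     "additionalEventData": {"SSEApplied": "Default_SSE_S3"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-key-user"},
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2025-01-10.dump"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "GetObject",  # a read, not a write: not flagged by this rule
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-key-user"},
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2025-01-09.dump"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-key-user"},
     "requestParameters": {"bucketName": "prod-backups", "key": "README_TO_RECOVER.txt"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]

# Operations that create or overwrite object content.
WRITE_OPS = {"PutObject", "CopyObject", "CreateMultipartUpload",
             "UploadPart", "UploadPartCopy"}


def find_sse_c_writes(events):
    """Return (principal_arn, bucket, key, eventName) for every write that
    CloudTrail records as encrypted with a customer-provided key."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_OPS:
            continue
        sse = ev.get("additionalEventData", {}).get("SSEApplied")
        if sse != "SSE_C":
            continue
        params = ev.get("requestParameters", {})
        hits.append((ev.get("userIdentity", {}).get("arn", "<unknown>"),
                     params.get("bucketName", "<unknown>"),
                     params.get("key", "<unknown>"),
                     ev["eventName"]))
    return hits


def summarise_by_principal(hits):
    """Count SSE-C writes per principal: a burst from one identity is the
    signal that a leaked key is being used to re-encrypt a bucket."""
    return dict(Counter(h[0] for h in hits))


def deny_sse_c_policy(bucket):
    """Bucket policy denying object writes that carry an SSE-C header.
    The Null condition with value "false" matches when the key is present,
    i.e. when the request asks for customer-provided-key encryption."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }


if __name__ == "__main__":
    hits = find_sse_c_writes(SAMPLE_EVENTS)
    for principal, bucket, key, op in hits:
        print(f"SSE-C write: {op} s3://{bucket}/{key} by {principal}")
    print("per-principal:", summarise_by_principal(hits))
    print(json.dumps(deny_sse_c_policy("prod-backups"), indent=2))
```

The detector deliberately ignores SSE-C reads, which are legitimate for workloads that already use customer-provided keys; what it surfaces is a principal writing SSE-C objects into a bucket whose existing objects were encrypted another way. The deny statement is a blunt control and should only be applied to buckets where no legitimate workload relies on SSE-C.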
Home Office Data Breach Affecting Healthcare Workers
In mid-January 2025, hackers breached the UK Home Office’s Visas and Immigration database, accessing personal data of over 171 foreign healthcare workers.
The compromised information included passports, work permits, UK visas, and bank statements. While the specific APT group responsible has not been identified, the attack underscores the vulnerabilities in systems managing sensitive healthcare personnel data.
Unit 29155’s Targeting of Healthcare Sectors
Reports from late January 2025 indicate that Unit 29155, a Russian-linked APT group, has been accused of cyberattacks targeting various sectors, including healthcare, across NATO member states and other regions.
Smiths Group Cyberattack
Smiths Group, a global engineering and technology conglomerate, suffered a significant cyberattack that led to unauthorised access to its systems.
The company promptly isolated the affected systems and activated business continuity plans, collaborating with cybersecurity experts to assess and recover from the incident. The attack resulted in a 1.7% drop in the company’s share price. While the specific APT group responsible was not disclosed, the incident underscores the manufacturing sector’s vulnerability to sophisticated cyber threats.
Sanctions Against Integrity Technology Group
The US Treasury Department sanctioned Beijing-based Integrity Technology Group, alleging its involvement in hacking incidents targeting critical US infrastructure.
The company is accused of operating the hacking group “Flax Typhoon” under the direction of the Chinese government.
Russian APT Targets Government Officials via WhatsApp
In mid-January 2025, the Russian state-linked APT group known as “Star Blizzard” targeted the WhatsApp accounts of government ministers and officials worldwide.
They employed phishing emails containing QR codes, which, when scanned, linked the officials’ WhatsApp accounts to the attackers’ devices, granting them access to sensitive communications.
NAO Warns of Escalating Cyber Threats to UK Government Departments
On January 29, 2025, the UK’s National Audit Office (NAO) reported that government departments face a severe and rapidly advancing threat from cyberattacks.
The report highlighted significant vulnerabilities in critical IT systems and criticised senior civil servants for not prioritising cyber-resilience, leading to inadequate investment and staffing.
Ticket Sales Disruption for Scotland’s Six Nations Rugby Matches
The Scottish Rugby Union (SRU) paused ticket sales for the Six Nations rugby matches due to a cyberattack. The attack, allegedly executed by ticket touts using automated bots, aimed to purchase large quantities of tickets before the general public could access them.
The SRU is collaborating with Ticketmaster to investigate and address the issue, ensuring tickets are allocated to genuine fans. Revised sale dates were announced following the incident.
Earth Simnavaz Targeting Gulf Energy Organisations
The Iranian-linked APT group, Earth Simnavaz, intensified its cyber-espionage activities against energy sector entities in the Gulf region, particularly focusing on oil and gas industries.
The group exploited vulnerabilities in Microsoft Exchange servers, including CVE-2024-30088, to deploy backdoors, steal credentials, and establish persistent access within targeted networks. Their tactics involved the use of customised .NET tools, PowerShell scripts, and IIS-based malware to evade detection.
PowerSchool Data Breach
PowerSchool, a prominent K-12 educational technology company serving over 60 million students globally, suffered a significant data breach. Discovered on December 28, 2024, and publicly disclosed in January 2025, the breach potentially exposed personal information, including names, addresses, Social Security numbers, medical records, and grades of students and staff across the US and Canada.
The breach was attributed to unauthorised access via compromised credentials to PowerSchool’s support platform. In response, the company paid a ransom and received assurances that the stolen data had been deleted. PowerSchool is offering identity theft protection and two years of credit monitoring to affected individuals.
Hyena Ransomware Targeting Utility Companies
The Hyena ransomware variant emerged, targeting utility companies by exploiting vulnerabilities in Microsoft Windows systems. This ransomware encrypts critical data, demanding ransom payments for decryption, posing significant operational risks to utility providers.
IMI Engineering Group Cyberattack
IMI, a UK-based engineering group, reported a cyberattack. This incident occurred weeks after a similar attack on its competitor, Smiths Group. Upon detecting unauthorised access, IMI engaged external cybersecurity experts to investigate and contain the breach.
While specific details were limited, analysts suggested that the impact on IMI was likely comparable to the less disruptive incidents at Smiths Group and Vesuvius.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.