Sıla Özeren | March 06, 2025 | 11 MIN READ

LAST UPDATED ON MARCH 06, 2025

FBI Confirms North Korean Lazarus Group Behind $1.5 Billion Bybit Crypto Heist

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

Top Threat Actors Observed in the Wild: February 2025

Here are the most active threat actors observed in the wild in February 2025.

Qilin Ransomware Takes Ownership of Lee Enterprises Cyber Attack, Leaks Stolen Data

  • Victim Location: United States
  • Sectors: Media & Publishing, Digital Media, Advertising
  • Threat Actor: Qilin Ransomware Gang
  • Actor Motivations: Extortion through ransom demands, with a threat to leak stolen sensitive data unless paid
  • Malware: Qilin Ransomware

On February 3, 2025, the Qilin ransomware gang claimed responsibility for a cyberattack that significantly disrupted operations at US-based Lee Enterprises—a media company owning 77 daily newspapers, 350 publications, and various digital platforms [1]. The attack resulted in the encryption of critical applications, loss of access to internal systems, and exfiltration of sensitive files, including government ID scans, financial spreadsheets, and contracts. 

Following the initial breach, the threat actors posted samples of the stolen data and have threatened to leak all of it on March 5, 2025, if their ransom demands are not met.

If you want an in-depth look at the TTPs of Qilin ransomware, see our earlier Qilin Ransomware blog [1].

FBI Confirms North Korean Lazarus Group Behind $1.5B Bybit Crypto Heist

On February 21, 2025, the FBI confirmed that North Korea’s Lazarus Group—also known as TraderTraitor and APT38—stole about $1.5 billion in crypto from Bybit in the largest crypto heist ever. During a scheduled transfer from a cold to a hot wallet, the hackers intercepted and rerouted funds to addresses they controlled, quickly converting the loot into Bitcoin and other assets and dispersing them across thousands of blockchain addresses to obscure their trail.

Bybit CEO Ben Zhou explained that the breach originated from infrastructure tied to the multisig platform Safe{Wallet}. The Safe Ecosystem Foundation later revealed that the attackers had compromised a Safe{Wallet} developer machine and used that access to tamper with the transaction presented to Bybit's signers, so that a malicious transaction looked legitimate at the moment it was approved: the signers authorized what they were shown, not what was actually executed on-chain.

In response, the FBI issued a PSA urging cryptocurrency providers to block transactions linked to TraderTraitor, and released 51 Ethereum addresses associated with the laundering of the stolen funds.

The FBI's Public Service Announcement on the North Korean malicious cyber activity it tracks as "TraderTraitor."

This incident is part of a broader trend of North Korean cyber actors targeting financial systems—having stolen over $6 billion since 2017, including $1.34 billion in 2024 alone—to fund the nation’s economy and ballistic missile program.

The FBI remains committed to protecting the crypto ecosystem and encourages anyone with tips to contact their local FBI office or submit information through IC3.gov.

Akira Ransomware: Medical Billing Specialists Cyberattack Exposed Sensitive Patient Data

On February 17, 2024, Medical Billing Specialists Inc. (MBS Select) suffered a cyberattack that, according to the proposed class action complaint later filed against the company, exploited significant gaps in system monitoring and cybersecurity controls and reflected a failure to meet contractual and industry security standards. The breach resulted in unauthorized access to a wide array of patient data, including personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers, and driver's license numbers, as well as sensitive medical details like diagnoses and treatment records.

Technical timelines and details:

  • February 17, 2024: MBS's systems were breached; the complaint attributes the intrusion to inadequate monitoring and a failure to enforce robust cybersecurity protocols.

  • March 6, 2024: The Akira ransomware gang, known for its double extortion tactics, added MBS to its dark web leak site. Their threat explicitly mentioned the exfiltration of over 120GB of data—encompassing detailed employee and patient information including background checks and internal correspondence.

  • December 15, 2024: MBS issued a public notice on their website, clarifying that while there was no evidence of active misuse of the data, the breach had exposed varying elements of sensitive information across individuals. The notice detailed that the affected data could include first and last names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient IDs, Medicare/Medicaid numbers, health insurance details, financial account data, and credit/debit card information.

The breach has not yet been cataloged in HHS’s public breach tool, and while Massachusetts residents were notified in February 2025, the total number of affected individuals remains undetermined. This incident is currently the subject of a proposed class action lawsuit filed in the US District Court for the District of Massachusetts, underscoring the need for more robust cybersecurity practices within healthcare billing systems.

Latest Vulnerabilities and Exploits in February 2025

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

CVE-2025-22225: VMware ESXi Arbitrary Write Vulnerability 

  • Affected Vendor: VMware (a subsidiary of Broadcom)
  • Affected Product: VMware ESXi
  • Fixes: To remediate CVE-2025-22225, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' in Broadcom's advisory VMSA-2025-0004.

CVE-2025-22225 is a high-severity arbitrary write vulnerability in VMware ESXi, classified as CWE-123 (write-what-where condition). A malicious actor who already has privileges within the VMX process can use it to perform an arbitrary kernel write and escape the VMX sandbox into the hypervisor kernel, turning control of a single virtual machine into control of the host.

Recognizing active exploitation, CISA added CVE-2025-22225 to its KEV Catalog on March 4, 2025, which requires Federal Civilian Executive Branch agencies to remediate it by March 25, 2025, and signals to every other organization that ESXi patching should not wait for the next maintenance window. Because exploitation starts from inside a guest, hosts that run untrusted or multi-tenant workloads are the most exposed.

CVE-2023-20118: Cisco Small Business RV Series Routers Command Injection Vulnerability

  • Affected Vendor: Cisco
  • Affected Product: Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers (all end-of-life)
  • CVEs: CVE-2023-20118
  • Fixes: 
    • Cisco has stated that it has not released and will not release software updates for this vulnerability, because the affected routers have reached end of life; the only complete remediation is to replace them.
    • As a mitigation, disable remote management on the device and block access to TCP ports 443 and 60443 from untrusted networks, so that the web-based management interface is reachable only from the trusted LAN.

CVE-2023-20118 is a command injection vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers. The interface does not properly validate user input in incoming HTTP requests, so an authenticated, remote attacker holding valid administrative credentials can send a crafted request and execute arbitrary commands as the root user on the underlying operating system.

CISA added the flaw to its Known Exploited Vulnerabilities Catalog on March 3, 2025, indicating active exploitation. Because the affected models are end-of-life, no firmware fix exists: organizations still running them should disable remote management, block TCP ports 443 and 60443 at the perimeter, and plan replacement. Note that the attacker needs administrative credentials first, so weak or reused router passwords and an internet-exposed management page are what turn this bug into a practical entry point.
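To make the class of flaw concrete, here is an added illustration, not Cisco's code, of the same input-validation failure in a web diagnostic handler, with a hardened form beside it. The 'ping' diagnostic, the hostname grammar and the argv layout are assumptions for the demo; the point is the pattern: interpolating a request parameter into a shell string versus validating it and passing it as a single argv element without a shell.

```python
"""Command injection in a web management handler: vulnerable pattern beside a
hardened one. Added illustration, not Cisco's code; the 'ping' diagnostic and
the hostname rules are assumptions for the demo."""
import ipaddress
import re
import shlex

# RFC 1123 hostname labels: letters, digits and hyphens, no leading/trailing hyphen.
_HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def build_ping_vulnerable(target: str) -> str:
    """VULNERABLE: interpolates the request parameter straight into a shell
    command line. Handed to a shell (os.system, subprocess with shell=True),
    ';', '|', '$(...)' and friends run extra commands as the server's user."""
    return f"ping -c 1 {target}"


def validate_target(target: str) -> str:
    """Allowlist validation: accept only a literal IP address or a hostname."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if len(target) <= 253 and _HOST_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostic target: {target!r}")


def build_ping_safe(target: str) -> list[str]:
    """HARDENED: validate, then build an argv list to run WITHOUT a shell
    (subprocess.run(argv)), so no metacharacter is ever interpreted.
    '--' ends option parsing, so a value beginning with '-' cannot be
    smuggled in as a flag (argument injection) if validation is ever relaxed."""
    return ["ping", "-c", "1", "--", validate_target(target)]


def looks_like_injection(target: str) -> bool:
    """Detection-side companion: flag request values carrying shell metacharacters
    or more than one shell token, e.g. for a WAF rule or log triage."""
    try:
        tokens = shlex.split(target)
    except ValueError:  # unbalanced quotes are suspicious too
        return True
    return len(tokens) != 1 or any(c in target for c in ";|&`$<>(){}\n")


if __name__ == "__main__":
    hostile = "8.8.8.8; cat /etc/passwd"
    print(build_ping_vulnerable(hostile))  # two commands once a shell parses it
    print(build_ping_safe("router.example.net"))
    try:
        build_ping_safe(hostile)
    except ValueError as err:
        print(err)
```

The hardened version relies on two independent controls: the allowlist grammar rejects anything that is not a plain address or hostname, and the argv-without-shell execution means that even a value that slips past validation is still delivered as one literal argument rather than parsed as shell syntax.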

Critical Hitachi Vantara Pentaho BA Server Vulnerabilities: Authorization Bypass & Special Element Injection 

  • Affected Vendor: Hitachi Vantara​
  • Affected Product: Pentaho Business Analytics (BA) Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x.
  • CVEs:
    • CVE-2022-43939
    • CVE-2022-43769
  • Fixes: Both vulnerabilities are addressed in Pentaho BA Server versions 9.4.0.1 and 9.3.0.2. Users should upgrade to these versions or later to mitigate the risks. ​

CISA has added two critical vulnerabilities affecting Hitachi Vantara's Pentaho Business Analytics (BA) Server to its KEV catalog.

The first, CVE-2022-43939, is an authorization bypass issue arising from the use of non-canonical URL paths for authorization decisions, potentially allowing unauthorized access to protected resources.

The second, CVE-2022-43769, is a special element injection vulnerability that permits attackers to inject Spring templates into properties files, which could lead to arbitrary command execution. 

Both vulnerabilities have been actively exploited in the wild, underscoring the necessity for organizations to promptly upgrade to Pentaho BA Server versions 9.4.0.1 or 9.3.0.2 to mitigate these critical security risks.

CVE-2018-8639: Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability

  • Affected Vendor: Microsoft
  • Affected Products: 
    • Client operating systems: Windows 7, Windows 8.1 (including Windows RT 8.1), and Windows 10
    • Server operating systems: Windows Server 2008 (including R2), Windows Server 2012 (including R2), Windows Server 2016, and Windows Server 2019

CVE-2018-8639 is an elevation of privilege vulnerability in the Win32k component of Microsoft Windows, caused by Win32k failing to properly handle objects in memory. An attacker who can already run code on the system can exploit it to execute arbitrary code in kernel mode and then install programs; view, change, or delete data; or create new accounts with full user rights, leading to a complete compromise of the host.

On March 3, 2025, CISA added this vulnerability to its KEV catalog. Microsoft fixed it in the December 2018 Patch Tuesday updates, so any host that is still exploitable has been missing security updates for more than six years; such systems should be patched immediately or isolated until they can be.

CVE-2024-49035: Microsoft Partner Center Improper Access Control Vulnerability

  • Affected Vendor: Microsoft
  • Affected Product: Microsoft Partner Center (powered by the Microsoft Power Apps online service)
  • CVEs: CVE-2024-49035
  • Fixes: Microsoft has automatically deployed the fix to the Power Apps online service; no manual action is required from customers.

CVE-2024-49035 is an improper access control vulnerability in the Power Apps backend that serves Microsoft Partner Center; it allows an unauthenticated attacker to elevate privileges over the network. It was initially disclosed in November 2024 with a CVSS score of 8.7 and later re-scored to 9.8 [2]. Partner Center is the portal through which Microsoft partners administer their customers' tenants, which is why [2] frames the flaw as a route to enterprise compromise, lateral movement and privilege escalation without authentication.

CISA added the vulnerability to its KEV catalog in late February 2025 on evidence of active exploitation [2]. Because the fix was applied server-side by Microsoft, customers have nothing to patch; the remaining work is to review Partner Center access and sign-in activity for the exposure window and to keep partner accounts on strong, phishing-resistant MFA, since a compromised partner account is a supply-chain risk for every tenant it can reach.

CVE-2024-4885: Progress WhatsUp Gold Path Traversal Vulnerability

  • Affected Vendor: Progress Software
  • Affected Product: WhatsUp Gold
  • CVEs & Available Fixes: CVE-2024-4885; fixes are available in WhatsUp Gold version 2023.1.3 and later

CVE-2024-4885 is a path traversal vulnerability in Progress WhatsUp Gold that lets an unauthenticated attacker reach files outside the intended directory and achieve remote code execution, running commands with the privileges of the IIS application pool identity under which WhatsUp Gold runs [3]. With a critical CVSS score of 9.8, it gives any internet-facing WhatsUp Gold server a pre-authentication code execution path, and network monitoring servers typically hold credentials for much of the estate they monitor.

Recognizing its severity, CISA has added CVE-2024-4885 to the KEV catalog, underlining the urgency for organizations to upgrade to WhatsUp Gold version 2023.1.3 or later to mitigate risk.
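The Pentaho authorization bypass above and this WhatsUp Gold traversal are two faces of one mistake: making a security decision on a path before canonicalizing it. The following added example (not vendor code from either product) shows the vulnerable rule beside the hardened one for both cases. The protected route name, the download base directory and the inputs are assumptions constructed for the demo, and the traversal strings are generic, not the exploit payloads for either CVE.

```python
"""Canonicalize before you decide. Added example (not vendor code) of the two
bug classes in this section: authorization keyed on the raw request path
(the CVE-2022-43939 class) and file access built from a client-supplied
name (the CVE-2024-4885 class). Route name and base directory are assumed."""
import os
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/api/admin"  # assumed protected route family


def canonical_url_path(raw: str) -> str:
    """Map every spelling of a path to one string: drop the query, percent-decode
    (bounded loop, so %252e -> %2e -> . is caught), treat backslashes as slashes,
    strip ';param' path parameters, and collapse '.', '..' and repeated slashes."""
    path = raw.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath("/" + path.lstrip("/"))


def requires_admin_naive(raw: str) -> bool:
    """VULNERABLE rule: compares the path exactly as the client wrote it."""
    return raw.startswith(PROTECTED_PREFIX + "/")


def requires_admin_canonical(raw: str) -> bool:
    """HARDENED rule: compares the canonical path, so every alias is covered."""
    path = canonical_url_path(raw)
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve a client-supplied file name under base_dir and refuse anything
    that escapes it. The check runs on the fully resolved absolute path, so
    encoded dots, backslashes and symlinks cannot move the target outside."""
    base = os.path.realpath(base_dir)
    rel = unquote(unquote(user_path)).replace("\\", "/").lstrip("/")
    target = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path traversal rejected: {user_path!r}")
    return target


def is_traversal(base_dir: str, user_path: str) -> bool:
    """True when safe_join would refuse the request (handy for tests and log triage)."""
    try:
        safe_join(base_dir, user_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for alias in ("/api/%61dmin/users", "/api/public/../admin/users",
                  "/api/admin;jsessionid=x/users"):
        print(f"{alias:40} naive={requires_admin_naive(alias)} "
              f"canonical={requires_admin_canonical(alias)}")
    for name in ("reports/q1.csv", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{name:40} traversal={is_traversal('/srv/downloads', name)}")
```

Two design choices matter here. The authorization check compares canonical strings rather than raw ones, so percent-encoding, dot segments and path parameters no longer create aliases of a protected route that the rule does not recognise. The file check uses os.path.commonpath on resolved paths instead of a string prefix test, which also closes the classic "/srv/downloads_old" sibling-directory mistake that a startswith check would accept.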

Recent Malware Attacks in February 2025

In February 2025, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a list of notable active malware incidents for the month.

Auto-color: Stealthy Linux Backdoor Threatens US and Asian Institutions

  • Victim Location: North America and Asia
  • Sectors: Educational institutions and government entities
  • Threat Actor: Unattributed advanced threat group (APT/cybercriminal)
  • Actor Motivations: Espionage, intelligence gathering, and maintaining persistent control over targeted systems
  • Malware: Auto-color Linux backdoor, libcext.so.2

Auto-color is a newly discovered Linux backdoor malware targeting educational institutions and government entities in North America and Asia. Researchers at Palo Alto Networks Unit 42 found it active between November and December 2024. 

The malware uses deceptive file names, samples of identical size but differing hashes, and layered evasion techniques to avoid detection. It installs a malicious shared library that mimics a legitimate system library and registers it in /etc/ld.so.preload, so the dynamic loader injects it into every new dynamically linked process and it can hook core libc functions. Auto-color hides its network activity by intercepting reads of /proc/net/tcp and filtering out its own connections, and it protects its command-and-control traffic with a custom stream cipher. Because ld.so.preload injection reaches every process on the host, an unexpected entry in that file is a high-value detection signal on Linux systems.
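A practical check for the persistence mechanism just described is to audit /etc/ld.so.preload itself. The following is an added example, not Unit 42 tooling: it parses the file's format, flags entries outside the usual library directories or wearing a libc-family name, and can optionally inspect the listed files on disk. The trusted directory list, the lookalike pattern and the sample file contents are assumptions constructed for the demo.

```python
"""Audit /etc/ld.so.preload for Auto-color-style implants. Added example, not
Unit 42 tooling; the trusted directories, the libc-lookalike pattern and the
sample file contents below are assumptions constructed for the demo."""
import os
import re

# Directories where a deliberately preloaded library would normally live (assumed).
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
# Names in the libc family (libc.so.*, libcext.so.*): libc itself is never
# preloaded, so a preload entry wearing such a name is a lookalike.
LIBC_LOOKALIKE = re.compile(r"^libc(ext)?\.so(\.\d+)*$")

# Constructed sample of a tampered preload file (not taken from a real host).
SAMPLE_PRELOAD = """# constructed sample
/lib/x86_64-linux-gnu/libcext.so.2
/tmp/.cache/libhelper.so
"""


def parse_preload(text: str) -> list[str]:
    """ld.so.preload holds library paths separated by whitespace or ':'; '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries


def audit_preload(text: str, trusted_dirs=TRUSTED_DIRS, check_disk=False) -> list[tuple[str, str]]:
    """Return (entry, reasons) pairs. On a host that does not intentionally
    preload libraries, ANY entry is a finding; the reasons rank how bad it looks.
    check_disk=True additionally inspects the listed file on this machine."""
    findings = []
    for entry in parse_preload(text):
        reasons = []
        if not entry.startswith("/"):
            reasons.append("relative path, resolved per process by the loader")
        elif not any(entry.startswith(d + "/") for d in trusted_dirs):
            reasons.append("outside trusted library directories")
        if LIBC_LOOKALIKE.match(os.path.basename(entry)):
            reasons.append("libc-lookalike name")
        if check_disk:
            if not os.path.exists(entry):
                reasons.append("listed file missing")
            else:
                st = os.stat(entry)
                if st.st_uid != 0:
                    reasons.append(f"owned by uid {st.st_uid}, not root")
                if st.st_mode & 0o002:
                    reasons.append("world-writable")
        if not reasons:
            reasons.append("preload entry present; confirm it is intentional")
        findings.append((entry, "; ".join(reasons)))
    return findings


def audit_host(path="/etc/ld.so.preload") -> list[tuple[str, str]]:
    """Run the audit against the live file; an absent file is the clean state."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_preload(fh.read(), check_disk=True)


if __name__ == "__main__":
    for entry, why in audit_preload(SAMPLE_PRELOAD) + audit_host():
        print(f"{entry}: {why}")
```

One caveat when using this on a suspect machine: a preloaded library hooks the very libc calls this script uses to read the file, so a rootkit can hide its own ld.so.preload entry from any dynamically linked program. Run the check from a statically linked binary, a live-boot environment, or against the disk image offline, and treat a disagreement between those views and the running system as a finding in itself.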

Silver Fox APT Is Spreading ValleyRAT Backdoor in a Trojanized Medical Imaging Software

  • Victim Location: United States and Canada
  • Sectors: Healthcare (with potential spillover to government and other sectors)
  • Threat Actor: Chinese APT group Silver Fox
  • Actor Motivations: Espionage, data exfiltration, and financial gain through persistent access and monetization
  • Malware: ValleyRAT backdoor (disguised within trojanized Philips DICOM viewer), accompanied by keylogging and cryptomining components

Silver Fox APT, a Chinese threat group, has been distributing the ValleyRAT backdoor through trojanized copies of medical imaging software [4].

In this campaign the attackers trojanize the Philips DICOM viewer executable, which serves as the initial payload. When run, it uses Windows commands and PowerShell scripts to check internet connectivity and to disable Windows Defender, then downloads encrypted components, disguised as image files, from an Alibaba Cloud storage bucket. Once decrypted, these components assemble a second-stage executable that installs ValleyRAT, a remote access tool that gives the attackers control of the infected system. The campaign also deploys a keylogger and a cryptominer, which makes it particularly dangerous for healthcare organizations, where imaging workstations often sit inside clinical networks.
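The Defender-tampering and connectivity-check stage above is the part of this chain that leaves the clearest host telemetry. As an added example, not a vendor signature and not code from the campaign, here is detection logic run over constructed PowerShell script-block (4104) and process-creation (4688) log lines, including the case where the command arrives base64-encoded via -EncodedCommand and must be decoded before any rule can see it. The log lines, host name and rule names are made up for the demo.

```python
"""Detection logic for the Defender-tampering and connectivity-probe stage,
run over constructed PowerShell log lines. Added example; the log lines are
made up and the rule names are the author's, not a vendor signature."""
import base64
import re
from typing import List, Optional, Tuple

RULES = {
    "defender_realtime_off": re.compile(
        r"Set-MpPreference\b[^\n]*-DisableRealtimeMonitoring\s+\$?true", re.I),
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b[^\n]*-Exclusion(Path|Process|Extension)", re.I),
    "defender_service_stop": re.compile(
        r"(Stop-Service|sc(\.exe)?\s+stop)\s+\S*WinDefend", re.I),
    "connectivity_probe": re.compile(
        r"\b(Test-Connection|Test-NetConnection|ping(\.exe)?\s+-n)\b", re.I),
}
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_for_powershell(command: str) -> str:
    """What an attacker does: -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(line: str) -> Optional[str]:
    """Recover the plaintext behind -EncodedCommand so the rules see the real
    command. Returns None when the line carries no decodable payload."""
    m = ENCODED.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def scan_line(line: str) -> List[str]:
    """Rule names that fire on the line itself plus, tagged '(decoded)', on its payload."""
    hits = [name for name, rx in RULES.items() if rx.search(line)]
    decoded = decode_encoded_command(line)
    if decoded is not None:
        hits += [f"{name} (decoded)" for name, rx in RULES.items() if rx.search(decoded)]
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(index, hits) for every line that triggers at least one rule."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample: 4104 script-block and 4688 process-creation records as a
# SIEM might flatten them. Not real telemetry; the host name is invented.
_ENC = encode_for_powershell(r"Add-MpPreference -ExclusionPath C:\ProgramData\viewer")
SAMPLE_LOG = [
    "2025-02-20T10:01:02Z host=IMG-WS01 id=4104 ScriptBlockText='Test-Connection 8.8.8.8 -Count 1 -Quiet'",
    "2025-02-20T10:01:03Z host=IMG-WS01 id=4104 ScriptBlockText='Set-MpPreference -DisableRealtimeMonitoring $true'",
    "2025-02-20T10:01:04Z host=IMG-WS01 id=4688 CommandLine='powershell.exe -nop -w hidden -enc " + _ENC + "'",
    "2025-02-20T10:05:00Z host=IMG-WS01 id=4104 ScriptBlockText='Get-Process | Select-Object -First 5'",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(hits)}")
```

The individual rules are deliberately narrow; the value is in correlation. A connectivity probe followed within seconds by a Defender change on the same host, especially from a process whose parent is a freshly installed viewer application, is a far stronger signal than either event alone, and the decoded-command path is what keeps a simple -enc wrapper from hiding the second event.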

References

[1] S. Özeren, “Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024,” Feb. 14, 2025. Available: https://www.picussecurity.com/resource/blog/qilin-ransomware. [Accessed: Mar. 05, 2025]

[2] G. Swain, “Critical Microsoft Partner Center vulnerability under attack, CISA warns,” CSO Online, Feb. 27, 2025. Available: https://www.csoonline.com/article/3834674/critical-microsoft-partner-center-vulnerability-under-attack-cisa-warns.html. [Accessed: Mar. 05, 2025]

[3] Divya, "Progress WhatsUp Gold Path Traversal Vulnerability Exposes Systems to Remote Code Execution," GBHackers Security, Mar. 04, 2025. Available: https://gbhackers.com/progress-whatsup-gold-path-traversal-vulnerability/. [Accessed: Mar. 05, 2025]

[4] D. Ahmed, "Silver Fox APT Hides ValleyRAT in Trojanized Medical Imaging Software," Hackread, Feb. 25, 2025. Available: https://hackread.com/silver-fox-apt-valleyrat-trojanized-medical-imaging-software/. [Accessed: Mar. 05, 2025]
