February 24, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 - Intro and Situational Awareness
KTA080 (CL0P) Update
CL0P has again updated their data leak site with a new list of redacted victim organizations possibly linked to the Cleo vulnerability. The list contains company names beginning with the letters E-H. This follows the pattern the group has established: releasing redacted names first, then slowly revealing the actual entity and publishing the data associated with it if the victim organization has not reached out to CL0P.
CISA Adds PAN-OS and SonicWall Vulnerabilities to Known Exploited Vulnerability Catalogue
CISA has added two vulnerabilities in common network appliances to its Known Exploited Vulnerabilities catalogue. The two vulnerabilities affect Palo Alto Networks PAN-OS and SonicWall software and were disclosed earlier this month.
Attackers Steal Record $1.46 billion From Bybit ETH Cold Wallet
On 21st February 2025, cryptocurrency exchange Bybit disclosed the theft of more than $1.46 billion worth of cryptocurrency from one of its cold wallets in the largest cryptocurrency hack ever, almost doubling the $620 million stolen from Sky Mavis in March 2022.
4:10 [CAMPAIGN] KTAC008 Uses Device Code Phishing to Bypass MFA, Stealing Data
Key Takeaways
- Recent reporting from Volexity and Microsoft highlights a new campaign of device code phishing.
- Attacks have been conducted by a threat cluster whose activity is consistent with Russian state-aligned goals.
- Device code phishing is not a new technique, and Kroll has robust detections to discover abuse of device code authentication flows on the Microsoft stack.
8:03 [MALWARE] FINALDRAFT AND PATHLOADER Campaign
Key Takeaways
- Elastic has identified several previously unknown malware families, including FINALDRAFT, GUIDLOADER and PATHLOADER.
- FINALDRAFT was identified in both Windows and Linux environments, indicating extensive development efforts.
- The malware leverages Microsoft's Graph API for command and control (C2) communications, blending malicious traffic with legitimate network activity.
- Despite sophisticated malware engineering, the attackers exhibited poor operational security, exposing additional infrastructure and pre-production samples.
10:35 [VULNERABILITY] whoAMI: A Cloud Image Name Confusion Attack
- Researchers identified a pattern in the way multiple software projects retrieve Amazon Machine Image (AMI) IDs to create EC2 instances, and how it could be exploited.
- Failure to specify the owner, owner-alias, or owner-id parameters allows anyone who publishes an AMI with a specially crafted name to gain code execution within vulnerable AWS accounts.
- The vulnerable pattern was found in a host of private and open-source code repositories, with an estimated one percent of organizations using AWS vulnerable to this attack.
- Internal non-production AWS systems were vulnerable to this attack, which would have allowed an attacker to execute code within them.
- AWS has introduced an “Allowed AMIs” feature to create an allow list of AWS accounts trusted as AMI providers, preventing this attack.
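To make the whoAMI pattern concrete, here is an added example (not code from the briefing or from the researchers) that mimics the "newest AMI whose name matches a glob" lookup many projects build on ec2.describe_images(), side by side with the owner-filtered form that closes the hole. The image records, account IDs and names are constructed placeholders, and boto3 is not called, so it runs offline.

```python
"""whoAMI name-confusion lookup: vulnerable selection beside the fixed one.

Assumptions: the image dicts below imitate the "Images" entries returned by
ec2.describe_images(); every ID and name is a constructed placeholder.
"""
from fnmatch import fnmatchcase

SAMPLE_IMAGES = [
    {   # Image from the account the project actually intends to use (placeholder ID).
        "ImageId": "ami-0000000000000001", "OwnerId": "000000000000",
        "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240301",
        "CreationDate": "2024-03-01T00:00:00.000Z",
    },
    {   # Public image from an unrelated account (placeholder ID) whose name matches
        # the same glob and carries a newer date suffix, so it sorts first.
        "ImageId": "ami-0000000000000002", "OwnerId": "111111111111",
        "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20251231",
        "CreationDate": "2025-12-31T00:00:00.000Z",
    },
]
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"
TRUSTED_OWNERS = ["000000000000"]


def pick_latest_ami(images, name_pattern, owners=None):
    """Return the newest image whose Name matches name_pattern, or None.

    owners=None reproduces the vulnerable pattern (a describe_images call with
    only a name Filter). Passing the trusted account list corresponds to
    describe_images(Owners=[...]) and is the fix.
    """
    candidates = [img for img in images if fnmatchcase(img["Name"], name_pattern)]
    if owners is not None:
        candidates = [img for img in candidates if img["OwnerId"] in owners]
    if not candidates:
        return None
    return max(candidates, key=lambda img: img["CreationDate"])


def lookup_is_confusable(images, name_pattern, owners):
    """Audit check: True when the unfiltered lookup resolves to an image that an
    owner-filtered lookup would reject, i.e. the name pattern alone is not safe."""
    unfiltered = pick_latest_ami(images, name_pattern)
    return unfiltered is not None and unfiltered["OwnerId"] not in owners


if __name__ == "__main__":
    print("name-only lookup  ->", pick_latest_ami(SAMPLE_IMAGES, NAME_PATTERN)["ImageId"])
    print("owner-filtered    ->", pick_latest_ami(SAMPLE_IMAGES, NAME_PATTERN, TRUSTED_OWNERS)["ImageId"])
    print("confusable:", lookup_is_confusable(SAMPLE_IMAGES, NAME_PATTERN, TRUSTED_OWNERS))
```

Running lookup_is_confusable over each name pattern an infrastructure repository uses is a quick way to find the lookups that still need an owner filter.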
Ransomware Roundup
15:09 - BLACKBASTA Chat Logs Leaked
Researchers identified leaked chat logs between BLACKBASTA group members spanning from September 18, 2023, to September 28, 2024. The leak was initially posted on the file sharing site MEGA and is now accessible via Telegram.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q2 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q2-2024-threat-landscape-report-threat-actors-ransomware-cloud-risks-accelerate
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats