Weekly Cyber Reports

This Week in Cyber 7th March 2025

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

7th March, 2025



Analyst Insight


This week in cyber, we see continued reports of ransomware gangs targeting large organisations and demanding high ransom payments, with the growing Qilin ransomware gang threatening to leak 350GB of stolen data from a large newspaper publishing company. We have also seen the Silk Typhoon threat actor group targeting IT supply chains, exploiting RMM and cloud-based solutions to elevate privileges and conduct espionage. ISPs were targeted by a large-scale campaign delivering infostealers to compromised machines, and threat actors abused AWS misconfigurations to launch phishing campaigns. Three actively exploited VMware ESX vulnerabilities were also promptly patched by Broadcom this week, highlighting the importance of vulnerability management across all systems within an organisation.


Lee Enterprises Ransomware Attack Claimed by Qilin Ransomware Group


On February 3rd, the newspaper publishing giant Lee Enterprises experienced a ransomware attack, leading to major disruptions in its internal systems, cloud storage, and corporate VPNs. This follows a disclosure to the U.S. Securities and Exchange Commission that the company had suffered a cyberattack. This week, the Qilin ransomware gang claimed responsibility for the attack on Lee Enterprises and threatened to release the stolen data on March 5th unless the requested ransom was paid. According to BleepingComputer, the threat actors claimed to have stolen 120,000 files totalling 350GB. It is currently unclear whether the leak has occurred.


Broadcom Fixes Three VMware Zero-Day Vulnerabilities Exploited in Attacks


Three actively exploited zero-days affecting multiple VMware ESX products, including VMware ESXi, vSphere, Workstation and Fusion, were disclosed this week by Broadcom. Identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, these vulnerabilities allow attackers to execute code, perform arbitrary kernel writes, and leak sensitive memory. An attacker with local administrator access inside a virtual machine can chain them to break out of the virtual machine's sandbox, potentially gaining control over the host system.


IT Supply Chains Targeted in Silk Typhoon Espionage Campaigns


The state-sponsored threat actor group "Silk Typhoon," known for hacking the U.S. Office of Foreign Assets Control (OFAC) in early December 2024, has recently been targeting organisations through remote monitoring and management (RMM) tools and cloud services in supply chain attacks. According to a report by Microsoft Threat Intelligence, Silk Typhoon exploits unpatched applications to elevate its access within targeted organisations and conduct further malicious activity. After compromising a network, the group uses stolen credentials to gain higher privileges by leveraging various applications within the network, successfully achieving its espionage objectives.


ISPs Targeted in Global Infostealer Attacks


Internet Service Providers across the globe have become the targets of a large-scale campaign that seeks to deploy information stealers and cryptocurrency miners on compromised hosts. The Splunk Threat Research Team, which identified the activity, has stated that various binaries are delivered to enable data exfiltration and establish persistence. The stealer malware has clipper-like behaviour, searching clipboard content for wallet addresses of major cryptocurrencies. The crypto-miner launches a payload that turns off security products and disables services that may be associated with cryptominer detection. It also deploys seven executables via PowerShell that perform further network scanning and information theft, and ensure that the XMRig cryptocurrency miner is properly installed on the victim host.
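The behaviours described above (a PowerShell parent dropping several executables in quick succession, service and security-tooling tamper commands, and XMRig indicators) are the kind of thing a detection engineer would want to catch in process-creation telemetry. The following is an added example, not code from the original post or from the Splunk research: it runs a small detection pass over constructed log lines in a hypothetical `timestamp|host|parent|image|commandline` layout, not any specific product's format, and the sample hosts, image names and commands are all made up for the example.

```python
"""
Added example (not from the original post): flag hosts whose process-creation
events show the cryptominer behaviours described in the write-up.
The log lines, hosts and image names below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: timestamp|host|parent image|image|command line
SAMPLE_LOG = """\
2025-03-04T09:00:01Z|edge-01|explorer.exe|powershell.exe|powershell -nop -w hidden -enc AAAA
2025-03-04T09:00:03Z|edge-01|powershell.exe|svc_update.exe|svc_update.exe
2025-03-04T09:00:04Z|edge-01|powershell.exe|scanner.exe|scanner.exe 10.0.0.0/16
2025-03-04T09:00:05Z|edge-01|powershell.exe|sc.exe|sc stop SecurityHealthService
2025-03-04T09:00:06Z|edge-01|powershell.exe|powershell.exe|Set-MpPreference -DisableRealtimeMonitoring $true
2025-03-04T09:00:07Z|edge-01|powershell.exe|helper.exe|helper.exe --config
2025-03-04T09:00:09Z|edge-01|powershell.exe|xmrig.exe|xmrig.exe -o pool.example:3333
2025-03-04T09:30:00Z|ws-07|explorer.exe|powershell.exe|powershell Get-Process
2025-03-04T09:30:02Z|ws-07|powershell.exe|notepad.exe|notepad.exe
"""

# Command-line patterns for stopping services or disabling security tooling.
TAMPER_PATTERNS = [
    re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\b", re.I),
    re.compile(r"\bnet1?\s+stop\b", re.I),
    re.compile(r"\bStop-Service\b", re.I),
    re.compile(r"\bSet-MpPreference\b.*-Disable", re.I),
    re.compile(r"\btaskkill\b", re.I),
]
# Well-known miner indicators (binary name, stratum mining protocol scheme).
MINER_PATTERN = re.compile(r"xmrig|stratum\+tcp://", re.I)


def parse_events(text):
    """Parse the pipe-delimited sample format into event dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "parent": parent.lower(),
            "image": image.lower(),
            "cmd": cmd,
        })
    return events


def classify_event(event):
    """Return the indicator tags that apply to a single event."""
    tags = []
    if any(p.search(event["cmd"]) for p in TAMPER_PATTERNS):
        tags.append("service_tamper")
    if MINER_PATTERN.search(event["cmd"]) or MINER_PATTERN.search(event["image"]):
        tags.append("miner_indicator")
    return tags


def powershell_fanout(events, window=timedelta(seconds=60), threshold=4):
    """Hosts where powershell.exe spawned >= threshold distinct images within window.

    Returns {host: distinct_child_count} for the first window that crosses the threshold.
    """
    by_host = defaultdict(list)
    for e in events:
        if e["parent"] == "powershell.exe":
            by_host[e["host"]].append(e)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            images = {x["image"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(images) >= threshold:
                flagged[host] = len(images)
                break
    return flagged


def analyse(text):
    """Combine per-event tags and the fan-out heuristic into per-host findings."""
    events = parse_events(text)
    findings = defaultdict(set)
    for e in events:
        for tag in classify_event(e):
            findings[e["host"]].add(tag)
    for host in powershell_fanout(events):
        findings[host].add("powershell_fanout")
    return {host: sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in analyse(SAMPLE_LOG).items():
        print(host, tags)
```

Only `edge-01` is reported: it trips all three heuristics, while `ws-07` has a single benign child process under PowerShell and no tamper or miner indicators. In production the fan-out threshold and the tamper patterns would be tuned against the environment's own baseline of administrative scripting.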


AWS Misconfigurations Lead to SES and WorkMail Phishing Attacks


Threat actors are currently targeting Amazon Web Services in an attempt to launch phishing campaigns against unsuspecting targets. Palo Alto Networks Unit 42, credited with the discovery, has identified the threat actor as 'TGR-UNK-0011' and stated that the group has notable overlaps with JavaGhost and has been active since 2019. The group was historically known for defacing websites but, according to Margaret Kelley, "In 2022, they pivoted to sending out phishing emails for financial gain." These attacks do not exploit a vulnerability in AWS; instead, they leverage misconfigurations in victims' environments that expose AWS access keys. This then enables them to send phishing messages by abusing Amazon Simple Email Service (SES) and WorkMail. Through this the group is able to avoid running its own infrastructure, making its activity harder to track and reducing its operating costs. Over time the group has become more sophisticated, with a recent significant advancement in its defence evasion techniques that allows it to obfuscate identities in CloudTrail logs, a tactic previously used by Scattered Spider.
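Because this activity abuses legitimate AWS APIs with exposed long-lived access keys, CloudTrail is the natural place to look for it: SES and WorkMail calls made with a user access key rather than a temporary role credential are worth triaging. The following is an added example, not code from the original post or from Unit 42: it scans a handful of constructed CloudTrail records (field names follow the CloudTrail record format; the account, key IDs, user names and IP addresses are made up) and summarises mail-service use per long-lived key.

```python
"""
Added example (not from the original post): surface SES/WorkMail API activity
performed with long-lived IAM user access keys in CloudTrail records.
The records below are constructed for this example; field names follow the
CloudTrail event format, but every value is made up.
"""
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields this check uses.
SAMPLE_EVENTS = [
    {"eventTime": "2025-03-04T10:02:11Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendEmail", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "marketing-app",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2025-03-04T10:02:12Z", "eventSource": "ses.amazonaws.com",
     "eventName": "SendRawEmail", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "marketing-app",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2025-03-04T10:05:40Z", "eventSource": "workmail.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "marketing-app",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2025-03-04T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app/i-example",
                      "accessKeyId": "ASIAEXAMPLETEMP00001"}},
]

# Event sources for the mail services named in the write-up.
MAIL_SOURCES = {"ses.amazonaws.com", "workmail.amazonaws.com",
                "workmailmessageflow.amazonaws.com"}
# SES API calls that actually emit mail.
SEND_EVENTS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail", "SendBulkTemplatedEmail"}


def is_long_lived_key(event):
    """True when the call used an IAM user access key (AKIA...) rather than
    a temporary STS credential (ASIA...)."""
    key = event.get("userIdentity", {}).get("accessKeyId", "")
    return key.startswith("AKIA")


def suspicious_mail_events(events):
    """Events that touch SES or WorkMail using a long-lived key."""
    return [e for e in events
            if e.get("eventSource") in MAIL_SOURCES and is_long_lived_key(e)]


def summarise_by_key(events):
    """Per access key: number of send calls, total mail-service actions, and
    the source IPs seen, for analyst triage."""
    summary = defaultdict(lambda: {"sends": 0, "actions": 0, "sources": set()})
    for e in suspicious_mail_events(events):
        key = e["userIdentity"]["accessKeyId"]
        summary[key]["actions"] += 1
        summary[key]["sources"].add(e.get("sourceIPAddress"))
        if e.get("eventName") in SEND_EVENTS:
            summary[key]["sends"] += 1
    return {k: {"sends": v["sends"], "actions": v["actions"],
                "sources": sorted(v["sources"])}
            for k, v in summary.items()}


if __name__ == "__main__":
    for key, stats in summarise_by_key(SAMPLE_EVENTS).items():
        print(key, stats)
```

The S3 call made with a temporary `ASIA` credential is ignored; the three mail-service calls made with the `AKIA` key are grouped together with their source IP, which is the first thing an analyst would compare against the owning application's expected egress addresses before deciding whether the key has leaked.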
