February 18, 2025 Cyber Threat Intelligence Briefing


Feb 18, 2025


This week’s briefing covers:

00:00 - Intro and Situational Awareness

CL0P Update
CL0P updated its data leak site with a new victim list of approximately 43 organizations. These are likely drawn from the previously redacted list of company names beginning with C through E and are possibly associated with the Cleo zero-day vulnerability.

U.S. Sanctions LOCKBIT’s Bulletproof Hosting (BPH) Provider
The U.S., together with Australia and the UK, has sanctioned the bulletproof hosting provider Zservers. Zservers is a Russia-based provider that was essential in supplying the attack infrastructure LOCKBIT used for its operations.

Ransomware Payments Dropped in 2024
According to Chainalysis, ransomware payments fell 35% in 2024 compared to 2023.

2:23 – [PATCHING] Microsoft Patch Tuesday Addresses 66 Issues, 2 Zero-Days
Microsoft has fixed 66 vulnerabilities in February’s patch cycle and Microsoft Edge releases.

3:56 – [CAMPAIGN] KTA029 (AKA Sandworm) Distributing Malware via KMS
Key Takeaways

  • KTA029 infecting pirated Microsoft software with malware
  • Campaign deploys BACKORDER and DCRAT
  • BACKORDER adds folders to Microsoft Defender’s exclusion lists
  • KTA029 used scheduled tasks for persistence
  • A new backdoor that creates a Tor service has also been deployed
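The three host-side behaviours listed above (Defender exclusion changes, scheduled-task persistence, a Tor service) each leave artefacts a defender can audit. The read-only PowerShell audit below is an added example for this briefing, not Kroll's tooling or part of the original page; the 14-day window and the path and name patterns it matches on are assumptions chosen for illustration.

```powershell
# Added example (not from the Kroll briefing): read-only audit of the KTA029
# behaviours described above. Run in an elevated PowerShell session on the host.
$RecentDays = 14                                  # assumption: review window
$Since = (Get-Date).AddDays(-$RecentDays)

# 1. Defender exclusions. BACKORDER is reported to add folders here; on a
#    managed workstation these lists are normally empty or set only by policy.
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionProcess   = $pref.ExclusionProcess
    ExclusionExtension = $pref.ExclusionExtension
} | Format-List

#    Event ID 5007 records every Defender configuration change, so recent
#    exclusion additions show up here even if they were later removed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message

# 2. Scheduled-task persistence: non-Microsoft tasks whose action launches
#    something from a user-writable location (pattern is an assumption).
$suspectPath = '(?i)\\(AppData|Temp|ProgramData|Public|Downloads)\\'
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $suspectPath) {
                [PSCustomObject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Author  = $task.Author
                    Command = $cmd
                    LastRun = $info.LastRunTime
                }
            }
        }
    } | Format-Table -AutoSize

# 3. Services that start a Tor client: match the binary name or the usual
#    Tor command-line options in the service image path.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match '(?i)\btor(\.exe)?\b|SocksPort|ControlPort|torrc' } |
    Select-Object Name, State, StartMode, PathName
```

Any hit is a lead to triage, not a verdict: legitimate software also registers tasks under ProgramData and some administrators add Defender exclusions by hand, so compare findings against the host's known baseline.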

Ransomware Roundup

6:02 – PHOBOS Ransomware Arrests and 8BASE Site Seized
A coordinated global law enforcement operation dubbed "Phobos Aetor" led to the arrest of four members of the Phobos ransomware group in Thailand. These individuals are believed to have extorted around $16 million in Bitcoin from over 1,000 victims worldwide.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q2 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q2-2024-threat-landscape-report-threat-actors-ransomware-cloud-risks-accelerate

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
