Weekly Cybersecurity Threat Advisory


Threat Landscape Summary (April 28 – May 5, 2025)

1. Report Overview

The global cybersecurity environment exhibited increased threat activity during the reporting period, driven by a surge in ransomware attacks, active exploitation of critical vulnerabilities, third-party supply chain risks, and emerging AI-enhanced threats. Healthcare, finance, government, and critical infrastructure sectors were significantly affected. Threat actors demonstrated evolving tactics including credential abuse, sophisticated phishing campaigns, Linux-targeted malware, and data exfiltration through compromised vendors. This report details the week’s key incidents, vulnerabilities, threat actor behaviors, malware trends, and provides actionable recommendations for defense enhancement.

2. Top 5 Security Incidents

Date   | Organization              | Threat      | Sector     | Impact
-------|---------------------------|-------------|------------|------------------------------------------
Apr 30 | Yale New Haven Health     | Data Breach | Healthcare | 5.5M individuals’ data compromised
May 02 | VeriSource Services       | Data Breach | Services   | 4M individuals’ data exposed
May 01 | Blue Shield of California | Data Breach | Healthcare | 4.7M members affected
Apr 29 | Hertz                     | Data Breach | Travel     | 1M+ customers notified
May 03 | Marks & Spencer           | Ransomware  | Retail     | Disrupted deliveries, online transactions

Other notable incidents:

  • Hitachi Vantara: Ransomware attack by the Akira group
  • Epicenter K (Ukraine): Cyberattack disrupting operations
  • Doctor’s Hospital (Cayman Islands): Systems crippled by cyberattack
  • PJM Interconnection LLC: Breach claimed by threat actor “l33tfg”
  • U.S. Cyber Command: Chinese malware discovered in Latin American networks

3. New Critical Vulnerabilities (CVEs)

CVE ID         | Severity | Product                               | Exploited? | Action Needed
---------------|----------|---------------------------------------|------------|------------------
CVE-2025-29824 | Critical | Windows Common Log File System Driver | Yes        | Patch Immediately
CVE-2025-22457 | Critical | Ivanti Connect Secure                 | Yes        | Patch Immediately
CVE-2025-24813 | Critical | Apache Tomcat                         | Yes        | Patch Immediately
CVE-2025-32432 | Critical | Craft CMS                             | Yes        | Patch Immediately
CVE-2025-1976  | Critical | Broadcom Brocade Fabric OS            | Yes        | Patch Immediately
CVE-2025-42599 | Critical | Qualitia Active! Mail                 | Yes        | Patch Immediately
CVE-2025-3928  | Critical | Commvault Web Server                  | Yes        | Patch Immediately
CVE-2025-31324 | Critical | SAP NetWeaver                         | Yes        | Patch Immediately

Vendor Updates:

  • Microsoft: 121 vulnerabilities patched in April, including 1 zero-day and 11 critical flaws
  • Apple: “AirBorne” vulnerabilities affecting macOS, iOS, tvOS, iPadOS, and visionOS
  • Multiple critical RCE vulnerabilities in Windows LDAP, RDP, TCP/IP, and Hyper-V
  • Critical RCE flaws in Microsoft Office products

4. Malware Spotlight

  • FOG Ransomware:
    • Exploits compromised SonicWall VPN credentials
    • Uses publicly available tools for attack stages
    • Shows operational connections to Akira ransomware
  • Gunra Ransomware:
    • New strain targeting Windows systems
    • Appends “.ENCRT” extension to encrypted files
    • Employs anti-analysis techniques
    • Attempts to delete Volume Shadow Copies
  • Brain Cipher Ransomware:
    • Uses double-extortion model
    • Employs AES-256 and RSA-2048 encryption
    • Targets critical infrastructure sectors
  • Crocodilus:
    • New Android banking trojan
    • Targets cryptocurrency wallets
    • Uses deceptive overlays to steal seed phrases
    • Includes extensive RAT capabilities
  • Other Active Malware:
    • TRAILBLAZE and BRUSHFIRE (deployed by UNC5221)
    • Akira, RansomHub, and Cl0p ransomware
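Two of the Gunra behaviours listed above, the attempt to delete Volume Shadow Copies and the “.ENCRT” extension appended to encrypted files, are directly observable on an endpoint and make good SOC detections. The Python below is an added example, not code from this advisory or from Meraal Cyber Security: it scans a constructed, simplified process/file-event feed (the sample events are made up for the example), and the vssadmin/wmic command forms it matches are common shadow-copy deletion methods assumed here, not taken from the advisory.

```python
"""Detection sketch for the Gunra-style behaviours in the Malware Spotlight:
shadow-copy deletion followed by mass renames to the ".ENCRT" extension.

Added illustration only. The event tuples below are constructed sample data;
the vssadmin/wmic patterns are assumed common shadow-copy deletion commands
(MITRE ATT&CK T1490 "Inhibit System Recovery"), not taken from the advisory.
"""
import re
from collections import defaultdict

# Constructed sample events: (host, event_type, detail)
SAMPLE_EVENTS = [
    ("WS01", "process",     r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "file_rename", r"C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.ENCRT"),
    ("WS01", "file_rename", r"C:\Users\alice\Documents\plan.docx -> C:\Users\alice\Documents\plan.docx.ENCRT"),
    ("WS01", "file_rename", r"C:\Users\alice\Pictures\team photo.jpg -> C:\Users\alice\Pictures\team photo.jpg.ENCRT"),
    ("WS02", "process",     r"C:\Windows\System32\vssadmin.exe list shadows"),          # benign admin use
    ("WS02", "file_rename", r"C:\Temp\report.tmp -> C:\Temp\report.pdf"),                 # benign rename
]

# Command-line forms commonly used to remove shadow copies (assumed, see docstring)
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
# A rename whose destination ends in the Gunra extension from the advisory
ENCRT_RENAME = re.compile(r"->\s*.+\.ENCRT\s*$", re.I)

# Minimum number of .ENCRT renames on one host before alerting on the extension alone
RENAME_THRESHOLD = 3


def classify_event(event_type, detail):
    """Tag a single event, or return None when it matches nothing of interest."""
    if event_type == "process" and any(p.search(detail) for p in SHADOW_DELETE_PATTERNS):
        return "shadow_copy_deletion"
    if event_type == "file_rename" and ENCRT_RENAME.search(detail):
        return "encrt_rename"
    return None


def detect(events, rename_threshold=RENAME_THRESHOLD):
    """Aggregate tagged events per host and return {host: [alert, ...]}.

    Hosts with neither behaviour are omitted, so a benign 'vssadmin list
    shadows' or an ordinary rename produces no entry.
    """
    per_host = defaultdict(lambda: {"shadow_copy_deletion": 0, "encrt_rename": 0})
    for host, event_type, detail in events:
        tag = classify_event(event_type, detail)
        if tag:
            per_host[host][tag] += 1

    alerts = {}
    for host, counts in per_host.items():
        host_alerts = []
        if counts["shadow_copy_deletion"]:
            host_alerts.append("shadow copy deletion attempt (inhibit-recovery behaviour)")
        if counts["encrt_rename"] >= rename_threshold:
            host_alerts.append(f"{counts['encrt_rename']} files renamed to .ENCRT (Gunra-style extension)")
        # Both behaviours together are a much stronger signal than either alone
        if counts["shadow_copy_deletion"] and counts["encrt_rename"]:
            host_alerts.append("HIGH: shadow copy deletion and .ENCRT renames on the same host")
        if host_alerts:
            alerts[host] = host_alerts
    return alerts


if __name__ == "__main__":
    for host, host_alerts in detect(SAMPLE_EVENTS).items():
        for alert in host_alerts:
            print(f"[{host}] {alert}")
```

In production the same logic would be fed by Sysmon or EDR process-creation and file-rename events rather than tuples; the rename threshold keeps a single odd file name from paging anyone, while the combined rule escalates the pairing that the advisory describes.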

5. Threat Actor Activity Highlights

  • Ransomware Groups:
    • RansomHub: Most active during the reporting period
    • Cl0p: Significant resurgence, exploiting Cleo file transfer vulnerabilities
    • Black Basta: Leveraging AI tools like ChatGPT for malicious operations
    • Akira: Claimed responsibility for Hitachi Vantara attack
    • Brain Cipher: Targeting critical infrastructure sectors
  • Nation-State Actors:
    • UNC5221 (China-nexus): Exploiting Ivanti vulnerability (CVE-2025-22457)
    • Billbug/Lotus Blossom: Targeting Southeast Asian entities
    • UTA0352/UTA0355 (Russia-linked): Social engineering via Signal and WhatsApp
    • APT28 (Russian GRU): Attributed to cyber espionage against French entities
    • Iranian Islamic Revolutionary Guard Corps: “Peach Sandstorm” campaign targeting aerospace
  • Emerging Tactics:
    • AI-enhanced malware creation and evasion
    • Sophisticated supply chain attacks
    • Mobile malware targeting cryptocurrency assets
    • Geopolitically motivated targeting of critical infrastructure

6. Actionable Recommendations

Technical Recommendations:

  • Implement a robust patch management program, prioritizing actively exploited vulnerabilities
  • Secure remote access points with strong multi-factor authentication
  • Deploy and maintain endpoint detection and response (EDR) solutions
  • Implement network segmentation to limit lateral movement
  • Conduct regular vulnerability assessments
  • Monitor threat intelligence feeds from reputable sources
  • Review and update incident response plans
  • Apply specific recommendations for ICS as outlined in CISA advisories
  • Patch Apple devices to mitigate AirBorne vulnerabilities

Non-Technical Recommendations:

  • Conduct regular phishing awareness training
  • Reinforce password security and multi-factor authentication
  • Encourage prompt reporting of suspicious activity
  • Educate on third-party vendor security risks
  • Train on proper handling of sensitive data
  • Create awareness of new ransomware tactics

CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
