
🚨 Week 9 Debrief: Black Basta's Playbook Exposed, Apple's Find My Network Exploited, Russia Warns Financial Sector, Europe proposes a Cyber Blueprint and more

Insights into Cyber Risks, Threat Intel and Startup and VC updates

Black Basta's Playbook Exposed: Known Exploits and High-Value Targets in the Crosshairs: Analysis of Black Basta's chat logs provides valuable insight into the group's tactics, targets, and the vulnerabilities it exploits. The ransomware group shows a clear preference for known weaknesses, leveraging available tools and proof-of-concept exploits for vulnerabilities that already have working exploits. Black Basta targets a mix of initial access devices and Microsoft technologies, and prioritizes high-revenue companies in sectors such as legal, financial, and healthcare because they are more likely to pay ransoms. It also targets email and communication services. The group discusses newly published CVEs rapidly, sometimes even mentioning them before official publication. Of the 62 unique CVEs mentioned in the chats, 53 (85.5%) are known to be exploited and are listed in VulnCheck KEV. Defenders should prioritize vulnerability remediation using an evidence-based approach, especially for vulnerabilities confirmed to be exploited.

Key points:

  • Black Basta focuses on known vulnerabilities and high-value targets.

  • They target sectors like legal, financial, and healthcare.

  • The group rapidly discusses new CVEs and leverages existing exploits.

  • 53 of 62 CVEs (85.5%) mentioned are known to be exploited.

  • Vulnerability remediation should be prioritized.

  • Black Basta appears to be targeting a mix of initial access devices and Microsoft technologies.

  • They also target email and communication services, which offer relatively safe vectors for phishing campaigns and can provide initial access into organizations' networks.

Black Basta Chats (Ransomware Group)

CVEs Mentioned by Black Basta by Technology

💻 Malware and Vulnerabilities

Critical Flaw in WordPress Plugin 'Essential Addons for Elementor' Exposes Millions to XSS Attacks: A high-severity XSS vulnerability (CVE-2025-24752) in the Essential Addons for Elementor WordPress plugin puts over two million websites at risk. The flaw, located in the "src/js/view/general.js" file, involves insufficient validation of the "popup-selector" query argument, enabling attackers to inject malicious JavaScript code. Update to version 6.0.15 immediately to patch this vulnerability.

Apple's Find My Network Exploited: Researchers Uncover New Tracking Vulnerability: George Mason University researchers have discovered "nRootTag," a novel attack that exploits Apple's Find My network to track devices. This method can turn devices like laptops and smartphones into "AirTags" without the owner's consent. The attack boasts a 90% success rate and can locate devices within minutes. It works on devices running Linux, Android, and Windows. Researchers advise caution with Bluetooth permissions and keeping software updated.

New PayPal Phishing Scam Exploits Address Feature to Target Users: A sophisticated phishing scam is abusing a new PayPal feature that lets users add "gift addresses" to their profiles. Scammers send emails from "[email protected]" claiming a new address was added and a MacBook M4 laptop was purchased. Victims are urged to call a fake number to cancel, leading to the installation of remote access software. The goal is to gain control over the victim's computer to steal data and make fraudulent transfers.

CISA Issues Alert on Exploited Vulnerabilities: CISA has updated its Known Exploited Vulnerabilities Catalog with two new entries: CVE-2024-49035 (Microsoft Partner Center) and CVE-2023-34192 (Synacor Zimbra Collaboration Suite). These vulnerabilities, frequent targets for cyberattacks, pose significant risks. While federal agencies are mandated to address these by Binding Operational Directive (BOD) 22-01, CISA urges all organizations to prioritize timely remediation to mitigate potential cyber threats.

"GitVenom" Campaign Spreads Malware via GitHub: Security researchers are alerting users to the "GitVenom" campaign, which utilizes fake GitHub repositories to spread malware. The threat actors create numerous repositories with malicious code hidden in fake projects, such as Telegram bots and Bitcoin wallet managers. The attackers use techniques such as detailed documentation and numerous commits to create the illusion that the code is genuine. The malware steals credentials, crypto wallet data, and browser data. The campaign has been active for around two years, impacting developers in Brazil, Russia, and Turkey.

📈 Breaches and Incidents

Orange Group Hit by Cyberattack: Data Breach Exposes Sensitive Information: Orange Group confirmed a cyberattack impacting its Romanian operations. A hacker stole 6.5GB of data, including 380,000 email addresses, source code, and customer data. The breach exploited vulnerabilities in Jira software. Orange is investigating and working to mitigate the incident.

DISA Global Solutions, Inc Data Breach: Millions Affected: DISA Global Solutions, Inc reported a data breach affecting 3,332,750 individuals, including 15,198 Maine residents. The breach, which occurred on February 9, 2024, was discovered on April 22, 2024, and was the result of an external system breach (hacking). Consumers were notified in writing, and the company is offering 12 months of credit monitoring and identity theft protection services through Experian.

North Korean Hackers Steal $1.5 Billion in Bybit Crypto Heist: North Korea's Lazarus Group has been linked to the theft of over $1.5 billion from the Bybit cryptocurrency exchange. The attackers manipulated a routine transfer of ETH from a cold wallet to a hot wallet. Crypto investigator ZachXBT connected the hackers to previous Phemex, BingX, and Poloniex hacks. The stolen funds were laundered through various methods, including meme coins and centralized mixers.

🚨 Threat Intel & Info Sharing

Russia Warns Financial Sector of Major IT Provider Hack: Russia's National Coordination Center for Computer Incidents (NKTsKI) is warning the country's financial sector about a breach at LANIT, a major Russian IT service and software provider. The attack, which occurred on February 21, 2025, potentially impacted LLC LANTER and LLC LAN ATMservice. Impacted organizations are advised to rotate passwords and enhance threat monitoring. LANIT's clientele includes the Russian Ministry of Defense and entities in the military-industrial complex.

EU Sanctions North Korean Tied to Lazarus Group Over Ukraine War Involvement: The European Union has sanctioned Lee Chang Ho, head of North Korea's Reconnaissance General Bureau (RGB), for supporting Russia's war against Ukraine. Lee is accused of deploying North Korean personnel and overseeing cyberattack units like Lazarus and Kimsuky. The EU also targeted individuals and media outlets involved in pro-Russian propaganda and disinformation campaigns.

DragonForce Ransomware Group Targets Major Saudi Arabian Enterprise, Leaks 6 TB of Data: The DragonForce ransomware group has claimed its first large KSA enterprise victim, initiating extortion on February 14, 2025, and leaking over 6 TB of sensitive files after the deadline on February 28, 2025. The leaked data includes internal and confidential documents. Cybersecurity experts warn that attacks like these against critical infrastructure could have severe implications for affected companies, national security, and economic stability in the MENA region and beyond.

Massive Botnet Targets Microsoft 365 Accounts with Password-Spraying Attack: A botnet of over 130,000 compromised devices is launching coordinated password-spraying attacks against Microsoft 365 (M365) accounts. The attack exploits Non-Interactive Sign-Ins to bypass traditional security measures like MFA. Organizations relying on M365 for email, document storage, and collaboration are particularly at risk, including those in financial services, healthcare, government, and education. Security teams should review non-interactive sign-in logs, rotate credentials, and implement conditional access policies.

North Korean Hackers Target macOS Users with 'DriverEasy' and 'ChromeUpdate' Malware: North Korean cyber actors are employing sophisticated cyber-espionage tactics, targeting macOS users with malware disguised as fake job interview applications. The malware, named 'DriverEasy' and 'ChromeUpdate', uses social engineering to steal user credentials by displaying deceptive prompts. Captured passwords are then sent to a Dropbox account controlled by the attackers via Dropbox APIs. These apps share the same Dropbox API credentials, linking them to North Korean cyber campaigns.

TopSec Data Leak Exposes Censorship-as-a-Service Operations: A data leak reveals that Chinese cybersecurity firm TopSec provides censorship-as-a-service, offering web content monitoring to enforce censorship for public and private sectors. TopSec worked with China's Ministry of Public Security and uses a tool called Sparta to filter content. The leak highlights the complex relationship between Chinese government entities and private cybersecurity companies in managing politically sensitive content.

โš–๏ธ Laws, Policies and Regulations

The European Commission has proposed a Cyber Blueprint to enhance the EU's response to large-scale cyber incidents. This initiative aims to present the EU framework for cyber crisis management in a clear and accessible way. The Cyber Blueprint is a non-binding instrument that identifies specific actions for relevant actors in a cyber crisis to enhance the overall effectiveness of the cyber crisis management framework. It promotes structured cooperation between civilian and military actors, including NATO. The blueprint updates Commission Recommendation (EU) 2017/1584, incorporating lessons learned from Union-level exercises.

Australian Government Mandates Removal of Kaspersky Lab Products Over Security Risks: Australian Government entities must remove all Kaspersky Lab, Inc. products and web services from their systems and devices by April 1, 2025. This directive, PSPF Direction 002-2025, cites concerns of foreign interference, espionage, and sabotage. Exemptions may be granted for national security and regulatory functions, provided appropriate mitigations are in place.

NIST Faces Layoffs Amidst Efficiency Push and AI Safety Concerns: The National Institute of Standards and Technology (NIST) is bracing for mass firings, with approximately 500 staffers expected to lose their jobs. The cuts are part of the Department of Government Efficiency (DOGE) purge, impacting even lab directors. The AI Safety Institute (AISI), created after a Biden executive order, is particularly affected after Trump rescinded the order. Concerns rise over potential conflicts of interest and the impact on critical infrastructure.

EU Financial Entities to Submit Digital Operational Resilience Act (DORA) Reports by April 2025: EU financial entities must submit Register of Information (ROI) reports on all contractual arrangements for ICT services to their national supervisory authorities in April 2025. These reports should differentiate between critical and non-critical providers and include details on ICT third-party service providers, the nature of services, contractual arrangements, risk classification, monitoring, sub-outsourcing, and ICT-related incidents. The Irish Central Bank will collect ROIs between April 1-4, 2025, while Germany's BaFin has set a deadline of April 11.

Cellebrite Halts Product Use in Serbia Following Amnesty Surveillance Report: Cellebrite has stopped some of its Serbian customers from using its digital forensic equipment after an Amnesty International report revealed misuse. The report detailed how Serbian authorities misused Cellebrite's technology to target activists and journalists. Amnesty International urges a thorough investigation and implementation of safeguards to prevent future abuses before reinstating customers or issuing new licenses. Cellebrite stated it takes potential misuse seriously and investigated the claims.

Microsoft Finalizes EU Data Boundary: Microsoft has completed its EU Data Boundary project, ensuring EU data stays within Europe when using its cloud services. This covers the EU and the European Free Trade Association, allowing local storage and processing of customer and pseudonymized personal data. Key services like Microsoft 365 and Azure are included.

โš–๏ธ Cybersecurity Start Ups and VCs

NinjaOne Valued at $5 Billion After Massive Funding Round: NinjaOne, an endpoint management, security, and monitoring provider, has secured $500 million in Series C extensions, achieving a $5 billion valuation. The funding was led by Iconiq Growth and Google's CapitalG. This investment will drive innovation across NinjaOne's platform, focusing on endpoint and patch management, AI, IT, and security use cases. The company's CEO, Sal Sferlazza, emphasizes the importance of supporting users and their devices. This funding follows another security startup, Verkada, securing a $4.5B valuation.

Ghostwriter Campaign Targets Ukraine and Belarus with Weaponized Excel Documents: The Ghostwriter campaign, linked to Belarusian government espionage, is targeting Ukrainian and Belarusian entities using weaponized Excel documents. Active since 2016, the campaign employs malicious macros to deliver malware like PicassoLoader. Recent attacks involve decoy documents and attempts to retrieve further payloads from compromised websites, using tactics adapted from previous Ghostwriter operations.

ENISA's 2024 Cybersecurity Threat Landscape: Top Threats and Trends: The ENISA Threat Landscape 2024 report provides a comprehensive overview of the cybersecurity landscape, identifying key threats such as ransomware, malware, social engineering, and denial-of-service attacks. The report emphasizes the importance of understanding threat actor trends and vulnerabilities for effective cyber threat management. It also addresses the rising concern of information manipulation and interference, highlighting the need to protect data integrity and authenticity.

📅 Upcoming Events

🚀 Join us for an exclusive virtual event in March, where AI and cybersecurity experts will discuss how AI and Machine Learning are revolutionizing cyber defense. This session will feature expert panel discussions exploring AI-driven threat detection, automated response strategies, and the future of intelligent security.

This is a limited virtual event tailored for CISOs and executives. It is free to join, so register today via the form.

We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].

Thank you for being a part of our newsletter community. You can also join the conversation in our LinkedIn Group.