Full Report
For the latest discoveries in cyber research for the week of 10th February, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Grubhub, the US-based online food ordering and delivery platform, suffered a data breach due to unauthorized access through a compromised third-party service provider's account. The incident exposed personal details of customers, drivers, […]

The post 10th February – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Compilation of Weekly Cyber Incidents (Week of Feb 10th)
## Executive Summary
This report aggregates several significant security incidents reported during the week of February 10th, highlighting diverse attack vectors including third-party compromise, sophisticated ransomware, active exploitation of vulnerabilities, and widespread DDoS attacks. Impacts ranged from customer data exposure at Grubhub and the City of McKinney to severe operational disruption at Bohemia Interactive and the University of The Bahamas. Response efforts focused on containment, investigation, and providing identity protection services.
## Incident Details
- **Discovery Date:** Varies (Detection dates provided: Nov 14, 2024 for McKinney; Feb 02 for U. Bahamas; various ongoing)
- **Incident Date:** Varies (October 31, 2024 for McKinney; August 2024 for Yazoo Valley; ongoing for others)
- **Affected Organization:** Grubhub, City of McKinney (TX), Bohemia Interactive, Yazoo Valley Electric Power Association (MS), University of The Bahamas, IMI (UK), Trimble/Cityworks customers, Cisco ISE customers, Android device users.
- **Sector:** Food Delivery/Tech, Government (Municipal), Gaming, Energy/Utilities, Education, Engineering/Manufacturing, Various.
- **Geography:** US (Various states), Bahamas, UK.
## Timeline of Events
### Initial Access
- **Date/Time:** Various (e.g., Grubhub incident predates discovery; McKinney on Oct 31, 2024)
- **Vector:** Compromised third-party service provider account (Grubhub); active remote exploitation of unpatched vulnerabilities (Trimble/Cityworks CVE-2025-0994); phishing campaigns delivering SmokeLoader (Ukrainian organizations); ransomware deployment (Yazoo Valley, U. Bahamas).
- **Details:**
* **Grubhub:** Unauthorized access gained via a third-party vendor credential, leading to database access.
* **City of McKinney:** Attack detected Nov 14, suggesting breach occurred earlier (approx. Oct 31).
* **Trimble/Cityworks:** Exploitation of CVE-2025-0994 (Authenticated RCE via deserialization) leading to Cobalt Strike beacon deployment.
* **Academic/Utility Targets:** Phishing campaigns delivering SmokeLoader or ransomware payloads.
### Lateral Movement
- **Date/Time:** Post-initial access, prior to detection/eradication.
- **Vector:** Attackers used compromised credentials/malware (e.g., Cobalt Strike beacons) to move through environments.
* **City of McKinney:** Likely extensive internal movement leading to data exfiltration of PII and financial data.
* **IMI:** Unauthorized access suggested potential internal reconnaissance.
### Data Exfiltration/Impact
- **Date/Time:** Varies.
- **Impact:**
* **Grubhub:** Exposure of customer/driver/merchant PII, payment types, and hashed passwords.
* **City of McKinney:** Exfiltration of SSNs, driver's licenses, credit card details, financial/medical insurance info for ~17,751 residents.
* **Yazoo Valley:** Theft of SSNs and financial records claimed by Akira ransomware group.
* **U. Bahamas:** Critical systems (internet, telephone, online applications) shut down by ransomware, leading to class cancellations.
* **Bohemia Interactive:** Severe disruption to online services (DayZ, Arma Reforger) due to sustained DDoS.
### Detection & Response
- **Date/Time:** Varies.
- **Detection/Response:**
* **Grubhub:** Incident detected, service provider access revoked immediately, investigation launched.
* **City of McKinney:** Detected Nov 14, 2024; residents notified and offered one year of identity protection.
* **U. Bahamas:** Detected Feb 2nd; collaboration with law enforcement, user password resets urged.
* **IMI:** Detected; external cybersecurity experts engaged for investigation and containment.
* **Trimble/Cisco/Android:** Patches released to address actively exploited or critical vulnerabilities (CVE-2025-0994, CVE-2025-20124/20125, CVE-2024-53104).
## Attack Methodology
| Category | Method(s) Used |
| :--- | :--- |
| **Initial Access** | Third-party vendor compromise (Grubhub), Active RCE exploitation (Cityworks/CVE-2025-0994), Ransomware deployment, Phishing leading to malware download (SmokeLoader). |
| **Persistence** | Cobalt Strike beacons deployed post-exploitation; Ransomware payload delivery. |
| **Privilege Escalation** | Cisco ISE vulnerabilities allow privilege escalation (CVE-2025-20124/20125). |
| **Defense Evasion** | Threat actors utilizing AI models (DeepSeek/Qwen) to optimize infostealer malware and bypass fraud protections. |
| **Credential Access** | Unauthorized database access (Grubhub); Implied access/theft associated with ransomware operations. |
| **Discovery** | Implied internal reconnaissance following initial access in data theft incidents. |
| **Lateral Movement** | Execution of arbitrary commands on compromised hosts (Cisco/Trimble), movement facilitated by Cobalt Strike. |
| **Collection** | Targeting PII, financial records, medical information (McKinney, Yazoo Valley). AI assisting in optimizing collection tools. |
| **Exfiltration** | Data exfiltration confirmed in municipal/utility breaches. |
| **Impact** | Denial of Service (DDoS on Bohemia Interactive), System encryption/disruption (Ransomware at U. Bahamas), Data exposure (Grubhub, McKinney). |
## Impact Assessment
- **Financial:** Ransom demands (Bohemia Interactive; unverified and dismissed by the company), plus costs of investigation, remediation, and identity protection services (McKinney).
- **Data Breach:** PII, SSNs, Driver's Licenses, Payment Card Types (limited digits), Financial/Medical Insurance data exposed across multiple entities (Grubhub, McKinney, Yazoo Valley).
- **Operational:** Complete shutdown of online services (Bohemia Interactive), cancellation of online classes and disruption of communication infrastructure (University of The Bahamas).
- **Reputational:** Public disclosure of significant data breaches affecting essential services (food delivery, municipal utilities).
## Indicators of Compromise
*(Note: Indicators are summarized from the reported threats; specific hashes and domains were not detailed in the synopsis.)*
- **Network indicators:** Communication channels associated with Cobalt Strike beacons; DDoS traffic patterns targeting gaming services.
- **File indicators:** SmokeLoader malware signatures (Trojan-Downloader.Win.Smokeloader); Akira Ransomware deployment artifacts.
- **Behavioral indicators:** Unauthorized process execution via deserialization flaw exploitation; AI-generated malicious content exhibiting optimized evasion techniques.
## Response Actions
- **Containment:** Immediate revocation of third-party service provider access (Grubhub); Engagement of external cybersecurity experts (IMI); Collaboration with law enforcement (U. Bahamas).
- **Eradication:** Patching critical vulnerabilities associated with active exploitation (Trimble, Cisco, Google Android kernel).
- **Recovery:** Offering identity protection services to affected residents (McKinney); Restoring internet/phone services (U. Bahamas); Updating software to patched versions (Cityworks 15.8.9+).
## Lessons Learned
- Reliance on third-party vendors introduces critical supply chain risk, necessitating stringent access controls and monitoring.
- Actively exploited zero-day vulnerabilities (like CVE-2025-0994) require rapid vendor response and immediate patching by end-users, especially in critical infrastructure (utilities, local government).
- Threat actors are rapidly integrating new technologies (AI/new LLMs) to enhance malware development and bypass existing security controls.
- Organizations utilizing legacy systems remain highly susceptible to sophisticated ransomware strains like Akira.
## Recommendations
- Implement robust multi-factor authentication and strict access revocation policies for all third-party vendor accounts.
- Prioritize patching known actively exploited vulnerabilities (especially RCEs such as the Cityworks flaw) immediately upon vendor notification.
- Enhance endpoint detection capabilities to identify behavioral indicators consistent with Cobalt Strike C2 or known ransomware deployment paths (e.g., SmokeLoader execution).
- Isolate and segment critical infrastructure (energy, municipal services) to limit lateral movement in the event of a successful phishing or RCE exploit.