Full Report
For the latest discoveries in cyber research for the week of 10th March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The City of Mission, Texas, has declared a local state of emergency following a severe cybersecurity incident that threatens to expose protected personal information, health records, and other critical data managed by […]

The post 10th March – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
This report summarizes several distinct security incidents disclosed in the week of March 10, 2025, focusing on the breaches identified at the affected organizations.
# Incident Report: Week of March 10, 2025 - Multi-Entity Cyber Incidents
## Executive Summary
Several organizations experienced significant cybersecurity incidents, including ransomware attacks (Toronto Zoo, Penn-Harris-Madison), an emergency declaration due to potential data exposure (City of Mission, TX), and significant data breaches via system compromise (NTT Communications, National Presto Industries). The incidents highlight threats from ransomware groups such as Akira and Qilin, as well as vulnerabilities in widely deployed virtualization infrastructure such as VMware ESXi.
## Incident Details
- Discovery Date: Varied (Late January 2024 to Early March 2025, based on disclosures)
- Incident Date: Varied (Ranging from January 2024 to March 2025)
- Affected Organization: City of Mission (TX), National Presto Industries, Toronto Zoo, Ukraine's Ministry of Foreign Affairs, NTT Communications Corporation, Penn-Harris-Madison School District, POLSA (Polish Space Agency).
- Sector: Government (Municipal/Foreign Affairs), Manufacturing, Zoo/Recreation, Telecommunications, Education, Space/Aerospace.
- Geography: USA (Texas, Indiana), Canada (Toronto), Ukraine, Japan, Poland.
## Timeline of Events
### Initial Access (Varied Dates)
- **Toronto Zoo:** January 2024 (Ransomware attack).
- **National Presto Industries:** March 1, 2025 (Cyberattack began).
- **City of Mission, TX:** Identified February 28, 2025 (Cybersecurity incident).
- **NTT Communications:** Discovered February 5, 2025 (Unauthorized access to distribution system).
- **POLSA:** Recently announced (Unauthorized access detected).
### Lateral Movement
- **Ukraine MFA (Alleged):** Qilin group allegedly breached systems to steal sensitive data.
- **National Presto:** Implied internal system movement leading to outages across shipping, receiving, and manufacturing.
### Data Exfiltration/Impact
- **Toronto Zoo:** Exfiltration by Akira of 133 GB containing visitor transaction data (names, addresses, phone numbers, email addresses, and partial credit card details from 2000 to 2023).
- **Ukraine MFA (Alleged):** Theft of private correspondence and personal information.
- **NTT Communications:** Compromise of customer data (names, contract numbers, addresses, service usage) for over 17,000 companies.
- **City of Mission, TX:** Threat of exposure of protected personal information and health records.
### Detection & Response
- **City of Mission, TX:** Incident identified February 28, 2025; Local state of emergency declared March 4, 2025.
- **National Presto:** Systems experienced outages starting March 1; Temporary measures implemented; Law enforcement notified; Forensic analysis underway.
- **POLSA:** Unauthorized access detected; Affected systems secured; Investigation launched.
## Attack Methodology
*Note: Specific TTPs are generally inferred from the reported effects (ransomware/breach), as detailed technical data was largely absent from the summary.*
- **Initial Access:**
  - **Ransomware/Exploitation:** Implied exploitation of vulnerabilities or phishing (for ransomware victims like Toronto Zoo, PHM).
  - **System Intrusion:** Unauthorized access to NTT’s distribution system.
- **Persistence:** (Not specified)
- **Privilege Escalation:** (Not specified; the report separately notes active exploitation of CVE-2025-22224 in VMware ESXi, a technique that may have been used in incidents not itemized here).
- **Defense Evasion:** (Not specified)
- **Credential Access:** (Not specified)
- **Discovery:** (Implied internal reconnaissance to locate sensitive data).
- **Lateral Movement:** Implied in outages at National Presto.
- **Collection:** Data gathered for exfiltration (e.g., 133GB from Toronto Zoo).
- **Exfiltration:** Data stolen prior to potential encryption (Double Extortion tactics noted for Akira and Medusa).
- **Impact:** System outages (National Presto) and data exposure threats (City of Mission, Toronto Zoo).
## Impact Assessment
- **Financial:** Not quantified for most incidents; National Presto experienced operational outages affecting core processes.
- **Data Breach:**
  - **Personally Identifiable Information (PII):** High risk across multiple entities (Mission, NTT, Toronto Zoo).
  - **Sensitive/Regulated Data:** Health records (Mission); confidential agreements (Toronto Zoo).
  - **Financial Data:** Partial credit card details (Toronto Zoo).
- **Operational:** Significant disruption at National Presto (shipping, manufacturing); Disruptions in school operations (PHM).
- **Reputational:** High, particularly for public entities like the City of Mission and Toronto Zoo facing data exposure concerns.
## Indicators of Compromise
*Note: Specific IOCs for the reported breaches were not furnished in the provided context; only the attack groups and relevant product protections were named.*
- **Network indicators:** None specified.
- **File indicators:** None specified (protection noted against the Akira, Qilin, and Medusa malware families).
- **Behavioral indicators:** Ransomware encryption; unauthorized access patterns.
## Response Actions
- **City of Mission, TX:** Issued a local state of emergency to manage the crisis.
- **National Presto:** Implemented temporary measures to maintain critical operations; Law enforcement notified; Forensic analysis initiated.
- **POLSA:** Affected systems secured; Investigation launched.
- **General:** Incident response teams engaged; Law enforcement notified in relevant cases.
## Lessons Learned
- **Patch Management Criticality:** Widespread, actively exploited vulnerabilities (like CVE-2025-22224 in VMware ESXi) remain unpatched across thousands of widely used systems, presenting a persistent entry vector.
- **Supply Chain Risk:** NTT breach highlights the risk inherent in vendor distribution systems exposing customers.
- **Ransomware Tactics:** Groups like Akira and Medusa continue to employ double-extortion (theft plus encryption/disruption).
## Recommendations
- Immediately prioritize patching for critical, actively exploited vulnerabilities, especially those affecting infrastructure components like VMware ESXi.
- Review and segment the distribution and manufacturing networks to limit the blast radius of similar operational technology (OT) or supply chain compromises (National Presto model).
- Enhance data segmentation and access controls around PII and health records, particularly for municipal entities (City of Mission model).
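The first recommendation is only actionable if you know which hosts in your fleet are still below the fixed build. The following PowerCLI script is an added example, not part of the Check Point report: it lists every ESXi host in the connected vCenter and marks those whose build number is below a per-version minimum. The build numbers in `$MinimumFixedBuild` are placeholders (the report does not state the fixed builds); fill them in from the vendor advisory for CVE-2025-22224. It assumes VMware PowerCLI is installed and `Connect-VIServer` has already been run.

```powershell
# Added example (not from the Check Point report): flag ESXi hosts whose build is
# below the minimum build that carries the fix for the advisory being tracked.
# Requires VMware PowerCLI and an existing Connect-VIServer session.
# PLACEHOLDER values: replace 0 with the fixed build for each ESXi major version
# as listed in the vendor advisory for CVE-2025-22224.
$MinimumFixedBuild = @{
    '7.0' = 0   # PLACEHOLDER: fixed build for ESXi 7.0 from the advisory
    '8.0' = 0   # PLACEHOLDER: fixed build for ESXi 8.0 from the advisory
}

function Get-EsxiPatchStatus {
    param(
        [Parameter(Mandatory)] [hashtable] $MinimumBuild
    )
    foreach ($vmhost in Get-VMHost) {
        # Version is e.g. "8.0.3"; key the lookup on the major.minor part.
        $major = ($vmhost.Version -split '\.')[0..1] -join '.'
        $build = [int64] $vmhost.Build

        if (-not $MinimumBuild.ContainsKey($major)) {
            # Versions not in the table (e.g. end-of-life releases) need manual review.
            $status = 'UnknownVersion'
        } elseif ($build -lt $MinimumBuild[$major]) {
            $status = 'NeedsPatch'
        } else {
            $status = 'Patched'
        }

        [pscustomobject]@{
            Host    = $vmhost.Name
            Version = $vmhost.Version
            Build   = $build
            Status  = $status
        }
    }
}

# Show only hosts that still need attention, most urgent first.
Get-EsxiPatchStatus -MinimumBuild $MinimumFixedBuild |
    Where-Object { $_.Status -ne 'Patched' } |
    Sort-Object Status, Host |
    Format-Table -AutoSize
```

Run it from a read-only vCenter account; it only reads host inventory. Hosts reported as `UnknownVersion` are usually releases that no longer receive patches and should be treated as needing migration rather than a patch.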