Full Report
For the latest discoveries in cyber research for the week of 14th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The United States Office of the Comptroller of the Currency (OCC), an independent bureau of the Department of the Treasury, has suffered a significant security breach. Threat actors have gained access to […]
The post 14th April – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
This summary focuses on the high-profile attacks mentioned in the provided weekly threat intelligence update.
# Incident Report: Compilation of Recent High-Profile Security Incidents (April 2025)
## Executive Summary
This compilation covers several significant security incidents reported in mid-April 2025, impacting various sectors including U.S. government finance (OCC), sports/entertainment (NASCAR), healthcare (LSC), manufacturing (WK Kellogg Co), and international institutions (Morocco CNSS). Attack vectors ranged from ransomware exploiting zero-days (WK Kellogg Co) to state-sponsored espionage (Shuckworm) and social media account takeovers. The resulting impacts included long-term email exposure, potential multi-million dollar ransom demands, and the theft of sensitive PII and financial data for millions of individuals.
## Incident Details
- **Discovery Date:** Varied, with several incidents involving historical data compromise spanning months or years.
- **Incident Date:** Varied, occurring throughout late 2024 and early 2025.
- **Affected Organization:** OCC (US), NASCAR (US), CNSS (Morocco), Laboratory Services Cooperative (US), WK Kellogg Co (US), Czech Prime Minister's Office.
- **Sector:** Financial Regulation, Sports/Entertainment, Social Security/Government, Healthcare, Food Manufacturing, Government Communications.
- **Geography:** United States, Morocco, Czech Republic.
## Timeline of Events
The provided context mixes ongoing breaches with vulnerability disclosures for the week of April 14, 2025. Specific start dates are often historical, but the reporting date is around April 8-14, 2025.
### Initial Access
- **Date/Time:** Varied (e.g., OCC breach spanned over 1.5 years; WK Kellogg Co breach occurred late last year).
- **Vector:** Ransomware exploitation of known vulnerabilities (likely Cleo server zero-day for WK Kellogg Co); unspecified access mechanisms for OCC; X/Twitter compromise for Czech PM.
- **Details:** Threat actors targeted WK Kellogg Co via a Cleo server holding employee information. Algerian hackers targeted Moroccan CNSS.
### Lateral Movement
- **Details:** Not explicitly detailed for most incidents, though WK Kellogg Co's breach suggests internal data access after the initial compromise of the Cleo server. In a separate campaign, APT group Shuckworm maintained persistence using the GamaSteel payload.
### Data Exfiltration/Impact
- **Details:**
    * **OCC:** Threat actors spied on email messages for 1.5 years, compromising highly sensitive information regarding federally regulated financial institutions.
    * **NASCAR:** Medusa ransomware group claims to have exfiltrated sensitive material, demanding $4M.
    * **CNSS (Morocco):** Alleged theft of personal and financial data for 2 million citizens (names, addresses, bank details).
    * **LSC (US):** Theft of personal and medical information for 1.6 million people, including SSNs and sensitive diagnosis/treatment details (Planned Parenthood patients).
### Detection & Response
- **How it was discovered:** Public disclosures or claims by threat actor groups (e.g., Medusa for NASCAR, JabaROOT for CNSS). WK Kellogg Co notified regulators after learning of the access.
- **Response actions taken:** Disclosure/Notification by affected entities; vulnerability patching by vendors (Microsoft patching CVE-2025-29824).
## Attack Methodology
* **Initial Access:** Ransomware exploits (WK Kellogg Co - Cleo server flaw); Direct social media account takeover (Czech PM); Unspecified access (OCC, NASCAR).
* **Persistence:** APT group Shuckworm utilized updated **GamaSteel** payload for persistence.
* **Privilege Escalation:** Not specified for the major breaches, but an Android zero-day (CVE-2024-53197) used for privilege escalation was noted in the vulnerability section.
* **Defense Evasion:** APT group ToddyCat exploited a vulnerability in **ESET security software** (CVE-2024-11859) to operate undetected within a trusted security ecosystem.
* **Credential Access:** Implied in the data compromise at OCC and LSC, but specific methods (e.g., phishing, dumping) are not detailed.
* **Discovery:** APT Shuckworm conducted surveillance targeting Ukrainian entities.
* **Lateral Movement:** Utilized by various actors once inside, though specifics are limited.
* **Collection:** Gathering of email archives (OCC); collection of PII/financial data (CNSS, LSC); collection of employee data (WK Kellogg Co).
* **Exfiltration:** Data theft claimed by Medusa, JabaROOT, and Clop affiliates.
* **Impact:** Financial extortion (NASCAR); Data theft and exposure (All breaches).
## Impact Assessment
- **Financial:** NASCAR faces a $4M ransom demand. Potential significant costs related to regulatory fines and remediation for the OCC and LSC breaches.
- **Data Breach:** Massive exposure of PII/Financial data (2M citizens in Morocco); 1.6M sensitive medical records (LSC); Sensitive financial regulatory emails (OCC); Employee data (WK Kellogg Co).
- **Operational:** Unclear operational impact for most, though the hack on the Czech PM’s X account caused immediate misinformation disruption.
- **Reputational:** Significant damage to the regulatory image of the OCC and privacy trust in LSC following the exposure of patient data.
## Indicators of Compromise
- **Network indicators:** None explicitly listed as IOCs for the confirmed breaches, beyond general threat actor naming (Medusa, JabaROOT).
- **File indicators:** Mention of **GamaSteel** payload variant (Shuckworm).
- **Behavioral indicators:** Unauthorized access/spying over prolonged periods (OCC); Foreign policy misinformation campaigns (Czech PM hack).
## Response Actions
- **Containment:** Not detailed for specific breaches, but underlying software vendors responded to zero-days.
- **Eradication:** Implied necessary action for all victims post-discovery.
- **Recovery:** Restoration of affected services; regulatory notifications.
## Lessons Learned
- **Key takeaways:** Supply chain risk remains critical (a Cleo vulnerability was exploited in the WK Kellogg Co breach). Defense evasion techniques remain effective, including the exploitation of trusted security software (ESET exploitation by ToddyCat). Prolonged, undetected access is a critical failure mode (OCC).
- **What could have been done better:** Enhanced monitoring to detect prolonged data access (OCC); Timely patching for third-party components (Cleo).
## Recommendations
- Implement rigorous continuous monitoring to detect prolonged anomalous activity within network segments (especially high-value targets like government email).
- Aggressively prioritize patching for third-party software components and vendor-supplied servers (like Cleo).
- Enhance security posture around social media account administration to prevent unauthorized account takeovers and the spread of disruptive misinformation.
- Review access controls regarding sensitive medical and financial data held by non-profit service providers (LSC).