Full Report
For the latest discoveries in cyber research for the week of 20th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Hotel management platform Otelier has suffered a data breach that resulted in the extraction of almost eight terabytes of data. The threat actors compromised the company's Amazon S3 cloud storage, stealing guests' personal information […] The post 20th January – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Compilation of Recent Cyber Incidents and Vulnerabilities
## Executive Summary
This report summarizes the security incidents covered in the week-of-20-January-2025 bulletin: data breaches at Otelier, Scholastic, PowerSchool, Mortgage Investors Group (MIG), Nominet, Wolf Haldenstein Adler Freeman & Herz LLP and OneBlood, and a cyberattack on the city of West Haven. Reported attack vectors include compromised Amazon S3 cloud storage, an employee portal, a zero-day vulnerability in Ivanti VPN appliances, and ransomware deployment (Qilin, Black Basta). The cumulative impact is the exposure of sensitive customer, employee, student and donor data, alongside significant operational disruption for the affected entities. Response actions reported so far are containment (system shutdowns), recovery, and data breach notifications.
## Incident Details
- Discovery Date: Varied (most reported in January 2025; underlying breaches occurred in December 2024, July 2024 and December 2023)
- Incident Date: Varied (December 2024 for most; July 2024 for OneBlood; December 2023 for Wolf Haldenstein)
- Affected Organization: Otelier, Scholastic, West Haven (City Govt), PowerSchool, Nominet, MIG, Wolf Haldenstein Adler Freeman & Herz LLP, OneBlood
- Sector: Hospitality, Education, Government, Finance/Mortgage, Legal, Healthcare/Nonprofit
- Geography: USA (multiple states); UK (Nominet)
## Timeline of Events
### Initial Access
- Date/Time: Varied (December 2023 for Wolf Haldenstein; July 2024 for OneBlood; December 2024 for most of the remaining incidents)
- Vector: Compromised Amazon S3 cloud storage (Otelier); employee portal (Scholastic); zero-day vulnerability in Ivanti VPN (Nominet); ransomware deployment with the initial vector not reported (West Haven, MIG, OneBlood); not reported (PowerSchool).
- Details: Otelier had roughly 8 TB of data stolen from its S3 buckets. Nominet's network was entered through a zero-day in its Ivanti VPN. Scholastic's breach originated in an employee portal. The Wolf Haldenstein breach dates to December 2023 and was only recently disclosed.
### Lateral Movement
- Details: Not reported for any incident in the bulletin. The breadth of the PowerSchool theft (all historical student and teacher data) and the whole-infrastructure outage at West Haven show the attackers reached well beyond their initial foothold, but the mechanism (credential reuse, privilege escalation, or a single over-privileged access path) is not stated.
### Data Exfiltration/Impact
- **Otelier:** Extraction of nearly 8 TB of data, including personal information and reservations for Marriott, Hilton, and Hyatt guests.
- **Scholastic:** Theft of data related to US customers and education contacts, exposing 4,247,768 unique email addresses.
- **PowerSchool:** Attackers accessed *all* historical student and teacher data from affected institutions.
- **MIG:** Significant data breach confirmed, exposing sensitive customer information via ransomware.
- **Wolf Haldenstein:** Exposure of PII and medical data for 3,445,537 individuals, including SSNs and medical diagnoses.
- **OneBlood:** Personal information of blood donors stolen in a July 2024 ransomware attack.
### Detection & Response
- **West Haven:** Incident detected, leading to the temporary shutdown of the entire IT infrastructure as a containment measure.
- **Nominet:** Attack detected in December 2024; unauthorized network access confirmed.
- **Others:** Detection details are not reported; the remaining organizations confirmed the breach and its scope after the attack had already completed.
## Attack Methodology
- **Initial Access:** Compromised Cloud Storage (S3), Employee Portals, Zero-day Exploitation (Ivanti VPN).
- **Persistence:** Not reported; ransomware operators (Qilin, Black Basta) typically establish persistence before deployment, but the bulletin gives no specifics.
- **Privilege Escalation:** Not reported; the depth of access at PowerSchool (all historical records) and West Haven (full network outage) indicates high-privilege access was obtained.
- **Defense Evasion:** Not reported.
- **Credential Access:** Not reported; access to the Scholastic employee portal and to Otelier's S3 storage required valid credentials or keys, but how they were obtained is not stated.
- **Discovery:** Not reported; the volume of data stolen across organizations indicates attackers enumerated storage and databases before exfiltration.
- **Lateral Movement:** Not reported; the whole-infrastructure compromise at West Haven indicates movement beyond the initial host.
- **Collection:** PII, reservation details (Otelier), educational records (PowerSchool), donor data (OneBlood), SSNs/medical data (Wolf Haldenstein).
- **Exfiltration:** Large-scale data extraction (8 TB from Otelier).
- **Impact:** Ransomware deployment causing IT outages (West Haven, MIG, OneBlood); data theft with extortion.
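The Otelier case is an exfiltration of ~8 TB from S3 buckets by whoever held the compromised access. One detection a practitioner would want for that pattern is a bulk-read alert over CloudTrail S3 data events (GetObject). The script below is an added example, not code from Check Point or Otelier: it groups GetObject events per IAM principal and bucket, counts objects and bytes in a sliding window, and alerts when either exceeds a threshold. The log records, principal ARNs, bucket name and thresholds are all constructed for the example.

```python
"""Flag bulk S3 object reads per principal from CloudTrail data events.

Added example, not from the bulletin. Records are minimal CloudTrail-shaped
dicts constructed below; thresholds are assumptions to be tuned per bucket.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)        # sliding window length (assumption)
MAX_OBJECTS = 500                     # objects per window before alerting
MAX_BYTES = 50 * 1024 ** 3            # 50 GiB per window before alerting


def parse_time(ts):
    """CloudTrail eventTime looks like 2024-12-01T02:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_reads(records, window=WINDOW, max_objects=MAX_OBJECTS,
                      max_bytes=MAX_BYTES):
    """Return one alert per (principal, bucket) whose GetObject volume in any
    window exceeds max_objects or max_bytes. Other event types are ignored."""
    events = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "GetObject":
            continue
        principal = r.get("userIdentity", {}).get("arn", "unknown")
        bucket = r.get("requestParameters", {}).get("bucketName", "unknown")
        size = int(r.get("additionalEventData", {}).get("bytesTransferredOut", 0))
        events[(principal, bucket)].append((parse_time(r["eventTime"]), size))

    alerts = []
    for (principal, bucket), evs in events.items():
        evs.sort()                      # by time, then size
        start = count = total = 0
        for end, (when, size) in enumerate(evs):
            count += 1
            total += size
            # Drop events that fell out of the window.
            while when - evs[start][0] > window:
                count -= 1
                total -= evs[start][1]
                start += 1
            if count > max_objects or total > max_bytes:
                alerts.append({
                    "principal": principal,
                    "bucket": bucket,
                    "objects": count,
                    "bytes": total,
                    "window_start": evs[start][0].isoformat(),
                    "window_end": when.isoformat(),
                })
                break                   # one alert per principal/bucket
    return alerts


def make_record(principal, bucket, when, size):
    """Build a constructed, minimal CloudTrail GetObject record."""
    return {
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"arn": principal},
        "requestParameters": {"bucketName": bucket},
        "additionalEventData": {"bytesTransferredOut": size},
    }


def constructed_records():
    """Constructed sample: a normal application role reading 20 objects over
    an hour, then a hypothetical compromised key reading 600 objects in 5 min."""
    base = datetime(2024, 12, 1, 2, 0, 0)
    bucket = "hypothetical-guest-data"
    recs = [make_record("arn:aws:iam::111122223333:role/app-reader", bucket,
                        base + timedelta(minutes=3 * i), 200_000)
            for i in range(20)]
    recs += [make_record("arn:aws:iam::111122223333:user/hypothetical-stolen-key",
                         bucket, base + timedelta(seconds=i // 2), 1024 * 1024)
             for i in range(600)]
    return recs


if __name__ == "__main__":
    for a in detect_bulk_reads(constructed_records()):
        print(a)
```

The window is closed by object count here; for a bucket holding large media the byte threshold is the one that fires first. In production the records come from CloudTrail data events (which must be enabled per bucket; management events alone do not log GetObject), and the per-bucket baseline should be learned rather than hard-coded.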
## Impact Assessment
- **Financial:** Not reported for any incident; remediation, notification and legal costs for ransomware and multi-million-record breaches are typically substantial.
- **Data Breach:** Massive scale: 8 TB stolen (Otelier); Millions of educational records (Scholastic, PowerSchool); Over 3.4 million individuals' SSNs/medical data (Wolf Haldenstein).
- **Operational:** Complete shutdown of IT infrastructure (West Haven); Disruption to educational systems (PowerSchool); Operational impact on mortgage lending (MIG), and data access restrictions following ransomware.
- **Reputational:** Major reputational damage for global brands including Marriott, Hilton, Hyatt, and Scholastic due to high-profile data exposure.
## Indicators of Compromise
*(Note: the bulletin provides no atomic indicators (hashes, IP addresses, domains) for these incidents. The items below are the vulnerabilities, malware families and actors it names, listed as hunting and patching context rather than as defangable IOCs.)*
- **Vulnerabilities to patch:** Microsoft, Adobe and Fortinet advisories from the January 2025 patch cycle (the bulletin summary on this page does not list individual CVE identifiers).
- **Malware families:** Ransomware associated with the named perpetrators: Qilin, Black Basta, FunkSec.
- **Behavioral context:** Exploitation of an Ivanti VPN zero-day (Nominet); Xbash malware (combining ransomware, coin-mining and worm functionality); APT28 / UAC-0063 cyber-espionage tradecraft (macro-embedded documents).
## Response Actions
- **Containment:** Temporary shutdown of entire IT infrastructure (West Haven).
- **Eradication:** Not reported per incident; industry-wide patch releases (Microsoft, Adobe, Fortinet) address the vulnerabilities named in the same bulletin.
- **Recovery:** Ongoing system re-evaluation and recovery following ransomware attack (West Haven).
## Lessons Learned
- Compromised cloud object storage (S3) remains a path to massive data theft (Otelier); the page does not say whether the access was a misconfiguration or stolen keys, and least-privilege bucket policies, short-lived credentials and read-volume monitoring limit the blast radius in either case.
- Zero-day vulnerabilities in widely deployed edge devices (Ivanti VPN) give attackers immediate network access before a patch exists (Nominet).
- Employee-facing portals are an initial-access path that bypasses perimeter controls (Scholastic).
- Ransomware groups (Qilin, Black Basta) are actively targeting diverse sectors, including government entities.
## Recommendations
- Immediately patch all critical vulnerabilities disclosed in January 2025 (Microsoft, Adobe, Fortinet).
- Review and harden configurations for cloud storage, particularly Amazon S3 buckets, ensuring least-privilege access policies are strictly enforced.
- Implement multi-factor authentication (MFA) across all employee portals and VPN access points.
- Enhance Endpoint Detection and Response (EDR) capabilities to identify behavior associated with known ransomware families (Qilin, Black Basta).
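The S3 hardening recommendation above can be checked rather than eyeballed. The linter below is an added example, not Check Point's or Otelier's code: it walks each Allow statement of an S3 bucket policy and flags anonymous principals, write or wildcard actions granted publicly, wildcard actions granted to named principals, and Not* elements that are hard to reason about. The two policies, the bucket name, account ID, role ARN and VPC endpoint ID are constructed for the example; a real bucket policy is fetched with `aws s3api get-bucket-policy --bucket NAME`.

```python
"""Lint an S3 bucket policy for anonymous or over-broad Allow statements.

Added example, not from the bulletin. Policies below are constructed;
bucket, account and role identifiers are hypothetical.
"""
import json


def _as_list(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _principal_is_public(p):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the Internet."""
    if p == "*":
        return True
    if isinstance(p, dict):
        return "*" in _as_list(p.get("AWS"))
    return False


def _check_statement(stmt):
    """Return (severity, message) for the first rule an Allow statement trips,
    or None when it looks acceptable."""
    actions = _as_list(stmt.get("Action"))
    public = _principal_is_public(stmt.get("Principal"))
    has_condition = bool(stmt.get("Condition"))
    wildcard_action = any(a == "*" or a.endswith("*") for a in actions)
    write_action = any(a.split(":")[-1].startswith(("Put", "Delete")) for a in actions)
    if public and not has_condition:
        return "HIGH", "Principal '*' with no Condition: anonymous access"
    if public and (wildcard_action or write_action):
        return "HIGH", "Principal '*' granted write or wildcard actions"
    if public:
        return "MEDIUM", "Principal '*' limited only by a Condition; verify its keys cannot be satisfied by an outsider"
    if wildcard_action:
        return "MEDIUM", f"wildcard action {actions}: grant only the s3 actions the caller needs"
    if any(k in stmt for k in ("NotPrincipal", "NotAction", "NotResource")):
        return "LOW", "Not* element: negative matching is easy to get wrong; prefer explicit lists"
    return None


def lint_bucket_policy(policy):
    """Return [(Sid, severity, message)] for every Allow statement that trips a rule.
    Deny statements are skipped: they only narrow access."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        result = _check_statement(stmt)
        if result:
            findings.append((stmt.get("Sid", "<no Sid>"), *result))
    return findings


# Constructed weak policy: anonymous read of every object, plus s3:* for an ops role.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::hypothetical-guest-data/*"},
        {"Sid": "OpsAll", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ops"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::hypothetical-guest-data",
                      "arn:aws:s3:::hypothetical-guest-data/*"]},
    ],
}

# Constructed hardened policy: one named role, enumerated actions, access only
# through a specific VPC endpoint, and an explicit Deny for non-TLS requests.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppReadOnlyViaVpce", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::hypothetical-guest-data",
                      "arn:aws:s3:::hypothetical-guest-data/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::hypothetical-guest-data",
                      "arn:aws:s3:::hypothetical-guest-data/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_bucket_policy(pol))
```

The linter only reads the bucket policy; it does not see IAM user or role policies that grant access from the identity side, nor the account-level Block Public Access setting, so run it alongside `aws s3api get-public-access-block` and an IAM review of who holds long-lived keys with `s3:GetObject` on the bucket.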