Full Report
For the latest discoveries in cyber research for the week of 24th February, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Check Point Research covers the recent ByBit hack, one of the largest thefts in digital asset history, its implications for crypto security, and security recommendations. In this event, hackers gained access to […] The post 24th February – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Compilation of Recent Cyber Incidents and Vulnerability Exploitation (Week of Feb 24, 2025)
## Executive Summary
This compilation summarizes several significant security events, including a $1.5 billion digital asset theft attributed to the Lazarus Group against ByBit, data breaches affecting organizations like Genea and Thermomix, and various zero-day or actively exploited vulnerabilities targeting Microsoft Power Pages and Ivanti Endpoint Manager. The incidents highlight diverse attack vectors ranging from direct blockchain manipulation to social engineering and supply chain exploitation, necessitating urgent patching and enhanced defense mechanisms across sectors.
## Incident Details
- **Discovery Date:** Ongoing throughout the week of February 24, 2025.
- **Incident Date:** Varied (ByBit occurred during a routine transfer; Insight Partners hack in January 2025).
- **Affected Organization:** ByBit, Ecuador’s National Assembly, Genea, Insight Partners, Vorwerk (Thermomix), CarMoney.
- **Sector:** Cryptocurrency Exchange, Government/Elections, Healthcare (Fertility), Venture Capital/Finance, E-commerce/Consumer Tech, Microfinance.
- **Geography:** Global (ByBit); Germany; Australia (Genea); USA (Insight Partners); various EU and global countries (Thermomix).
## Timeline of Events
### Initial Access
- **Date/Time:** Varied.
- **Vector:** Blockchain transaction manipulation (ByBit); Social engineering (Insight Partners); Exploitation of unpatched vulnerabilities (Power Pages/Ivanti); Compromised third-party server (Thermomix).
- **Details:** Attackers intercepted or manipulated a routine transfer from ByBit's cold wallet, diverting the funds. Insight Partners was compromised via social engineering. The Thermomix breach stemmed from a compromised server at an external service provider.
### Lateral Movement
- Limited details provided for most breaches, but the ongoing campaign exploiting CVE-2024-24919 saw the deployment of ShadowPad and potentially NailaoLocker ransomware, indicating established persistence and network movement capability.
### Data Exfiltration/Impact
- **ByBit:** Theft of $1.5 billion in digital assets.
- **Thermomix:** Exposure of 3.3 million user records (names, addresses, emails, contact info, preferences).
- **Genea:** Unauthorized access to unspecified sensitive data, under investigation.
- **Insight Partners:** Unauthorized access to data within information systems.
- **CarMoney:** Data breach leading to system shutdown and dissemination of confusing spam messages to customers.
### Detection & Response
- **Discovery:** ByBit recognized the theft during a routine transfer. Thermomix discovered the breach through a known compromise of an external provider's server.
- **Response Actions:** Insight Partners initiated an investigation. Genea took some systems offline as a precaution. Microsoft patched the Power Pages zero-day. CISA flagged the Craft CMS vulnerability for active exploitation.
## Attack Methodology
- **Initial Access:** Blockchain manipulation (ByBit), Social Engineering (Insight Partners), Zero-day exploitation (CVE-2025-24989 in Power Pages), Exploitation of patched but actively targeted vulnerabilities (CVE-2024-24919 leading to ShadowPad).
- **Persistence:** Implied via ShadowPad/NailaoLocker campaign activity.
- **Privilege Escalation:** Possible via Power Pages zero-day (bypassing access restrictions); Ivanti vulnerabilities allow relay attacks using machine account credentials.
- **Defense Evasion:** Advanced evasion techniques noted in research, including statistical manipulation of human interaction modules in sandboxes. Criminals used sophisticated URL tricks (exploiting the `userinfo` segment, the part of a URL's authority component before the `@`, so that a trusted-looking name precedes the real host) to hide phishing destinations.
- **Credential Access:** Implied in relay attacks targeting Ivanti EPM machine accounts.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Achieved in the ShadowPad/NailaoLocker deployment campaigns (targeting manufacturing sector).
- **Collection:** Gathering user profile information (Thermomix); theft of digital assets (ByBit).
- **Exfiltration:** Direct transfer of cryptocurrency (ByBit); leakage of user records (Thermomix).
- **Impact:** Massive financial loss (ByBit); PII exposure (Thermomix); System disruption (Ecuador’s Assembly, CarMoney).
## Impact Assessment
- **Financial:** $1.5 Billion loss for ByBit. Ongoing costs for Genea, Insight Partners, and Thermomix for remediation and potential fines.
- **Data Breach:** 3.3 million user profiles exposed (PII, contact info, preferences). Potential sensitive data exposure at Genea and Insight Partners.
- **Operational:** Disruption at Ecuador’s National Assembly; CarMoney shutting down all systems; Genea implementing precautionary system shutdowns.
- **Reputational:** Significant reputational damage to ByBit due to the scale of the theft; impact on Genea and Thermomix regarding data handling trust.
## Indicators of Compromise
- **Network indicators (Defanged):** (No specific external IPs/URLs provided in the summary context for listing).
- **File indicators:** `ShadowPad` malware; `NailaoLocker` ransomware. Protection signatures for Lazarus Group activity: `APT.Wins.Lazarus.*`, `APT.Win.Lazarus.*`, `APT.Wins.Lazarus.ta.*`.
- **Behavioral indicators:** Exploitation of CVE-2024-24919; Unusual transaction diversion during cold wallet transfer; Phishing using URL `userinfo` field manipulation; Exploitation of CVE-2025-24989 (Power Pages access bypass).
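The `userinfo` trick listed under Defense Evasion and in the behavioral indicators above relies on a reader seeing a familiar name before the `@` while the browser connects to whatever follows it. As an added illustration (example code written for this summary, not from Check Point's report), the following Python uses the standard library's `urlsplit` to separate that decoy text from the host actually contacted, which is the comparison a mail gateway or link scanner should make. The sample links are constructed, and the domain names in them are placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample links (placeholders, not indicators from the report).
# In the authority component "userinfo@host:port" a browser connects to
# "host"; a trusted-looking name placed in "userinfo" is pure decoy.
SAMPLE_URLS = [
    "https://www.example-bank.com@evil.example/login",
    "https://login.example-bank.com:443@198.51.100.7/reset",
    "https://www.example-bank.com/login",
    "https://user:pass@files.example.org/share",
    "www.example-bank.com@evil.example/verify",
]


def analyze_url(url: str) -> dict:
    """Split a URL and report whether its userinfo looks like a decoy host."""
    # Scheme-less links (common in mail bodies) parse as a bare path, so
    # add a scheme so that urlsplit fills in the authority component.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    userinfo = None
    if "@" in parts.netloc:
        # Only the last '@' separates userinfo from the host.
        userinfo = parts.netloc.rpartition("@")[0]
    real_host = parts.hostname or ""
    # Decoy heuristic: a dot in the username portion means the userinfo is
    # shaped like a hostname rather than like an account name.
    username = userinfo.split(":", 1)[0] if userinfo else ""
    return {
        "url": url,
        "real_host": real_host,
        "has_userinfo": userinfo is not None,
        "decoy_host": "." in username,
    }


def flag_decoy_links(urls) -> list:
    """Return the analysis records of every link whose userinfo mimics a host."""
    return [rec for rec in map(analyze_url, urls) if rec["decoy_host"]]


if __name__ == "__main__":
    for rec in map(analyze_url, SAMPLE_URLS):
        verdict = "DECOY" if rec["decoy_host"] else "ok"
        print(f"{verdict:5} real_host={rec['real_host']:<18} {rec['url']}")
```

Modern browsers strip or warn about credentials in the address bar, but the raw string is what appears in e-mail bodies, chat messages and proxy logs, so awareness training and URL-rewriting filters should key on `real_host` rather than on the text a user reads. The dot-in-username heuristic deliberately leaves ordinary `user:pass@host` links unflagged; tighten it to `has_userinfo` if your environment never legitimately uses embedded credentials.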
## Response Actions
- **Containment:** ByBit requires blockchain-level tracing/freezing (if possible). Genea took precautionary system shutdowns.
- **Eradication:** Microsoft patched Power Pages vulnerability. Ivanti, Craft CMS fixed their respective flaws. Organizations targeted by ShadowPad/NailaoLocker must scan and purge affected systems.
- **Recovery:** CarMoney was forced to restart its operations from scratch after the spam attack. All breached entities must carry out a full system review and rotate credentials.
## Lessons Learned
- Multi-signature controls and rigorous procedural verification are critical when moving assets from secure offline storage (cold wallets), as single points of failure during transfer were exploited.
- Third-party risk management is paramount; the Thermomix breach originated from a compromised external service provider.
- Zero-day vulnerabilities (CVE-2025-24989) require immediate, coordinated patching by vendors to prevent rapid widespread exploitation.
- Threat actors continuously refine evasion techniques, forcing security solutions to evolve beyond basic sandbox analysis.
## Recommendations
- Implement enhanced multi-factor authentication and strict access controls, especially for systems handling high-value assets or regulated data.
- Immediately apply all vendor patches for Microsoft Power Pages, Ivanti EPM, and Craft CMS.
- Enhance security awareness training to counter social engineering, particularly focusing on sophisticated URL obfuscation techniques.
- Review monitoring for statistical anomalies in system behavior, especially related to human interaction emulation, to detect advanced evasion attempts.
- For cryptocurrency holdings, establish out-of-band, human-verified approval processes for any movement authorized from cold storage.