Full Report
For the latest discoveries in cyber research for the week of 27th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Stark Aerospace, a US-based manufacturer specializing in missile systems and UAVs and a contractor to the US military and the Department of Defense (DoD), has been targeted by the INC ransomware group. The attackers […]

The post 27th January – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: January 2025 Threat Landscape Summary
## Executive Summary
The summary covers multiple high-profile security incidents reported around the week of January 27th, 2025, affecting critical sectors including defense manufacturing (Stark Aerospace), telecommunications (TalkTalk), finance (ICICI Bank, alleged), and cryptocurrency (Phemex). Key attack vectors were ransomware deployment, zero-day exploitation of Internet-facing networking appliances (Ivanti CSA, SonicWall SMA1000), and ongoing state-sponsored activity. Response actions ranged from network shutdown (Harrison County Schools) to operational pauses (Phemex) following large-scale data theft and, at Phemex, direct financial loss.
## Incident Details
- **Discovery Date:** Varied (Reports compiled week of January 27th, 2025)
- **Incident Date:** Varied (Specific dates often unconfirmed)
- **Affected Organization:** Stark Aerospace, TalkTalk, ICICI Bank (alleged), Phemex, Conduent, Rostelecom (contractor), Harrison County Schools
- **Sector:** Defense Manufacturing, Telecommunications, Finance, Cryptocurrency, Business Services, Education
- **Geography:** US, UK, India, Russia, Singapore
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Active exploitation reported for Ivanti/SonicWall)
- **Vector:** Ransomware deployment (INC group), zero-day exploitation of edge appliances (Ivanti CSA, SonicWall SMA1000), alleged unauthorized access (ICICI Bank, TalkTalk).
- **Details:** Attackers chained Ivanti CSA vulnerabilities (CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, CVE-2024-9380) to gain initial access, achieve remote code execution, and implant webshells. The SonicWall SMA1000 remote code execution flaw (CVE-2025-23006) was also exploited as a zero-day.
### Lateral Movement
- **Date/Time:** After initial access in the ongoing intrusions; not dated.
- **Vector:** Not detailed for most incidents; implied by the depth of network access in the Stark Aerospace ransomware intrusion and by the webshells implanted on compromised Ivanti CSA appliances.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during active compromise period.
- **Impact:**
* **Stark Aerospace:** 4TB exfiltrated (design documents, source code, UAV firmware, DoD contracts).
* **TalkTalk:** Customer data exposed (names, emails, IP addresses, phone numbers for ~18.8M customers).
* **ICICI Bank (Alleged):** Threat to leak sensitive bank data.
* **Phemex:** Theft of over $69 million in digital assets (ETH, BTC, BNB).
* **Rostelecom Contractor:** Leak of thousands of customer emails and phone numbers.
### Detection & Response
- **Date/Time:** Varied.
- **Detection:** Harrison County Schools responded on discovering the attack; Check Point products reportedly provided protection against the specific ransomware variants covered.
- **Response actions taken:**
* **Harrison County Schools:** Network shutdown upon discovery.
* **Phemex:** Paused certain operations; manually reviewing withdrawals; developing compensation plan.
* **Conduent:** Confirmed the incident as the cause of service outages across multiple US states and worked to restore services.
* **Agencies:** CISA/FBI issued advisories regarding exploited Ivanti vulnerabilities.
## Attack Methodology
| Category | Method(s) Identified |
| :--- | :--- |
| **Initial Access** | Exploitation of Ivanti CSA (CVEs), Exploitation of SonicWall SMA1000 RCE (CVE-2025-23006), Ransomware deployment (INC group). |
| **Persistence** | Implanting of webshells (reported in Ivanti exploitation chain). |
| **Privilege Escalation** | Not detailed; a necessary step after appliance exploitation to reach internal data stores. |
| **Defense Evasion** | Not detailed; associated with ransomware tooling and with state-sponsored tradecraft (e.g., the FBI warning on North Korean IT workers posing as legitimate remote staff). |
| **Credential Access** | Credential theft reported as part of the Ivanti CSA exploit chain. |
| **Discovery** | Attacker reconnaissance to locate target data (e.g., DoD contracts at Stark Aerospace). |
| **Lateral Movement** | Not detailed; implied by the breadth of data taken in the Stark Aerospace breach. |
| **Collection** | Staging of 4TB of data (Stark Aerospace); harvesting of customer PII (TalkTalk). |
| **Exfiltration** | Data theft (4TB from Stark), Theft of crypto assets ($69M from Phemex). |
| **Impact** | Data encryption/extortion (Ransomware groups), Financial loss (Phemex), Service outage (Conduent). |
## Impact Assessment
- **Financial:** $69 million stolen (Phemex); Potential massive costs associated with DoD contractor breach (Stark Aerospace).
- **Data Breach:** 4TB of sensitive defense/source code data (Stark Aerospace); PII/Contact data for ~18.8M customers (TalkTalk); Customer emails/phones (Rostelecom contractor).
- **Operational:** Service outage confirmed (Conduent); Operational pauses (Phemex); Network shutdown (Harrison County Schools).
- **Reputational:** Significant damage to defense contractor reputation (Stark Aerospace); Public disclosure of large-scale customer data exposure (TalkTalk).
## Indicators of Compromise
*(Note: no IP, domain, or hash indicators are reproduced here; specific IoCs are in the original research documents.)*
- **Network indicators:** Exploitation traffic against Internet-facing Ivanti CSA and SonicWall SMA1000 interfaces, followed by requests to webshell paths on the compromised appliances. The CISA/FBI advisory on the Ivanti CSA vulnerabilities describes the related exploitation behavior.
- **File indicators:** Webshells written to compromised appliances; INC ransomware payloads; the near-identical payloads shared by Morpheus and Hellcat affiliates.
- **Behavioral indicators:** Remote code execution attempts against exposed Ivanti CSA and SonicWall SMA1000 appliances; North Korean actors posing as remote IT workers to obtain and exfiltrate source code.
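The webshell and behavioral indicators above translate into two checks a responder can run on an exposed appliance or web host: a hunt for script files that are not in the vendor manifest or that carry command-execution markers, and a pass over the access log for successful requests to script paths outside the known application surface. The following is an added example written for this report, not code from Check Point Research or from any vendor; the marker list, the manifest, the directory layout, the Apache-style log lines and the IP addresses are all constructed for the demonstration, and the marker list is a starting point rather than a complete signature set.

```python
"""Webshell hunt for a web-facing appliance: flag files on disk that are not in
the vendor manifest or that carry command-execution markers, then correlate with
access-log requests to script paths outside the known application surface.
Added example; all inputs are constructed."""
import re
import tempfile
from pathlib import Path

# Source-level markers typical of PHP webshells. Hypothetical starting list,
# not an indicator set taken from the original report.
SHELL_MARKERS = [
    # eval(base64_decode(...)) / assert(gzinflate(...)) style loaders
    re.compile(rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    # direct command execution on request-controlled input
    re.compile(rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    # $_GET['f']($_POST['a']) variable-function call on request input
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
]


def hunt_webshells(web_root, manifest):
    """Return a sorted list of (relative_path, reason) for suspicious files.
    manifest: set of relative paths the vendor package is known to ship."""
    findings = []
    root = Path(web_root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        reasons = []
        if rel not in manifest:
            reasons.append("not in vendor manifest")
        if any(m.search(data) for m in SHELL_MARKERS):
            reasons.append("command-execution marker")
        if reasons:
            findings.append((rel, ", ".join(reasons)))
    return sorted(findings)


# Apache/nginx combined-format prefix: ip ident user [ts] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def flag_requests(log_lines, known_paths):
    """Return (ip, method, path) for successful (2xx) requests to server-side
    script paths that are not part of the known application surface; this is
    the access pattern of a dropped webshell being used."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if (path.endswith((".php", ".jsp", ".aspx"))
                and path not in known_paths
                and m.group("status").startswith("2")):
            hits.append((m.group("ip"), m.group("method"), path))
    return hits


def run_demo():
    """Build a constructed web root (one clean vendor file, one tampered vendor
    file, one dropped shell) plus constructed log lines, and run both checks."""
    manifest = {"index.php", "login.php"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "index.php").write_bytes(b'<?php echo "portal"; ?>')
        # vendor file with an appended base64 loader: in manifest, but tampered
        (root / "login.php").write_bytes(
            b'<?php include "auth.inc"; eval(base64_decode($_POST["z"])); ?>')
        # dropped file outside the manifest, executing request-controlled input
        (root / "uploads" / ".cache.php").write_bytes(b'<?php system($_GET["c"]); ?>')
        findings = hunt_webshells(root, manifest)

    # Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    log_lines = [
        '203.0.113.5 - - [27/Jan/2025:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512',
        '203.0.113.5 - - [27/Jan/2025:10:15:07 +0000] "POST /uploads/.cache.php?c=id HTTP/1.1" 200 87',
        '198.51.100.9 - - [27/Jan/2025:10:16:00 +0000] "GET /login.php HTTP/1.1" 200 1024',
        '203.0.113.5 - - [27/Jan/2025:10:16:30 +0000] "POST /uploads/.cache.php HTTP/1.1" 500 0',
    ]
    hits = flag_requests(log_lines, {"/index.php", "/login.php"})
    return findings, hits


if __name__ == "__main__":
    found, used = run_demo()
    for rel, why in found:
        print(f"suspicious file: {rel} ({why})")
    for ip, method, path in used:
        print(f"webshell access: {ip} {method} {path}")
```

The manifest comparison is what catches a tampered vendor file that the marker list misses and a dropped file whose contents are obfuscated beyond the markers; the log correlation then shows whether a flagged path was actually used and from where. On a real appliance the manifest would come from a clean install image or the vendor's package list, and the known-paths set from the application's routing table.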
## Response Actions
- **Containment:** Harrison County Schools shut down their network upon discovery. Phemex paused withdrawal requests pending manual review.
- **Eradication:** Not detailed for specific victims; ransomware clean-up and appliance patching are the implied steps.
- **Recovery:** Phemex working on a compensation plan for affected users. Conduent actively working to restore services following confirmed incident.
## Lessons Learned
- Zero-day vulnerabilities in Internet-facing edge infrastructure (VPN and gateway appliances such as Ivanti CSA and SonicWall SMA1000) are exploited rapidly, demanding immediate patch management and the retirement of end-of-life equipment such as Ivanti CSA 4.6.
- Cybercriminal groups (e.g., Hellcat and Morpheus) are sharing high-quality malicious codebases, so a payload detection built for one ransomware brand may need to cover several.
- State-sponsored threats (North Korean actors) leverage legitimate third-party IT pathways (remote contracting) to gain deep access for IP theft.
## Recommendations
- Immediately inventory all Ivanti CSA and SonicWall SMA1000 appliances, move any end-of-life versions to a supported release, and prioritize patching against CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, CVE-2024-9380, and CVE-2025-23006. An appliance that was exposed while unpatched should be checked for webshells rather than assumed clean after the update.
- Enhance vetting and monitoring processes for all third-party IT contractors, particularly those with access to source code or proprietary designs, given the FBI warnings on North Korean exploitation.
- Implement advanced endpoint protection capable of detecting newer, shared ransomware payloads (like those associated with Morpheus/Hellcat).