Full Report
For the latest discoveries in cyber research for the week of 31st March, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES New York University (NYU) suffered a cyber-attack which resulted in the exposure of over 3 million applicants’ data, including names, test scores, majors, and zip codes. The hacker redirected NYU’s website to […] The post 31st March – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Summary of Q1 2025 Cyber Incidents and Vulnerabilities
## Executive Summary
This summary covers several significant cyber incidents reported in late March/early April 2025, including data breaches at educational institutions (NYU) and infrastructure targets (KLIA, Ukrzaliznytsia), and ransomware activity targeting government (Union County) and retail (Sam's Club). The summary also details critical vulnerabilities exploited by APT groups and notable ransomware operations like BlackLock.
## Incident Details
- **Discovery Date:** Late March / Early April 2025 (Reporting Period)
- **Incident Date:** Varies (Some date ranges provided, e.g., Numotion: Sept–Nov 2024)
- **Affected Organization:** New York University (NYU), Kuala Lumpur International Airport (KLIA), Ukrzaliznytsia, Union County (PA), Sam's Club, Numotion, Abracadabra Finance.
- **Sector:** Education, Aviation/Transportation, Government, Finance/Crypto, Retail.
- **Geography:** USA (NY, PA), Malaysia, Ukraine.
## Timeline of Events
### Initial Access
- **NYU:** Vector undocumented, but involved redirecting the public website to display sensitive admissions data.
- **KLIA:** Vector undocumented, but resulted in disruption to the immigration system.
- **Ukrzaliznytsia:** Vector undocumented, resulting in disruption of online ticketing services.
- **Sam’s Club:** Claims made by Clop ransomware group; vector currently unconfirmed by the organization.
- **Union County (PA):** Vector undocumented; resulted in ransomware deployment and data exfiltration.
- **Numotion:** Successful phishing emails targeting employee email accounts.
- **Abracadabra Finance:** Exploitation of vulnerabilities in "cauldrons" (isolated lending markets).
### Lateral Movement
- **Weaver Ant (Telecommunications Target):** After initial infiltration via compromised home routers, leveraged web shells and tunneling techniques to maintain persistence and move within the network.
### Data Exfiltration/Impact
- **NYU:** Exposure of over 3 million applicants’ data (names, test scores, majors, zip codes) dating back to 1989.
- **KLIA:** Disruption of the immigration system, affecting check-in and causing significant travel delays.
- **Union County (PA):** Exfiltration of Social Security Numbers and driver’s licenses.
- **Abracadabra Finance:** Theft of approximately $13 million in digital currency.
- **Numotion:** Data breach of nearly 500,000 individuals following email account compromise.
- **BlackLock Group:** Linked to 46 claimed victims across multiple sectors, indicating data exfiltration as a primary goal.
### Detection & Response
- **KLIA:** Authorities confirmed the incident and received a $10 million ransom demand.
- **Abracadabra Finance:** Investigating the breach and offered a 20% bug bounty to the attacker for return of funds.
- **Vulnerabilities:** Multiple vendors (Google, Veeam, Speedify, Microsoft) released patches for critical vulnerabilities, some of them already exploited in the wild.
## Attack Methodology
| Category | Method/Technique Observed |
| :--- | :--- |
| **Initial Access** | Phishing (Numotion); Exploiting lending market vulnerabilities (Abracadabra Finance); Exploiting zero-days in software (e.g., CVE-2025-26633 in MMC by Water Gamayun). |
| **Persistence** | Web shell deployment, SSH tunneling (Resurge malware, Weaver Ant). |
| **Privilege Escalation** | Local privilege escalation via CVE-2025-25364 (Speedify VPN), potentially leading to full system compromise. |
| **Defense Evasion** | Resurge malware manipulates files on the compromised appliance to evade detection. |
| **Credential Access** | Employee account credentials obtained through successful phishing (Numotion); credentials actively targeted by Resurge malware. |
| **Discovery** | Implied in operations by APT groups (Water Gamayun, Weaver Ant). |
| **Lateral Movement** | Tunneling techniques (Weaver Ant). |
| **Collection** | Gathering of academic/admissions data (NYU); Gathering financial data (Abracadabra). |
| **Exfiltration** | Data listed on a dark web leak site (Sam's Club claim by Clop); direct exfiltration of SSNs and driver's licenses (Union County). |
| **Impact** | Ransomware encryption (Union County); Denial of service/disruption (KLIA, Ukrzaliznytsia); Theft of cryptocurrency (Abracadabra). |
## Impact Assessment
- **Financial:** $10 million ransom demanded at KLIA; ~$13 million stolen from Abracadabra Finance.
- **Data Breach:** 3+ million academic records (NYU); SSNs and Driver’s Licenses (Union County); ~500,000 individuals affected (Numotion).
- **Operational:** Significant travel delays at KLIA; Disruption of passenger ticket sales for Ukrzaliznytsia.
- **Reputational:** Public data exposure regarding sensitive admissions policies (NYU); Brand risk associated with ransomware claims (Sam’s Club).
## Indicators of Compromise
*Note: The source does not provide atomic IoCs (hashes, IP addresses, domains); it refers only to malware families and CVE IDs.*
- **Network Indicators:** SSH Tunneling activity, web shell communications.
- **File Indicators:** Resurge backdoor artifact deployment.
- **Behavioral Indicators:** Manipulation of MMC's MUIPath lookup so that an attacker-controlled console (.msc) file is loaded, leading to code execution (Water Gamayun via CVE-2025-26633).
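The MUIPath abuse above leaves a recognisable on-disk pattern: a clean console file next to a same-named .msc inside a locale-named subdirectory (the public reporting on Water Gamayun names `en-US`). The hunting script below is an added example, not part of the original report or any vendor tooling; it assumes that mmc.exe resolves the localized twin from such a subdirectory, generalises the locale folder name to any `xx-YY` pattern, and builds a constructed sample tree in a temporary directory so it runs offline on any OS.

```python
"""Hunt for MMC .msc "twin" files (the CVE-2025-26633 / MUIPath abuse pattern).

Added example, not from the original report. Assumption: mmc.exe resolves a
console's MUIPath by looking for a same-named .msc in a locale-named
subdirectory (e.g. en-US) beside the console; a malicious twin planted there
is loaded in place of the clean file.
"""
import os
import re
import tempfile
from pathlib import Path

# Locale folder names used by MUI lookups: "en-US", "de-DE", ...
# Assumption: public reports name en-US; the regex generalises to any xx-YY folder.
LOCALE_DIR = re.compile(r"^[a-z]{2,3}-[A-Z]{2}$")


def find_msc_twins(root):
    """Return sorted (clean_path, twin_path) pairs where a locale subfolder holds
    a .msc with the same (case-insensitive) name as a .msc in its parent."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        parent = Path(dirpath)
        consoles = {f.lower(): f for f in filenames if f.lower().endswith(".msc")}
        if not consoles:
            continue  # nothing here that a twin could shadow
        for d in dirnames:
            if not LOCALE_DIR.match(d):
                continue
            locale_dir = parent / d
            for f in os.listdir(locale_dir):
                if f.lower() in consoles:
                    hits.append((parent / consoles[f.lower()], locale_dir / f))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample data: one planted twin pair and one benign console."""
    base = Path(base)
    (base / "tools" / "en-US").mkdir(parents=True)
    (base / "tools" / "console.msc").write_text("<MMC_ConsoleFile/>")           # clean decoy
    (base / "tools" / "en-US" / "console.msc").write_text("<MMC_ConsoleFile/>")  # planted twin
    (base / "other").mkdir()
    (base / "other" / "svc.msc").write_text("<MMC_ConsoleFile/>")               # no twin, benign
    return base


def run_demo():
    """Build the constructed tree, scan it, and return root-relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        twins = find_msc_twins(base)
        return [(c.relative_to(base).as_posix(), t.relative_to(base).as_posix())
                for c, t in twins]


if __name__ == "__main__":
    for clean, twin in run_demo():
        print(f"suspicious twin: {twin} shadows {clean}")
```

On a real host, point `find_msc_twins` at user-writable locations such as `%TEMP%` and `%APPDATA%`; a twin pair there, rather than under `%SystemRoot%\System32`, is the signal worth escalating.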
## Response Actions
- **Containment:** Investigation of compromised email accounts (Numotion); security firms engaged (Abracadabra Finance).
- **Eradication:** Not specified for most breaches; for the exploited vulnerabilities, vendors (Google, Veeam, Speedify, Microsoft) released patches.
- **Recovery:** Restoring ticketing services (Ukrzaliznytsia); Addressing system disruption (KLIA).
## Lessons Learned
- **Social Engineering Efficacy:** Phishing remains a highly effective vector for gaining initial access, as demonstrated by the Numotion breach.
- **Infrastructure Sensitivity:** Critical national infrastructure (Aviation systems, railways) remains a prime target for disruptive attacks, often coupled with ransomware demands.
- **Third-Party Software Risk:** Vulnerabilities in widely deployed backup and remote-access products (Veeam, Ivanti Connect Secure) expose every organization that runs them, as the Resurge malware on Ivanti Connect Secure appliances shows.
- **Public Exposure as a Tactic:** Ideologically motivated attacks (NYU) use public exposure of the data itself, rather than extortion, as the primary impact.
## Recommendations
- **Enhanced Email Security:** Implement phishing-resistant multi-factor authentication and advanced protection against phishing campaigns, especially for employee mailboxes whose compromise enables large-scale breaches such as Numotion.
- **Patch Management Priority:** Immediately apply security patches for newly disclosed critical vulnerabilities, especially those allowing RCE on internet-facing or core infrastructure systems (e.g., Veeam, Ivanti).
- **Zero Trust on Legacy Data:** Re-evaluate how sensitive historical data (admissions records dating back decades) is stored and secured, minimizing public-facing exposure routes.
- **Cryptocurrency Security:** Implement stricter testing protocols for smart contracts and isolated lending environments to prevent direct asset theft via vulnerability exploitation.