Full Report
For the latest discoveries in cyber research for the week of 7th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The second-largest bar association in the US, The State Bar of Texas, has experienced a ransomware attack that resulted in unauthorized access to its network, exposing sensitive member information including full names […]

The post 7th April – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Compilation of Recent Security Incidents (Week of April 7, 2025)
## Executive Summary
This compilation summarizes multiple significant security incidents reported during the week of April 7, 2025, involving ransomware attacks, data breaches against major organizations like The State Bar of Texas and Port of Seattle, and active zero-day exploitation. The incidents highlight ongoing risks associated with ransomware groups (INC, Rhysida, RansomHub), supply chain compromise (Spectos), and vulnerability exploitation in both enterprise software (Cisco, Ivanti) and consumer platforms (Apple).
## Incident Details
- **Discovery Date:** Ongoing reporting throughout the week of April 7, 2025.
- **Incident Date:** Varies; specific dates mentioned for some: Chord Specialty Dental (Aug 19 - Sep 25, 2024), Port of Seattle (Fall 2024).
- **Affected Organization:** State Bar of Texas, Port of Seattle, Lower Sioux Indian Community, Royal Mail (via Spectos), Chord Specialty Dental Partners, Europcar Mobility Group, various entities affected by software vulnerabilities (Cisco, Ivanti, Apple).
- **Sector:** Legal Services, Transportation/Port Authority, Tribal Government/Healthcare/Casino, Logistics, Dental Services, Automotive Rental, Software/Tech.
- **Geography:** Primarily US (Texas, Washington, Minnesota), UK/Germany (Royal Mail supply chain).
## Timeline of Events
### Initial Access
- **State Bar of Texas:** Initial access leading to INC ransomware infection (Date TBD).
- **Port of Seattle:** Ransomware attack (Attributed to Rhysida) occurred in Fall 2024.
- **Lower Sioux Indian Community:** Ransomware attack claimed by RansomHub (Date TBD).
- **Royal Mail:** Compromise initiated via Spectos (German logistics supplier).
- **Chord Specialty Dental Partners:** Unauthorized access to employee email accounts between Aug 19 and Sep 25, 2024.
- **Europcar:** Attack breached GitLab repositories.
- **Cisco/Ivanti:** Exploitation of vulnerabilities (CVE-2024-20439/20440 and CVE-2025-22457) occurring in the wild.
- **Zoom/PyPI:** Reports of malicious installers (fake Zoom) and a malicious PyPI package ('disgrasya') facilitating fraud.
### Lateral Movement
- **BlackSuit Incident:** Attackers used loaders (d3f@ckloader, IDAT loader) and malware (SectopRAT, Cobalt Strike, Brute Ratel, QDoor) for lateral movement over nine days before ransomware deployment.
- **UNC5221 (Ivanti):** Exploitation of CVE-2025-22457 allowed RCE, leading to deployment of TRAILBLAZE and BRUSHFIRE malware.
- **PostgreSQL Campaign (Jinx-0126):** Exploited weak credentials to deploy XMRig-C3 fileless cryptominers.
### Data Exfiltration/Impact
- **State Bar of Texas:** Exfiltration of sensitive member information, including full names and legal case documents.
- **Port of Seattle:** Exposed PII of ~90,000 individuals (SSNs, DOBs, medical info, driver’s licenses).
- **Lower Sioux Indian Community:** Widespread disruption to healthcare, government, and casino systems (communications, booking, gaming).
- **Royal Mail:** Exposure of 16,549 files (purportedly 144 GB) containing names, addresses, phone numbers, and package details.
- **Chord Specialty Dental:** Theft of highly sensitive PII and PHI (SSNs, bank data, medical records).
- **Europcar:** Theft of source code (Android/iOS apps) and SQL backups containing PII (~50k to 200k client names/emails).
### Detection & Response
- **General:** Detection reported based on external advisories, discovery of leaked data, or system disruption.
- **Response:** Specific actions were generally limited to notification (e.g., Port of Seattle, State Bar of Texas) or protection enforcement (Check Point IPS/Emulation defending against known threat vectors).
## Attack Methodology
| Category | Method(s) Used |
| :--- | :--- |
| **Initial Access** | Ransomware deployment (INC, Rhysida, RansomHub), Exploitation of public-facing SQL servers (weak credentials), Supply Chain compromise (Spectos), Email account compromise (Chord), Exploitation of Ivanti VPN (UNC5221), Zero-day exploitation (Cisco CSLU API), Malicious installers (Fake Zoom). |
| **Persistence** | Implied by BlackSuit/Cobalt Strike activity, and deployment of malware families after Ivanti RCE. |
| **Privilege Escalation** | CVE-2024-20439 (Static admin credential in CSLU), CVE-2025-24085 (Use-after-free in Apple Core Media). |
| **Defense Evasion** | Weaponization of PDFs using obfuscation (redirects, QR codes) to bypass static analysis. Fileless execution for cryptomining. |
| **Credential Access** | CVE-2024-20440 (Exposing API credentials via debug logs), Exploiting weak/guessable credentials for PostgreSQL. |
| **Discovery** | Implied actions by Cobalt Strike/Brute Ratel post-infiltration. |
| **Lateral Movement** | Loaders (d3f@ckloader, IDAT loader), SectopRAT, Cobalt Strike, Brute Ratel, QDoor (BlackSuit chain). |
| **Collection** | Gathering of legal documents, PII, SSNs, medical data, source code, and SQL backups. |
| **Exfiltration** | Data exposed for sale on dark web forums (GHNA group). |
| **Impact** | Ransomware encryption (leading to system outages), Data theft and extortion. |
## Impact Assessment
- **Financial:** Not quantified, but significant remediation/notification costs expected for all breached entities. Europcar data reportedly offered for sale.
- **Data Breach:** Extensive PII and sensitive data compromised, including SSNs, medical records, legal records, source code, and banking information, affecting hundreds of thousands of individuals across multiple organizations.
- **Operational:** Severe disruption reported for Lower Sioux Indian Community (healthcare, casino operations). Potential risks to development pipelines (Europcar source code).
- **Reputational:** High negative impact due to the exposure of sensitive PII and involvement of high-profile organizations (State Bar, Port Authority).
## Indicators of Compromise
*(Note: Since this is a summary of multiple reports, specific IoCs beyond the CVEs affecting vendor products are not detailed or are defanged)*
- **Network indicators:** *See CVE references below.*
- **File indicators:** TRAILBLAZE malware, BRUSHFIRE malware, XMRig-C3 cryptominer.
- **Behavioral indicators:** Use of malicious PyPI package 'disgrasya' targeting WooCommerce; Fileless cryptomining activity post-exploitation.
## Response Actions
- **Containment:** Not explicitly detailed for most incidents, but assumed to involve immediate blocking of known malicious IPs/domains associated with ransomware infrastructure.
- **Eradication:** In the BlackSuit incident, eradication involved removing loaders and malware after nine days. For CVE exploitation, patching/mitigation is required.
- **Recovery:** Organizations like the Lower Sioux Indian Community experienced service outages requiring restoration of healthcare, government, and casino systems.
## Lessons Learned
1. **Supply Chain Risk is Critical:** The Royal Mail incident underscores the severe risk posed by third-party vendors (Spectos) in the logistics chain.
2. **High-Severity Vulnerabilities are Exploited Immediately:** Critical flaws in Cisco (CVE-2024-20439/20440) and Ivanti (CVE-2025-22457) were already being exploited in the wild, emphasizing rapid patch deployment for high-CVSS vulnerabilities.
3. **Data Staging and Persistence:** The BlackSuit attack demonstrated a prolonged campaign (nine days) utilizing multiple sophisticated loaders before final ransomware deployment, indicating deep reconnaissance.
4. **Non-Traditional Attack Surfaces:** Attacks targeting legitimate sources like PyPI packages ('disgrasya') and weaponized PDFs show threat actors constantly evolving methods to bypass traditional gateway defenses.
## Recommendations
1. **Prioritize Patching:** Implement a rigorous process to immediately apply patches for vulnerabilities rated CVSS 9.0+ or those confirmed as being exploited (e.g., Ivanti CVE-2025-22457).
2. **Vendor Risk Management:** Increase scrutiny and segmentation around third-party vendors with access to core systems or data (e.g., logistics suppliers like Spectos).
3. **Email Gateways:** Enhance email security focusing on advanced static/dynamic analysis for PDF attachments, given that 22% of malicious payloads hide in these documents.
4. **Hardening:** Review and enforce credential hygiene, especially on public-facing services like PostgreSQL databases, to prevent brute-forcing of dictionary or guessable credentials.
5. **Endpoint Monitoring:** Implement advanced EDR solutions capable of detecting fileless malware and sophisticated post-exploitation frameworks like Cobalt Strike and Brute Ratel.
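As an added example (not from the Check Point bulletin or any of the incidents it summarizes), the following Python implements the detection side of recommendations 4 and 5 for the PostgreSQL weak-credential campaign: it counts password-authentication failures per client host inside a sliding window and flags a host that then authenticates successfully, which is the pattern that precedes the cryptominer deployment. It assumes PostgreSQL logs with `log_line_prefix = '%m [%p] %h '` (timestamp, PID, client host); the log lines below are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed PostgreSQL log sample, assuming log_line_prefix = '%m [%p] %h '.
# 203.0.113.5 sprays five passwords in ~2 s and then gets in; 198.51.100.7 is a
# legitimate user mistyping a password twice, 25 minutes apart.
SAMPLE_LOG = """\
2025-04-07 10:00:01.001 UTC [4101] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2025-04-07 10:00:01.420 UTC [4102] 203.0.113.5 FATAL:  password authentication failed for user "admin"
2025-04-07 10:00:02.105 UTC [4103] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2025-04-07 10:00:02.900 UTC [4104] 203.0.113.5 FATAL:  password authentication failed for user "test"
2025-04-07 10:00:03.333 UTC [4105] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2025-04-07 10:00:04.010 UTC [4106] 203.0.113.5 LOG:  connection authorized: user=postgres database=postgres
2025-04-07 10:05:00.000 UTC [4200] 198.51.100.7 FATAL:  password authentication failed for user "app"
2025-04-07 10:30:00.000 UTC [4201] 198.51.100.7 FATAL:  password authentication failed for user "app"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \w+ \[\d+\] (?P<host>\S+) '
    r'(?P<level>FATAL|LOG):\s+(?P<msg>.*)$'
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTH_OK_RE = re.compile(r'connection authorized: user=(?P<user>\S+)')


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {host: alert} for hosts with >= threshold auth failures in one sliding window.
    The alert records the usernames tried and whether a successful login followed."""
    recent = defaultdict(deque)  # host -> (timestamp, user) failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats (DETAIL, STATEMENT, ...)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        host, msg = m["host"], m["msg"]
        fail = AUTH_FAIL_RE.search(msg)
        if fail:
            q = recent[host]
            q.append((ts, fail["user"]))
            while ts - q[0][0] > window:  # evict failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts[host] = {"failures": len(q),
                                "users_tried": sorted({u for _, u in q}),
                                "followed_by_success": False}
        elif host in alerts and AUTH_OK_RE.search(msg):
            # Success right after a burst of failures is the event worth paging on.
            alerts[host]["followed_by_success"] = True
    return alerts
```

Thresholds are tunable per environment; a legitimate user's occasional typo (the second host) stays under the default, while a spray against several account names in seconds does not.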