NTT discloses breach affecting corporate customers. Malvertising campaign hits nearly a million devices. Botnets exploit critical IP camera vulnerability.
# Incident Report: Multiple Unrelated Security Incidents
## Executive Summary
This report summarizes four distinct security incidents: the seizure of the Garantex crypto exchange by law enforcement; a data breach at NTT affecting corporate customer order systems; a global malvertising campaign distributing info-stealers; and active exploitation of a critical IP camera vulnerability by botnets. The impacts ranged from financial disruption and regulatory action to widespread customer data compromise and IoT device compromise.
## Incident Details
- **Discovery Date:** Varies per incident (NTT breach discovered in February; IP camera exploitation actively ongoing).
- **Incident Date:** Varies per incident.
- **Affected Organization:** Garantex (Seized), NTT Communications Corporation, Nearly one million devices (Malvertising victims), Edimax IP camera owners.
- **Sector:** Cryptocurrency Exchange, Telecommunications, Various (IoT/Consumers).
- **Geography:** Global (Garantex/Malvertising), Japan (NTT).
## Timeline of Events
### Initial Access
- **Date/Time:** Varies.
- **Vector:** Law enforcement action (Garantex); unauthorized access to NTT's Order Information Distribution System (NTT); malvertising redirection from illegal streaming sites (Malvertising); exploitation of CVE-2025-13136 (IP Cameras).
- **Details:**
  - **Garantex:** Seizure initiated by the US Secret Service and international partners.
  - **NTT:** Attackers accessed the Order Information Distribution System.
  - **Malvertising:** Redirectors on illegal streaming sites led users to GitHub, where the malware was hosted.
  - **IP Cameras:** Exploitation of CVE-2025-13136 (CVSS 9.3, RCE flaw).
### Lateral Movement
- **Malvertising:** Once an initial foothold was established via the GitHub-hosted dropper, additional payloads (Lumma stealer or Doenerium) were downloaded. Note that this is second-stage payload delivery on the same host rather than lateral movement across the network.
### Data Exfiltration/Impact
- **NTT:** Exposure of customer data including names, contract numbers, phone numbers, email addresses, physical addresses, and service usage information.
- **Malvertising:** Information stealers collected system and browser information.
- **IP Cameras:** Botnets (Mirai-based) are actively exploiting the RCE vulnerability.
- **Garantex:** The exchange's domain was seized; Tether blocked associated wallets due to EU sanctions.
### Detection & Response
- **NTT:** Breach discovered in February. NTT disclosed the incident.
- **Garantex:** Seized by the US Secret Service via warrant.
- **IP Cameras:** CISA issued an advisory; Akamai researchers identified the flaw and active exploitation.
## Attack Methodology
- **Initial Access:** Law enforcement intervention (Garantex); unauthorized access to corporate systems (NTT); malvertising/tech support scam leading to GitHub payload delivery (Malvertising); exploitation of the RCE vulnerability CVE-2025-13136 (IP Cameras).
- **Persistence:** Unspecified for NTT/Garantex; Malware dropper established a foothold (Malvertising).
- **Privilege Escalation:** Not explicitly detailed; unauthenticated RCE on IP camera firmware typically yields full control of the device without a separate escalation step.
- **Defense Evasion:** Not explicitly detailed.
- **Credential Access:** Information stealers (Lumma/Doenerium) were deployed (Malvertising).
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Inferred via dropper deploying secondary payloads (Malvertising).
- **Collection:** System and browser information gathered (Malvertising).
- **Exfiltration:** Data potentially leaked externally (NTT); Information stolen (Malvertising).
- **Impact:** Regulatory action/seizure (Garantex); Corporate PII exposure (NTT); Widespread device compromise (Malvertising/IP Cameras).
## Impact Assessment
- **Financial:** Not specified, but significant regulatory/legal costs expected for Garantex; potential financial liability for NTT.
- **Data Breach:** Names, contract numbers, phone numbers, emails, addresses, service usage for 18,000 NTT corporate customers. System/browser data stolen via stealer malware.
- **Operational:** Disruption of Garantex operations; potential operational security compromises for 18,000 NTT customers utilizing affected data.
- **Reputational:** Significant impact on NTT's reputation as a major telecom provider.
## Indicators of Compromise
- **Network Indicators:** Domains associated with Garantex were seized; attackers used GitHub repositories to host payloads. No specific domains or IP addresses are provided in the source material.
- **File Indicators:** Lumma stealer and Doenerium malware samples; no hashes are provided in the source material.
- **Behavioral Indicators:** Malvertising redirection chains from illegal streaming sites; execution of a dropper fetched from a GitHub repository; botnet traffic exploiting CVE-2025-13136.
## Response Actions
- **Containment:** USSS seized Garantex domains; Tether blocked wallets.
- **Eradication:** Not specified for NTT/Malvertising victims, but implied removal of malicious code.
- **Recovery:** Not specified for NTT, likely involving customer notification and system review.
## Lessons Learned
- **Garantex:** Law enforcement remains active in dismantling ransomware financial infrastructure globally.
- **NTT:** Critical third-party data stored in operational systems (Order Information Distribution System) represents a high-value target and requires stringent separation/security controls.
- **Malvertising:** Ad-driven redirect chains that deliver payloads from attacker-controlled repositories on trusted platforms (such as GitHub) remain a viable avenue for mass compromise, because traffic to those platforms is rarely blocked outright.
- **IP Cameras:** Unpatched critical vulnerabilities (CVSS 9.3 RCE) in widely deployed IoT devices are swiftly weaponized by established botnets.
## Recommendations
- **NTT/Data Handlers:** Review and segment systems holding customer contract and personally identifiable information (PII). Implement continuous monitoring on order/distribution systems.
- **General Security:** Proactive patching and network segmentation for all Internet-facing devices, especially IoT/ICS hardware (e.g., IP cameras). Inventory any Edimax cameras in the environment and track their remediation status for CVE-2025-13136.
- **General Security:** Enhance web filtering and endpoint detection to block access to known malicious repositories (GitHub pages hosting malware droppers) and suspicious redirect chains originating from illegal streaming sites.