But there's plenty in it — including two zero-days — that need immediate attention.

Source: Somphop Krittayaworagul via Shutterstock

Microsoft's February security update contains substantially fewer vulnerabilities for admins to address compared to a month ago, but there's still plenty in it that requires immediate attention.

Topping the list are two zero-day vulnerabilities that attackers are actively exploiting in the wild, two more that are publicly known but not exploited yet, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of other common vulnerabilities and exposures (CVEs) with potentially severe consequences for affected organizations.

**63 CVEs, 2 Zero-Days**

In total, Microsoft released patches for 63 unique CVEs, a far cry from the massive 159 CVEs — including a startling eight zero-days — that the company disclosed in January. Microsoft assessed four of the bugs it disclosed today as being of critical severity. It rated the vast majority of the remaining bugs as important to address but of lesser severity for a variety of factors, including attack complexity and privileges required to exploit the vulnerability.

The two actively exploited zero-day bugs in this month's update are CVE-2025-21418 (CVSS score 7.8), an elevation of privilege vulnerability in Windows Ancillary Function Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), another elevation of privilege issue, this time affecting Windows Storage. Per its usual practice, Microsoft's advisories for both bugs offered no details on the exploitation activity. But security researchers had their own take on why organizations need to address the issues ASAP.

CVE-2025-21418, for instance, only enables a local exploit. That means an attacker or malicious insider must already have access to a target machine, via a phishing attack, malicious document, or other vector, said Kev Breen, senior director, cyber threat research, at Immersive Labs. Even so, such flaws are "valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access," Breen said in an emailed comment. An attacker who successfully exploits the flaw can gain SYSTEM level privileges on the affected system, he said, while recommending that organizations make the vulnerability a top priority to fix.

With CVE-2025-21391, the Windows Storage zero-day, the concern is not about the flaw enabling unauthorized data access; rather, the concern is about how attackers could exploit it to affect data integrity and availability. "Microsoft has outlined that if the attacker successfully exploited this vulnerability, they would only be able to delete targeted files on a system," said Natalie Silva, lead cyber security engineer at Immersive Labs, in an emailed comment. "Microsoft has released patches to mitigate this vulnerability. It's recommended for administrators to apply these immediately."

In a blog, researchers at Action1 described the flaw as resulting from a weakness in how Windows Storage resolves file paths and follows links. Attackers can leverage the weakness to "redirect file operations to critical system files or user data, leading to unauthorized deletion," the security vendor said.

Breen recommended that organizations also treat CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a high priority bug that needs immediate attention. When Microsoft originally disclosed the bug in December 2024, it did not have a patch available for it, making the flaw a zero-day threat. "The vulnerability allows a threat actor to steal the NTLM credentials for a victim by sending them a malicious file," Breen said. "The user doesn't have to open or run the executable but simply viewing the file in Explorer could be enough to trigger the vulnerability." Microsoft itself has assessed the vulnerability as something that threat actors are more likely to exploit

The other previously disclosed vulnerability in the February patch update is CVE-2025-21194, a security feature bypass vulnerability in Microsoft Surface.

**Critical Flaws**

The flaws that Microsoft rated as being of critical severity in this latest update are CVE-2025-21379 (CVSS Score 7.1), an RCE in the DHCP client service; CVE-2025-21177 (CVSS Score 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Windows LDAP and the only one in the set that Microsoft identified as more vulnerable to exploitation.

Interestingly, one of the flaws that Microsoft rated as critical (CVE-2025-21177) required affected customers to do nothing, but it is an issue that Microsoft has already addressed on its end. This vulnerability makes use of the newer CAR (customer action required) attribute to identify that there is no customer actions required, says Tyler Reguly, associate director security R&D at Fortra. "While these information updates are nice, they can bloat the number of updates that admins may be worried about dealing with on a Patch Tuesday," Reguly said in an emailed comment. "One can't help but wonder if these updates should be issued outside of Patch Tuesday since they do not require customer action."

Meanwhile, the only CVE to earn a severity score of 9.0 in this month's update — (CVE-2025-21198) — is an RCE affecting Microsoft High Performance Compute (HPC) Pack. An attacker cannot exploit the flaw unless they have access to the network used to connect to the high-performance cluster, Reguly said. "This networking requirement should limit the impact of what would otherwise be a more serious vulnerability."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft's February Patch a Lighter Lift Than January's

The vulnerability could allow a threat actor to disable the security feature on a locked device and gain access to user data.

Source: Simon Dack via Alamy Stock Photo

NEWS BRIEF

Apple has released a security update for a vulnerability that the tech giant reports may have been exploited in an "extremely sophisticated attack."

Not only that, but these attacks targeted specific individuals, though Apple has not provided any further information.

The vulnerability, tracked as CVE-2025-24200, could allow for a physical attack to disable USB Restricted Mode on a locked device.

USB Restricted Mode is a feature that makes it more difficult for threat actors to unlock a user's phone. When active, a phone's lightning port will only allow charging after the device has been locked for more than an hour, meaning that if an unauthorized actor attempted to connect a locked iPhone to a device to access its data, they could only do so with the necessary credentials.

The security update to fix this vulnerability is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch third generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, iPad seventh generation and later, and iPad mini fifth generation and later.

Users of any of these devices should install updates as soon as possible and can check if they're updated to the latest software version by going to their settings.

These kinds of vulnerabilities are usually deployed by commercial spyware vendors, such as Pegasus, to target particular individuals, so the average user shouldn't be concerned about being targeted while the details of the attack remain unpublished. However, if they are published, copycat cybercriminals will try to imitate this attack vector, hence the urgency in updating to the latest version.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Releases Urgent Patch for USB Vulnerability

The staffers were tasked with building relationships on the ground across the country in local election jurisdictions, teaching election officials tactics on mitigating cyber threats, cyber hygiene, combating misinformation and foreign influence, and more.

Source: Rob Crandall via Alamy Stock Photo

NEWS BRIEF

The US Cybersecurity and Infrastructure Security Agency (CISA) has placed 17 staffers who worked with local officials to provide training on dealing with election-related cyber threats on leave.

This leave is pending an internal review, which will examine the staffers' work to combat cyber threats from foreign governments, and efforts to influence US elections with disinformation campaigns.

Ten of the employees are regional election security specialists, specifically hired to grow field staff and election security knowledge before the 2024 election. All 17 employees were former state or local election officials who were tasked with building relationships across 8,000 different local election jurisdictions across the country.

The other staffers that have been placed on leave include current and former members of CISA's Election Security and Resilience team, a leave that is also pending review of the agency's work to combat misinformation and disinformation campaigns. 

Some elected state officials have been particularly outspoken about the benefits that CISA's work has provided in securing election offices and mitigating cyber threats, such as Kentucky Secretary of State Michael Adams, who applauded the "boots on the ground" tactics CISA implemented, and the relationships its employees built with county clerks. 

"They're teaching them and helping them check their physical security and their cyber hygiene, and that's been extremely popular," said Adams.

For now, the reviews only heighten questions and concerns over the future of the agency in this second Trump administration, especially considering the lack of a replacement for Jen Easterly as CISA director.

The first Trump administration went head-to-head with CISA when the agency aimed to counter misinformation about the 2020 election, which then-president Trump and his allies deemed as "stolen" without evidence. That included the firing of CISA Director Chris Krebs, who called the 2020 presidential election the most secure election in American history.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

CISA Places Election Security Staffers on Leave

State-led data privacy laws and commitment to enforcement play a major factor in shoring up business data security, an analysis shows.

Source: Oleckii Mach via Alamy Stock Photo

States are increasingly embracing data privacy regulation, and Kentucky, Rhode Island, and Tennessee are leading the charge. That has earned them high marks from security experts and landed them at the top of the list of states with the lowest rates of data breaches.

These three states are effectively protecting data because of a dual approach of drafting smart data privacy legislation, and then enforcing those laws when appropriate, according to Anonta Khan, who is with DesignRush, the firm that conducted the state data privacy study. Conversely, South Dakota (which got the lowest safety score in the survey, 65.14 out of 100) and Alaska (66.50) rank at the bottom.

"Some states, like Kentucky (the highest rated at 99.32) and Rhode Island (97.14), do a good job protecting data," Khan says. "They have fewer cybercrimes and data leaks. Others, like South Dakota and Alaska, have weak laws and a lot of cyber threats."

However, she stresses, "having strong laws doesn't always mean a state is safe."

It's more nuanced than that.

**Higher Safety Scores Don't Mean Less Cybercrime**

In general, the results of the study suggest that states with less data breach regulation tend to have higher rates of cybercrime overall. That includes Nevada (with a safety score of 77.64), which last year logged 309.7 cyber incidents per 100,000 people, which is more than triple the national average. But there are other contributing factors. Nevada, for instance, has businesses that are attractive targets for hackers, like casinos, Kahn points out.

Related:CISA Places Election Security Staffers on Leave

Going further, California (89.3) has strong privacy laws but high cybercrime rates; that's because hackers are consistently targeting the state's tech sector, Khan explains. Delaware is another state with strong privacy laws that is likewise plagued by high rates of data breaches, being the state where most financial lending services are incorporated.

The takeaway? "This shows that laws need to be enforced well," Khan says.

A similar report from the Electronic Privacy Information Center (EPIC) in late January outlined areas where states should, in its view, take a more aggressive position against companies leaking personal data. And state governments appear to be moving in that direction, with a new wave of reform efforts on the horizon.

**New State-Led Data Privacy Efforts Are Brewing**

Delaware, for example, has kicked off 2025 with its new Data Privacy Protection Act going into effect. Other states, including Iowa, Nebraska, New Hampshire, and New Jersey, are also adding fresh data privacy laws this year and increasing enforcement budgets.

Related:DeepSeek AI Fails Multiple Security Tests, Raising Red Flag for Businesses

States like Texas have also provided a model for aggressive data privacy regulation enforcement. On Jan. 13, Texas Attorney General Ken Paxton filed suit against the Allstate insurance company for what he alleges was an effort to skirt his state's data privacy rules and track citizens' data without consent.

As these new laws come online, Khan and others are optimistic that data privacy practices are improving across the US, thanks to re-upped efforts at the state level. Moving forward, these laws will be tailored to fit emerging technology use cases, Khan adds.

"Artificial Intelligence (AI) is also becoming a bigger issue," Kahn says. "Colorado's Anti-Discrimination in AI Law starts in 2026, and other states are considering similar rules. Meanwhile, lawsuits over website tracking, biometric data, and online privacy will continue in 2025."

Regardless of state of residence, companies should look at this new era of data privacy protection as an opportunity, according to Ojas Rege, senior vice president and general manager of privacy and data governance at OneTrust.

"With 20 distinct US data privacy laws enacted — all with different requirements and obligations — this is a risk most organizations won't want to take," Rege says. "By moving off spreadsheets, bringing in automation, and designating a senior data privacy leader, organizations can proactively comply with the current wave of US state privacy laws. Adopting AI responsibly also requires an effective data privacy program as a starting point and foundation."

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Data Leaks Happen Most Often in These States — Here's Why

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats.

Source: vska via Alamy Stock Photo

COMMENTARY

The Chinese-linked hacking group Salt Typhoon recently was detected lurking in major US telecommunication systems, exposing nearly every American's communications to Chinese intelligence and security services. 

In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that American citizens and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent to secure communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. These organizations should carefully examine both their security risk and regulatory obligations as they adopt new security solutions.

**Background: Salt Typhoon**

Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some parts dating back to the late 1970s. Commonly accepted baseline cyber protections like multifactor authentication were not implemented. While the scope of this attack is widespread, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted communication applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.

Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the United States, and the Salt Typhoon campaign marks one of the most sophisticated attacks on US critical infrastructure in history. 

**Security vs. Compliance: Adopting End-to-End Encryption Technologies**

US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications where only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications using cryptographic keys at both the sender and recipient. The end result is data in transit is secure, rendering the contents of any intercepted or compromised communications indecipherable without the cryptographic key, including by Internet service providers and telecommunications companies — and foreign hackers targeting those entities.

While end-to-end encrypted applications provide obvious advantages for security, many are not designed to comply with the data retention and access requirements imposed upon certain highly regulated industries. 

In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of an organization are to be retained for at least three years. Additionally, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review. 

In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accessibility Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network. Many encrypted communications applications restrict a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. Additionally, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years. 

**Recommendations**

As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To appropriately navigate these risks, organizations in every sector should consider three things.

First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. There are numerous mobile and desktop applications currently available that are designed to serve this purpose. For companies in regulated industries, it is important to also consider regulatory retention, monitoring, and auditing requirements when considering these tools. Such organizations should seek to implement solutions that can ensure appropriate encryption standards for messaging, collaboration, and voice and video calls specifically configured to allow for auditing and data preservation. 

Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually establish time-based purge rules for messages. While valuable for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such functions should be disabled for individuals and archiving tools should be in place. Additionally, employees should receive regular training on communications security and regulatory compliance.

Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious parties. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture. 

**Conclusion**

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations need to balance the security imperatives with their regulatory obligations. 

**About the Authors**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity and Data Privacy practice group. Michael advises clients in matters involving cybersecurity, public policy, and government relations. Michael helps clients navigate the complexities of cybersecurity, data privacy and the related regulatory landscape. Michael is the co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security.

Jillian Cash, Associate, Corporate Section, Buchanan Ingersoll & Rooney

Jillian Cash is an associate Buchanan’s Corporate Section, where she focuses on a variety of corporate, transactional, and cybersecurity matters.

Kellen Carleton, Associate, Corporate Finance and Technology Group, Buchanan Ingersoll & Rooney

Kellen Carleton is an associate in Buchanan’s Corporate Finance and Technology group where he focuses on a variety of corporate, transactional, and cybersecurity matters.

Salt Typhoon's Impact on the US &amp; Beyond

The popular generative AI (GenAI) model allows hallucinations, easily avoidable guardrails, susceptibility to jailbreaking and malware creation requests, and more at critically high rates, researchers find.

Source: Mundissima via Alamy Stock Photo

Organizations might want to think twice before using the Chinese generative AI (GenAI) DeepSeek in business applications, after it failed a barrage of 6,400 security tests that demonstrate a widespread lack of guardrails in the model.

That's according to researchers at AppSOC, who conducted rigorous testing on a version of the DeepSeek-R1 large language model (LLM). Their results showed the model failed in multiple critical areas, including succumbing to jailbreaking, prompt injection, malware generation, supply chain, and toxicity. Failure rates ranged between 19.2% and 98%, they revealed in a recent report.

Two of the highest areas of failure were the ability for users to generate malware and viruses using the model, posing both a significant opportunity for threat actors and a significant threat to enterprise users. The testing convinced DeepSeek to create malware 98.8% of the time (the "failure rate," as the researchers dubbed it) and to generate virus code 86.7% of the time.

Such a lackluster performance against security metrics means that despite all the hype around the open source, much more affordable DeepSeek as the next big thing in GenAI, organizations should not consider the current version of the model for use in the enterprise, says Mali Gorantla, co-founder and chief scientist at AppSOC.

Related:CISA Places Election Security Staffers on Leave

"For most enterprise applications, failure rates about 2% are considered unacceptable," he explains to Dark Reading. "Our recommendation would be to block usage of this model for any business-related AI use."

**DeepSeek's High-Risk Security Testing Results**

Overall, DeepSeek earned an 8.3 out of 10 on the AppSOC testing scale for security risk, 10 being the riskiest, resulting in a rating of "high risk." AppSOC recommended that organizations specifically refrain from using the model for any applications involving personal information, sensitive data, or intellectual property (IP), according to the report.

AppSOC used model scanning and red teaming to assess risk in several critical categories, including: jailbreaking, or "do anything now," prompting that disregards system prompts/guardrails; prompt injection to ask a model to ignore guardrails, leak data, or subvert behavior; malware creation; supply chain issues, in which the model hallucinates and makes unsafe software package recommendations; and toxicity, in which AI-trained prompts result in the model generating toxic output.

The researchers also tested DeepSeek against categories of high risk, including: training data leaks; virus code generation; hallucinations that offer false information or results; and glitches, in which random "glitch" tokens resulted in the model showing unusual behavior.

Related:Data Leaks Happen Most Often in These States — Here's Why

According to Gorantla's assessment, DeepSeek demonstrated a passable score only in the training data leak category, showing a failure rate of 1.4%. In all other categories, the model showed failure rates of 19.2% or more, with median results in the range of a 46% failure rate.

"These are all serious security threats, even with much lower failure rates," Gorantla says. However, the high failure results in the malware and virus categories demonstrate significant risk for an enterprise. "Having an LLM actually generate malware or viruses provides a new avenue for malicious code, directly into enterprise systems," he says.

**DeepSeek Use: Enterprises Proceed With Caution**

AppSOC's results reflect some issues that have already emerged around DeepSeek since its release to much fanfare in January with claims of exceptional performance and efficiency even though it was developed for less than $6 million by a scrappy Chinese startup.

Soon after its release, researchers jailbroke DeepSeek, revealing the instructions that define how it operates. The model also has been controversial in other ways, with claims of IP theft from OpenAI, while attackers looking to benefit from its notoriety already have targeted DeepSeek in malicious campaigns.

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

If organizations choose to ignore AppSOC's overall advice not to use DeepSeek for business applications, they should take several steps to protect themselves, Gorantla says. These include using a discovery tool to find and audit any models used within an organization.

"Models are often casually downloaded and intended for testing only, but they can easily slip into production systems if there isn't visibility and governance over models," he says.

The next step is to scan all models to test for security weaknesses and vulnerabilities before they go into production, something that should be done on a recurring basis. Organizations also should implement tools that can check the security posture of AI systems on an ongoing basis, including looking for scenarios such as misconfigurations, improper access permissions, and unsanctioned models, Gorantla says.

Finally, these security checks and scans need to be performed during development (and continuously during runtime) to look for changes. Organizations should also monitor user prompts and responses, to avoid data leaks or other security issues, he adds.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

DeepSeek AI Fails Multiple Security Tests, Raising Red Flag for Businesses

Improvements in cyber hygiene and resiliency made it possible for victim organizations to skip paying ransom amounts in 2024.

The total volume of ransom payments decreased year-over-year by approximately 35%, due to law enforcement activities and more victims refusing to pay, according to blockchain analytics company Chainalysis.

In 2024, ransomware attackers collected approximately $813.55 million in payments, a significant drop from the $1.25 billion collected in 2023 and $1.07 billion collected in 2021, Chainalysis said in its 2025 Crypto Crime Report. Payments were slightly up by approximately 2% in the first half of the year, leading the company to estimate that 2024 would surpass 2023's totals. While the number of ransomware events increased in the second half of 2024, on-chain payments declined, suggesting that even though more victims were targeted, fewer actually paid the ransom. In some cases, those who paid managed to successfully negotiate the ransom amount to a much smaller amount.

Victims organizations have wrestled with the pay-or-not-pay dilemma for years. On one hand, paying may be the only answer is there is no other way to recover the data or if the downtime waiting to recover the data is too long. On the other hand, paying rewards criminal activity, funds future activities, and may encourage more attacks against the victim. Improved cyber hygiene and overall resiliency is helping organizations make the decision to not pay, according to Christian Geyer, founder and CEO of Actfore. Better incident response capabilities, digital forensics, and data mining services are helping victims identify the breached data faster.

"Organizations have increasingly implemented comprehensive data backup solutions, so the business can rapidly recover their systems through a wipe and restore process," Geyer said. 

Another reason is that law enforcement actions are making an impact on the ransomware ecosystem. Several ransomware groups that were prolific in 2023 and the first half of 2024 were not as active in the second half of the year. LockBit is one such case. The United Kingdom's National Crime Agency, the U.S. Federal Bureau of Investigation, and law enforcement entities in Canada, Japan, and Australia, collaborated in Operation Cronos to seize data and websites associated with LockBit in February 2024. That disruption seemed particularly effective, as payments to the criminals behind LockBit decreased by 79% in the second half of 2024. Similarly, ALPHV/BlackCat going dark in March 2024 after collecting $22 million from Change Healthcare left “a void” in the second half of 2024, Chainalysis said.

When a large group leaves the cybercrime ecosystem — either after a law enforcement disruption or voluntarily shutting down operations — there usually is a slight dip in activity and then another group ramps up activities to fill that vacuum. That doesn't seem to have happened in 2024, Lizzie Cookson, a senior director of incident response at Coveware, told Chainalysis. "We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share…The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands."

Ransomware Groups Made Less Money in 2024

The likely Vietnam-based threat actor has been using two zero-days in VeraCore's warehouse management software in some of its latest cyberattacks.

Source: HakanGider via Shutterstock

A cybercrime group long associated with credit card theft has expanded into targeted information stealing from supply chain organizations in the manufacturing and distribution sectors.

In some of these new attacks the threat actor, whom several vendors track as the XE Group and link to Vietnam, has exploited two zero-day vulnerabilities in VeraCore's warehouse management platform to install Web shells for executing a variety of malicious actions.

**Zero-Day Exploits in VeraCore**

In a joint report this week, researchers from Intezer and Solis described the activity they observed recently as a sign of the heightened threat the group presents to organizations.

"XE Group's evolution from credit card skimming operations to exploiting zero-day vulnerabilities underscores their adaptability and growing sophistication," the researchers wrote. "By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities."

XE Group is a likely Vietnamese threat actor that multiple vendors, including Malwarebytes, Volexity, and Menlo security have tracked for years. The group first surfaced in 2013, and through at least late 2024 was known primarily for leveraging Web vulnerabilities to deploy malware for skimming credit card numbers and associated data from e-commerce sites.

In June 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) identified XE Group as one of several threat actors exploiting vulnerabilities in Progress Telerik software running on government IIS servers and executing remote commands on them. One of the vulnerabilities that CISA identified in its report (CVE-2017-9248) was the same one that Malwarebytes first observed XE Group exploiting back in 2020 in card skimmer attacks targeting ASP.Net sites. That campaign, as Intezer and Solis noted in their report, was notable for its focus on ASP.Net sites, which were rarely targeted at the time. In 2023, Menlo Security reported seeing XE Group deploying multiple strategies, including supply chain attacks to deploy card skimmers on websites, and also setting up fake sites for stealing personal information and selling it in underground forums.

What Solis and Intezer have observed now is a continued expansion of the threat actor's activities, exploitation techniques, and malware since then. The group's newer attack tactics include injecting malicious JavaScript into webpages, exploiting vulnerabilities in widely deployed products, and using custom ASPX Web shells to maintain access to compromised system.

**XE Group's Long-Term Cyberattack Objectives**

In several of the recent attacks, the threat actor has used the two VeraCore zero-days (CVE-2024-57968, an upload validation vulnerability with a CVSS severity score of 9.9; and CVE-2025-25181, a SQL injection flaw with a 5.8 severity score) to deploy multiple Web shells on compromised systems.

"In at least one instance, Solis and Intezer researchers discovered the threat actor had exploited one of the VeraCore vulnerabilities as far back as January 2020 and had maintained persistent access to the victim's compromised environment since then," according to the joint report. "In 2024, the group reactivated a webshell initially deployed \[in January 2020\], highlighting their ability to remain undetected and reengage targets. Their ability to maintain persistent access to systems … years after initial deployment, highlights the group’s commitment to long-term objectives."

The XE Group's recent shift in tactics and targeting are consistent with a broader focus among threat actors on the software supply chain. Though SolarWinds remains perhaps the best known example, there have been several other significant attacks on widely used software products and services. Examples include attacks on Progress Software's MOVEit file transfer tool, a breach at Okta that affected all of its customers, and a breach at Accellion that allowed attackers to deploy ransomware on some of the company's customers.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

XE Group Shifts From Card Skimming to Supply Chain Attacks

After claiming responsibility for the ransomware attack in 2024, the "Embargo" ransomware group posted 1.15 terabytes of stolen data to its public Tor site.

Source: Mint Images Limited via Alamy Stock Photo

NEWS BRIEF

In Bainbridge, Ga., the small Memorial Hospital and Manor is notifying 120,000 individuals that their personal information was stolen in a ransomware attack.

The ransomware attack was first disclosed in November, but at the time, it said that though its systems were down, and staff would have to revert to pen and paper to record patient information, its operations remained uninterrupted. 

Memorial retained cybersecurity experts and launched a forensic investigation to determine the scope of the breach and what was compromised. Though it still hasn't provided information on what kind of ransomware infected its systems, the Embargo ransomware group claimed responsibility for the attack, alleging that it stole 1.15 terabytes of data from the hospital's systems — information that is now available for public viewing on its Tor leak site.

In a filing with the Maine Attorney General's Office, Memorial wrote that notification letters were mailed out to affected Maine residents on Feb. 7, offering a year of complimentary identity protection services, credit monitoring, a $1 million identity fraud loss reimbursement policy, and identity theft recovery services through IDX. 

Some of the personal information Memorial notes in its letter that may have been impacted include names, Social Security numbers, dates of birth, health insurance information, medical treatment, and medical history. 

"Please note that Memorial has no current evidence to suggest misuse or attempted misuse of personal information involved," Memorial wrote, though now that this information is readily available on a public site, it may not be long before threat actors use it to their advantage.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

120K Victims Compromised in Memorial Hospital Ransomware Attack

PRESS RELEASE

WASHINGTON – Eric Council, 25, of Athens, Alabama, entered a guilty plea today to one count of conspiracy to commit aggravated identity theft in United States District Court for the District of Columbia. Council was arrested on October 17, 2024, in connection with his role in a conspiracy to hack into the X account of the U.S. Securities and Exchange Commission (SEC) and publish fraudulent posts in the name of the then-SEC Chairman. 

The plea was announced by U.S. Attorney Edward R. Martin, Jr., Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, SEC Inspector General Deborah Jeffrey and FBI Special Agent in Charge Sean Ryan of the Washington Field Office, Criminal and Cyber Division.

Council’s plea was entered before U.S. District Court Judge Amy Berman Jackson in the District of Columbia. He faces a maximum sentence of five years in prison, a $250,000 fine, and up to three years of supervised release. His sentencing is scheduled for May 16, 2025.

According to court documents, from at least January 2024, Council conspired with others to carry out Subscriber Identity Model (SIM) attacks, commonly referred to as “SIM swaps,” in exchange for money. 

A SIM card is a chip that stores information identifying and authenticating a cell phone subscriber and connects a physical cell phone to a mobile carrier’s cellular and data network. A SIM swap attack is a form of sophisticated fraud where criminal actors fraudulently induce a mobile carrier to reassign a mobile phone number from a victim’s SIM card to a SIM card and telephone controlled by a criminal actor attempting to access valuable information associated with the victim’s telephone. Members of SIM swapping groups conduct SIM swaps for the purpose of defeating multifactor authentication and/or two-step verification security features for internet connected accounts, such as social media and virtual currency accounts. 

After convincing a mobile carrier to reassign a phone number to a new SIM card in the criminal actor’s control, members of the conspiracy generate password reset security authentication codes for online accounts and those codes are in turn sent to the telephone in the control of the criminal actor. Members of SIM swap groups share the security reset codes with one another to unlawfully access a victim’s internet connected accounts and complete the fraud. 

On or about January 9, 2024, Council, and others, executed a SIM swap of the mobile phone account associated with the @SECgov X account, the official account of the SEC. The purpose of this SIM swap was to gain unauthorized access to this government account in order to make fraudulent posts. 

Before January 9, a member of the conspiracy had identified the authorized user for the phone number linked to the official @SECgov X account. Council received instruction from a co-conspirator to perform the SIM swap on this phone line, along with information to make the needed fake ID, that is, an image of an ID card template with the authorized user’s name on it but Council’s face, and information purporting to be the user’s date of birth and social security number. 

Council used his portable ID card printer to create a physical ID which he used to impersonate the victim at an AT&T store in Huntsville, Alabama. Council provided false information to the AT&T store employee to explain why he needed a replacement SIM card. Council obtained the SIM card linked to the victim’s phone line and walked to a nearby Apple store where he purchased a new iPhone to use in the crime.  He inserted the SIM card to activate the phone, received the @SECGov X password reset codes on this new phone linked to the victim’s SIM card and used his personal cell phone to take a photo of the @SECgov X account reset code to share with his co-conspirators. After passing along the password reset codes, Council drove to Birmingham, Alabama and immediately returned the iPhone for cash.   

A member of the conspiracy used the reset code to gain access to the @SECGov X account and issue a fraudulent post in the name of the then-SEC Chairman, falsely announcing SEC approval of Bitcoin (BTC) Exchange Traded Funds (ETFs). The price of BTC increased by more than $1,000 following the post. Shortly after this unauthorized post, the SEC regained control over their X account and confirmed that the announcement was unauthorized and the result of a security breach, which caused the value of BTC decreased by more than $2,000.

Council also admitted to attempting to perform additional SIM swaps in June 2024 in Alabama. In June 2024, the FBI executed a search warrant at an Athens, Alabama, apartment where he resided. Agents recovered a fake identification card and a portable ID card printer. They also recovered a laptop computer.  

Pursuant to the search warrant, agents searched the laptop and discovered templates for additional fake identification cards stored on the laptop along with internet searches for

“SECGOV hack,” “telegram sim swap,” “how can I know for sure if I am being investigated by the FBI,” “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them,” “what are some signs that the FBI is after you,” “Verizon store list,” “federal identity theft statute,” and “how long does it take to delete telegram account.” 

Council admitted to receiving approximately $50,000 from members of the conspiracy to perform SIM swap during the previous six months.   

This case is being investigated by the FBI Washington Field Office Criminal and Cyber Division, the SEC-Office of Inspector General, the U.S. Attorney’s Office for the District of Columbia, and the Computer Crime and Intellectual Property Section (CCIPS) and Fraud Section’s Market Integrity and Major Frauds Unit of the Justice Department’s Criminal Division. Significant assistance was provided by the FBI’s Birmingham Field Office.

The prosecution is being handled by Assistant United States Attorney Kevin Rosenberg, CCIPS Trial Attorney Ashley Pungello, and Fraud Section Trial Attorney Lauren Archer. Valuable assistance was provided by Assistant United States Attorney John Hundscheid from the Northern District of Alabama.

For more information on SIM swapping, go to: https://www.ic3.gov/PSA/2024/PSA240411

Source

DARKReading