OpenBrief

Category: 🚨 Intrusions
AI-Powered Threat Intel Briefings

Top Stories

PathWiper Malware Targets Ukraine's Critical Infrastructure for Disruption
PathWiper, a new data wiper malware, is being deployed against critical infrastructure in Ukraine and is attributed to a Russia-linked APT. It overwrites critical NTFS on-disk artifacts, rendering systems inoperable; no ransom or other financial demand accompanies the attack.

Key points:

  • PathWiper is a new strain of wiper malware identified by Cisco Talos.
  • The malware targets critical infrastructure in Ukraine, indicating advanced tactics.
  • PathWiper shares similarities with HermeticWiper, previously used in the Russia-Ukraine conflict.
  • The malware corrupts master boot records and NTFS artifacts, employing sophisticated enumeration methods.
  • Wiper attacks have surged since the onset of the Ukraine conflict, with multiple strains identified.
Sources: Bleeping Computer (1 article)
Qilin Ransomware Exploits Critical Fortinet Vulnerabilities for Attacks
The Qilin ransomware group is exploiting critical Fortinet vulnerabilities, including CVE-2024-21762 and CVE-2024-55591, to conduct attacks. These flaws allow for authentication bypass and remote code execution, impacting numerous organizations, particularly in Spanish-speaking regions.

Key points:

  • Qilin ransomware, also known as Phantom Mantis, has exploited Fortinet vulnerabilities since May 2025.
  • The vulnerabilities allow attackers to bypass authentication and execute malicious code remotely.
  • CVE-2024-21762 and CVE-2024-55591 are among the flaws being actively exploited.
  • The campaign has targeted over 310 victims, including high-profile organizations.
  • CISA has warned federal agencies to secure their Fortinet devices against these vulnerabilities.
Sources: Bleeping Computer (1 article)
Optima Tax Relief Faces Ransomware Attack, Data Compromised
Optima Tax Relief has been targeted by the Chaos ransomware gang, resulting in the theft and leak of 69 GB of sensitive data. This incident marks a double-extortion attack, with both data theft and server encryption reported.

Key points:

  • Optima Tax Relief suffered a ransomware attack by the Chaos group, leading to data leaks.
  • The stolen data includes sensitive personal information such as Social Security numbers and addresses.
  • This incident is classified as a double-extortion attack, involving both data theft and server encryption.
  • Chaos ransomware is a newer operation that began in March 2025, claiming multiple victims.
  • The attack highlights the risks associated with tax-related data and identity theft.
Sources: Bleeping Computer (1 article)
FBI Warns of BADBOX 2.0 Android Malware Infecting Millions of Devices
The FBI has reported that BADBOX 2.0 malware has infected over 1 million consumer devices, turning them into residential proxies for cybercriminal activities. The botnet primarily affects Chinese Android-based IoT devices and continues to grow despite previous disruptions.

Key points:

  • BADBOX 2.0 targets various IoT devices, including streaming devices and digital projectors.
  • The malware can be pre-installed or delivered via dubious software updates.
  • The botnet masks criminal activity by using residential proxies.
  • Users are advised to disconnect suspicious devices and update firmware.
  • Signs of compromise include unusual app marketplaces and requests to disable security features.
Sources: Bleeping Computer (1 article)
Kettering Health Confirms Interlock Ransomware Attack Resulting in Data Theft
Kettering Health has confirmed a ransomware attack by the Interlock group, which breached its network and stole sensitive data. The healthcare provider is working to restore affected systems and has implemented enhanced security measures.

Key points:

  • Interlock ransomware group breached Kettering Health's network, stealing 941 GB of sensitive data.
  • The attack disrupted access to electronic health records and forced staff to revert to manual processes.
  • Kettering Health has secured its systems and is restoring communication channels with patients.
  • Interlock has been linked to multiple attacks on healthcare organizations and uses advanced tactics for network access.
  • The group recently claimed responsibility for a breach at DaVita, leaking 1.5 terabytes of data.
Sources: Bleeping Computer (1 article)

Other Updates

CISA and FBI Release Updated Advisory on Play Ransomware Tactics
Updated advisory on Play ransomware outlines new tactics and IOCs for improved threat detection.

Key points:

  • Play ransomware, also known as Playcrypt, has targeted numerous businesses and critical infrastructure since June 2022.
  • The advisory includes updated tactics, techniques, and procedures used by the Play ransomware group.
  • Approximately 900 entities have been identified as victims of Play ransomware as of May 2025.
  • The advisory provides indicators of compromise (IOCs) to assist organizations in threat detection.
  • Recommended mitigations are included to help organizations protect against these threats.
Sources: CISA Cybersecurity Advisories (1 article)
Vishing Campaign Targets Salesforce Customers to Exfiltrate Data
UNC6040 exploits Salesforce integration to steal data via fake IT support calls and extortion.

Key points:

  • Criminals impersonated IT support to trick victims into providing access to Salesforce.
  • The attackers used an eight-digit connection code to link their Data Loader to victim accounts.
  • UNC6040 also hosted a phishing panel targeting Okta users to steal credentials.
  • Salesforce has issued guidance on protecting against such voice phishing attacks.
  • Extortion attempts occurred months after initial data breaches, indicating possible collaboration with other threat actors.
Sources: CSO Online (1 article)
Massive Data Breach Exposes 4 Billion Chinese User Records
A colossal breach has exposed sensitive data of 4 billion Chinese users, highlighting severe security vulnerabilities.

Key points:

  • The exposed database contained WeChat IDs, bank details, Alipay data, and home addresses.
  • Researchers identified 16 distinct collections, including over 805 million WeChat records and 630 million bank records.
  • The meticulous organization of the data suggests it was intended for surveillance and profiling of Chinese citizens.
  • The breach poses risks for large-scale phishing, fraud, and state-sponsored intelligence activities.
  • Attribution remains unclear as the database was quickly taken offline after discovery.
Sources: CSO Online (1 article)
Kaspersky Reports Over 629 Million Cyber Attacks Blocked in Q1 2025
Kaspersky's Q1 2025 report highlights a surge in ransomware and significant law enforcement actions against cybercriminals.

Key points:

  • Kaspersky blocked over 629 million attacks, with 88 million unique malicious links detected.
  • Law enforcement arrested four members of the Phobos ransomware gang, linked to over $16 million in extortion.
  • New vulnerabilities in Paragon Partition Manager were exploited by ransomware gangs for SYSTEM privileges.
  • The Akira ransomware used a webcam vulnerability to bypass EDR and encrypt files on networks.
  • RansomHub, Akira, and Clop were the most prolific ransomware groups during the quarter.
Sources: Securelist (1 article)
Rapid7 Reports Key Incident Response Trends for Q1 2025
Stolen credentials without MFA remain the top initial access vector in Rapid7's Q1 2025 incident response findings.

Key points:

  • 56% of incidents involved valid accounts with no MFA, emphasizing the need for stronger authentication measures.
  • CVE-2024-55591, affecting Fortinet devices, was exploited to gain unauthorized access to firewall dashboards.
  • Exposed RMM tools accounted for 6% of incidents, with vulnerabilities in those tools leading to ransomware deployment.
  • SEO poisoning continues to pose risks, particularly through malicious sponsored search results.
Sources: Rapid7 Research Blog (1 article)
Iran-Linked BladedFeline Targets Iraqi and Kurdish Officials with Advanced Malware
BladedFeline, an Iran-aligned group, targets Iraqi and Kurdish officials using sophisticated malware.

Key points:

  • BladedFeline has been active since 2017, focusing on Kurdish and Iraqi government entities.
  • The group employs various backdoors, including Whisper and Spearal, for persistent access.
  • Malicious tools like PrimeCache and Hawking Listener have been identified in their operations.
  • ESET attributes BladedFeline as a sub-cluster of the Iranian OilRig group.
  • The group is suspected of exploiting vulnerabilities in internet-facing applications for initial access.
Sources: The Hacker News (1 article)
Chaos RAT Malware Targets Windows and Linux via Deceptive Downloads
Chaos RAT malware exploits fake downloads to target Windows and Linux systems for remote access.

Key points:

  • Chaos RAT, an open-source RAT, is designed for cross-platform use on Windows and Linux.
  • The malware is distributed via phishing emails that trick users into downloading a fake network utility.
  • Recent versions include vulnerabilities (CVE-2024-30850, CVE-2024-31839) that could allow arbitrary code execution.
  • Chaos RAT has been linked to cryptocurrency mining campaigns and reconnaissance activities.
  • The malware's reliance on open-source tooling complicates efforts to attribute the activity to specific threat actors.
Sources: The Hacker News (1 article)
PathWiper Malware Targets Ukrainian Critical Infrastructure in 2025 Attack
PathWiper malware disrupts Ukrainian infrastructure, leveraging administrative tools for execution.

Key points:

  • PathWiper malware was deployed via a legitimate endpoint administration framework, indicating prior access by attackers.
  • The malware targets critical storage artifacts, including the Master Boot Record and NTFS structures, overwriting them with random data.
  • PathWiper shares similarities with HermeticWiper, previously linked to attacks during the Russia-Ukraine conflict.
  • The ongoing evolution of wiper malware poses a persistent threat to Ukrainian critical infrastructure.
  • Another campaign by Silent Werewolf targets Russian and Moldovan companies using phishing tactics to deploy malware.
Sources: The Hacker News (1 article)
Kettering Health Confirms Ransomware Attack by Interlock Group, Restores Systems
Kettering Health faced a ransomware attack by Interlock, disrupting services and prompting system restoration efforts.

Key points:

  • Kettering Health experienced a ransomware attack starting May 20, leading to system outages and canceled procedures.
  • The Interlock group claimed responsibility, alleging data theft including financial records.
  • Kettering Health has secured affected systems and implemented enhanced security protocols.
  • The organization is working to restore full communication capabilities and has relaunched parts of its electronic health record system.
  • Other healthcare systems have also reported cyber incidents in recent weeks.
Sources: The Record by Recorded Future (1 article)
Bitter APT Expands Geographic Targeting and Enhances Malware Tactics
Bitter APT is broadening its attack scope while employing advanced malware techniques for espionage.

Key points:

  • Bitter APT, also known as TA397, has shifted its focus from South Asia to include targets in Turkey and China.
  • The group utilizes spear-phishing tactics, often impersonating government entities to deliver malware.
  • Notable malware families used include WmRAT, MiyaRAT, KugelBlitz, and BDarkRAT, showcasing diverse capabilities.
  • Bitter's operations align with Indian Standard Time, indicating a structured approach to espionage.
  • The group is believed to operate on behalf of Indian intelligence, targeting government and defense sectors.
Sources: The Hacker News (1 article)