Full Report
For the latest discoveries in cyber research for the week of 24th March, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Municipalities in four US states experienced cyberattacks that disrupted services for county offices, courts, and schools. Cleveland Municipal Court was hit by a Qilin ransomware attack, forcing employees offline and delaying trials, while […] The post 24th March – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
This analysis synthesizes the distinct incidents and vulnerability reports listed in the bulletin summary above. Because those events are independent, the timeline below aggregates the key named incidents rather than tracing a single intrusion.
# Incident Report: Aggregated Cyber Incidents and Vulnerability Exploitation (March 2025 Reporting)
## Executive Summary
This summary covers several significant security incidents reported for the week, including ransomware attacks on US municipalities (e.g., Qilin impacting Cleveland Municipal Court), a multi-million dollar theft from the WEMIX blockchain platform, and data breaches affecting California Cryobank, Western Alliance Bank, PSEA and Ascom. Concurrently, CISA warned of in-the-wild exploitation of CVE-2024-48248, an arbitrary file read in Nakivo Backup and Replication; a readable backup server holds the configuration and credentials for everything it protects, which is what makes this class of flaw a path to enterprise-wide compromise.
## Incident Details
- **Discovery Date:** Primarily week of March 24, 2025 (for reporting context).
- **Incident Date:** Varied; specific incidents range from October 2024 (Western Alliance Bank) to February 28, 2025 (WEMIX).
- **Affected Organization:** Municipalities across four US states, WEMIX, Oracle (alleged), California Cryobank, Western Alliance Bank, Ascom, PSEA.
- **Sector:** Government/Municipal, Blockchain/Finance, Telecommunications, Banking, Healthcare/Sperm Banking, Education.
- **Geography:** United States; Switzerland (Ascom); South Korea (WEMIX).
## Timeline of Events
### Initial Access
- **October 2024 (Western Alliance Bank):**
  - Vector: attack on third-party file transfer software used by the bank.
  - Details: enabled unauthorized access to sensitive customer data.
- **July 2024 (PSEA):**
  - Vector: initial access method not reported.
  - Details: data theft affecting over 517,000 members of the Pennsylvania State Education Association.
- **February 28, 2025 (WEMIX):**
  - Vector: cyberattack on the blockchain gaming platform; the entry point is not reported.
  - Details: theft of 8,654,860 tokens valued at approximately $6.1M.
- **Unspecified, recent (Municipalities and Ascom):**
  - Vector: ransomware operations (Qilin identified at Cleveland Municipal Court; Hellcat claimed the Ascom breach); initial access not reported.
  - Details: disruption of county offices, courts and schools; exfiltration from Ascom's technical ticketing system.
### Lateral Movement
- **Cleveland Municipal Court:** Not detailed in the summary; ransomware deployed widely enough to take employees offline and delay trials implies lateral movement across court and administrative systems before encryption.
- **Ascom:** Hellcat's claim centres on the technical ticketing system; whether that system was the entry point or was reached after lateral movement is not stated.
### Data Exfiltration/Impact
- **California Cryobank:** Exposure of personally identifiable information (PII) including bank account details, SSNs, driver's license numbers, and payment card data.
- **Western Alliance Bank:** Exposure of PII and financial data for almost 22,000 individuals (SSNs, financial account numbers).
- **PSEA:** Theft of PII, including government-issued IDs, SSNs, passport details, and financial information, for over 500K members.
- **Ascom:** Exfiltration of 44GB of corporate data, including source code, invoices, and confidential documents.
### Detection & Response
- **Municipalities:** Incidents surfaced through service disruptions to county offices, courts, and schools. The summary does not describe the response, which would normally involve isolating affected systems and engaging forensics teams.
- **WEMIX:** The platform confirmed the attack and quantified the loss (8,654,860 tokens, ~$6.1M).
- **General Vulnerabilities:** CISA warned that CVE-2024-48248, an arbitrary file read (path traversal) in Nakivo Backup and Replication, is being exploited in the wild, meaning active intrusion attempts against organizations that expose this software.
## Attack Methodology
| Category | Method Observed Across Incidents |
| :--- | :--- |
| **Initial Access** | Compromise of third-party file transfer software (Western Alliance Bank); in-the-wild exploitation of CVE-2024-48248 in Nakivo Backup and Replication (per CISA); direct platform compromise (WEMIX). Entry points for the Qilin and Hellcat intrusions are not reported. |
| **Persistence** | Not detailed for any incident; ransomware operators such as Qilin typically establish persistence before deploying the payload. |
| **Privilege Escalation** | The Betruger backdoor used by a RansomHub affiliate includes privilege escalation among its functions. |
| **Defense Evasion** | Betruger bundles pre-ransomware functions into a single custom tool, so affiliates drop fewer distinct utilities and present a smaller detection surface. |
| **Credential Access** | Betruger includes credential dumping; the alleged Oracle Cloud breach is claimed to include *encrypted* SSO passwords and JKS (Java KeyStore) files. |
| **Discovery** | Betruger includes network scanning. |
| **Lateral Movement** | Implied for the municipal ransomware incidents, where payloads reached court and administrative systems. |
| **Collection** | PII and financial records (Cryobank, Western Alliance, PSEA); corporate intellectual property including source code (Ascom). |
| **Exfiltration** | 44GB of Ascom data; theft of digital assets (WEMIX tokens); stolen PII underlying the Cryobank, Western Alliance and PSEA notifications. |
| **Impact** | Ransomware deployment and service disruption (Qilin at municipalities); Hellcat's claimed Ascom breach; financial loss (WEMIX); data exposure (Cryobank, Western Alliance, PSEA). |
## Impact Assessment
- **Financial:** $6.1 million token theft (WEMIX). Unquantified costs from municipal service disruption, breach notification and potential regulatory penalties (Cryobank, Western Alliance, PSEA).
- **Data Breach:** Extensive PII and sensitive financial records exposed, including SSNs, driver's licenses, and bank details (Cryobank, Western Alliance, PSEA). Corporate IP including source code exposed (Ascom).
- **Operational:** Trials delayed and county office and school services disrupted (Municipalities). Western Alliance Bank reported data exposure; the summary describes no disruption to banking operations.
- **Reputational:** Significant reputational damage to WEMIX, California Cryobank, and affected municipal entities.
## Indicators of Compromise
*(Note: the summary provides no atomic indicators such as hashes, IP addresses or domains; the items below are vulnerability and behavioural references, not a blocklist.)*
- **Network Indicators:** HTTP requests exploiting CVE-2024-48248 (arbitrary file read via path traversal) against exposed Nakivo Backup and Replication instances.
- **File Indicators:** The custom Betruger backdoor, with credential dumping, network scanning and privilege escalation functions.
- **Behavioral Indicators:** Qilin and Hellcat ransomware activity against municipal and corporate targets (Cleveland Municipal Court, Ascom).
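As an added example (not from the Check Point report and not NAKIVO's code), the following Python flags HTTP requests that look like path-traversal or arbitrary-file-read probes in the web server logs an exposed backup appliance would produce. The log lines are constructed, `/appliance/getFile?path=` is a hypothetical endpoint, and the checks are generic: they do not reproduce the real CVE-2024-48248 request format.

```python
"""Flag HTTP requests that look like path-traversal / arbitrary-file-read attempts.

Added example for this report: not Check Point's code and not NAKIVO's. The log
lines below are constructed, '/appliance/getFile?path=' is a hypothetical
endpoint, and the checks are generic (they do not encode the real
CVE-2024-48248 request format).
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx combined log format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Absolute paths a backup appliance's web tier has no business serving.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/root/", "/home/",
                   "/proc/self/", "c:/windows/")

# Constructed sample: one benign image fetch, three probes, one unrelated login.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2025:10:01:12 +0000] "GET /appliance/getFile?path=/var/lib/app/img/logo.png HTTP/1.1" 200 4821',
    '203.0.113.7 - - [19/Mar/2025:10:01:13 +0000] "GET /appliance/getFile?path=../../../../etc/passwd HTTP/1.1" 200 1431',
    '198.51.100.23 - - [19/Mar/2025:10:01:15 +0000] "GET /appliance/getFile?path=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0',
    '198.51.100.23 - - [19/Mar/2025:10:01:16 +0000] "GET /appliance/getFile?path=/etc/shadow HTTP/1.1" 200 912',
    '192.0.2.5 - - [19/Mar/2025:10:02:00 +0000] "POST /appliance/login HTTP/1.1" 302 0',
]


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; %252e%252e%252f only becomes ../ on the second pass."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_signals(raw_target: str) -> list[str]:
    """Return the reasons a request target looks like a file-read probe (empty = clean)."""
    decoded = fully_decode(raw_target).replace("\\", "/")
    low = decoded.lower()
    signals = []
    if "../" in low:
        signals.append("dot-dot-slash")
        if "%25" in raw_target.lower():          # traversal only visible after a second decode
            signals.append("double-encoded")
    if "\x00" in decoded:
        signals.append("null-byte")
    for _, value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        if any(p in value.lower() for p in SENSITIVE_PATHS):
            signals.append("sensitive-absolute-path")
            break
    return signals


def scan_log(lines: list[str]) -> list[dict]:
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                             # malformed line: skip rather than crash
        signals = traversal_signals(m["target"])
        if not signals:
            continue
        status = int(m["status"])
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "target": m["target"],
            "signals": signals,
            # 200 with a body means the server probably handed the file over;
            # 403/404 or an empty body means the probe was blocked or missed.
            "likely_success": status == 200 and size > 0,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], "SUCCESS" if f["likely_success"] else "blocked", f["signals"], f["target"])
```

The status and byte-count check separates blocked probes (403, empty body) from reads that probably succeeded (200 with a body), which is the first triage distinction a responder needs; the repeated decoding matters because a single unquote leaves `%252e%252e%252f` looking harmless to a naive `../` filter.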
## Response Actions
- **Containment:** Municipalities presumably isolated affected networks to stop ransomware spread (not described in the summary). WEMIX's handling of the stolen tokens is not described.
- **Eradication:** Not detailed. For the vulnerabilities named in the report it means patching (Veeam CVE-2025-23120, Nakivo CVE-2024-48248); for an arbitrary file read such as the Nakivo flaw, any file the service could read (configuration, stored credentials) should also be treated as exposed and rotated.
- **Recovery:** Restoring services in affected county courts and schools.
## Lessons Learned
- **Third-Party Risk is Critical:** The Western Alliance Bank breach originated from a third-party file transfer software vendor, highlighting the necessity of rigorous vendor security assessments.
- **RaaS Specialization Enhances Threat:** New RaaS operations (VanHelsingRaaS) and custom tooling (Betruger backdoor) indicate threat actors are streamlining operations to be faster and potentially more evasive.
- **Vulnerability Patching Lag:** Active in-the-wild exploitation of the Nakivo arbitrary file read (a path traversal) shows that timely patching of internet-facing backup solutions remains a major organizational failure point; backup servers hold credentials to everything they protect, which is why ransomware operators target them first.
## Recommendations
- **Implement Strong Endpoint Detection:** Deploy endpoint protection with behavioural detection (the source recommends Check Point Harmony Endpoint) capable of catching new, evasive malware families (e.g., Betruger) and ransomware variants (Qilin, VanHelsing).
- **Prioritize Critical Asset Patching:** Immediately address known critical vulnerabilities in infrastructure software, particularly backup solutions (Nakivo, Veeam) and BMCs (AMI MegaRAC); backup and management interfaces should additionally be removed from direct internet exposure, which limits both current and future flaws.
- **Enhance Third-Party Oversight:** Establish stricter controls and monitoring over data access granted to third-party vendors handling PII and sensitive corporate data.
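The patching-lag lesson and the patch-prioritization recommendation above both come down to one triage question: which vulnerable hosts get fixed today? The following Python is an added example (not CISA's, Check Point's or any vendor's code) that ranks an asset inventory by exploitation evidence and exposure. The inventory is constructed; the KEV excerpt reuses the field names of CISA's KEV JSON feed but lists only the CVE this report says CISA warned about, and its `dateAdded`/`dueDate` values are constructed for the illustration.

```python
"""Rank vulnerable assets by exploitation evidence (CISA KEV) and exposure.

Added example for this report: not CISA's, Check Point's or any vendor's code.
The inventory is constructed. The KEV excerpt reuses the field names of CISA's
KEV JSON feed, lists only the CVE this report says CISA warned about, and its
dateAdded/dueDate values are constructed for the illustration.
"""
import json
from datetime import date

# Constructed KEV-style excerpt (same field names as the published KEV JSON feed).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2024-48248", "vendorProject": "NAKIVO",
   "product": "Backup and Replication", "dateAdded": "2025-03-19",
   "dueDate": "2025-04-09", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed inventory: open CVEs per host plus the two exposure facts that
# matter most for a backup or management tier.
INVENTORY = [
    {"host": "bkp-dmz-01", "product": "NAKIVO Backup and Replication",
     "cves": ["CVE-2024-48248"], "internet_facing": True, "role": "backup"},
    {"host": "bkp-core-02", "product": "NAKIVO Backup and Replication",
     "cves": ["CVE-2024-48248"], "internet_facing": False, "role": "backup"},
    {"host": "veeam-01", "product": "Veeam Backup & Replication",
     "cves": ["CVE-2025-23120"], "internet_facing": False, "role": "backup"},
    {"host": "web-03", "product": "Intranet portal",
     "cves": [], "internet_facing": False, "role": "general"},
]

# Roles whose compromise hands over the whole estate (backups, identity, BMCs).
CROWN_JEWEL_ROLES = {"backup", "identity", "bmc"}


def load_kev(raw: str) -> dict[str, dict]:
    """Index a KEV-format document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def score_asset(asset: dict, kev: dict[str, dict], today: date) -> tuple[int, list[str]]:
    """Additive score: KEV listing dominates, then exposure, then asset role."""
    if not asset["cves"]:
        return 0, []
    score, reasons = 0, []
    for cve in asset["cves"]:
        entry = kev.get(cve)
        if entry is None:
            score += 10                          # still a vuln, but no exploitation evidence
            reasons.append(f"{cve} not in KEV")
            continue
        score += 100
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        reasons.append(f"{cve} in KEV, due in {days_left}d")
        if days_left <= 7:
            score += 20                          # remediation due date imminent or passed
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 30
    if asset["internet_facing"]:
        score += 50
        reasons.append("internet-facing")
    if asset["role"] in CROWN_JEWEL_ROLES:
        score += 25
        reasons.append(f"role={asset['role']}")
    return score, reasons


def prioritize(inventory: list[dict], kev_json: str = KEV_JSON, today: str = "") -> list[dict]:
    """Return hosts with at least one open CVE, highest priority first.

    `today` is an ISO date string so runs are reproducible; empty means the real date.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    kev = load_kev(kev_json)
    ranked = []
    for asset in inventory:
        score, reasons = score_asset(asset, kev, today_d)
        if score:
            ranked.append({"host": asset["host"], "score": score, "reasons": reasons})
    ranked.sort(key=lambda r: -r["score"])
    return ranked


if __name__ == "__main__":
    for r in prioritize(INVENTORY, today="2025-03-24"):
        print(r["score"], r["host"], "; ".join(r["reasons"]))
```

The weights are deliberately coarse: a KEV listing outranks any CVSS argument because it is evidence of exploitation rather than a prediction of it, and an internet-facing backup host sits above an identical internal one because the exposure is what the Nakivo warning is actually about. The Veeam host is not in the constructed KEV excerpt, so it ranks below both Nakivo hosts while still appearing in the queue.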