March 21, 2025
Cyber Threats on the Rise: Record Crypto Heists, Ransomware Evolution, and State-Sponsored Espionage
Stay Ahead of Cyber Threats with Key Insights on Major Breaches, Ransomware, and Emerging Risks. Learn about the Bybit Heist, Grubhub Breach, New Ransomware Groups, and APT Activity. Protect Your Business with Expert Analysis and Security Best Practices.
High-Profile Breaches and Emerging Threats
Record-Breaking Crypto Heist (Bybit Exchange): In the largest cryptocurrency theft to date, an attacker stole roughly $1.46 billion in crypto assets from a Bybit Ethereum cold wallet. The signing interface was manipulated so that the wallet’s signers approved what looked like a routine transfer but in fact altered the wallet’s smart-contract logic, letting the attacker redirect the funds. The sum is more than double the previous record for a single crypto hack. The FBI has since attributed the breach to North Korean state-sponsored hackers, identifying it as part of the “TraderTraitor” campaign. Despite the scale of the theft, Bybit’s CEO stated that customer assets remain backed 1:1 and that the exchange can cover the loss without disrupting operations.
GrubHub Data Breach via Third-Party: U.S. food delivery company GrubHub disclosed that attackers breached its systems using a compromised third-party service provider account, exposing personal information of customers, drivers, and merchants. The intruders obtained names, email addresses, phone numbers, and partial payment card data for some users, though GrubHub reports that passwords and more sensitive info (full card numbers, SSNs) were not accessed. The breach underscores the risk of supply chain and vendor account compromises – a threat that can impact SMBs that rely on external service providers for support. GrubHub responded by terminating the vendor’s access, hiring forensic experts, and bolstering monitoring for anomalous activity.
Other Notable Breaches: In the UK, Casio’s online store was hacked to inject payment skimmers, stealing customers’ credit card details over a 10-day period in January.
Finastra, a global fintech firm, is notifying clients of a breach where attackers accessed an SFTP server and stole data back in late 2024.
Meanwhile, Hewlett Packard Enterprise (HPE) revealed that a Russian state-backed group hacked an employee email system in 2023, pilfering staff data.
These incidents illustrate the global reach of cyber threats – from e-commerce sites to enterprise IT environments – and the importance of vigilant security practices across the board.
Ransomware Attacks and New Tactics
Ransomware continues to wreak havoc on organizations globally, with threat actors evolving their tactics and target profiles. Recent incidents highlight both new ransomware operations on the rise and the tangible business impacts of these attacks.
New Ransomware Groups: A relatively new ransomware gang dubbed “Sarcoma” has quickly become a significant threat. In February, Sarcoma claimed responsibility for an attack on Unimicron, one of the world’s largest PCB (printed circuit board) manufacturers based in Taiwan. The attackers leaked proof of stolen files and threatened to release 377 GB of data – including databases and documents – if the ransom was not paid within a week. Unimicron confirmed a ransomware incident causing operational disruption at a subsidiary, though it has not publicly confirmed the data theft. Sarcoma’s rapid rise is notable: the group launched its first attacks in late 2024 and was already claiming dozens of victims within months, using phishing and known vulnerabilities to gain entry. Security researchers warn that Sarcoma employs aggressive tactics, including supply-chain attacks (hacking service providers to reach clients) and extensive data exfiltration.
Ongoing Ransomware Operations: Established ransomware operators also remain active. The Black Basta gang, for example, was behind a major attack on the UK’s Southern Water in 2024, and the utility disclosed incurring £4.5M (~$5.7M) in incident-related costs.
Meanwhile, the prolific LockBit ransomware (or its variants) continues to surface – a notable incident involved a Siberian dairy plant hit by a LockBit strain, reportedly in retaliation for the company’s support of Russian military efforts.
This hints at the blurring of lines between financially motivated ransomware and politically driven attacks. Additionally, a new “NailaoLocker” ransomware was identified as the payload in attacks on European healthcare organizations in late 2024, showing that analysis of months-old intrusions can still surface previously unknown strains.
Impacts on Critical Services and SMBs:
Ransomware’s impact on victims is often crippling. In the United States, a February attack on the Sault Ste. Marie Tribe of Chippewa Indians in Michigan (an SMB-scale tribal government) knocked critical services offline, including health clinics, government offices, and five casino locations. The tribe had to temporarily close departments, cancel medical appointments, and halt casino operations, severely disrupting the community’s daily life and revenue. This case exemplifies how SMBs and local governments can be gravely affected – the tribe’s size (serving ~44,000 members) and reliance on IT systems for healthcare and business made it a tempting target, even if it’s not a Fortune 500 company. Many such organizations face limited cybersecurity budgets, making them attractive marks for ransomware gangs. The Sault Tribe attack also highlights the real-world consequences of ransomware beyond data encryption – affecting public safety, healthcare, and economic livelihoods.
Evolving Tactics – Double Extortion and More:
Nearly all modern ransomware incidents now involve data theft (double extortion), where attackers exfiltrate sensitive information to pressure victims into paying. The Sarcoma attack on Unimicron is a textbook example: stolen data was used as leverage by threatening publication. Some groups have gone further to triple extortion – adding threats of DDoS attacks or directly harassing victims’ clients if the ransom isn’t paid. We also see ransomware groups tailoring their exploits: for instance, Sarcoma has leveraged n-day vulnerabilities and even infiltrated service providers to “island hop” into downstream victims. These advanced tactics underscore that ransomware actors are not just encrypting files at random; they often conduct network reconnaissance, steal credentials, and sometimes maintain persistence to strike again.
Ransomware remains one of the top threats to businesses worldwide. New groups like Sarcoma can emerge rapidly, so organizations should not assume lesser-known names are low risk. SMBs, in particular, must recognize they are not “too small” to target – attackers often perceive smaller entities (municipal bodies, regional businesses, etc.) as softer targets. Defenses such as robust data backup strategies, network segmentation, regular patching of known vulnerabilities, and user training to resist phishing are essential. Additionally, having an incident response plan (including communication and recovery) is critical, as evidenced by the costly and disruptive outcomes in recent cases.
State-Sponsored APT Activity & Cyber Espionage
Nation-state threat actors (APT groups) continue to orchestrate sophisticated cyber-espionage campaigns and exploit zero-day vulnerabilities. Recent developments reveal a mix of new exploit techniques and long-running operations by APT groups from North Korea, Russia, China, Iran, and others:
Widely Exploited Windows Zero-Day (LNK vulnerability): One of the most alarming reports this week is that at least 11 state-sponsored groups have been actively exploiting an unpatched Windows vulnerability that abuses shortcut (.lnk) files. The flaw (Trend Micro ZDI-CAN-25373) is a user-interface misrepresentation bug: the attacker pads the shortcut’s COMMAND_LINE_ARGUMENTS field with long runs of whitespace characters (spaces, tabs, line feeds, vertical tabs, form feeds and carriage returns), so the Properties dialog shows an innocuous target while the hidden tail of the argument string runs the attacker’s commands when the shortcut is opened. Remarkably, the vulnerability has been under active attack since 2017 and remains unpatched by Microsoft as of this report. Threat actors from North Korea, Iran, Russia, China, and others are leveraging it to deliver spyware and steal data from targets in government, finance, telecom, military, and energy sectors; payloads observed via these .lnk lures include the Lumma infostealer and the Remcos RAT. Microsoft has stated the issue did not meet its bar for immediate servicing under its severity guidelines and indicated it may be addressed in a future update, a stance that has drawn criticism from security experts given the ongoing espionage activity. In the meantime, defenders should mitigate: scan incoming and on-disk .lnk files for argument fields padded with unusual amounts of whitespace, treat shortcuts arriving by email or download as hostile, and ensure endpoint protection alerts on command interpreters (cmd.exe, PowerShell) launched from a shortcut.
The widespread abuse of this .lnk zero-day underscores how global and far-reaching APT campaigns can be. Trend Micro’s analysis shows malicious shortcut files tied to this exploit have been observed across North America, Europe, Asia, South America, Africa, and Australia.
Over 45% of observed attacks were attributed to North Korean actors, with significant activity also from Iranian, Russian, and Chinese groups. High-profile APTs such as Kimsuky (North Korea), Mustang Panda (China), Bitter (South Asia), and even the financially motivated Evil Corp (Russia) are among those abusing the vulnerability. The diversity of actors and victims shows how a single unpatched flaw can become a shared tool for espionage across ideologies, from stealing military intelligence to financial theft. For SMBs this may look like a nation-state problem, but an organization that sits in a supply chain or industry of interest can become collateral damage. Moreover, non-state cybercriminal groups are also exploiting it, so even businesses without geopolitical significance may be targeted for financial gain.
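To make the mitigation concrete, here is an added example (not code from the original report or from Trend Micro) that parses the Shell Link header and StringData fields of a .lnk file and flags an argument string containing a long run of whitespace padding. The file layout follows the published MS-SHLLINK format; the 64-character threshold and the sample shortcuts produced by build_lnk are assumptions made for this example, and a real scanner would run the check over files collected from mail gateways or endpoints.

```python
import struct

# ShellLinkHeader constants from MS-SHLLINK section 2.1 (the .lnk file format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their LinkFlags bit is set.
STRING_DATA = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Characters used to pad COMMAND_LINE_ARGUMENTS so the real command scrolls
# out of the visible Target field in the shortcut's Properties dialog.
PAD_CHARS = frozenset(" \t\n\x0b\x0c\r")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo by size, decode StringData."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) then IDList bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) covers the whole struct
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for field, bit in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated StringData field {field}")
        off += count * width
        strings[field] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return {"flags": flags, "strings": strings}


def longest_pad_run(text: str) -> int:
    """Length of the longest consecutive run of padding characters in text."""
    longest = run = 0
    for ch in text:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    return longest


def is_padded_lnk(data: bytes, threshold: int = 64) -> bool:
    """True when COMMAND_LINE_ARGUMENTS holds a whitespace run of >= threshold.

    Legitimate shortcuts carry a few spaces at most; a run of dozens or
    hundreds is the hiding trick. The threshold is a tunable assumption.
    """
    args = parse_lnk(data)["strings"].get("arguments", "")
    return longest_pad_run(args) >= threshold


def build_lnk(relative_path: str, arguments: str, id_list: bytes = b"") -> bytes:
    """Build a minimal Unicode .lnk with RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.

    Constructed test data for this example; real shortcuts usually also carry
    LinkInfo and extra data blocks, which a scanner must be prepared to skip.
    """
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x20,          # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,       # CreationTime, AccessTime, WriteTime (unset)
        0, 0,          # FileSize, IconIndex
        1,             # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,    # HotKey, Reserved1, Reserved2, Reserved3
    )
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + body + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    benign = build_lnk("..\\Windows\\System32\\notepad.exe", "readme.txt")
    padded = build_lnk("..\\Windows\\System32\\cmd.exe", " " * 900 + "/c echo hidden")
    for label, blob in (("benign", benign), ("padded", padded)):
        args = parse_lnk(blob)["strings"]["arguments"]
        print(f"{label}: {len(blob)} bytes, pad run {longest_pad_run(args)}, flagged={is_padded_lnk(blob)}")
```

The check keys on the argument field rather than on the file size because the padding is what hides the command; a shortcut with a normal-length target and a 900-character run of spaces in its arguments has no legitimate reason to exist.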
Russian “BadPilot” Campaign – APT44/Sandworm: Microsoft investigators have exposed a multi-year campaign dubbed “BadPilot” by a subgroup of the infamous Russian Sandworm APT (also tracked as APT44 / Seashell Blizzard). This subgroup specializes in initial access operations: breaching networks in critical sectors and establishing backdoors, which are then handed off to other teams for exploitation and possibly destructive attacks. Active since at least 2021, BadPilot has targeted organizations in energy, oil & gas, telecommunications, shipping, arms manufacturing, and critical infrastructure across roughly 50 countries (including Ukraine, the U.S., and U.K.). Their playbook involves exploiting public-facing vulnerabilities to break in, then maintaining persistence so that Russian operators can later conduct espionage or sabotage (including observed wiper attacks to destroy data). Notably, BadPilot’s activity ramped up around Russia’s 2022 invasion of Ukraine, focusing on entities supporting Ukraine’s operations. This campaign illustrates the patient, coordinated approach of state-backed hackers – one team lays the groundwork (often quietly persisting for months), enabling follow-on forces to carry out high-impact actions at will. For defenders, the lesson is to monitor for initial footholds (e.g. unusual admin accounts, scheduled tasks, web shell activity) that might indicate an APT staging access for later use. Swift eradication of such footholds can blunt a future attack.
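The foothold hunting suggested above, written as an added example (not part of the original report or of Microsoft’s analysis): it correlates three Windows Security events per host, 4720 (user account created), 4732 (member added to a local group) and 4698 (scheduled task created), to surface a new account that becomes a local Administrator within a day and scheduled tasks whose action runs from a user-writable path. The events are constructed and simplified for this example, the path list is an assumption, and web-shell detection is left to the web server logs.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # BUILTIN\Administrators, as logged in 4732 TargetSid
# Task actions launched from user-writable directories. These fragments are
# an assumption for the example; tune them to the estate being monitored.
WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\windows\\tasks\\")

# Constructed sample events, simplified from Windows Security log fields.
# "Command" stands in for the action extracted from the 4698 TaskContent XML.
SAMPLE_EVENTS = [
    {"time": "2025-02-01T02:10:00", "host": "edge-srv01", "EventID": 4720,
     "SubjectUserName": "svc_backup", "TargetUserName": "support_adm"},
    {"time": "2025-02-01T02:11:30", "host": "edge-srv01", "EventID": 4732,
     "SubjectUserName": "svc_backup", "MemberName": "support_adm",
     "TargetSid": ADMINISTRATORS_SID},
    {"time": "2025-02-01T02:15:00", "host": "edge-srv01", "EventID": 4698,
     "SubjectUserName": "support_adm", "TaskName": "\\Microsoft\\Windows\\Maintenance\\Sync",
     "Command": "C:\\ProgramData\\sync\\svc.exe -q"},
    # benign: helpdesk creates a normal user; a vendor updater runs from Program Files
    {"time": "2025-02-03T10:00:00", "host": "hr-ws07", "EventID": 4720,
     "SubjectUserName": "helpdesk", "TargetUserName": "jdoe"},
    {"time": "2025-02-03T10:05:00", "host": "hr-ws07", "EventID": 4698,
     "SubjectUserName": "SYSTEM", "TaskName": "\\Vendor\\Updater",
     "Command": "C:\\Program Files\\Vendor\\update.exe"},
]


def find_footholds(events, window=timedelta(hours=24)):
    """Correlate account creation, admin-group membership and task creation per host."""
    created = {}      # (host, account) -> time the account was created
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if ev["EventID"] == 4720:
            created[(host, ev["TargetUserName"])] = t
        elif ev["EventID"] == 4732 and ev.get("TargetSid") == ADMINISTRATORS_SID:
            born = created.get((host, ev["MemberName"]))
            if born is not None and t - born <= window:
                findings.append({"host": host, "kind": "new_account_made_admin",
                                 "account": ev["MemberName"], "by": ev["SubjectUserName"],
                                 "minutes_after_creation": int((t - born).total_seconds() // 60)})
        elif ev["EventID"] == 4698:
            cmd = ev.get("Command", "").lower()
            born = created.get((host, ev["SubjectUserName"]))
            reasons = []
            if any(d in cmd for d in WRITABLE_DIRS):
                reasons.append("action runs from user-writable path")
            if born is not None and t - born <= window:
                reasons.append("created by an account younger than the window")
            if reasons:
                findings.append({"host": host, "kind": "suspicious_task",
                                 "task": ev["TaskName"], "by": ev["SubjectUserName"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_footholds(SAMPLE_EVENTS):
        print(f)
```

Because the subgroup’s value is in persistence handed off to others, the interesting signal is the sequence, not any single event: a freshly created account that is immediately made an administrator and then registers a task from ProgramData is a staged foothold even when each step on its own would pass a routine review.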
New Espionage Malware “FinalDraft”: Security researchers at Elastic uncovered a stealthy malware toolset in an espionage campaign against a South American government ministry, showcasing APT creativity in avoiding detection. The malware, called FinalDraft, uses an unconventional Command-and-Control (C2) channel via Microsoft Outlook: it hijacks the victim’s Outlook email drafts folder to exchange commands and data with the attackers. By abusing the legitimate Outlook/Exchange service (through the Microsoft Graph API), FinalDraft’s communications blend into normal email traffic, making it very hard for network defenders to spot. The attack chain begins with a custom loader (“PathLoader”) that plants the FinalDraft backdoor and post-exploitation tools on the target machine. Once running, FinalDraft obtains an OAuth token for the victim’s Office 365 account and uses it to continuously sync with a hidden mailbox – receiving attacker instructions concealed as draft messages and exfiltrating data by saving drafts in return. No actual emails are sent, so traditional email security solutions see nothing amiss. This novel technique exemplifies the lengths APT actors will go for covert persistence. It’s a reminder that even trusted cloud services can be bent to an attacker’s purpose. Defenders should consider monitoring for unusual usage patterns of APIs (like Graph), and ensure cloud audit logs are collected – such abuse might only be discernible by anomalies in logins or token usage rather than network traffic.
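As an added example of the monitoring suggested above (not code from the original report or from Elastic’s research), the following Python runs a simple heuristic over constructed mailbox-audit records: a client that writes to the Drafts folder repeatedly within a short window, never sends from that mailbox, and is not one of the expected mail clients is reported. The record field names, the ClientInfoString values and the thresholds are assumptions for illustration; a real implementation would feed it Exchange Online mailbox-audit exports and join the hits against sign-in logs for the token that was used.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Clients expected to touch Drafts: human mail clients. The prefixes are
# assumptions for this example, not an exhaustive list.
EXPECTED_CLIENTS = ("Client=OWA", "Client=Outlook", "Client=MSExchangeRPC")
DRAFT_OPS = frozenset({"Create", "Update"})
SEND_OPS = frozenset({"Send", "SendAs", "SendOnBehalf"})

# Constructed sample records, loosely shaped like Exchange Online mailbox-audit
# events. Field names and ClientInfoString values are assumed for illustration.
SAMPLE_EVENTS = [
    # a person drafting and sending from Outlook on the web
    {"CreationTime": "2025-02-10T09:00:00", "UserId": "ana@example.org", "Operation": "Create",
     "Folder": "\\Drafts", "ClientInfoString": "Client=OWA;Action=ViaProxy"},
    {"CreationTime": "2025-02-10T09:03:00", "UserId": "ana@example.org", "Operation": "Update",
     "Folder": "\\Drafts", "ClientInfoString": "Client=OWA;Action=ViaProxy"},
    {"CreationTime": "2025-02-10T09:04:00", "UserId": "ana@example.org", "Operation": "Send",
     "Folder": "\\Sent Items", "ClientInfoString": "Client=OWA;Action=ViaProxy"},
] + [
    # six draft writes in 25 minutes from a REST client on the same mailbox, nothing ever sent
    {"CreationTime": f"2025-02-10T10:{m:02d}:00", "UserId": "ana@example.org",
     "Operation": "Create" if i % 2 == 0 else "Update", "Folder": "\\Drafts",
     "ClientInfoString": "Client=REST;UserAgent=python-requests/2.31"}
    for i, m in enumerate(range(0, 30, 5))
] + [
    # a single REST draft write: below the threshold, not reported
    {"CreationTime": "2025-02-10T11:00:00", "UserId": "bob@example.org", "Operation": "Create",
     "Folder": "\\Drafts", "ClientInfoString": "Client=REST;UserAgent=python-requests/2.31"},
]


def find_draft_channels(events, window=timedelta(hours=1), min_draft_ops=5):
    """Report (user, client) pairs with >= min_draft_ops draft writes inside any
    window-sized span and no send operation at all from that client."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["UserId"], ev["ClientInfoString"])].append(ev)
    findings = []
    for (user, client), evs in by_key.items():
        if client.startswith(EXPECTED_CLIENTS):
            continue
        if any(ev["Operation"] in SEND_OPS for ev in evs):
            continue                              # real mail clients eventually send
        stamps = sorted(datetime.fromisoformat(ev["CreationTime"]) for ev in evs
                        if ev["Operation"] in DRAFT_OPS and ev.get("Folder", "").endswith("Drafts"))
        peak, start = 0, 0
        for i, t in enumerate(stamps):            # sliding window over draft timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= min_draft_ops:
            findings.append({"user": user, "client": client,
                             "draft_ops_in_window": peak,
                             "first_seen": stamps[0].isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_draft_channels(SAMPLE_EVENTS):
        print(f)
```

Nothing in this heuristic looks at network traffic, which is the point: the channel is indistinguishable from Exchange on the wire, so the anomaly has to come from who is writing drafts, how often, and whether any mail ever leaves.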
Other APT & Cyberespionage Notes: North Korea’s state-backed hackers remain extremely active on multiple fronts – beyond the headline-grabbing crypto heist mentioned earlier, Pyongyang-linked groups (e.g. Lazarus) continue targeting financial institutions and cryptocurrency platforms, as well as traditional espionage targets. Iran’s government-affiliated hackers are reportedly among those exploiting the Windows shortcut flaw, and Iranian APTs have shown interest in infrastructure and dissident surveillance. Chinese espionage groups have been linked to numerous campaigns: for example, a recent report linked FinalDraft’s toolset to a Chinese APT, and other Chinese units have exploited networking equipment vulnerabilities to spy on telcos and ISPs. Finally, Russian actors apart from Sandworm, such as APT29 (Midnight Blizzard), were implicated in cloud service breaches (like the one affecting HPE’s email system), indicating that even well-secured enterprises can fall victim to token theft or credential compromise in their SaaS environments.
Critical Vulnerabilities & Patches (March 2025)
Staying ahead of vulnerabilities is a never-ending challenge for security teams. March 2025 has already seen a surge in patches for actively exploited flaws and warnings of new weaknesses affecting both enterprise and SMB products. Below is a roundup of important vulnerabilities and vendor advisories:
Microsoft’s Patch Tuesday – 6 Zero-Days Fixed: Microsoft’s March 2025 security update was unusually large, addressing 57 vulnerabilities including 6 zero-days under active attack. This is the second-highest number of in-the-wild zero-day fixes ever released by Microsoft in one go. Notably, three zero-day bugs in the Windows NTFS file system were patched (two information disclosures and one remote code execution). The most severe, CVE-2025-24993, is a heap-based buffer overflow in NTFS that leads to code execution when a user is tricked into mounting a specially crafted virtual hard disk (VHD). Microsoft also patched CVE-2025-24985, an integer overflow in the legacy Fast FAT driver that is triggered the same way by a malicious VHD image. Another issue, CVE-2025-26633, is a security feature bypass in the Microsoft Management Console: a crafted console (.msc) file can slip past the protections that normally apply when such files are opened. Bugs of this kind, chained together, are how a capable attacker escalates from a simple foothold to full system compromise. Takeaway: Apply the March patches immediately, prioritizing client systems and servers, as threat actors will reverse-engineer these fixes to target unpatched machines. The high volume of patched zero-days suggests attackers were actively exploiting Windows components that many organizations (and SMBs) rely on daily.
Zero-Days in Common Software: Outside of Microsoft, other critical zero-day patches were released recently. Apple issued emergency updates in February for CVE-2025-24200, a flaw that let an attacker with physical access disable USB Restricted Mode on a locked device, which Apple said was exploited in an “extremely sophisticated” attack against specific targeted individuals; a March follow-up fixed an exploited WebKit bug (CVE-2025-24201) described in the same terms. This underscores that macOS and iOS devices, often used by executives, are also in attackers’ crosshairs. Meanwhile, the Android ecosystem saw a kernel privilege escalation bug (CVE-2024-53104, in the USB Video Class driver) patched after it was found exploited in the wild. Security teams should ensure mobile device management (MDM) policies push these updates to employee devices promptly, as mobile zero-days are valuable for espionage.
SMB-Focused Threat: Vulnerable Firewalls and VPNs: Small and mid-sized businesses often rely on affordable firewall/VPN appliances, which have recently been under attack. One headline issue is a critical RCE in GFI Kerio Control firewalls (CVE-2024-52875) – over 12,000 firewall instances were found exposed online and vulnerable. Exploiting this bug could let attackers completely hijack an SMB’s network gateway, leading to data theft or ransomware deployment. Similarly, SonicWall warned that attackers began targeting an authentication bypass flaw (CVE-2024-53704) in SonicWall appliances just days after a PoC exploit was published. And it’s not just smaller vendors: Palo Alto Networks alerted customers that hackers are chaining multiple bugs (CVE-2025-0111 with others) to breach PAN-OS firewall devices, bypassing auth and reading sensitive files. These network device vulnerabilities are a huge concern – many SMBs depend on these all-in-one security boxes, which if compromised, give attackers a foothold at the network perimeter. Recommendation: Immediately apply patches or mitigation for any network appliances in use. If a device is end-of-life and no patches are provided, consider isolating or replacing it. Monitor vendor advisories (from companies like Fortinet, Cisco, SonicWall, Palo Alto, etc.) as attackers watch them closely and often exploit new bugs within hours or days of disclosure.
Notable Exploits and Advisories:
- BeyondTrust Zero-Day Breach: Vulnerability researchers revealed that a now-patched PostgreSQL flaw (CVE-2025-1094) was exploited as a zero-day to breach BeyondTrust, a Privileged Access Management vendor, back in December. This supply chain breach is a reminder that attackers target security vendors too; organizations using BeyondTrust should review whether any downstream impact occurred and apply all updates.
- MOVEit Aftermath – Cl0p’s Long Tail: The Cl0p ransomware gang’s massive exploitation of the MOVEit Transfer zero-day in 2023 continues to spur breach disclosures. In February, a U.S. utility (PPL Electric) confirmed that a vendor’s MOVEit compromise exposed some customer data. It is a caution that the impact of a zero-day can reverberate long after the initial news: SMBs that used affected third-party services may still discover they were affected months later, necessitating customer notifications and damage control.
- OpenSSH Vulnerabilities: OpenSSH, critical for secure server administration, released fixes in 9.9p2 for a decade-old man-in-the-middle flaw (CVE-2025-26465) and a new pre-authentication denial-of-service flaw (CVE-2025-26466). The MitM bug only affects clients that have the non-default VerifyHostKeyDNS option enabled, while the DoS can be triggered against both clients and servers. While no active exploitation is noted, administrators should update OpenSSH on servers and bastion hosts to pre-empt any threat, especially since many automated attacks scan for SSH.
- Content Management Systems: CISA warned that the popular website platform Craft CMS has a remote code execution vulnerability (CVE-2025-23209) that is being actively exploited. Many SMBs and mid-market companies run their websites on CMS frameworks, which are attractive targets for web skimmers or defacements if not promptly patched. Ensure your web teams apply these updates and consider WAF protections in front of the CMS.