Recent Cyber Threats and Incidents: April 28 - May 1, 2025

I. Executive Summary

This report details significant cybersecurity threats, vulnerabilities, data breaches, and scams identified between April 28th and May 1st, 2025. The period was marked by urgent alerts from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) concerning actively exploited vulnerabilities, requiring immediate patching efforts. Notably, CISA added three specific vulnerabilities (CVE-2025-1976, CVE-2025-42599, CVE-2025-3928) to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agency remediation by May 19, 2025.1

Significant data breaches affecting large numbers of individuals were confirmed during this timeframe, including incidents at media conglomerate Urban One (linked to the Cactus ransomware gang) 3, infusion management platform provider Endue Software 4, and HR outsourcing firm VeriSource Services, impacting 4 million individuals.5 These confirmations often lagged the initial intrusions, highlighting delays in detection and reporting.

The ransomware landscape continued its dynamic evolution. New strains like FOG, distributed via novel phishing lures impersonating a government department 6, and ELENOR-corp, a Mimic variant targeting healthcare 7, emerged. Concurrently, established Ransomware-as-a-Service (RaaS) operations like RansomHub faced disruption, leading to affiliate migration and potential consolidation under groups like Qilin and DragonForce. Threat actors also demonstrated ongoing sophistication, with China-linked groups like PurpleHaze conducting reconnaissance against security vendors 9 and financially motivated actors like EncryptHub orchestrating multi-stage attacks involving malware distribution, vulnerability exploitation, and exploit sales.10

These specific incidents align with broader trends highlighted in the Verizon 2025 Data Breach Investigations Report (DBIR), released during this period.11 The DBIR confirmed a significant rise in ransomware prevalence and a doubling of breaches involving third parties globally 13, trends starkly reflected in the breaches confirmed at organizations like Hertz (via Cleo) and VeriSource Services.5 Overall, the period underscored the intense pressure on security teams from concurrent critical vulnerability disclosures, the persistent and adaptive nature of ransomware threats, and the growing systemic risk posed by supply chain and third-party compromises.

II. Urgent CISA Alerts & Actively Exploited Vulnerabilities

The final days of April 2025 saw critical alerts from CISA regarding vulnerabilities under active exploitation, demanding immediate attention from organizations to mitigate significant risks.

A. CISA KEV Catalog Additions (April 28, 2025)

On April 28, 2025, CISA added three vulnerabilities to its KEV catalog, signifying verified active exploitation by malicious actors.1 Under Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities by the specified deadline. While the directive applies formally only to FCEB agencies, CISA strongly urges all organizations to prioritize patching these flaws due to the demonstrated risk.1 The remediation deadline for all three vulnerabilities added on this date is May 19, 2025.2

The added vulnerabilities are detailed below:

| CVE ID | Vendor | Product | Vulnerability Type | Notes | Remediation Due Date |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-1976 | Broadcom | Brocade Fabric OS | Code Injection (CWE-94), OS Command Injection (CWE-78) | Affects versions 9.1.0 through 9.1.1d6.14 Allows unauthenticated attackers to execute commands.14 | May 19, 2025 |
| CVE-2025-42599 | Qualitia | Active! Mail | Stack-Based Buffer Overflow | Allows attackers to potentially execute arbitrary code. | May 19, 2025 |
| CVE-2025-3928 | Commvault | Web Server | Unspecified Vulnerability | Allows remote, authenticated attackers to create/execute webshells.15 Does not require administrative rights.15 Commvault reported its own Azure environment was breached via this flaw.16 | May 19, 2025 |

Data sourced from 1

The inclusion of the Commvault Web Server vulnerability (CVE-2025-3928) is particularly noteworthy. Commvault provides enterprise backup and recovery solutions, making its systems a high-value target for attackers seeking access to critical data or aiming to disrupt operations.15 The fact that exploitation allows authenticated users without administrative privileges to execute webshells presents a significant concern.15 This lowers the barrier for attackers; compromising any standard user account on a vulnerable server—perhaps through phishing or credential reuse—could be sufficient to gain a foothold, deploy further malware, steal data, or launch ransomware. This contrasts sharply with vulnerabilities requiring administrator-level access and underscores the need for robust authentication, access control, and activity monitoring even for non-privileged accounts on critical infrastructure management platforms. CISA recommends applying vendor mitigations or discontinuing use of the product if patches are unavailable.2

B. CISA ICS/OT Advisories & Other Critical Vulnerabilities

Beyond the KEV additions, CISA also highlighted risks in Industrial Control Systems (ICS) and Operational Technology (OT) environments. An alert bulletin summarized ICS advisories published between April 21-27, covering vulnerabilities in products from vendors including ABB, ALBEDO Telecom, Johnson Controls, Nice Linear, Schneider Electric, Siemens, Vestel, and notably, Planet Technology.17

The alert for Planet Technology (ICSA-25-114-06) detailed five critical vulnerabilities (CVSS v4 base scores of 9.3) affecting its network management systems (UNI-NMS-Lite, NMS-500, NMS-1000V) and industrial switches (WGS-804HPT-V2, WGS-4215-8T2S).18 These products are frequently deployed in critical manufacturing and industrial settings globally.19 The vulnerabilities, discovered by security researcher Kev Breen 19, include OS command injection, use of hard-coded credentials, and, critically, missing authentication for functions that allow attackers to create new administrator accounts without needing existing credentials.18 Exploitation could grant attackers complete control over devices and potentially entire managed networks.18

| CVE ID | Affected Products (Versions) | Description | CVSS v4 Score |
| --- | --- | --- | --- |
| CVE-2025-46271 | UNI-NMS-Lite (≤1.0b211018) | Allows unauthenticated attacker to read/manipulate device data | 9.3 |
| CVE-2025-46272 | WGS-804HPT-V2 (≤2.305b250121), WGS-4215-8T2S (≤1.305b241115) | Allows unauthenticated attacker to execute OS commands on host system | 9.3 |
| CVE-2025-46273 | UNI-NMS-Lite (≤1.0b211018) | Enables attacker to gain admin privileges to all UNI-NMS managed devices (Hard-coded credentials) | 9.3 |
| CVE-2025-46274 | UNI-NMS-Lite (≤1.0b211018) | Allows attacker to read, manipulate, and create database entries (Hard-coded credentials) | 9.3 |
| CVE-2025-46275 | WGS-804HPT-V2 (≤2.305b250121), WGS-4215-8T2S (≤1.305b241115) | Enables attacker to create admin account without existing credentials (Missing Authentication) | 9.3 |

Data sourced from 18

Furthermore, reports emerged around April 28th detailing the active exploitation of a critical zero-day vulnerability (CVE-2025-31324, CVSS score 10.0) in SAP NetWeaver.20 This flaw permits unrestricted file uploads, enabling attackers to deploy webshells and subsequently install sophisticated post-exploitation frameworks like Brute Ratel.20

The near-simultaneous emergence of these distinct threats (actively exploited vulnerabilities added to the KEV list demanding action by May 19th 1; critical flaws flagged in sensitive ICS/OT environments requiring careful remediation planning 17; and a newly discovered, maximum-severity zero-day under active attack in a core enterprise system like SAP NetWeaver 20) creates a challenging situation for security teams. Organizations are forced to address multiple high-priority issues concurrently across different technology stacks (IT, OT, enterprise applications). This scenario strains resources, complicates prioritization, and significantly increases organizational risk if any area is neglected. It underscores the necessity for highly efficient, risk-based vulnerability management programs capable of handling rapid, concurrent threat disclosures.

III. Notable New Malware & Ransomware Activity

The reporting period witnessed the identification of several new malware families and ransomware strains, alongside significant shifts within the ransomware-as-a-service (RaaS) ecosystem, indicating continued evolution and adaptation by threat actors.

A. New Malware Strains

Several distinct malware tools were identified or saw new activity reported:

  • WP-antymalwary-bot: This malware masquerades as a WordPress security plugin, using filenames such as WP-antymalwary-bot.php, addons.php, or wpconsole.php. It provides attackers with backdoor administrative access, hides itself from the WordPress dashboard, allows remote code execution, and injects malicious JavaScript, often for displaying ads. It also includes functionality to report back to a command-and-control (C&C) server and can reinfect cleaned sites, potentially via a modified wp-cron.php file. While first found in late January 2025, new variants were detected in the wild more recently.16
  • Hannibal Stealer: Identified as a rebranded version of the previously known Sharp and TX information stealers. It targets a wide range of credentials, including those stored in web browsers, cryptocurrency wallets, FTP clients, and VPN applications, as well as Discord tokens and Steam session data. Its presentation suggests a move towards commercialization, possibly offered via a subscription model on dark web forums.6
  • ANEL Backdoor (New Version): The Earth Kasha APT group (linked to APT10) was observed using an updated version of the ANEL backdoor in a recent spear-phishing campaign targeting entities in Taiwan and Japan.6 Delivered via a malicious Excel file, the malware uses SharpHide for persistence and employs a second-stage backdoor (NOOPDOOR) that utilizes DNS over HTTPS for C&C communication, enhancing stealth.6
  • LAGTOY Malware: This custom malware is employed by an Initial Access Broker (IAB) tracked as "ToyMaker".6 LAGTOY establishes reverse shells and executes commands on compromised systems, allowing ToyMaker to gain initial network access and then sell that access to ransomware operators.6
  • WizardNet Backdoor: A modular backdoor utilized by a China-linked group known as "TheWizards". It is delivered using a tool called "Spellbinder," which performs Adversary-in-the-Middle (AitM) attacks by exploiting IPv6 SLAAC configurations to intercept and redirect traffic, particularly targeting software update mechanisms for applications like Sogou Pinyin and Tencent QQ.6 The group has been active since at least 2022, primarily targeting organizations in Asia.6

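The WP-antymalwary-bot entry above gives a defender two concrete things to look for: the filenames the fake plugin uses, and a wp-cron.php that has been altered to reinfect a cleaned site. The following script turns those indicators into a check. It is an added example, not code from the report or from the researchers who analyzed the malware; the WordPress-like directory tree, the planted files and the known-good wp-cron.php hash are all constructed in a temporary directory so the script runs offline.

```python
"""Detection check for the WP-antymalwary-bot indicators described above.
Added example, not code from the original report: the directory layout,
the planted files and the known-good wp-cron.php hash are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Filenames the report associates with the fake plugin (matched case-insensitively).
SUSPECT_FILENAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php"}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_wordpress(root: Path, known_good_cron_sha256: str) -> dict:
    """Look for the suspect plugin filenames and for a wp-cron.php that no longer
    matches its known-good hash (the report notes reinfection via a modified wp-cron.php)."""
    findings = {"suspect_files": [], "wp_cron_modified": False}
    plugins_dir = root / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        for php_file in plugins_dir.rglob("*.php"):
            if php_file.name.lower() in SUSPECT_FILENAMES:
                findings["suspect_files"].append(php_file.relative_to(root).as_posix())
    cron = root / "wp-cron.php"
    if cron.is_file() and sha256_file(cron) != known_good_cron_sha256:
        findings["wp_cron_modified"] = True
    findings["suspect_files"].sort()
    return findings


def build_sample_site(infected: bool) -> tuple:
    """Create a constructed WordPress-like tree in a temp dir; returns (root, known_good_cron_hash).
    With infected=True a fake plugin file is planted and a line is appended to wp-cron.php."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-content" / "plugins" / "akismet").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "akismet" / "akismet.php").write_bytes(
        b"<?php // legitimate plugin (constructed)\n")
    original_cron = b"<?php // original wp-cron.php (constructed)\n"
    known_good = hashlib.sha256(original_cron).hexdigest()
    cron_contents = original_cron
    if infected:
        (root / "wp-content" / "plugins" / "WP-antymalwary-bot.php").write_bytes(
            b"<?php // planted sample file, inert\n")
        cron_contents += b"// appended line standing in for a reinfection stub (constructed)\n"
    (root / "wp-cron.php").write_bytes(cron_contents)
    return root, known_good


if __name__ == "__main__":
    site, good_hash = build_sample_site(infected=True)
    print(scan_wordpress(site, good_hash))
    # → {'suspect_files': ['wp-content/plugins/WP-antymalwary-bot.php'], 'wp_cron_modified': True}
```

In a real deployment the known-good hash comes from the matching WordPress release (or from a file-integrity baseline taken before the site went live), and the filename list should be treated as one indicator among several, since the names are easy for the operators to change.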
B. New Ransomware Strains & Tactics

The ransomware landscape saw the emergence of new families and novel extortion methods:

  • FOG Ransomware: This ransomware is being distributed through phishing emails that notably impersonate the "Department of Government Efficiency (DOGE)" or individuals associated with it. It encrypts files, appends a .flocked extension, and drops a ransom note named readme.txt. The payload includes auxiliary scripts designed for data collection and privilege escalation, and the ransom note contains a Monero wallet address. Operators claimed around 100 victims across various sectors since January 2025.6
  • ELENOR-corp Ransomware: Identified as a new variant of the Mimic ransomware family. It is actively targeting healthcare organizations.7 A key feature is its use of a Python executable to harvest credentials by stealing clipboard content. Researchers note that this variant employs enhanced anti-forensic techniques, process tampering methods, and sophisticated encryption strategies compared to earlier Mimic versions.7
  • Anubis Ransomware: This group, which emerged in February 2025 7, is employing novel extortion tactics beyond simple encryption and data theft threats. They utilize a "data ransom" model, threatening victims with the publication of detailed "investigative articles" based on the stolen data, naming victims on social media, and notifying regulatory bodies or the victim's customers about the breach. This approach aims to increase pressure by adding reputational damage and potential compliance penalties to the consequences of not paying. Anubis is reportedly testing new business models to attract affiliates.21
  • Spectra Ransomware: Identified as a new strain based on the Chaos ransomware family.22 It appends a random four-character extension to encrypted files and leaves a ransom note titled SPECTRARANSOMWARE.txt.22 The note claims infiltration and encryption of critical data, including financial records, customer information, and intellectual property.22 Technical analysis revealed anti-debugging capabilities and the use of Windows Management Instrumentation (WMI) calls.22

C. Ransomware Ecosystem Dynamics

Significant turbulence was observed within the RaaS ecosystem:

  • RansomHub Disruption: The RansomHub RaaS platform, which had rapidly gained prominence possibly using code from the defunct Knight/Cyclops operation and attracting affiliates with favorable terms 7, reportedly went offline around April 1, 2025.7 This caused significant "affiliate unrest".7
  • Affiliate Migration & Claims: Following the RansomHub downtime, some affiliates were suspected of migrating to the Qilin RaaS group, which saw a doubling in victim disclosures on its leak site since February. Concurrently, the rival DragonForce RaaS group claimed on the RAMP forum that RansomHub had moved its operations to their infrastructure, forming a new "DragonForce Ransomware Cartel".7 Other reports suggest the BlackLock RaaS group is also collaborating with DragonForce, and the RansomBay operation is now running on DragonForce systems. This turmoil suggests a potential shutdown, rebranding, or consolidation within the RaaS market.7
  • General Trends: The ransomware threat persists but shows signs of fragmentation into smaller, more agile groups that frequently rebrand to evade law enforcement and maintain operations. There's also a noted shift towards stealthier operations and, in some cases like Hunters International, a prioritization of data exfiltration and extortion over file encryption.10

The confluence of these developments paints a picture of a highly active and adaptive ransomware ecosystem. Attackers are not merely refining encryption techniques but are actively experimenting with novel extortion strategies (like Anubis's regulatory threats 7), specialized targeting (like ELENOR-corp's focus on healthcare 7), creative social engineering lures (like FOG's fake government department 6), and navigating a volatile RaaS market (evidenced by the RansomHub disruption 7). This strategic diversity—encompassing shifts in targeting, extortion methods, operational structures, and affiliate relationships—means defenders face a multifaceted, constantly evolving threat rather than a single, predictable adversary type. Adapting defenses to counter these varied approaches is crucial.

IV. Significant Data Breaches Confirmed (April 28–May 1)

Several significant data breaches affecting numerous individuals were confirmed or disclosed within the reporting period. Notably, many of these confirmations relate to incidents that occurred earlier in the year, highlighting the common delay between compromise, detection, investigation, and public notification.

A. Urban One

  • Confirmation Date: April 28, 2025.3
  • Incident Details: The Maryland-based media conglomerate confirmed a breach stemming from a "sophisticated social engineering campaign" that began on February 13, 2025. The intrusion was discovered on March 15, and a forensic investigation confirmed data exfiltration by March 30.3
  • Impact: Stolen data included employee information such as names, addresses, Social Security numbers (SSNs), direct deposit details, and W-2 information.3 At least 355 individuals in Texas were affected, and the company is offering two years of credit monitoring services.3
  • Attribution: The Cactus ransomware gang claimed responsibility for the attack on March 12, prior to the company's confirmation. Cactus emerged in 2023 and has been linked to attacks on major organizations like Americold and Schneider Electric.3

B. Endue Software

  • Confirmation Date: April 29, 2025.4
  • Incident Details: The provider of infusion management platforms identified unauthorized access to its systems on February 17, 2025. Investigation confirmed an attacker briefly accessed systems on February 16 and copied files containing patient data.4
  • Impact: The breach affected Endue Software and its healthcare provider clients (e.g., Rheumatology Associates of Baltimore). Exposed patient data included full names, addresses, dates of birth, SSNs, and medical record numbers.4 Endue reported the incident to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as affecting 118,028 individuals, though the total number could be higher as clients may report separately.4

C. VeriSource Services

  • Disclosure Date: April 28, 2025.5
  • Incident Details: The HR outsourcing services provider disclosed a cyberattack that occurred in February 2024. Unusual activity was detected on February 28, 2024, with the investigation concluding on April 17, 2025, and notifications commencing April 23, 2025.5
  • Impact: The breach affected a staggering 4 million individuals, primarily employees and dependents of VeriSource's client companies.5 Exposed data included names, addresses, dates of birth, gender, and SSNs (varying by individual).5 The company is offering 12 months of free credit monitoring.5

D. Other Related Incidents & Fallout

  • Oracle Cloud Legacy Leak Fallout: CISA issued a warning related to a previously reported Oracle security incident.24 Although Oracle maintained its primary Cloud Infrastructure (OCI) was not breached, attackers accessed and published usernames and potentially other credentials (passwords, tokens, keys) from obsolete legacy servers.24 A threat actor, "rose87168," offered data allegedly from Oracle SSO/LDAP systems (purportedly 6 million records affecting 140,000 tenants) for sale on cybercriminal forums.10 CISA emphasized the significant risk posed by such compromised credentials for enabling privilege escalation, business email compromise (BEC), and other malicious activities.24 At least three Oracle customers confirmed their information was present in the leaked dataset.24
  • Recently Reported Attacks (Context): Around the April 28th timeframe, several other attacks gained public attention, though the incidents may have occurred earlier. These included disruptions at British retailer Marks & Spencer (M&S) following a cyberattack 20, an attack on Baltimore City Public Schools affecting 25,000 individuals with the Cloak Ransomware group claiming responsibility 20, confirmation of unauthorized access to customer personal information at South African telecom MTN 20, and an attack impacting internal systems at Aigües Ter Llobregat, a water supplier for Barcelona.20
  • Third-Party Risk Emphasis: A recurring theme across recent breach disclosures is the role of third-party vendors. The VeriSource breach impacted clients using its outsourced services. Similarly, breaches reported earlier in April at Yale New Haven Health (linked to vendor Perry Johnson & Associates) 5, Hertz Corporation (linked to file transfer vendor Cleo Communications) 5, and WK Kellogg Co (also linked to Cleo) 5 underscore the significant risks inherent in the supply chain. This aligns with findings from the Verizon DBIR highlighting increased third-party involvement in breaches.11

The significant delay observed between the time of intrusion (often February 2025 or earlier) and the public confirmation or disclosure (late April 2025) for major breaches like those at Urban One, Endue Software, and VeriSource Services presents a challenge for real-time threat intelligence and risk assessment. This lag, often necessitated by detection delays, complex forensic investigations, legal reviews, and notification procedures, means that reports focusing on a narrow confirmation window capture the consequences of potentially much older compromises. Data may have been exfiltrated and misused long before the affected organization or the public became fully aware. This reality underscores the critical importance of proactive measures like threat hunting, rapid detection capabilities, and swift incident response, rather than relying solely on public breach notifications for understanding current risks.

V. Emerging Scams, Phishing & Threat Actor Updates

Alongside major vulnerabilities and breaches, the period saw continued activity involving phishing, business email compromise (BEC), and operations by specific threat actor groups.

A. Scams & Phishing Campaigns

  • TA2900 BEC Campaign: A newly identified BEC actor, tracked as TA2900, was observed impersonating landlords in targeted attacks against renters in France and Canada. The campaign utilized compromised university email accounts to send messages and employed tactics like swapping International Bank Account Numbers (IBANs) within email threads to redirect payments to attacker-controlled accounts.6
  • OAuth Abuse for M365 Hijacking: Russian-linked threat groups (UTA0352, UTA0355) were reported abusing OAuth 2.0 authorization workflows to hijack Microsoft 365 accounts.25 This involved tricking users, particularly those in Ukraine-related organizations, via platforms like WhatsApp or Signal into sharing authorization codes or multi-factor authentication (MFA) details under false pretenses. Attackers leveraged interfaces like Visual Studio Code's OAuth mechanism to gain persistent access.25 (Reported April 25).
  • DPRK Crypto Phishing: North Korean state-sponsored groups (including UNC1069, UNC4899, UNC5342, UNC3782) continued targeting the Web3 and cryptocurrency sectors, employing social engineering, fake job offers, and deepfake personas.25 One group, UNC3782, reportedly stole $137 million in a single day through a phishing attack, highlighting the scale and success of these campaigns aimed at funding state programs.25 (Reported April 25).
  • SMS Phishing Context: While reported slightly earlier (April 17), large-scale SMS phishing campaigns dubbed PointyPhish and TollShark, powered by the Darcula Phishing-as-a-Service (PhaaS) platform, were noted as a recent threat, using thousands of domains to trick users with fake reward or toll payment messages to steal financial information.26

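The TA2900 campaign above turns on one observable: a bank account number that changes partway through an otherwise legitimate email thread, often arriving from a different mailbox. The script below checks a thread for exactly that. It is an added example, not code from the report or from the researchers who track TA2900; the messages are constructed, and the IBANs are the widely published sample numbers for FR, GB and DE, validated with the standard ISO 13616 mod-97 check so that stray digit strings are not mistaken for payment instructions.

```python
"""Thread-level check for the payment-redirection tactic described above: an IBAN
that changes partway through an email conversation.  Added example, not from the
original report; the messages are constructed and the IBANs are published sample
numbers, not real accounts."""
import re
from dataclasses import dataclass

# Candidate IBAN: country code, two check digits, 11-30 alphanumerics, optional single
# spaces between groups as people usually type them.
IBAN_CANDIDATE_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
IBAN_COMPACT_RE = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")


@dataclass
class Message:
    sender: str
    body: str


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map A..Z to
    10..35, and the resulting integer must leave remainder 1 when divided by 97."""
    compact = iban.replace(" ", "").upper()
    if len(compact) > 34 or not IBAN_COMPACT_RE.fullmatch(compact):
        return False
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def ibans_in(text: str) -> list:
    """Return checksum-valid IBANs found in free text with spaces removed."""
    found = [m.group(0).replace(" ", "") for m in IBAN_CANDIDATE_RE.finditer(text)]
    return [i for i in found if iban_is_valid(i)]


def detect_iban_swap(thread: list) -> list:
    """Walk the thread in order. The first valid IBAN establishes the baseline; any later,
    different IBAN is reported together with whether it came from a different sender."""
    alerts = []
    baseline_iban = None
    baseline_sender = None
    for index, msg in enumerate(thread):
        for iban in ibans_in(msg.body):
            if baseline_iban is None:
                baseline_iban, baseline_sender = iban, msg.sender
            elif iban != baseline_iban:
                alerts.append({
                    "message_index": index,
                    "sender": msg.sender,
                    "sender_changed": msg.sender != baseline_sender,
                    "previous_iban": baseline_iban,
                    "new_iban": iban,
                })
    return alerts


# Constructed thread: the landlord sets up payment, the tenant acknowledges, then a message
# from a different account (standing in for a compromised mailbox) swaps in a new number.
SAMPLE_THREAD = [
    Message("landlord@example-property.invalid",
            "Hello, rent for May as usual to FR76 3000 6000 0112 3456 7890 189. Merci."),
    Message("tenant@example.invalid", "Thanks, will transfer on the 1st."),
    Message("j.doe@university.example",
            "Change of bank: from now on please use DE89 3704 0044 0532 0130 00 instead."),
]

if __name__ == "__main__":
    for alert in detect_iban_swap(SAMPLE_THREAD):
        print(alert)
```

The sender_changed flag is what makes this useful against the compromised-university-account variant: a legitimate bank change usually comes from the original correspondent, so a new IBAN from a new address is the higher-confidence signal, and the finance team can confirm it out of band before paying.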
B. Threat Actor Activity & Espionage

Specific threat groups were observed conducting campaigns or reconnaissance:

  • PurpleHaze (China-linked APT): Security firm SentinelOne reported on April 29th that it had detected attempted reconnaissance activities by a China-nexus threat cluster it tracks as PurpleHaze.9 The reconnaissance targeted SentinelOne's own infrastructure and some of its high-value clients, suggesting preparation for future targeted cyberespionage operations. This activity was linked back to a 2024 intrusion at an organization that previously provided hardware logistics services for SentinelOne.9
  • EncryptHub Operations: This financially motivated threat actor, active since at least June 2024, was detailed in a report released April 29th.10 EncryptHub distributes infostealers like Rhadamanthys and StealC, as well as the XMRig cryptojacker, often using trojanized versions of popular applications delivered via a third-party Pay-Per-Install (PPI) service.10 The actor utilizes Telegram for C&C, operates a proprietary C&C panel called EncryptRAT, exploits known vulnerabilities in Fortinet and Palo Alto Networks devices, and sells exploits (including CVE-2025-26633, CVE-2025-24061, CVE-2025-24071) on underground forums. Notably, the actor makes extensive use of ChatGPT to assist in creating malware, phishing sites, and managing infrastructure.10
  • Billbug / Lotus Blossom (China-linked APT): A recent campaign by this group was reported around April 28th, targeting government and telecommunications entities in an unnamed Southeast Asian country.20 The campaign featured new custom tools designed specifically to steal credentials from Chrome browsers on compromised systems.20
  • TheWizards (China-linked Group): As mentioned previously, this group was reported on April 30th using the Spellbinder AitM tool and WizardNet backdoor, exploiting IPv6 SLAAC configurations.6

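The Spellbinder entries above describe an attack on IPv6 SLAAC: a host on the local segment acts as a router so that neighbours accept its addressing and DNS configuration. The defensive counterpart is to record which routers are supposed to be sending Router Advertisements and alert on any RA that does not fit. The following parser and check do that for raw ICMPv6 RA bytes. This is an added example, not code from the report or from the cited research; the trusted router MAC, the expected prefix and the RA packets are constructed in memory (nothing is transmitted), and the option layouts follow RFC 4861 and RFC 8106.

```python
"""Rogue Router Advertisement check for the IPv6 SLAAC abuse the report attributes
to Spellbinder.  Added example, not from the report or the cited research: the
RA bytes, the trusted-router MAC and the expected prefix are constructed, and the
packets are only built in memory, never sent."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1    # RFC 4861 section 4.6.1
OPT_PREFIX_INFORMATION = 3   # RFC 4861 section 4.6.2
OPT_RDNSS = 25               # RFC 8106 section 5.1 (recursive DNS servers)

# Constructed baseline for the segment being monitored.
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}
EXPECTED_PREFIXES = {"2001:db8:1::/64"}


def parse_ra(payload: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (fixed header plus TLV options).
    Malformed input raises ValueError rather than being silently accepted."""
    if len(payload) < 16:
        raise ValueError("ICMPv6 RA shorter than its 16-byte header")
    msg_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other_config": bool(flags & 0x40),
          "router_lifetime": lifetime, "src_mac": None, "prefixes": [], "rdnss": []}
    offset = 16
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")      # RFC 4861: such packets must be discarded
        end = offset + opt_len * 8
        if end > len(payload):
            raise ValueError("option overruns payload")
        body = payload[offset + 2:end]
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            # body: prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            # body: reserved(2) lifetime(4) then one or more 16-byte server addresses
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        offset = end
    return ra


def evaluate_ra(eth_src_mac: str, ra: dict, trusted_macs=TRUSTED_ROUTER_MACS,
                expected_prefixes=EXPECTED_PREFIXES) -> list:
    """Return human-readable findings; an empty list means the RA matches the baseline."""
    findings = []
    src = eth_src_mac.lower()
    if src not in trusted_macs:
        findings.append(f"RA from untrusted source {src}")
        if ra["rdnss"]:
            # A rogue router handing out DNS servers is how name lookups get redirected.
            findings.append("untrusted RA advertises DNS servers via RDNSS: " + ", ".join(ra["rdnss"]))
    if ra["src_mac"] and ra["src_mac"] != src:
        findings.append(f"source link-layer option {ra['src_mac']} does not match frame source {src}")
    for prefix in ra["prefixes"]:
        if prefix not in expected_prefixes:
            findings.append(f"unexpected on-link prefix {prefix}")
    return findings


def build_ra(src_mac: str, prefix: str = "", rdnss=(), router_lifetime: int = 1800) -> bytes:
    """Build constructed RA bytes for exercising the parser (checksum left zero; nothing is sent)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    options = bytes([OPT_SOURCE_LINK_LAYER, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        options += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        options += net.network_address.packed
    if rdnss:
        options += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, router_lifetime)
        options += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return header + options


if __name__ == "__main__":
    legit = build_ra("00:11:22:33:44:55", prefix="2001:db8:1::/64")
    rogue = build_ra("de:ad:be:ef:00:01", prefix="2001:db8:bad::/64", rdnss=("2001:db8:bad::53",))
    print(evaluate_ra("00:11:22:33:44:55", parse_ra(legit)))   # → []
    for line in evaluate_ra("de:ad:be:ef:00:01", parse_ra(rogue)):
        print(line)
```

On a production network the same check is normally enforced rather than only detected, by RA Guard on the access switches, and the allow-list is fed from the network inventory; the parser above is what sits behind an alert when a capture shows RAs that RA Guard did not catch.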
C. Supply Chain & Code Compromise

  • xrpl.js Backdoor: A significant supply chain incident involved the official NPM (Node Package Manager) package for the XRP Ledger blockchain platform, xrpl.js.20 Researchers discovered the package had been compromised and infected with a backdoor designed to steal cryptocurrency credentials. The malicious versions remained available for approximately 16 hours, impacting a package with over 140,000 weekly downloads.20 (Reported April 28).

The activities observed during this period demonstrate that threat actors are employing increasingly sophisticated and diverse strategies. They combine technical exploitation of vulnerabilities (OAuth flaws 25, IPv6 misconfigurations 6, software vulnerabilities 10) with highly targeted social engineering (BEC targeting specific roles like renters 6, fake job offers for crypto professionals 25, unique lures like the FOG ransomware's fake department 6) and attacks targeting the software supply chain (NPM package compromise 20, exploitation of third-party vendor vulnerabilities leading to breaches 5). Actors like EncryptHub showcase a blended approach, engaging in malware distribution, vulnerability exploitation, and exploit brokering simultaneously.10 This multi-faceted landscape indicates that attackers are not reliant on single techniques but leverage a broad toolkit tailored to their objectives. Consequently, effective defense requires a layered security strategy addressing technical controls, user awareness training, and rigorous supply chain risk management.

VI. Broader Threat Landscape Insights (Verizon 2025 DBIR)

The release of the Verizon 2025 Data Breach Investigations Report (DBIR) around April 28th provided valuable macro-level context for the specific threats and incidents observed during this period.11 The DBIR, a widely respected annual analysis of security incidents, highlighted several trends that resonate strongly with the events detailed in this report.

  • System Intrusions Surge (APAC): The DBIR revealed a dramatic increase in system intrusions as the cause of breaches in the Asia-Pacific (APAC) region, rising to 80% from 38% the previous year.11 Malware was involved in 83% of APAC breaches (up from 58%), frequently distributed via email.11 This finding lends weight to the significance of the specific malware campaigns observed impacting the region, such as those involving the ANEL backdoor 6 and the WizardNet backdoor targeting Asian users.6
  • Ransomware Prevalence: Globally, the DBIR found ransomware was present in 44% of analyzed breaches, marking a notable increase from the previous year.13 In the APAC region specifically, ransomware accounted for 51% of breaches.11 The report also noted that ransomware disproportionately affects Small and Medium-sized Businesses (SMBs).11 This aligns closely with the observed emergence of new ransomware strains (FOG, ELENOR-corp), novel tactics (Anubis), and RaaS volatility (RansomHub, DragonForce) during the reporting window.7 It is worth noting a potential nuance: while Verizon reported an increase in ransomware presence in breaches, IBM's X-Force report indicated ransomware constituted 28% of malware cases (the largest share) but observed an overall decline in ransomware incidents, possibly due to factors like increased reluctance to pay ransoms and law enforcement takedowns.27
  • Third-Party / Supply Chain Risk: A major finding in the 2025 DBIR was that breaches involving third parties doubled globally compared to the previous year, accounting for 30% of total breaches.12 This increase was partly driven by the exploitation of vulnerabilities in third-party systems.13 This statistical trend strongly reinforces the significance of the specific third-party related breaches confirmed during this period, such as those impacting VeriSource Services, Hertz (via Cleo), Yale New Haven Health (via PJ&A), and WK Kellogg Co (via Cleo).5
  • Human Element & Credentials: The DBIR continued to highlight the human element in breaches, overlapping with social engineering and credential abuse.11 This complements findings from IBM X-Force indicating identity-based attacks using valid accounts remain high (30% of intrusions) 27, fueled by an 84% weekly year-over-year increase in infostealers delivered via phishing.27 Picus Labs also reported a threefold surge in credential theft over the past year.26 These statistics provide context for the observed BEC campaigns (TA2900 6), OAuth abuse targeting credentials 25, APT groups deploying credential theft tools (Billbug 20), and the emergence of stealers like Hannibal.6
  • Vulnerability Exploitation: The DBIR noted an increase in attackers exploiting vulnerabilities for initial access.13 It also highlighted poor remediation rates for perimeter device vulnerabilities, with only 6% fully remediated in the past year and nearly half (47%) remaining unresolved.13 This finding directly aligns with CISA's addition of actively exploited vulnerabilities to the KEV catalog and the ongoing exploitation of flaws like the SAP NetWeaver zero-day.1

The timing of the Verizon DBIR release alongside the specific incidents observed between April 28th and May 1st serves as a powerful validation. The micro-level threats detailed in this report – specific ransomware attacks, breaches stemming from third-party vendors, active exploitation of vulnerabilities – are not isolated occurrences but rather concrete examples of the broader, statistically significant trends identified by Verizon. The doubling of third-party breaches reported in the DBIR, for instance, gives significant weight to the cluster of such breaches confirmed during this short window, indicating this is a major, ongoing systemic risk requiring strategic attention, not just tactical responses to individual incidents. The synchronicity between the DBIR findings and the real-world events underscores the urgency of addressing these key threat vectors: third-party risk, ransomware resilience, and vulnerability management.

VII. Conclusion & Recommendations

The period between April 28th and May 1st, 2025, presented a concentrated view of the current dynamic and challenging cybersecurity landscape. Key themes included the critical need for rapid vulnerability remediation driven by CISA KEV alerts and zero-day exploitation; the confirmation of large-scale data breaches, often with significant reporting delays; the continued evolution of ransomware with new strains, tactics, and RaaS market shifts; persistent and targeted threat actor campaigns employing diverse methods; and the overarching context, confirmed by the Verizon 2025 DBIR, of rising third-party risk and ransomware prevalence.

Based on these observations, the following recommendations are crucial for enhancing organizational security posture:

  1. Prioritize KEV and Critical Vulnerability Patching: Organizations must immediately assess exposure to and remediate CVE-2025-1976, CVE-2025-42599, and CVE-2025-3928 by the CISA deadline of May 19, 2025. Systems running SAP NetWeaver should be urgently reviewed for exposure to the actively exploited zero-day CVE-2025-31324. Implement and refine a robust, risk-based vulnerability management program capable of handling concurrent critical patching demands across IT and OT environments, prioritizing actively exploited flaws.
  2. Enhance Third-Party Risk Management (TPRM): Given the doubling of third-party breaches reported by Verizon and exemplified by recent incidents (VeriSource, Hertz/Cleo, Yale/PJ&A), organizations must rigorously re-evaluate the security posture of critical vendors. This includes cloud service providers, HR/payroll processors, data processing partners, and file transfer services. Scrutinize contractual security clauses, audit rights, and incident notification requirements. Implement controls to limit the potential impact of a compromise at a third party.
  3. Bolster Ransomware Defenses: Prepare for diverse extortion tactics that go beyond file encryption, such as threats of data leakage, public naming, and regulatory reporting (as seen with Anubis). Ensure robust, frequently tested backup strategies, including offline and immutable copies. Monitor threat intelligence for Tactics, Techniques, and Procedures (TTPs) associated with emerging and active ransomware groups (e.g., FOG, ELENOR-corp, Anubis, Qilin, DragonForce, Cactus). Implement network segmentation to impede lateral movement following an initial compromise.
  4. Combat Phishing & Business Email Compromise (BEC): Continuously update user awareness training to address sophisticated lures, including OAuth consent phishing, impersonation of specific roles (landlords), and fake government entities. Implement strong technical controls such as advanced email filtering, DMARC enforcement, and mandatory MFA for all critical internal and external accounts. Monitor for anomalous internal account behavior, unusual login patterns, and suspicious financial transaction requests.
  5. Monitor Threat Actor Activity: Leverage threat intelligence feeds and reports to stay informed about the TTPs of APT groups targeting relevant sectors or regions (e.g., PurpleHaze, Billbug, Earth Kasha) and financially motivated actors (e.g., EncryptHub, TA2900). Use this intelligence to proactively configure security controls, tune detection rules, and guide threat hunting activities.
  6. Secure WordPress & Web Applications: Implement regular security scanning for web applications, particularly WordPress sites, to detect malware like WP-antymalwary-bot. Vet security plugins carefully before installation. Enforce strong access controls, maintain regular update schedules for themes, plugins, and core software, and monitor for unauthorized code injection or configuration changes.
  7. Review Cloud & Legacy System Security: Address the risks associated with unsupported or poorly configured legacy systems, as highlighted by the Oracle incident fallout. Ensure proper security configurations for cloud services, including monitoring for misconfigurations like the one leading to the Blue Shield of California data exposure. Implement strong credential management practices, including regular password rotation and privileged access management, across all environments.
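A KEV-driven prioritization check of the kind recommendation 1 calls for, as an added example that is not part of the original report: it joins a scanner inventory against a KEV feed excerpt and orders findings by ransomware linkage and due date. The inventory and KEV excerpt are constructed; the field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) match the JSON schema CISA publishes for the catalog, and only the three CVE IDs and the May 19, 2025 deadline come from the report.

```python
# Added example (not from the report): rank unpatched CVEs against a CISA KEV
# feed excerpt. KEV_SAMPLE and INVENTORY are constructed; only the CVE IDs and
# the 2025-05-19 due date are taken from the report.
import json
from datetime import date

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-1976", "dateAdded": "2025-04-28",
     "dueDate": "2025-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-42599", "dateAdded": "2025-04-28",
     "dueDate": "2025-05-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-3928", "dateAdded": "2025-04-28",
     "dueDate": "2025-05-19", "knownRansomwareCampaignUse": "Unknown"},
]})

# Hypothetical scanner output: host -> CVE IDs still unpatched on it.
INVENTORY = {
    "build-01": ["CVE-2025-3928", "CVE-2024-0001"],
    "fw-edge": ["CVE-2025-1976"],
}

def load_kev(feed_json):
    """Index the KEV feed by CVE ID for direct lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(inventory, kev, today):
    """Return KEV-listed findings, most urgent first (ransomware-linked, then
    earliest due date, then host). CVEs absent from KEV follow normal SLAs."""
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: handled by the regular patch cycle
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host, "cve": cve, "due": due.isoformat(),
                "days_left": (due - today).days, "overdue": due < today,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["due"], f["host"]))
    return findings

def kev_report(today_iso="2025-05-01"):
    return prioritize(INVENTORY, load_kev(KEV_SAMPLE), date.fromisoformat(today_iso))

if __name__ == "__main__":
    for f in kev_report():
        print(f)
```

Swapping KEV_SAMPLE for the live catalog download and INVENTORY for real scanner output turns this into a daily report of hosts that will miss the federal due date.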
