February 2025: Major Cyber Attacks, Ransomware Attacks & Data Breaches

Date: 3 March 2025


A decentralised money lender loses $9.5M in a crypto heist. Data of 12 million customers of a leading investment research firm is compromised. A hacker steals a record $1.46 billion from a Bybit ETH cold wallet. Data of customers, drivers and merchants at popular food delivery service GrubHub gets stolen. US drug testing firm DISA admits that a data breach impacted 3.3 million people. The most worrying part? All these cyber crime statistics are just from February 2025, and they are just the tip of the proverbial iceberg.

  1. Ransomware Attacks in February 2025
  2. Data Breaches in February 2025 
  3. Cyber Attacks in February 2025
  4. New Malware and Ransomware Discovered
  5. Vulnerabilities Discovered and Patches Released 
  6. Advisories issued, reports, analysis etc. in February 2025

We've compiled below exhaustive lists of the biggest cyber attacks, ransomware attacks and data breaches from February 2025. They also contain data on updates from past breaches, new malware and ransomware discovered, and reports, analysis and warnings that you should know about. 

The idea of these lists is simply to reiterate that no matter how secure you may think your cybersecurity posture is, it's time to turn up the heat on cyber incident response planning and preparation. Bid goodbye to lengthy documents, generic cyber attack tabletop scenarios and work with us to create bespoke plans, playbooks and cyber drills that target your specific organisation, its infrastructure and its unique threat landscape.     

Having successfully delivered over 400 cyber tabletop exercises, we possess the expertise and experience to assist you in thoroughly rehearsing your cybersecurity plans and processes. This preparation is crucial for building confidence and ensuring that your organisation can swiftly and efficiently handle any cybersecurity challenges it may face.


Ransomware Attacks in February 2025

Date | Victim | Summary | Threat Actor | Business Impact | Source Link

February 09, 2025

Lee Enterprises

Cyber attack disrupts Lee newspapers' operations across the US 

Unknown

Lee Enterprises, one of the largest newspaper groups in the United States, said a cyberattack that hit its systems caused an outage and disrupted its operations, including distribution of products, billing, collections, and vendor payments. Distribution of print publications across the portfolio experienced delays, and online operations were partially limited.

Lee Enterprises Ransomware Attack 

February 12, 2025

Unimicron

Sarcoma ransomware claims breach at giant PCB maker Unimicron

Sarcoma ransomware

A relatively new ransomware operation named ‘Sarcoma’ has claimed responsibility for an attack against the Unimicron printed circuit boards (PCB) maker in Taiwan. The cybercriminals have published samples of files allegedly stolen from the company’s systems during the attack and have threatened to leak everything if a ransom is not paid. In a new listing added to Sarcoma’s leak site, the threat actors claimed to be holding 377 GB of SQL files and documents exfiltrated from the Taiwanese company.

Source: BleepingComputer

February 12, 2025

Sault Tribe in Michigan

Ransomware attack disrupting Michigan's Sault Tribe operations

Unknown

A recent ransomware attack on the Sault Tribe in Michigan has knocked many of its most critical services offline. In a statement, Sault Tribe Chairman Austin Lowes said the incident began on Sunday (February 9) morning and impacted “multiple computer and phone systems across tribal administration, including the casinos, health centers and various businesses.”

Source: The Record

February 26, 2025

Southern Water

Southern Water says Black Basta ransomware attack cost £4.5M in expenses

Black Basta

United Kingdom water supplier Southern Water has disclosed that it incurred costs of £4.5 million ($5.7M) due to a cyber attack it suffered in February 2024.

Source: BleepingComputer

February 26, 2025

Semyonishna plant

Siberia's largest dairy plant reportedly disrupted with LockBit variant

LockBit ransomware strain

The largest dairy processing plant in southern Siberia has been hit by a ransomware attack. Local media reports suggest that the breach could be connected to the plant's support for Russian troops in Ukraine. During the attack on the Semyonishna plant, which occurred earlier in December, the unidentified hacker group encrypted the company’s systems with a LockBit ransomware strain, the regional office of Russia’s security service (FSB) said in a comment.

Source: The Record


 

Data Breaches in February 2025

Date | Victim | Summary | Threat Actor | Business Impact | Source Link

February 02, 2025

Casio UK

Casio UK online store hacked to steal customer credit cards

Unknown

Casio UK's e-shop at casio.co.uk was hacked to include malicious scripts that stole credit card and customer information between January 14 and 24, 2025. Any customers who made purchases between those dates may have had their personal details and credit card data stolen.

Source: BleepingComputer

February 03, 2025

GrubHub

GrubHub data breach impacts customers, drivers, and merchants

Unknown

Food delivery company GrubHub disclosed a data breach impacting the personal information of an undisclosed number of customers, merchants, and drivers after attackers breached its systems using a service provider account.

Source: BleepingComputer

February 05, 2025

UK engineering firm IMI

British engineering firm IMI discloses breach, shares no details

Unknown

British-based engineering firm IMI plc has disclosed a security breach after unknown attackers hacked into the company's systems.

Source: BleepingComputer

February 07, 2025

Hospital Sisters Health System

US health system notifies 882,000 patients of August 2023 breach

Unknown

Hospital Sisters Health System notified over 882,000 patients that an August 2023 cyberattack led to a data breach that exposed their personal and health information.

Source: BleepingComputer

February 07, 2025

HPE

HPE notifies employees of data breach after Russian Office 365 hack

IntelBroker

Hewlett Packard Enterprise (HPE) has notified employees whose data was stolen from the company's Office 365 email environment by Russian state-sponsored hackers in a May 2023 cyberattack.

Source: BleepingComputer

February 14, 2025

PPL Electric Utilities

Pennsylvania utility says MOVEit breach at vendor exposed some customer data

Cl0p ransomware

A Pennsylvania utility company says that basic customer data stolen from one of its vendors in 2023 was recently exposed online, but the incident did not affect its core systems. PPL Electric Utilities said in an emailed statement that the vendor notified it in June 2023 of a breach through a widespread bug in the MOVEit file transfer software, which affected hundreds of organisations and exposed the data of tens of millions of people.

PPL Electric Utilities Cyber Attack  

February 16, 2025

Finastra

Fintech giant Finastra notifies victims of October data breach

"abyss0" (a BreachForums member name)

Financial technology giant Finastra is notifying victims of a data breach after their personal information was stolen by unknown attackers who first breached its systems in October 2024. Finastra said its investigation revealed that an unauthorised third party accessed a Secure File Transfer Platform (SFTP) at various times between October 31, 2024 and November 8, 2024. Findings from the investigation indicate that on October 31, 2024, the unauthorised third party obtained certain files from the SFTP. The breach is believed to be linked to a (now-deleted) post made by a threat actor known as "abyss0" on the BreachForums online cybercrime community claiming to sell 400GB of data allegedly stolen from Finastra's network.

Finastra Data Breach Updates 

February 19, 2025

Australian IVF giant Genea

Australian IVF giant Genea confirms hackers ‘accessed data’ during cyber attack

Termite ransomware

Genea has disclosed a cybersecurity incident that disrupted patient services and led to the access of potentially sensitive information.

Australian IVF Giant Data Breach 

February 21, 2025

CarMoney

Ukrainian hackers claim breach of Russian loan company linked to Putin’s ex-wife

Cyber Alliance

The pro-Ukraine hacking group, Cyber Alliance, has claimed responsibility for a cyberattack on CarMoney, a Russian microfinance company linked to the former wife of President Vladimir Putin. The hackers claim they obtained information on a large number of borrowers, including members of Russian military units and intelligence officers.

Source: The Record

February 24, 2025

Orange Group

Orange Group confirms breach after hacker leaks company documents

Rey (HellCat ransomware)

A hacker claims to have stolen thousands of internal documents with user records and employee data after breaching the systems of Orange Group. The threat actor published on a hacker forum details about the stolen data after trying to extort the company unsuccessfully.

Source: BleepingComputer 

February 24, 2025

DISA USA

US drug testing firm DISA says data breach impacts 3.3 million people

Unknown

DISA Global Solutions, a leading US background screening and drug and alcohol testing firm, has suffered a data breach impacting 3.3 million people.

Source: BleepingComputer



 

Cyber Attacks in February 2025

Date | Victim | Summary | Threat Actor | Business Impact | Source Link

February 12, 2025

Decentralized money lender zkLend

zkLend loses $9.5M in crypto heist, asks hacker to return 90%

Unknown

Decentralized money lender zkLend suffered a breach where threat actors exploited a smart contract flaw to steal 3,600 Ethereum, worth $9.5 million at the time. According to the EthSecurity Telegram channel, the threat actors exploited a rounding error bug in zkLend's smart contract mint() function. zkLend has now issued a message to the hacker stating that if they return 90% of the stolen Ethereum, which is 3,300 ETH, they can keep the other 10% and will not face any liability for the attack.

Source: BleepingComputer

February 13, 2025

Zacks Investment

Hacker leaks account data of 12 million Zacks Investment users

Jurak (a BreachForums member name)

Zacks Investment Research (Zacks) last year reportedly suffered another data breach that exposed sensitive information related to roughly 12 million accounts. In late January, a threat actor published data samples on a hacker forum, claiming a breach at Zacks in June 2024 that exposed data of millions of customers. The published data, available to forum members in exchange for a small cryptocurrency amount, contains full names, usernames, email addresses, physical addresses, and phone numbers.

Source: BleepingComputer

February 13, 2025

Cisco routers

Chinese hackers breach more US telecoms via unpatched Cisco routers

Salt Typhoon

China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices. Between December 2024 and January 2025, Salt Typhoon targeted over 1,000 Cisco network devices, more than half from the U.S., South America, and India. Using internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs exposed to the internet.

Source: BleepingComputer

February 14, 2025

Microsoft 365 accounts

Microsoft: Hackers steal emails in device code phishing attacks

Storm-237

An active campaign from a threat actor potentially linked to Russia targeted Microsoft 365 accounts of individuals at organisations of interest using device code phishing. The targets are in the government, NGO, IT services and technology, defence, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East. 

Source: BleepingComputer

February 18, 2025

Venture capital giant Insight Partners

Venture capital giant Insight Partners hit by cyber attack

Unknown

New York-based venture capital and private equity firm Insight Partners disclosed that its systems were breached in January following a social engineering attack.

Source: BleepingComputer

February 18, 2025

The National Assembly of Ecuador

Ecuador's legislature says hackers attempted to access confidential information

Unknown

Ecuador's legislature, the National Assembly, reported that it suffered two cyber attacks aimed at disrupting its systems and accessing sensitive data.

Source: The Record 

February 21, 2025

Cryptocurrency exchange Bybit

Hacker steals record $1.46 billion from Bybit ETH cold wallet

Lazarus (Allegedly)

Bybit revealed that an unknown attacker stole over $1.46 billion worth of cryptocurrency from one of its ETH cold wallets. North Korea's Lazarus hacking group was allegedly found behind the theft of over $1.5 billion from cryptocurrency exchange Bybit. 

Source: BleepingComputer

February 26, 2025

Cleveland Municipal Court

‘Cyber incident’ shuts down Cleveland Municipal Court for third straight day

Unknown

Cleveland Municipal Court was closed for the third straight day this week due to a cybersecurity incident.

Source: The Record 

February 26, 2025

Anne Arundel County

Anne Arundel County government still recovering from cyber incident

Unknown

The Anne Arundel County government suffered a cyber incident that has impacted public services and government buildings, county officials said. The county said the incident came from an outside source, and cyber specialists said full restoration of services could take days.

Anne Arundel County Cyber Attack 

February 26, 2025

Ukrainian government

Ukrainian government, Belarusian opposition targeted in new espionage campaign

GhostWriter

A suspected Belarusian state-backed hacking group is behind a cyber espionage campaign targeting opposition activists in the country, as well as Ukrainian military and government entities. The operation, which researchers from cybersecurity firm SentinelOne linked to the long-running GhostWriter hacking group, has been in development since mid-2024 and is likely ongoing.

Source: The Record

 


 

 

New Ransomware/Malware Discovered in February 2025

New Ransomware/Malware | Summary

BadPilot campaign

A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organisations and governments in a multi-year campaign dubbed 'BadPilot.'

FinalDraft malware

A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country.

FrigidStealer malware

The FakeUpdate malware campaigns are becoming increasingly muddled, with two additional cybercrime groups, tracked as TA2726 and TA2727, running campaigns that push a new macOS infostealer called FrigidStealer.

New XCSSET strain

Researchers have discovered a new variant of malware targeting macOS systems to steal cryptocurrency and data without being detected. 

NailaoLocker malware

A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organisations between June and October 2024.

Auto-Color malware

A previously undocumented Linux backdoor dubbed 'Auto-Color' was observed in attacks between November and December 2024, targeting universities and government organisations in North America and Asia.

New variant of the Vo1d malware

A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks.

Sources for the above table: Bleeping Computer and Recorded Future News


Vulnerabilities/Patches Discovered in February 2025

Date | New Flaws/Fixes | Summary

February 03, 2025

CVE-2024-53104

A zero-day kernel vulnerability that has been exploited in the wild. It is a privilege escalation flaw in the Android kernel's USB Video Class driver that allows authenticated local threat actors to elevate privileges in low-complexity attacks.

February 06, 2025

CVE-2024-21413

CISA warned U.S. federal agencies on Thursday to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability. 

February 07, 2025

CVE-2025-0994

Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access. 

February 10, 2025

CVE-2025-24200

Apple has released emergency security updates to patch a zero-day vulnerability that the company says was exploited in targeted and "extremely sophisticated" attacks. 

February 10, 2025

CVE-2024-52875

Over twelve thousand GFI KerioControl firewall instances are exposed to a critical remote code execution vulnerability tracked as CVE-2024-52875.

February 13, 2025

CVE-2025-1094

Rapid7's vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.

February 14, 2025

CVE-2024-53704

Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code. 

February 14, 2025

CVE-2025-0108

Hackers are launching attacks against Palo Alto Networks PAN-OS firewalls by exploiting a recently fixed vulnerability (CVE-2025-0108) that allows bypassing authentication.

February 18, 2025

CVE-2025-26465, CVE-2025-26466

OpenSSH has released security updates addressing two vulnerabilities, a man-in-the-middle (MitM) and a denial of service flaw, with one of the flaws introduced over a decade ago. 

February 19, 2025

CVE-2025-0111, CVE-2025-0108 and CVE-2024-9474

Palo Alto Networks warned that a file read vulnerability (CVE-2025-0111) is now being chained with two other flaws (CVE-2025-0108 and CVE-2024-9474) to breach PAN-OS firewalls in active attacks.

February 21, 2025

CVE-2025-23209

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks. 

Source for the above table: Bleeping Computer 


Warnings/Advisories/Reports/Analysis

News Type | Summary

Report

Threat actors are taking advantage of the rise in popularity of DeepSeek to promote two malicious infostealer packages on the Python Package Index (PyPI), where they impersonated developer tools for the AI platform. The packages were named "deepseeek" and "deepseekai" after the Chinese artificial intelligence startup, developer of the R1 large-language model that recently saw a meteoric surge in popularity.

Report

An attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired, triggering a widespread outage that brought down multiple services for nearly an hour. The outage occurred when an employee responded to an abuse report about a phishing URL in Cloudflare's R2 platform. However, instead of blocking the specific endpoint, the employee mistakenly turned off the entire R2 Gateway service.

Report

The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.

Report

A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.

Report

Google has fixed two vulnerabilities that, when chained together, could expose the email addresses of YouTube accounts, causing a massive privacy breach for those using the site anonymously.

Report

A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavours, has been observed using a toolset previously attributed to espionage actors in a ransomware attack. The hackers deployed the RA World ransomware against an Asian software and services company and demanded an initial ransom payment of $2 million.

Report

A name confusion attack allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name. Dubbed "whoAMI," the attack was crafted by DataDog researchers, who demonstrated that it's possible for attackers to gain code execution within AWS accounts by exploiting how software projects retrieve AMI IDs.

Report

A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users.

Report

Social media platform X (formerly Twitter) is now blocking links to "Signal.me," a URL used by the Signal encrypted messaging app to share your account info with another person.

Report

Microsoft announced the deprecation of the Location History feature from Windows, which lets applications like the Cortana virtual assistant fetch the location history of the device.

Report

JPMorgan Chase Bank (Chase) will soon start blocking Zelle payments to social media contacts to combat a significant rise in online scams utilising the service for fraud.

Report

The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.

Report

A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.

Report

Russian threat actors have been launching phishing campaigns that exploit the legitimate “Linked Devices” feature in the Signal messaging app to gain unauthorised access to accounts of interest.

Report

The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyber attacks on U.S. telecommunication providers.

Report

Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract.

Report

Apple will no longer offer iCloud end-to-end encryption in the United Kingdom after the government requested a backdoor to access Apple customers' encrypted cloud data.

Report

Threat actors are exploiting major Counter-Strike 2 (CS2) competitions, like IEM Katowice 2025 and PGL Cluj-Napoca 2025, to defraud gamers and steal their Steam accounts and cryptocurrency.

Report

The eyewear retailer Warby Parker was hit with a $1.5 million fine by the Department of Health and Human Services following a credential stuffing attack in 2018 that compromised the personal information of nearly 200,000 people.

Report

An Android malware app called SpyLend has been downloaded over 100,000 times from Google Play, where it masqueraded as a financial tool but became a predatory loan app for those in India. The app falls under a group of malicious Android applications called "SpyLoan," which pretend to be legitimate financial tools or loan services but instead steal data from devices for use in predatory lending.

Warning

Cybercrime continues to expand and evolve and has become a national security-level threat that is enabling more attacks by state-backed groups, Google warned in a new report.

Report

As an undercover journalist covering Italian politics, Francesco Cancellato is used to reporting on scandals. But he never thought he would be part of the story. Late last month, WhatsApp announced that 90 people had been targeted with Paragon Solutions’ spyware via their accounts on the messaging platform. Cancellato, the editor-in-chief of the Italian newspaper Fanpage, is one of four victims to come forward so far. All four have been critical of the Italian government.

Warning

Law enforcement agencies risk losing the trust of the societies they protect unless those societies understand why new powers are needed to tackle surging levels of cybercrime, Europol’s chief warned.

Report

The Department of Government Efficiency (DOGE) may already have access to sensitive tax and medical data stored at the IRS and Social Security Administration (SSA), which jointly retain disability diagnoses, child adoption information, exceptionally detailed financial data and individuals’ immigration status, experts said.

Report

Russian state-backed hackers are increasingly targeting Signal messenger accounts - including those used by Ukrainian military personnel and government officials - in an effort to access sensitive information that could aid Moscow’s war effort, researchers warned.

Record

The Black Basta ransomware group has become the latest criminal enterprise to be hit by a release of internal chat logs, potentially revealing identifying details about the individuals behind the scheme and their operations.

Record

A previously unknown hacking group has been spotted targeting European healthcare organizations using spyware linked to Chinese state-backed hackers and a new ransomware strain, researchers said.

Report

OpenAI said it blocked several North Korean hacking groups from using its ChatGPT platform to research future targets and find ways to hack into their networks.

Warning

Russia's National Coordination Center for Computer Incidents (NKTsKI) warned organizations in the country's credit and financial sector about a breach at LANIT, a major Russian IT service and software provider.

Report

A recent social engineering campaign targeted job seekers in the Web3 space with fake job interviews through a malicious "GrassCall" meeting app that installs information-stealing malware to steal cryptocurrency wallets.

Report

Cybercriminals are exploiting major e-sports tournaments to target players of the popular video game Counter-Strike 2 (CS2), researchers have found.

Report

A threat actor tracked as 'EncryptHub,' aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks.

Report

The Have I Been Pwned data breach notification service has added over 284 million accounts stolen by information stealer malware and found on a Telegram channel.

Report

Four foreign and two U.S. developers unlawfully accessed generative AI services, reconfigured them to allow the creation of harmful content such as celebrity deepfakes and then resold access to the tools, Microsoft said in a legal filing.

Report

Privacy-focused email provider Tuta (previously Tutanota) and the VPN Trust Initiative (VTI) are raising concerns over proposed laws in France set to backdoor encrypted messaging systems and restrict internet access.

Sources: Bleeping Computer and Recorded Future News
