Daily News Update: Saturday, March 15, 2025 (Australia/Melbourne)

Black Basta Credential Stuffing Tool Uncovered

The Black Basta ransomware operation has developed an automated brute-forcing framework called 'BRUTED' to compromise edge networking devices such as firewalls and VPNs.

EclecticIQ researcher Arda Büyükkaya discovered the tool after examining leaked internal chat logs.

BRUTED is designed to conduct large-scale credential-stuffing and brute-force attacks against the login interfaces of internet-facing VPN and remote-access products, including SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler, Microsoft RDWeb, and WatchGuard SSL VPN. The practical countermeasures are the familiar ones: multi-factor authentication on every remote-access product, lockout or rate limiting on failed logins, and alerting on bursts of failures coming from one source or spread across many accounts.

Bleeping Computer | "Ransomware gang creates tool to automate VPN brute-force attacks"
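The burst-of-failures pattern that distinguishes a stuffing tool like BRUTED from a user mistyping a password (one source, many distinct accounts, a high failure rate, often one eventual success) is easy to check for in gateway logs. The script below is an added example, not code from EclecticIQ, Black Basta or any of the vendors named above; the log format it parses (ISO timestamp, `src=`, `user=`, `result=` fields) and the sample lines are constructed for illustration, so map the field extraction to your own gateway's syslog format.

```python
"""Flag credential-stuffing bursts in VPN authentication logs.

Added example; the log format and thresholds are assumptions, not any
vendor's real syslog layout.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one source hammers many accounts
# and finally gets one login right; a second source is a genuine user typo.
SAMPLE_LOG = """\
2025-03-14T08:00:01Z src=203.0.113.10 user=alice result=FAIL
2025-03-14T08:00:02Z src=203.0.113.10 user=bob result=FAIL
2025-03-14T08:00:02Z src=203.0.113.10 user=carol result=FAIL
2025-03-14T08:00:03Z src=203.0.113.10 user=dave result=FAIL
2025-03-14T08:00:03Z src=203.0.113.10 user=erin result=FAIL
2025-03-14T08:00:04Z src=203.0.113.10 user=frank result=FAIL
2025-03-14T08:00:04Z src=203.0.113.10 user=grace result=FAIL
2025-03-14T08:00:05Z src=203.0.113.10 user=heidi result=FAIL
2025-03-14T08:00:05Z src=203.0.113.10 user=ivan result=FAIL
2025-03-14T08:00:06Z src=203.0.113.10 user=judy result=SUCCESS
2025-03-14T08:01:00Z src=198.51.100.7 user=alice result=FAIL
2025-03-14T08:01:30Z src=198.51.100.7 user=alice result=SUCCESS
2025-03-14T09:30:00Z src=192.0.2.55 user=mallory result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return (timestamp, source, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_failures=8, min_users=5):
    """Per-source findings for bursts of failed logins spread over many usernames.

    A source is flagged when, within `window`, it produces at least
    `min_failures` failures against at least `min_users` distinct accounts.
    Any account that then authenticates successfully from that source is
    reported separately: it should be treated as compromised, not as a
    legitimate login.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in sorted(by_src.items()):
        evs.sort()
        start, burst_start = 0, None
        for end in range(len(evs)):           # sliding window over this source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            fails = [e for e in win if e[3] == "FAIL"]
            if len(fails) >= min_failures and len({e[2] for e in fails}) >= min_users:
                burst_start = evs[start][0]
                break
        if burst_start is None:
            continue
        after = [e for e in evs if e[0] >= burst_start]
        findings[src] = {
            "failures": sum(1 for e in after if e[3] == "FAIL"),
            "distinct_users": len({e[2] for e in after if e[3] == "FAIL"}),
            "successes_after_burst": sorted({e[2] for e in after if e[3] == "SUCCESS"}),
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are deliberately loose defaults; tune `window`, `min_failures` and `min_users` to your gateway's normal failure rate, and treat the `successes_after_burst` accounts as the ones that need an immediate credential reset and session revocation.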


LockBit Offshoot SuperBlack Targets Fortinet Vulnerabilities

A new ransomware group, tracked by Forescout as Mora_001, is exploiting two authentication-bypass vulnerabilities in Fortinet FortiOS and FortiProxy (CVE-2024-55591 and CVE-2025-24472) to gain administrative access to firewalls, infiltrate the networks behind them, and deploy a new ransomware variant called SuperBlack. The group is suspected of links to LockBit, potentially as an affiliate or associated group.

After gaining access, the attackers escalate privileges, create backdoor administrator accounts on the compromised firewall so that access survives patching, and move laterally to high-value systems. The ransomware payload is based on LockBit 3.0, with modifications such as a custom data exfiltration module. Patching the firewall is therefore necessary but not sufficient: audit it for unexpected administrator accounts and for automation tasks that re-create them.

Forescout's senior manager of threat hunting, Sai Molige, noted that the ransom note retained a qTox ID used by LockBit, suggesting a connection.

The Register | "New kids on the ransomware block channel Lockbit to raid Fortinet firewalls"


No Target Too Small - Health Services Offline in Micronesia

The Department of Health Services for the state of Yap in Micronesia suffered a ransomware attack on March 11, forcing the entire network offline. Officials are working with private IT contractors and government agencies to restore services and assess the extent of the breach.

Email communication and digital health systems are shut down, causing service disruptions for the island's 12,000 residents.

The Record | "Ransomware attack takes down health system network in Micronesia"


LockBit Developer Extradited to the US

Rostislav Panev, a dual Russian-Israeli national suspected of being a key developer for the LockBit ransomware operation, has been extradited to the United States. He is accused of developing LockBit's ransomware encryptors and the StealBit data theft tool.

Between June 2022 and February 2024, Panev allegedly earned $230,000 in cryptocurrency for his work. The U.S. Department of Justice (DoJ) stated that Panev's work helped LockBit become "the most active and destructive ransomware group in the world," impacting over 2,500 entities across 120 countries.

Dmitry Yuryevich Khoroshev ("LockBitSupp"), the leader of LockBit, is currently wanted with a $10M reward.

U.S. Attorney John Giordano stated, "Rostislav Panev’s extradition to the District of New Jersey makes it clear: if you are a member of the LockBit ransomware conspiracy, the United States will find you and bring you to justice."

Bleeping Computer | "Suspected LockBit ransomware dev extradited to United States"

The Record | "Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court"


"High" Cyber Espionage Threat to EU Telcos

Denmark’s cybersecurity agency has issued a threat assessment warning of increased state-sponsored cyber espionage targeting the telecommunications sector in Europe.

The agency raised the threat level to “high,” citing “several attempts at cyber espionage against the European telecommunications sector in the past few years” due to “increased interest in the telecommunications sector in Europe by state hackers.”

The assessment echoes concerns about the Chinese spying campaign tracked as Salt Typhoon, although the Danish authorities did not explicitly mention it. The agency warns that foreign states aim to gain access to large amounts of customer data to monitor communications and travel activities.

The Record | "Europe's telecoms sector under increased threat from cyber spies, warns Denmark"


Uplifting Cybersecurity for US Water Utilities

A bipartisan Senate bill, the Cybersecurity for Rural Water Systems Act, has been reintroduced to bolster cybersecurity defenses for small water and wastewater utilities.

Sens. Catherine Cortez Masto and Mike Rounds are sponsoring the bill, which would update and expand the Department of Agriculture’s Circuit Rider Program to provide cybersecurity-related technical assistance.

According to a press release, only 20% of water and wastewater systems across the country have basic cyber protections. The bill aims to modernize and expand the Circuit Rider Program to address this gap.

CyberScoop | "Water utilities would get cybersecurity boost under bipartisan Senate bill"


Apple Fights; Google Falters, on Encryption and Government Access

Google has refused to deny receiving a secret legal order, a Technical Capability Notice (TCN), from the UK government, raising concerns that Westminster may be demanding a mechanism to access encrypted messages. This follows reports of a similar TCN issued to Apple, which Apple is reportedly contesting.

A bipartisan group of members of Congress has complained about the secrecy surrounding these orders, arguing that it impedes congressional oversight.

Experts, including those from Britain's intelligence community, have called for greater transparency regarding government attempts to access encrypted messaging platforms.

The Record | "Google refuses to deny it received encryption order from UK government"

Speaking of Apple - US politicians and privacy advocates are calling for a public hearing regarding the alleged encryption-busting order issued to Apple by the UK government.

The order, a Technical Capability Notice (TCN) under the Investigatory Powers Act (IPA), reportedly instructs Apple to introduce a capability to access the encrypted iCloud data of specific users, which for accounts using Advanced Data Protection is end-to-end encrypted with keys Apple does not hold. Apple's public response so far has been to withdraw Advanced Data Protection for new UK users rather than build such a capability.

Apple is believed to be appealing the TCN, but the hearing is being held behind closed doors.

Senators Ron Wyden and Alex Padilla, along with Representatives Andy Biggs, Warren Davidson, and Zoe Lofgren, have jointly opposed the private nature of the hearing, arguing that secrecy is "pointless" given the wide reporting on the order.

The Register | "Apple's alleged UK encryption battle sparks political and privacy backlash"


BGP DoS Vulnerability Patched in Cisco IOS XR

Cisco has patched a high-severity denial of service (DoS) vulnerability (CVE-2025-20115) in the BGP implementation of IOS XR that lets an attacker crash the Border Gateway Protocol (BGP) process on a router with a single crafted BGP UPDATE message.

The vulnerability affects Cisco IOS XR devices only if BGP confederation is configured. Successful exploitation corrupts memory via a buffer overflow, causing the BGP process to restart and all of its sessions to be torn down and re-established.

The root cause is memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers). AS_CONFED_SEQUENCE is a segment type of the AS_PATH attribute, and a segment's AS count is carried in a single octet, so 255 is the largest value that field can hold. To reach that condition the attacker must control a BGP confederation peer, or the network must be designed so that the attribute grows to 255 AS numbers, which means the realistic exposure is from inside the confederation rather than from arbitrary internet peers. Where the fixed release cannot be applied immediately, Cisco's advisory describes a workaround that limits AS path length by routing policy.

Bleeping Computer | "Cisco IOS XR vulnerability lets attackers crash BGP on routers"
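The "255 AS numbers" condition is easier to reason about with the wire format in front of you: an AS_PATH attribute is a list of segments, each with a one-octet type, a one-octet AS count and then that many ASNs (two or four bytes each, depending on the negotiated 4-byte-AS capability), and an attribute whose value exceeds 255 bytes must set the extended-length flag in its header. The encoder and parser below are an added example written for this item, not code from Cisco's advisory or from Bleeping Computer; they only show the structure and let you flag confederation segments that reach the boundary in captured UPDATE messages. They are not a fix for CVE-2025-20115, and the constants and function names are this example's own.

```python
"""Encode/decode a BGP AS_PATH attribute and flag AS_CONFED_SEQUENCE segments
whose AS count reaches the one-octet maximum (RFC 4271, RFC 5065, RFC 6793).

Added example; names and thresholds are assumptions for illustration.
"""
import struct

AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
SEGMENT_NAMES = {1: "AS_SET", 2: "AS_SEQUENCE", 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}
ATTR_AS_PATH = 2            # path attribute type code for AS_PATH
FLAG_TRANSITIVE = 0x40      # AS_PATH is well-known, transitive
FLAG_EXTENDED_LENGTH = 0x10 # set when the attribute length needs two octets


def build_as_path_attr(segments, four_byte_as=True):
    """Encode an AS_PATH attribute: flags, type, length, then the segments.

    segments: list of (segment_type, [asn, ...]).  A segment's AS count is a
    single octet on the wire, so more than 255 ASNs cannot be expressed and
    raises ValueError rather than silently wrapping.
    """
    as_fmt = "!I" if four_byte_as else "!H"
    value = b""
    for seg_type, asns in segments:
        if not 0 < len(asns) <= 255:
            raise ValueError("segment AS count must be 1..255")
        value += bytes([seg_type, len(asns)])
        value += b"".join(struct.pack(as_fmt, a) for a in asns)
    flags = FLAG_TRANSITIVE
    if len(value) > 255:    # value too long for a one-octet length field
        flags |= FLAG_EXTENDED_LENGTH
        return bytes([flags, ATTR_AS_PATH]) + struct.pack("!H", len(value)) + value
    return bytes([flags, ATTR_AS_PATH, len(value)]) + value


def parse_as_path_attr(data, four_byte_as=True):
    """Decode one AS_PATH attribute into a list of (segment_type, [asn, ...])."""
    flags, type_code = data[0], data[1]
    if type_code != ATTR_AS_PATH:
        raise ValueError("not an AS_PATH attribute")
    if flags & FLAG_EXTENDED_LENGTH:
        length = struct.unpack("!H", data[2:4])[0]
        body = data[4:4 + length]
    else:
        length = data[2]
        body = data[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated attribute")
    as_size = 4 if four_byte_as else 2
    as_fmt = "!I" if four_byte_as else "!H"
    segments, i = [], 0
    while i < len(body):
        seg_type, count = body[i], body[i + 1]
        i += 2
        if i + count * as_size > len(body):
            raise ValueError("truncated segment")
        asns = [struct.unpack_from(as_fmt, body, i + k * as_size)[0] for k in range(count)]
        segments.append((seg_type, asns))
        i += count * as_size
    return segments


def confed_segment_lengths(segments):
    """AS count of every AS_CONFED_SEQUENCE segment in the path, in order."""
    return [len(asns) for seg_type, asns in segments if seg_type == AS_CONFED_SEQUENCE]


def flag_oversized_confed(data, threshold=255, four_byte_as=True):
    """True if any AS_CONFED_SEQUENCE segment has at least `threshold` ASNs."""
    return any(n >= threshold for n in confed_segment_lengths(parse_as_path_attr(data, four_byte_as)))


if __name__ == "__main__":
    normal = build_as_path_attr([(AS_CONFED_SEQUENCE, [65001, 65002]), (AS_SEQUENCE, [64512])])
    maxed = build_as_path_attr([(AS_CONFED_SEQUENCE, list(range(65001, 65001 + 255)))])
    for name, attr in (("normal", normal), ("maxed", maxed)):
        segs = parse_as_path_attr(attr)
        print(name, [(SEGMENT_NAMES[t], len(a)) for t, a in segs],
              "extended-length" if attr[0] & FLAG_EXTENDED_LENGTH else "short-length",
              "FLAG" if flag_oversized_confed(attr) else "ok")
```

Whether a peer's AS_PATH uses two- or four-byte ASNs is decided by the 4-byte-AS capability exchanged in OPEN, so pass `four_byte_as` according to the session you captured; parsing a 2-byte path as 4-byte (or vice versa) yields garbage counts rather than an error.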


California to Investigate Data Broker Practices

California's Attorney General Rob Bonta has announced a wide-ranging investigation into the collection, processing, and use of consumer location data by advertising networks, mobile app providers, and data brokers.

The investigation will focus on potential violations of the California Consumer Privacy Act (CCPA), which gives consumers rights to request or delete collected data, opt out of data sales, and limit the use of personal information.

The attorney general's office will examine how mobile app providers collect and resell data to third-party brokers.

CyberScoop | "California’s legal push on geolocation data collection must take aim at the right targets, privacy experts say"