Additional CTI / notes (V2)

Summary

Over the past month, multiple critical sectors—including finance, healthcare, government, critical infrastructure, and technology—experienced advanced cyberattacks. Common patterns include:

  • Slow detection and delayed remediation driven by outdated infrastructure, insufficient 24/7 monitoring, fragmented tooling, and immature incident response procedures.

  • Sophisticated tactics such as supply chain compromise, zero-day exploitation, ransomware, DDoS used as a distraction, and MFA bypass through push fatigue against non-phishing-resistant factors.

  • High-profile adversaries including APT28, APT29, APT41, Lazarus Group, and ransomware-as-a-service operators (BlackSuit, Nokoyawa-linked affiliates).

Each incident has been analyzed using MITRE ATT&CK techniques, IOCs, root cause analysis, and sector-tailored remediation strategies.

MAJOR INCIDENTS

1. Medilance Health Group – BlackSuit Ransomware

  • Date: June 8, 2025

  • Sector: Healthcare

  • Attack Vector: Phishing and Citrix ADC exploit (CVE-2024-6320)

  • Adversary: BlackSuit RaaS

  • TTPs:

    • Initial Access: T1566, T1190

    • Lateral Movement: T1021.002, T1570

    • Impact: T1486

  • IoCs: IP 146.190.54[.]230 (see CISA Alert AA25-159A)

  • Impact: 80% of patient records offline in 13 hospitals; surgery delays; dark web leaks

  • Response: Isolation, HHS reporting, forensic investigation, patient disclosures

  • Gaps: End-of-life systems, no MFA, weak filtering

  • Remediation:

    • Short-term: Patch Citrix, EDR rollout, C2 blocks

    • Long-term: Zero Trust, phishing drills, architectural hardening

2. UnitedHealth Partners – BlackRansom/Nokoyawa Affiliate

  • Date: May 28, 2025

  • Sector: Healthcare

  • Attack Vector: Follina-style zero-day via Office document

  • Adversary: BlackRansom (Nokoyawa-linked)

  • TTPs:

    • T1566.001, T1204.002, T1550.002

  • Impact: EHR outages in 50+ hospitals, 4.5M PHI records breached

  • Response: Network segmentation, reimaging, FBI coordination

  • Gaps: Vulnerability exploited before a fix was available and left unpatched once one shipped; weak phishing defenses

  • Remediation:

    • Accelerated patching, 100% EDR coverage, Zero Trust, offline backup rotation

3. Finware Cloud – Zero-Day Supply Chain Attack

  • Date: Disclosed June 1, 2025

  • Sector: Finance (SaaS)

  • Attack Vector: CI/CD plugin vulnerability

  • Adversary: Suspected APT29 (Cozy Bear)

  • TTPs: T1195.002, T1574.002, T1505.003, T1070.006

  • IoCs: C2: dev-finupdates[.]com

  • Impact: Trojanized DLLs in 440+ banks; credential harvesting; wire fraud

  • Response: Build rollback, forced credential reset, FS-ISAC alerts

  • Gaps: No code-signing enforcement, delayed public disclosure

  • Remediation:

    • YARA rules, runtime attestation, SBOM adoption, build isolation

4. Fiscalis Banking Middleware – Lazarus Group (FINSMASH)

  • Date: May 16, 2025

  • Sector: Fintech

  • Attack Vector: CI/CD pipeline compromise

  • Adversary: Lazarus (UNC2564)

  • TTPs: T1078, T1195, T1218, T1059

  • IoCs: DPRK IP ranges, fiscalis-service[.]cloud

  • Impact: $21M in financial impact; builds infected for 2 weeks

  • Response: Forced updates, credential revocation, regulatory notifications

  • Gaps: No CI/CD segmentation, no build anomaly detection, delayed disclosure

  • Remediation:

    • HSM-backed signing keys, build provenance checks, dev-to-prod isolation
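The code-signing and provenance gaps in incidents 3 and 4 reduce to one deployment-time check: authenticate the build manifest, then verify every shipped artifact against it and refuse anything the manifest does not list. The block below is an added example, not Finware's or Fiscalis's code. It assumes a hypothetical JSON digest manifest authenticated with an HMAC (a stand-in for a real provenance signature such as a Sigstore or in-toto/SLSA attestation), and all artifacts are constructed in-memory byte strings so it runs offline.

```python
"""Release verification against a digest manifest (added example, constructed data).

Assumptions: a hypothetical JSON manifest listing each artifact's SHA-256
digest, authenticated with HMAC-SHA256. The HMAC stands in for the real
provenance signature a pipeline would use; the verification order is the
same: manifest first, then every artifact, then anything unlisted.
"""
import hashlib
import hmac
import json

# Constructed key and artifacts, kept in memory so the example needs no files.
SIGNING_KEY = b"example-build-signing-key"  # hypothetical; a real key lives in an HSM
CLEAN_CORE = b"clean core library bytes"
CLEAN_NET = b"clean network library bytes"

MANIFEST_JSON = json.dumps({
    "build_id": "example-build-001",  # hypothetical identifier
    "artifacts": {
        "finware-core.dll": hashlib.sha256(CLEAN_CORE).hexdigest(),
        "finware-net.dll": hashlib.sha256(CLEAN_NET).hexdigest(),
    },
}, sort_keys=True)

# Constructed "shipped" releases: one clean, one where a listed DLL was modified
# and an unlisted DLL (a side-load payload, cf. T1574.002) was added.
CLEAN_RELEASE = {"finware-core.dll": CLEAN_CORE, "finware-net.dll": CLEAN_NET}
TAMPERED_RELEASE = {
    "finware-core.dll": CLEAN_CORE,
    "finware-net.dll": CLEAN_NET + b"\x90\x90 injected stub",
    "version.dll": b"attacker-supplied side-load payload",
}


def sign_manifest(manifest_json: str, key: bytes) -> str:
    """HMAC-SHA256 over the manifest text; stand-in for a provenance signature."""
    return hmac.new(key, manifest_json.encode(), hashlib.sha256).hexdigest()


def manifest_authentic(manifest_json: str, manifest_mac: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest_json, key), manifest_mac)


def verify_release(manifest_json: str, manifest_mac: str, key: bytes,
                   release_files: dict) -> dict:
    """Authenticate the manifest, then check every shipped artifact against it.

    Returns {"ok": [...], "mismatch": [...], "unlisted": [...], "missing": [...]}.
    Raises ValueError if the manifest fails authentication: a manifest the
    attacker could rewrite verifies nothing.
    """
    if not manifest_authentic(manifest_json, manifest_mac, key):
        raise ValueError("manifest authentication failed: refuse to deploy")
    expected = json.loads(manifest_json)["artifacts"]
    report = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    for name, digest in expected.items():
        if name not in release_files:
            report["missing"].append(name)
        elif hashlib.sha256(release_files[name]).hexdigest() != digest:
            report["mismatch"].append(name)
        else:
            report["ok"].append(name)
    # Anything shipped that the manifest does not list is hostile by default: a
    # trojanized build usually adds a loader rather than rewriting a listed file.
    report["unlisted"] = sorted(set(release_files) - set(expected))
    return report


def deployable(report: dict) -> bool:
    return not (report["mismatch"] or report["unlisted"] or report["missing"])


if __name__ == "__main__":
    mac = sign_manifest(MANIFEST_JSON, SIGNING_KEY)
    for label, files in (("clean", CLEAN_RELEASE), ("tampered", TAMPERED_RELEASE)):
        rep = verify_release(MANIFEST_JSON, mac, SIGNING_KEY, files)
        print(label, "deployable" if deployable(rep) else "REJECTED", rep)
```

The unlisted-file rule is the one that catches the incident-3 pattern: a side-loaded DLL never appears in a manifest, so digest comparison of listed files alone would pass it.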

5. Finlandski Bank – Triple Attack (DDoS + Credential Stuffing + API Exploit)

  • Date: June 3, 2025

  • Sector: Finance (Nordics)

  • Attack Vector: Multi-vector

  • Adversary: Zarya (Pro-Kremlin hacktivist)

  • TTPs: T1078, T1190, T1499

  • IoCs: Mirai variant, bot-check[.]ru

  • Impact: 9-hour outage, Telegram leak of PII

  • Response: CDN filtering, WAF rules, LE notification

  • Gaps: Weak credential hygiene, exposed admin APIs, no DDoS visibility

  • Remediation:

    • API hardening, adaptive rate limits, credential blacklists

6. DOT Contractor Portal – Watering Hole with Chrome Zero-Day

  • Date: May 27, 2025

  • Sector: Government

  • Attack Vector: Browser exploit via JS analytics

  • Adversary: APT41 (Microsoft: Barium, now Brass Typhoon)

  • TTPs: T1189, T1203, T1071.001

  • IoCs: analytics-stat[.]usdot[.]gov, dash-serversync[.]com

  • Impact: Contractor creds stolen; persistence in 3 sub-agencies

  • Response: Portal takedown, Chrome patch push, IOC sweep

  • Gaps: No SRI, no remote EDR, poor contractor endpoint control

  • Remediation:

    • SRI enforcement, contractor MFA, remote EDR coverage
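The "no SRI" gap is concrete: a browser only refuses a swapped analytics script if the page that loads it carries an integrity attribute, and for cross-origin scripts also a crossorigin attribute. The block below is an added example, not DOT portal code. It generates integrity values, re-does the browser-side comparison, and audits a page for external scripts that could not be integrity-checked; the HTML, the script bodies, the site host "portal.example.gov" and the CDN host are all constructed.

```python
"""Subresource Integrity: generate integrity values, re-check them, audit a page.

Added example on constructed data; the page and hosts are hypothetical.
"""
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")  # in order of strength


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value for a script body: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def integrity_matches(integrity: str, content: bytes) -> bool:
    """What the browser does before executing: recompute and compare.

    The attribute may carry several space-separated values; per the SRI spec
    the strongest listed algorithm decides, so only those values are compared.
    """
    parsed = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in SRI_ALGOS:
            parsed.append((algo, value))
    if not parsed:
        return False
    strongest = max((a for a, _ in parsed), key=SRI_ALGOS.index)
    expected = base64.b64encode(hashlib.new(strongest, content).digest()).decode()
    return any(hmac.compare_digest(v, expected) for a, v in parsed if a == strongest)


class ScriptAudit(HTMLParser):
    """Collect external <script> tags that a browser could not integrity-check."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (src, problem)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script: governed by CSP, not SRI
        if "integrity" not in a:
            # Same-origin scripts are flagged too: the watering hole above was
            # served from an analytics path under the agency's own domain.
            self.findings.append((src, "missing integrity"))
            return
        host = urlparse(src).hostname
        if host and host.lower() != self.site_host and "crossorigin" not in a:
            # Without crossorigin the cross-origin response is opaque and the
            # integrity check fails closed: the script silently never loads.
            self.findings.append((src, "missing crossorigin"))


def audit_page(html: str, site_host: str) -> list:
    parser = ScriptAudit(site_host)
    parser.feed(html)
    return parser.findings


# Constructed page and script bodies for the demo.
CHARTS_JS = b"window.renderCharts = function () {};"
VENDOR_JS = b"window.vendor = {};"
SAMPLE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="https://cdn.example.net/charts.js" integrity="{sri_hash(CHARTS_JS)}"></script>
<script src="https://cdn.example.net/vendor.js" integrity="{sri_hash(VENDOR_JS)}" crossorigin="anonymous"></script>
<script>window.inlineBoot();</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, problem in audit_page(SAMPLE_HTML, "portal.example.gov"):
        print(f"{problem:20} {src}")
    # A swapped script body fails exactly as it would in the browser.
    print(integrity_matches(sri_hash(VENDOR_JS), VENDOR_JS + b"//injected"))
```

SRI pins content, not a URL, so the audit is only useful together with a build step that regenerates the integrity value whenever the vendored script legitimately changes; otherwise teams remove the attribute the first time a CDN update breaks the page.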

7. Midwestern US Water Utility – ICS Breach Attempt

  • Date: May 27, 2025 (Disclosed: June 6, 2025)

  • Sector: Critical Infrastructure (Water)

  • Attack Vector: Brute-force RDP, process manipulation attempt

  • Adversary: Suspected DEV-0794 (Iran)

  • TTPs: T1110.001, T1021.001, T1543.003

  • IoCs: vps-water[.]com, backdoor hash a9ff12...

  • Impact: ICS lockdown for 72 hrs; no chemical incident due to failsafe

  • Response: CISA-led review, RDP disabled, vaulting initiated

  • Gaps: Flat IT/OT network, brute-force detection failure

  • Remediation:

    • Segment networks, disable RDP, deploy PAM tools
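The "brute-force detection failure" above is a rule that was never written, and the rule is short. The block below is an added example, not the utility's code or any vendor's content pack. It assumes a constructed, simplified one-line-per-event log rather than the Windows event XML, with field names that mirror the Security log (4625 failed logon, 4624 successful logon, logon type 10 = RemoteInteractive, i.e. RDP). It goes a step beyond the incident and also flags password spraying and, the alert that actually matters, a success from a source that is still inside its failure burst.

```python
"""RDP brute-force / password-spray detection over logon events (added example).

Constructed input format: "<ISO timestamp> <event id> LogonType=<n> Src=<ip> User=<name>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: one brute-force source that eventually succeeds, one
# password-spraying source, one user who mistyped twice, one console failure.
SAMPLE_LOG = """\
2025-05-27T02:10:00Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2025-05-27T02:10:10Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2025-05-27T02:10:20Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2025-05-27T02:10:30Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2025-05-27T02:10:40Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2025-05-27T02:10:50Z 4625 LogonType=10 Src=203.0.113.7 User=administrator
2025-05-27T02:11:10Z 4624 LogonType=10 Src=203.0.113.7 User=svc-hmi
2025-05-27T02:12:00Z 4625 LogonType=10 Src=198.51.100.4 User=jdoe
2025-05-27T02:12:05Z 4625 LogonType=10 Src=198.51.100.4 User=jdoe
2025-05-27T02:12:30Z 4625 LogonType=2 Src=127.0.0.1 User=operator
2025-05-27T02:15:00Z 4625 LogonType=10 Src=203.0.113.9 User=operator
2025-05-27T02:15:01Z 4625 LogonType=10 Src=203.0.113.9 User=scada
2025-05-27T02:15:02Z 4625 LogonType=10 Src=203.0.113.9 User=engineer
2025-05-27T02:15:03Z 4625 LogonType=10 Src=203.0.113.9 User=backup
2025-05-27T02:15:04Z 4625 LogonType=10 Src=203.0.113.9 User=admin
"""


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(event_id),
            "logon_type": int(fields["LogonType"]),
            "src_ip": fields["Src"],
            "user": fields["User"],
        })
    return events


def detect_rdp_bruteforce(events: list, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window failure counting per source address.

    Alerts (at most one per source and kind):
      brute_force             >= threshold RDP failures inside the window
      password_spray          the same, but across >= threshold distinct accounts
      success_after_failures  an RDP success from a source whose failure burst is
                              still inside the window
    """
    failures = defaultdict(deque)  # src_ip -> deque of (ts, user)
    alerts, seen = [], set()

    def emit(src, kind, **extra):
        if (src, kind) not in seen:
            seen.add((src, kind))
            alerts.append({"src_ip": src, "kind": kind, **extra})

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # RemoteInteractive only; console failures are a different rule
        src, ts = ev["src_ip"], ev["ts"]
        q = failures[src]
        while q and ts - q[0][0] > window:
            q.popleft()
        if ev["event_id"] == 4625:
            q.append((ts, ev["user"]))
            if len(q) >= threshold:
                users = {u for _, u in q}
                kind = "password_spray" if len(users) >= threshold else "brute_force"
                emit(src, kind, failures=len(q), users=len(users), at=ts)
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            emit(src, "success_after_failures", failures=len(q), user=ev["user"], at=ts)
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

Threshold and window are the tuning knobs: a 30-second window would miss the slow brute force in the sample but still catch the spray, which is why a spray rule keys on distinct accounts rather than raw failure count.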

8. AppHive (macOS) – ZeroMorph Privilege Escalation

  • Date: June 2, 2025

  • Sector: Technology

  • Attack Vector: macOS LPE zero-day (CVE-2025-19832)

  • Adversary: ZeroMorph mercenary crew

  • TTPs: T1566.001, T1068, T1543.001

  • IoCs: PKG installers, WebSocket traffic on ports 8443, 9443

  • Impact: Developer SSH keys stolen; internal code repo access

  • Response: Emergency patch push, SSH key rotation, legal review

  • Gaps: Incomplete patching, unmanaged BYOD endpoints

  • Remediation:

    • MDM enforcement, key reuse audits, macOS EDR parity

9. European Parliament – O365 Phishing & MFA Abuse (StarkPhish)

  • Date: May 31, 2025

  • Sector: Government

  • Attack Vector: MFA push fatigue via targeted phishing

  • Adversary: Likely APT28 (Fancy Bear)

  • TTPs: T1566.002, T1110, T1580, T1530

  • IoCs: Slack/Telegram-based C2, exfil paths

  • Impact: 60+ staff O365 accounts accessed

  • Response: MFA reset, OAuth detection rules, training overhaul

  • Gaps: Legacy MFA, stale accounts, slow response coordination

  • Remediation:

    • FIDO2 tokens, Conditional Access policies, OAuth abuse monitoring
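FIDO2 removes the push-fatigue vector; until it is rolled out, the signal to alert on is an approval that follows a run of denied or timed-out pushes. The block below is an added example, not Parliament code and not an Entra ID or Okta query. It assumes a constructed, simplified log with one push challenge per line and its outcome; real sources (Entra ID sign-in logs, Okta system log, Duo authentication log) carry the same information under other field names.

```python
"""MFA push-fatigue detection over authentication logs (added example).

Constructed input format: "<ISO timestamp> user=<name> result=<denied|timeout|approved> src=<ip>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: alice is bombarded and finally approves a push raised from
# an address that has never approved for her; bob mis-taps once then approves
# (normal); carol is normal.
SAMPLE_LOG = """\
2025-05-31T07:00:00Z user=alice result=denied src=203.0.113.50
2025-05-31T07:01:00Z user=alice result=denied src=203.0.113.50
2025-05-31T07:02:00Z user=alice result=timeout src=203.0.113.50
2025-05-31T07:03:00Z user=alice result=denied src=203.0.113.50
2025-05-31T07:04:00Z user=alice result=approved src=203.0.113.50
2025-05-31T07:10:00Z user=bob result=denied src=198.51.100.12
2025-05-31T07:11:00Z user=bob result=approved src=198.51.100.12
2025-05-31T07:20:00Z user=carol result=approved src=198.51.100.13
"""


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        f = dict(item.split("=", 1) for item in kv)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": f["user"], "result": f["result"], "src_ip": f["src"],
        })
    return events


def detect_push_fatigue(events: list, burst: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> list:
    """Per-user sliding window over push outcomes.

    push_burst                 the burst-th unapproved push (denied/timeout) in the
                               window; fires once as the count crosses the line
    approved_after_push_burst  an approval preceded by >= burst unapproved pushes;
                               treat the session as compromised until the user
                               confirms out of band
    """
    history = defaultdict(deque)            # user -> deque of (ts, result)
    approving_sources = defaultdict(set)    # user -> addresses that approved before
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts, src = ev["user"], ev["ts"], ev["src_ip"]
        q = history[user]
        while q and ts - q[0][0] > window:
            q.popleft()
        unapproved = sum(1 for _, r in q if r != "approved")
        if ev["result"] == "approved":
            if unapproved >= burst:
                alerts.append({"user": user, "kind": "approved_after_push_burst",
                               "prior_unapproved": unapproved, "src_ip": src,
                               "new_source": src not in approving_sources[user],
                               "at": ts})
            approving_sources[user].add(src)
        else:
            unapproved += 1
            if unapproved == burst:
                alerts.append({"user": user, "kind": "push_burst",
                               "unapproved": unapproved, "at": ts})
        q.append((ts, ev["result"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The push_burst alert is the one to wire to an automatic response (temporarily block the push factor for that user); approved_after_push_burst should revoke the session and force re-authentication, since a single honest mis-tap, as in bob's case, never reaches the burst threshold.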

Patterns of Failure and Remediation Priorities

Category               Observed Weaknesses                   Strategic Mitigations
Detection Lag          No 24/7 SOC, poor alert correlation   SIEM+SOAR automation, anomaly detection
Patch Delays           Legacy/COTS systems ignored           SLA-driven patching, auto-update MDMs
MFA Gaps               Push fatigue, legacy auth methods     FIDO2, risk-based auth, token enforcement
Endpoint Blind Spots   macOS, remote, contractor systems     Full telemetry across all platforms
Supply Chain Risk      Dev-prod flatness, no SBOM            CI/CD segmentation, SLSA adoption
User Training Deficit  Poor phish awareness                  Simulations, onboarding education

IR Playbook: Key Phases

  1. Preparation:

    • Asset inventory, contact validation, simulate supply chain and hybrid threats

  2. Identification:

    • IOC alerting, SIEM baselining, behavioral deviations

  3. Containment:

    • Affected subnets isolated, emergency firewall rules, rapid EDR deployment

  4. Eradication:

    • Malware artifacts removed, root cause traced, patches applied

  5. Recovery:

    • System integrity validated, backup restoration, enhanced monitoring

  6. Lessons Learned:

    • Full AAR (After Action Report), update SOPs/playbooks, share intel with ISACs
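The Identification phase's "IOC alerting" starts with the indicators in a report like this one, which arrive defanged and must be matched as domains, parent domains and addresses rather than as substrings. The block below is an added example and not part of any incident write-up: the watchlist reuses this report's defanged network indicators, the proxy log lines are constructed (RFC 5737 client addresses, a simplified one-line format), and the function names are the example's own.

```python
"""IOC sweep: refang defanged indicators and match them against proxy logs.

Added example on constructed log data; the log format is hypothetical.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Network indicators as listed in this report, still defanged.
WATCHLIST = [
    "146.190.54[.]230",
    "dev-finupdates[.]com",
    "fiscalis-service[.]cloud",
    "bot-check[.]ru",
    "dash-serversync[.]com",
    "analytics-stat[.]usdot[.]gov",
    "vps-water[.]com",
]

# Constructed proxy log: a true hit on a subdomain, a CONNECT to a watchlisted
# IP, a lookalike that merely starts with an indicator, and a legitimate parent
# domain that must not match.
SAMPLE_PROXY_LOG = """\
2025-06-01T10:22:03Z 10.1.4.22 GET http://cdn.dev-finupdates.com/update.bin 200
2025-06-01T10:22:07Z 10.1.4.23 GET https://www.example.org/ 200
2025-06-01T10:23:41Z 10.1.7.9 CONNECT 146.190.54.230:443 200
2025-06-01T10:24:02Z 10.1.4.22 GET http://dev-finupdates.com.lookalike.example/ 200
2025-06-01T10:25:15Z 10.1.9.3 GET https://bot-check.ru/api/check 403
2025-06-01T10:26:00Z 10.1.4.23 GET https://usdot.gov/ 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$")


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions so indicators compare to live data."""
    return (ioc.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def load_watchlist(iocs) -> tuple:
    domains, ips = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, ips


def matching_indicator(host: str, domains: set, ips: set):
    """Return the indicator `host` matches, or None.

    A domain indicator matches the host itself or any parent of it, so
    cdn.dev-finupdates.com hits dev-finupdates.com, while a host that merely
    starts with the indicator (dev-finupdates.com.lookalike.example) does not,
    and a parent of an indicator (usdot.gov) is not implicated by it.
    """
    host = host.lower().rstrip(".")
    if host in ips:
        return host
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def sweep(log_text: str, iocs) -> list:
    """Return (line_no, client_ip, indicator) for each line touching a watchlisted host."""
    domains, ips = load_watchlist(iocs)
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m["target"]
        # CONNECT targets are bare host:port; give urlparse a netloc to work with.
        host = urlparse(target if "://" in target else "//" + target).hostname
        if host:
            ioc = matching_indicator(host, domains, ips)
            if ioc:
                hits.append((n, m["client"], ioc))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_PROXY_LOG, WATCHLIST):
        print(hit)
```

Matching on host labels rather than with a substring search is what keeps the lookalike and the legitimate parent domain out of the hit list; the same label-wise logic applies to DNS query logs, where the queried name replaces the URL host.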

References & Alerts


May-June CTI report