San Mateo, CA, March 17, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Volt Typhoon breached U.S. power utility for months
China-linked APT group Volt Typhoon covertly accessed the operational technology (OT) network of Littleton Electric Light and Water Departments (LELWD), a small Massachusetts utility, from February to November 2023, according to Dragos researchers. Donovan Tindill, director of OT cybersecurity at DeNexus, suggests that targeting U.S. critical infrastructure may be part of China’s geopolitical strategy. While no customer data was compromised, the breach underscores the vulnerability of aging infrastructure. “One of the biggest challenges with cybersecurity in critical infrastructure is the long lifespan of the devices,” warned Tim Mackey, head of software supply chain risk strategy at Black Duck. Controllers and network gear that stay in service for decades outlive the threat model they were designed under, often cannot be patched without an outage, and so remain exposed to techniques that did not exist when they were installed. Read more.
LockBit developer extradited to U.S. for cybercrimes
Rostislav Panev, a 51-year-old dual Russian-Israeli national, has been extradited to the U.S. to face charges for his role in the LockBit ransomware gang. Panev allegedly developed and maintained LockBit’s malware and supporting infrastructure, receiving about $230,000 in cryptocurrency between June 2022 and February 2024. “Among the work that Panev admitted to having completed for the LockBit group was the development of code to disable antivirus software; to deploy malware to multiple computers connected to a victim network; and to print the LockBit ransom note to all printers connected to a victim network,” the Justice Department said. “Panev also admitted to having written and maintained LockBit malware code and to having provided technical guidance to the LockBit group.” Read more.
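The ransom-note printing behaviour the Justice Department describes leaves a distinctive trace in print-audit telemetry: one account fanning a single document out to every print queue it can reach within seconds. The following is an added example, not code from the DOJ filing or from this page. It is a small Python detector that flags one account sending the same document to many distinct printers inside a short window. The records are constructed for the example, in a simplified tuple format loosely modelled on the fields of the Windows PrintService/Operational “Document printed” event (ID 307); the field layout, account names, printer names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical format, not real logs). Each tuple is
# (timestamp, user, printer, document). In a real pipeline these fields would be
# parsed from the "Document printed" event in the PrintService/Operational log.
SAMPLE_EVENTS = [
    # one account spraying the same note to six queues in under a minute
    ("2025-03-10T02:14:03", "svc-backup", "PRN-HQ-01", "Restore-My-Files.txt"),
    ("2025-03-10T02:14:05", "svc-backup", "PRN-HQ-02", "Restore-My-Files.txt"),
    ("2025-03-10T02:14:07", "svc-backup", "PRN-HQ-03", "Restore-My-Files.txt"),
    ("2025-03-10T02:14:09", "svc-backup", "PRN-FIN-01", "Restore-My-Files.txt"),
    ("2025-03-10T02:14:11", "svc-backup", "PRN-FIN-02", "Restore-My-Files.txt"),
    ("2025-03-10T02:14:40", "svc-backup", "PRN-WH-01", "Restore-My-Files.txt"),
    # normal use: a user reprinting a report on a second printer
    ("2025-03-10T09:01:12", "alice", "PRN-HQ-01", "Q1-report.docx"),
    ("2025-03-10T09:03:30", "alice", "PRN-HQ-02", "Q1-report.docx"),
    # normal use: the same memo printed on six printers over a working day
    ("2025-03-10T10:00:00", "bob", "PRN-HQ-01", "memo.pdf"),
    ("2025-03-10T10:45:00", "bob", "PRN-HQ-02", "memo.pdf"),
    ("2025-03-10T11:30:00", "bob", "PRN-HQ-03", "memo.pdf"),
    ("2025-03-10T12:15:00", "bob", "PRN-FIN-01", "memo.pdf"),
    ("2025-03-10T13:00:00", "bob", "PRN-FIN-02", "memo.pdf"),
    ("2025-03-10T13:45:00", "bob", "PRN-WH-01", "memo.pdf"),
]


def detect_print_spray(events, min_printers=5, window=timedelta(minutes=2)):
    """Return one alert per (user, document) pair that reached `min_printers`
    distinct printers inside any span of length `window`.

    Volume alone is not the signal (a batch job can print hundreds of pages);
    the same document fanned out to many distinct queues in seconds is.
    """
    groups = defaultdict(list)
    for ts, user, printer, doc in events:
        groups[(user, doc)].append((datetime.fromisoformat(ts), printer))

    alerts = []
    for (user, doc), rows in groups.items():
        rows.sort()  # chronological order so the window scan below is valid
        for start in range(len(rows)):
            t0 = rows[start][0]
            seen = set()
            for t, printer in rows[start:]:
                if t - t0 > window:
                    break  # rows are sorted, so nothing later fits this window
                seen.add(printer)
            if len(seen) >= min_printers:
                alerts.append({
                    "user": user,
                    "document": doc,
                    "printer_count": len(seen),
                    "window_start": t0.isoformat(),
                })
                break  # one alert per user/document pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_print_spray(SAMPLE_EVENTS):
        print(alert)
```

Against the sample data only the svc-backup burst fires; alice’s reprint and bob’s day-long run of the same memo across six printers do not, because the window bounds the fan-out in time rather than in count. Run against real event 307 data forwarded to a SIEM, the threshold should sit above the number of distinct queues any single account legitimately targets in a couple of minutes, and a hit is worth treating as a possible late-stage ransomware indicator rather than a printing problem.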
New AnubisBackdoor malware evades detection
Threat group Savage Ladybug, also known as FIN7, has developed a new Python-based backdoor called AnubisBackdoor that lets attackers execute commands remotely on an infected host while evading most antivirus software. The malware is primarily spread through malspam campaigns that trick victims into opening malicious email attachments or links. “When users interact with these malicious elements, the AnubisBackdoor is installed on their systems, establishing persistence mechanisms and communication channels with command and control servers operated by the attackers.” Researchers say its obfuscation techniques make detection difficult, allowing it to operate unnoticed for extended periods, and its modular design lets attackers tailor its functionality to their objectives. Read more.
Chinese hackers backdoor Juniper routers for cyber espionage
Chinese threat actors have compromised end-of-life (EoL) Juniper Networks MX routers running Junos OS, installing custom backdoors for cyber espionage. “The backdoors are primarily variants of the TinyShell malware, an open-source tool that facilitates data exchange and command execution on Linux systems, and which has been used by multiple threat groups over the years.” Mandiant, which uncovered the attacks, attributes them to the China-linked espionage group UNC3886. “Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks’ Junos OS routers.” UNC3886 is known for using zero-day vulnerabilities to infiltrate virtualization platforms and networking devices. The implants were launched by injecting code into a legitimate Junos process, sidestepping the operating system’s Verified Exec (veriexec) file-integrity protection. Mandiant recommends upgrading affected devices to supported releases and then running the Juniper Malware Removal Tool (JMRT) quick scan and integrity check. Read more.
Employee faces prison for installing network kill switch
Davis Lu, 55, developed and deployed malicious code in his employer’s network that acted as a “kill switch”: it checked whether his account was still enabled in the company’s Active Directory and, once his credentials were disabled, locked out users. After he was fired, the code triggered disruptions affecting thousands of users globally. “Additionally, on the day he was directed to turn in his company laptop, Lu deleted encrypted data,” the Justice Department said. “His internet search history revealed he had researched methods to escalate privileges, hide processes, and rapidly delete files, indicating an intent to obstruct efforts of his co-workers to resolve the system disruptions.” Lu faces up to 10 years in prison for his actions. Read more.
Microsoft patches seven zero-days in March 2025 update
Microsoft’s March Patch Tuesday includes fixes for more than 50 vulnerabilities, including seven zero-days, six of which are actively exploited:
- CVE-2025-26633, a security feature bypass in Microsoft Management Console (CVSS 7.0)
- CVE-2025-24993, a remote code execution (RCE) vulnerability in Windows NTFS (CVSS 7.8)
- CVE-2025-24991, an information disclosure vulnerability in Windows NTFS (CVSS 5.5)
- CVE-2025-24985, an RCE vulnerability in the Windows Fast FAT File System Driver (CVSS 7.8)
- CVE-2025-24984, an information disclosure bug in Windows NTFS (CVSS 4.6)
- CVE-2025-24983, an elevation of privilege (EoP) vulnerability in the Windows Win32 Kernel Subsystem (CVSS 7.0)
The seventh, CVE-2025-26630, is an RCE vulnerability in Microsoft Access (CVSS 7.8) that was publicly disclosed but has not yet been exploited. Per Microsoft’s advisories, three of the file-system bugs (CVE-2025-24993, CVE-2025-24991 and CVE-2025-24985) are triggered by tricking a local user into mounting a specially crafted virtual hard disk (VHD), while CVE-2025-24984 requires physical access via a malicious USB drive, which is why its score is lower. Read more.
CISA election security review concerns local officials
The Department of Homeland Security has completed a review of CISA’s election security mission but will not make the findings public. “The assessment that CISA has undertaken is internal and will help inform how the agency moves forward to best support critical infrastructure,” a CISA spokesperson said. “This is an internal document that is not planned to be released publicly.” Experts warn that withholding the findings undermines trust between federal agencies and local election officials. “The thing that’s crazy to me is how could they possibly expect some smaller county in Michigan or Wisconsin or Pennsylvania to be matched up against foreign intelligence services?” said Scott McDonell, county clerk for Dane County, Wis. Read more.
FTC: Americans lost record $12.5 billion to scams in 2024
The U.S. Federal Trade Commission (FTC) reports that Americans lost a record $12.5 billion to fraud in 2024, a 25% increase from 2023. Investment scams accounted for the largest losses at $5.7 billion, with a median loss exceeding $9,000. Imposter scams followed, costing $2.95 billion. Employment scams tripled between 2020 and 2024, with losses rising from $90 million to $501 million. “For the second consecutive year, email was the most common way that consumers reported being contacted by scammers. Phone calls were the second most commonly reported contact method for fraud in 2024, followed by text messages,” the FTC said. “People lost over $3 billion to scams that started online, compared to approximately $1.9 billion lost to more ‘traditional’ contact methods like calls, texts, or emails.” Since most fraud cases go unreported, the real losses are likely much higher. Read more.
U.K. health firm orders journalist to remove cyberattack report
U.K. healthcare company HCRG has obtained a court injunction against U.S.-based website DataBreaches.net, demanding the removal of two articles about a ransomware attack on the organization. The notice from HCRG’s law firm states that the injunction was issued to “prevent the publication or disclosure of confidential data stolen during a recent ransomware cyberattack.” It warns that noncompliance “may result in imprisonment, a criminal fine or having your assets seized.” DataBreaches.net administrator Dissent Doe refuses to comply, arguing that the site falls outside U.K. jurisdiction and is protected under the U.S. First Amendment. HCRG has not publicly acknowledged the breach, leaving journalists and cybersecurity researchers to uncover the incident’s details. Doe said the injunction “would prevent the public from finding out that the breach was a serious one with likely many people affected” and “could open the door to widespread censorship of journalists in the U.K. or elsewhere.” Read more.
Scammers use fake ransomware extortion letters
The FBI has warned executives about a scam in which criminals send physical letters threatening to leak stolen company data. Stamped “time sensitive read immediately,” the letters claim to be from BianLian, a ransomware gang known for attacking critical U.S. infrastructure. “Several inconsistencies — such as the lack of a contact method for negotiation, absence of proof of data exfiltration, and differences in writing style — suggest this is a fraudulent campaign meant to exploit fear for financial gain,” said Richard Emerson, manager of reactive threat intelligence at Palo Alto Networks’ Unit 42. Healthcare executives are the primary targets, with ransom demands reaching $350,000. The letters contain no details of an actual attack and offer no means of contacting the sender, leaving experts unsure how effective the scam can be. A genuine extortion follows an actual intrusion, so recipients should treat a letter like this as a prompt to check for evidence of compromise rather than as proof of one, and the FBI asks that such letters be reported to its Internet Crime Complaint Center (IC3). Read more.
All articles sponsored by NetworkTigers.
About NetworkTigers
NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.

