Ransomware gangs exploit Microsoft Teams for phishing attacks
Ransomware gangs are increasingly refining their methods, leveraging phishing schemes that combine email bombing with impersonation tactics in Microsoft Teams calls. These attacks often involve deploying Black Basta ransomware to compromise company networks while exploiting employee trust.
In one observed campaign, ransomware gangs sent thousands of spam emails within 45 minutes before initiating a Microsoft Teams call from an account named “Help Desk Manager.” This strategy tricked victims into allowing remote access, enabling the installation of malicious software like the RPivot backdoor. Once installed, the attackers exploited tools such as Remote Desktop Protocol (RDP) to expand their reach and access sensitive systems.
Another campaign, linked to the STAC5777 group, followed a similar approach by sending phishing messages via Microsoft Teams. Victims were convinced to install Microsoft Quick Assist, granting attackers direct control to deploy Black Basta ransomware. The attackers then relied on RDP and network vulnerabilities to achieve their objectives.
To mitigate these threats, organizations are advised to block external communications in Microsoft Teams and disable tools like Quick Assist in critical environments. These proactive measures can help reduce the risk of attacks by ransomware gangs exploiting RDP and other vulnerabilities.
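A detection for the sequence described above (a mailbox flooded within a 45-minute window, followed by an external Teams call to the same user), written as an added example that is not part of the original reporting; the log format, thresholds, user names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection parameters: assumptions for this example, tune them to your environment.
BURST_WINDOW = timedelta(minutes=45)    # the observed flood fit inside this window
BURST_THRESHOLD = 50                    # real floods were thousands of messages
FOLLOW_UP_WINDOW = timedelta(hours=2)   # how long after the flood a call stays suspicious

def parse(line):
    """Constructed log format: '<iso-ts> <mail|call> k=v;k=v' -> (datetime, kind, fields)."""
    ts, kind, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), kind, dict(kv.split("=", 1) for kv in rest.split(";"))

def mail_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding window per recipient -> {rcpt: (first msg in window, time threshold was hit)}."""
    per_user = defaultdict(list)
    for ts, kind, f in events:
        if kind == "mail":
            per_user[f["rcpt"]].append(ts)
    bursts = {}
    for rcpt, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # drop messages older than the window
                start += 1
            if end - start + 1 >= threshold:     # window now holds a flood
                bursts[rcpt] = (times[start], t)
                break
    return bursts

def detect(events):
    """Alert when an external Teams call reaches a mailbox during or shortly after a flood."""
    bursts = mail_bursts(events)
    alerts = []
    for ts, kind, f in events:
        if kind != "call" or f.get("external") != "yes" or f["callee"] not in bursts:
            continue
        first, hit = bursts[f["callee"]]
        if first <= ts <= hit + FOLLOW_UP_WINDOW:
            alerts.append({"user": f["callee"], "caller": f["name"], "at": ts.isoformat()})
    return alerts

# Constructed sample telemetry: 60 messages hit alice in 30 minutes, then two calls to her.
SAMPLE_LOG = [f"{(datetime(2025, 1, 20, 9) + timedelta(seconds=30 * i)).isoformat()} mail rcpt=alice@corp.example"
              for i in range(60)]
SAMPLE_LOG += ["2025-01-20T09:40:00 call callee=alice@corp.example;external=yes;name=Help Desk Manager",
               "2025-01-20T09:45:00 call callee=alice@corp.example;external=no;name=Real IT",
               "2025-01-20T10:00:00 call callee=bob@corp.example;external=yes;name=Help Desk Manager"]
ALERTS = detect([parse(line) for line in SAMPLE_LOG])
```

Only the external "Help Desk Manager" call to the flooded mailbox is flagged; the internal call and the call to the un-flooded user are not.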
Cloudflare mitigated a record-breaking 5.6 Tbps DDoS attack
Cloudflare successfully mitigated the largest distributed denial-of-service (DDoS) attack recorded to date, which peaked at an unprecedented 5.6 terabits per second. This massive attack, originating from a Mirai-based botnet with 13,000 compromised devices, targeted an internet service provider (ISP) in Eastern Asia on October 29, 2024.
Despite its intensity, the UDP-based assault lasted only 80 seconds and caused no service disruptions, thanks to Cloudflare’s fully automated detection and mitigation systems. This achievement highlights the effectiveness of autonomous DDoS protection in defending against hyper-volumetric attacks.
The incident followed a previous record-breaking DDoS attack in early October 2024, which peaked at 3.8 Tbps. These hyper-volumetric assaults have become more frequent, with attacks exceeding 1 terabit per second showing a staggering 1,885% quarter-over-quarter growth in the last months of 2024.
Cloudflare’s telemetry data revealed that short-duration attacks are increasingly common, with 72% of HTTP DDoS and 91% of network layer DDoS attacks lasting less than 10 minutes. These quick bursts of overwhelming traffic, often occurring during peak periods like holidays, emphasize the need for always-on, automated DDoS protection.
Ransom DDoS attacks also surged, with a 78% increase quarter-over-quarter and a 25% year-over-year growth in Q4 2024. The most frequently targeted regions included China, the Philippines, Taiwan, Hong Kong, and Germany, with industries such as telecommunications, service providers, and marketing being the primary focus.
As DDoS threats continue to evolve, Cloudflare underscores the importance of proactive, in-line defenses to protect against these increasingly sophisticated and short-lived attacks.
Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025
On the opening day of Pwn2Own Automotive 2025, security researchers uncovered and exploited 16 unique zero-day vulnerabilities, earning a total of $382,750 in cash prizes. The competition, held during the Automotive World conference in Tokyo, highlights the vulnerabilities in automotive technologies, including electric vehicle (EV) chargers and in-vehicle infotainment (IVI) systems.
Fuzzware.io emerged as the top contender, hacking the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 EV chargers using a stack-based buffer overflow and an origin validation error. This effort secured them $50,000 and 10 Master of Pwn points. Following closely, Sina Kheirkhah of Summoning Team earned $91,750 and 9.25 Master of Pwn points after exploiting a hard-coded cryptographic key bug and three zero-days on Ubiquiti and Phoenix Contact CHARX SEC-3150 chargers.
Synacktiv Team demonstrated their expertise by hacking the ChargePoint Home Flex (Model CPH50) EV charger via signal manipulation through the connector, using a bug in the OCPP protocol, earning $57,500. Meanwhile, PHP Hooligans successfully targeted a fully patched Autel charger using a heap-based buffer overflow, collecting $50,000. Viettel Cyber Security also secured $20,000 after achieving code execution on the Kenwood In-Vehicle Infotainment system via an OS command injection zero-day.
Vendors now have 90 days to develop and release patches for the reported vulnerabilities before public disclosure by Trend Micro’s Zero Day Initiative. The competition, which runs from January 22 to January 24, provides researchers with opportunities to test their skills on technologies such as Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX.
Last year’s Pwn2Own events showcased the escalating stakes in automotive cybersecurity. The first Pwn2Own Automotive in January 2024 awarded $1,323,750 for 49 zero-days, including Tesla vulnerabilities. At Pwn2Own Vancouver 2024, researchers earned $1,132,500 by exploiting 29 zero-days, with Synacktiv notably hacking a Tesla Model 3’s ECU in under 30 seconds.
Tesla EV charger hacked twice on second day of Pwn2Own Tokyo
Security researchers successfully hacked Tesla’s Wall Connector electric vehicle charger twice on the second day of the Pwn2Own Automotive 2025 hacking contest. The day also saw the exploitation of 23 additional zero-day vulnerabilities across devices such as WOLFBOX, ChargePoint Home Flex, Autel MaxiCharger, Phoenix Contact CHARX, and EMPORIA EV chargers, as well as in Alpine iLX-507, Kenwood DMX958XR, and Sony XAV-AX8500 In-Vehicle Infotainment (IVI) systems.
PHP Hooligans were the first to compromise the Tesla Wall Connector using a Numeric Range Comparison Without Minimum Check zero-day bug. Later, Synacktiv showcased an innovative attack by hacking the same Tesla charger via its Charging Connector, marking a publicly unprecedented method. Two bug collisions were reported during additional hacking attempts on Tesla’s Wall Connector, involving PCAutomotive and Summoning Team’s Sina Kheirkhah, who leveraged an exploit chain of two already-known bugs.
According to Pwn2Own Tokyo 2025 contest rules, all targeted devices had the latest security updates and operating system versions installed. Trend Micro’s Zero Day Initiative (ZDI) awarded $335,500 in cash prizes on the second day for the discovery of 23 zero-day vulnerabilities. Sina Kheirkhah currently leads the competition for the Master of Pwn title.
On the first day of the competition, security researchers exploited 16 unique zero-day vulnerabilities, earning $382,750 in cash rewards. Following Pwn2Own rules, vendors will have 90 days to release patches for the reported vulnerabilities before ZDI discloses them publicly.
The Pwn2Own Automotive 2025 contest, held during the Automotive World conference in Tokyo from January 22 to January 24, focuses on automotive technologies. Researchers are targeting car operating systems such as Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX, as well as EV chargers and IVI systems.
During the first edition of Pwn2Own Automotive in 2024, researchers earned $1,323,750 for exploiting 49 zero-day bugs, including two hacks on Tesla systems. This year’s competition continues to highlight the importance of advancing cybersecurity in automotive technologies.
CISA: Hackers still exploiting older Ivanti bugs to breach networks
CISA and the FBI have issued a warning that attackers continue to exploit security flaws in Ivanti Cloud Service Appliances (CSA), despite patches being released since September 2024. Among the vulnerabilities being leveraged are CVE-2024-8963, an admin authentication bypass, and CVE-2024-8190, a critical remote code execution bug. Two additional flaws, CVE-2024-9379, an SQL injection vulnerability, and CVE-2024-9380, another remote code execution vulnerability, were addressed in October 2024. All four have been previously exploited in zero-day attacks.
Threat actors are chaining these vulnerabilities to gain initial access, achieve remote code execution, harvest credentials, and implant webshells on compromised networks. CISA revealed that two primary exploit chains are being used: one combining CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, and the other using CVE-2024-8963 and CVE-2024-9379. In one confirmed case, attackers used these exploits to achieve remote code execution and move laterally to additional servers.
CISA and the FBI strongly recommend upgrading all Ivanti CSA appliances to the latest supported version to prevent further attacks. Organizations are advised to check for malicious activity by analyzing indicators of compromise (IOCs) and logs for signs of remote code execution attempts and other exploits. Sensitive data and credentials stored in Ivanti appliances should be treated as compromised.
This wave of exploits comes as Ivanti increases its efforts to enhance internal scanning, responsible disclosure processes, and patching speed. Other Ivanti vulnerabilities were also exploited last year, including zero-day remote code execution attacks on VPN appliances and ZTA gateways.
Since early 2025, Ivanti Connect Secure VPN appliances have been targeted by a China-nexus espionage group known as UNC5221. This group has used zero-day remote code execution vulnerabilities to deploy malware like Dryhook and Phasejam on compromised devices. With over 40,000 companies worldwide relying on Ivanti products for IT asset and system management, addressing these vulnerabilities is critical for ensuring network security.
UnitedHealth now says 190 million impacted by 2024 data breach
UnitedHealth has disclosed that 190 million Americans had their personal and healthcare data stolen in the Change Healthcare ransomware attack, making it the largest healthcare data breach in U.S. history. This figure, nearly double the previously reported 100 million, highlights the massive scale of the incident. The breach involved sensitive data, including health insurance information, medical records, billing details, phone numbers, addresses, and, in some cases, Social Security Numbers and government ID numbers.
The attack was orchestrated by the BlackCat ransomware gang, also known as ALPHV, who exploited stolen credentials to breach Change Healthcare’s Citrix remote access service, which lacked multi-factor authentication. After gaining access, the attackers stole 6 TB of data and encrypted critical systems, disrupting healthcare services across the U.S. Patients faced difficulties in filing claims, obtaining prescription discounts, and accessing critical services during the fallout.
In response, UnitedHealth confirmed it paid a ransom, reportedly $22 million, to BlackCat ransomware operators for a decryptor and to prevent public data exposure. However, the situation deteriorated when the BlackCat ransomware affiliate behind the attack claimed they were scammed by their operators, who kept the entire ransom. Despite promises, the stolen data was not deleted and was subsequently shared with the RansomHub ransomware group, which began leaking portions of the data to demand additional payments.
RansomHub ransomware further complicated the situation, pressuring UnitedHealth with threats of releasing more stolen information. Although UnitedHealth did not confirm specifics, the sudden disappearance of the Change Healthcare entry from RansomHub’s data leak site indicated a second ransom payment might have been made. These repeated demands emphasized the persistent risks posed by BlackCat ransomware and its affiliates, as well as the emerging threat from RansomHub ransomware.
The financial toll on UnitedHealth has been significant, with losses from the attack estimated at $872 million by April 2024 and escalating to $2.45 billion by Q3 2024. This incident underscores the critical need for robust cybersecurity measures, such as enabling multi-factor authentication, to mitigate risks posed by ransomware groups like BlackCat ransomware and RansomHub ransomware.
Conclusion
The evolving threat landscape, marked by ransomware exploits, zero-day vulnerabilities, and sophisticated phishing campaigns, highlights the need for organizations to adopt proactive cybersecurity measures to protect their networks and sensitive data.
We provide industry-leading solutions to combat ransomware and enhance your organization’s cybersecurity posture. Our Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services ensure rapid response and resolution. Additionally, we offer a Cyber Defense Academy, Cybersecurity Risk Assessment, and an Incident Response Retainer to strengthen your defenses against emerging threats.
Reach out to us today to safeguard your organization and effectively respond to cyber threats.