Written by
Team Nucleus
Written on
21st February, 2025
Analyst Insight
This week, a major UK private health and social services provider, HCRG Care Group, was targeted by the Medusa ransomware gang, demanding a $2 million ransom. Ransomware remains the most profitable form of cybercrime, with incidents becoming increasingly frequent. In 2024, ransomware groups collected $813.5 million in ransom payments, despite a 35% decline from the previous year.
Additionally, Microsoft promptly patched several actively exploited vulnerabilities, including critical flaws in Power Pages and Windows Storage. For more details, check the rest of this article.
Two Exploited Microsoft High Severity Vulnerabilities Patched
Both CVE-2025-21355 and CVE-2025-24989 have been patched today by Microsoft. Of CVE-2025-21355, Microsoft has said the following: "Missing Authentication for Critical Function in Microsoft Bing allows an unauthorized attacker to execute code over a network." The statement appears in the corresponding advisory, and the patch requires no customer action. The second vulnerability, CVE-2025-24989, affects Power Pages, a service primarily used for creating, hosting and managing business websites. It allows an unauthorised attacker to elevate privileges over a network and bypass user registration controls. Microsoft has not made clear how many customers have been affected, who the attackers are, or whether a specific target was being singled out. Microsoft has stated that it has reached out to affected customers and that "If you've not been notified this vulnerability does not affect you."
$2 Million Ransom on UK Health Services Provider
First reported by The Register, the Medusa ransomware gang is demanding a $2 million ransom from the UK private health and social services provider "HCRG Care Group", threatening to leak over 2.3TB of data it claims to hold, said to contain passport and driving licence scans, staff rotas, a birth certificate, and data from background checks. The gang has given three options: sell the information to a buyer for $2 million (£1.6 million), delete its copy for the same amount, or leak everything online if no one pays by February 27. The gang will also delay the release of the data for $10,000 (£8,000) per day to keep negotiations open.
Lazarus Group Deploying New JavaScript Implant
A previously undocumented JavaScript implant named Marstech1 has been attributed to the Lazarus Group. Used primarily against developers, it was delivered through an open-source repository hosted on GitHub. The profile associated with the implant, "SuccessFriend", had been active since July 2024 and is no longer accessible on the platform. The malware has 233 confirmed victims across the globe, and targeted developers seeking to learn web development and blockchain skills. The script was designed to target Chromium-based browsers and cryptocurrency wallets. It also appears to still be under active development, as an investigation led by SecurityScorecard has identified a newer version featuring a different C2 server.
Snake Keylogger Makes Use of AutoIt Scripting to Evade Detection
Fortinet has recently identified a new version of the Snake Keylogger malware targeting users across the globe. Kevin Su has found that the new variant is often deployed via phishing. By keylogging users of popular browsers, it records credentials and captures the clipboard, then exfiltrates this information to an attacker-controlled server via the Simple Mail Transfer Protocol (SMTP) and Telegram bots, giving the threat actors access to the stolen data. In these latest attacks the keylogger uses the AutoIt scripting language to deliver and execute the payload, so it exists as an AutoIt-compiled binary, which may bypass traditional detection mechanisms. The malware drops a copy of itself in the local AppData folder and creates a Visual Basic script that launches the malware at system boot.
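The three behaviours described above (a copy dropped under local AppData, a VBScript that runs at boot, and exfiltration over SMTP or Telegram) are each observable from endpoint telemetry. The following Python is an added example, not code from Fortinet or from the article, that runs simple detection rules over constructed Sysmon-style events. The event format, the Startup-folder location of the VBScript, every path, hostname and process name, and the mail-client allowlist are assumptions made for illustration.

```python
"""Detection rules for the Snake Keylogger behaviours described in the article,
run over constructed sample telemetry. Everything below is assumed for
illustration: it is not Fortinet's data or detection content."""

# Constructed, simplified Sysmon-style events: "<EventType> | key=value | key=value ...".
SAMPLE_EVENTS = r"""
FileCreate | Image=C:\Users\alice\Downloads\invoice.exe | TargetFilename=C:\Users\alice\AppData\Local\Temp\svchost.exe
FileCreate | Image=C:\Users\alice\AppData\Local\Temp\svchost.exe | TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs
NetworkConnect | Image=C:\Users\alice\AppData\Local\Temp\svchost.exe | DestinationHostname=api.telegram.org | DestinationPort=443
NetworkConnect | Image=C:\Users\alice\AppData\Local\Temp\svchost.exe | DestinationHostname=smtp.example.net | DestinationPort=587
NetworkConnect | Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | DestinationHostname=smtp.office365.com | DestinationPort=587
FileCreate | Image=C:\Windows\System32\msiexec.exe | TargetFilename=C:\Users\alice\AppData\Local\Vendor\app.exe
"""

# Assumed allowlist: processes expected to speak SMTP on an endpoint.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {"25", "465", "587"}
# Directories an ordinary user can write to; a dropper normally runs from one of these.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")
# Assumed persistence location for the boot-time VBScript (the article only says "at boot").
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_event(line):
    """Turn one 'Type | k=v | k=v' line into a dict; the first field is the event type."""
    parts = [p.strip() for p in line.split(" | ")]
    event = {"EventType": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        if ev["EventType"] == "FileCreate":
            target = ev.get("TargetFilename", "").lower()
            if target.endswith(".vbs") and STARTUP_DIR in target:
                findings.append(("vbs_startup_persistence", ev["TargetFilename"]))
            # Without file hashes, "copies itself" is approximated as: an executable
            # written under AppData\Local by a process that itself runs from a
            # user-writable directory (installers in System32 are left alone).
            elif (target.endswith(".exe") and "\\appdata\\local\\" in target
                  and any(d in image for d in USER_WRITABLE)):
                findings.append(("exe_dropped_in_localappdata", ev["TargetFilename"]))
        elif ev["EventType"] == "NetworkConnect":
            host = ev.get("DestinationHostname", "").lower()
            port = ev.get("DestinationPort", "")
            smtp_or_telegram = port in SMTP_PORTS or host == "api.telegram.org"
            if smtp_or_telegram and basename(image) not in MAIL_CLIENT_ALLOWLIST:
                findings.append(("suspicious_exfil_channel", f"{host}:{port}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{rule:30} {evidence}")
```

On the constructed sample the rules fire four times (the dropped copy, the Startup VBScript, and the two outbound connections from the dropped binary) and stay silent for Outlook's legitimate SMTP session and for an installer writing under AppData\Local. The network rule is the noisiest of the three in practice, so the allowlist is where tuning effort goes.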
OpenSSH Vulnerabilities Undisclosed for Years – Patch Released
Researchers at Qualys this week disclosed two vulnerabilities, CVE-2025-26465 and CVE-2025-26466, affecting the OpenSSH client and allowing attackers to perform man-in-the-middle (MITM) attacks and pre-authentication denial-of-service (DoS) attacks. Despite their moderate severity scores (6.8 and 5.9), these vulnerabilities are significant because of OpenSSH's widespread use for encrypted remote connections and secure file transfers across platforms including Windows, Linux and macOS.
The man-in-the-middle vulnerability affects OpenSSH clients when the "VerifyHostKeyDNS" option is enabled. As the Qualys report describes it: "The attack against the OpenSSH client (CVE-2025-26465) succeeds regardless of whether the VerifyHostKeyDNS option is set to 'yes' or 'ask' (its default is 'no'), requires no user interaction, and does not depend on the existence of an SSHFP resource record (an SSH fingerprint) in DNS."
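Because the exposure hinges on one client option, the practical check is whether VerifyHostKeyDNS resolves to "yes" or "ask" for the hosts you connect to. The following Python is an added example, not code from Qualys or the OpenSSH project: it resolves the option the way ssh_config does (first obtained value wins, Host blocks restrict the options that follow them) and shows a weak configuration beside a hardened one. Both configuration texts are constructed, and only Host blocks are modelled (Match blocks and negated patterns are out of scope).

```python
"""Resolve VerifyHostKeyDNS from an OpenSSH client configuration.
Added example; the configs below are constructed, not taken from any real system."""
import fnmatch
import re

# Constructed: a client config that turns DNS-based host key verification on.
WEAK_CONFIG = """\
# weak: trusts SSHFP lookups for the corporate domain, and prompts elsewhere
Host *.corp.example
    VerifyHostKeyDNS yes

Host *
    VerifyHostKeyDNS ask
    StrictHostKeyChecking ask
"""

# Constructed: the same intent with the option at its safe default, made explicit.
HARDENED_CONFIG = """\
Host *
    VerifyHostKeyDNS no
    StrictHostKeyChecking yes
"""


def effective_option(config_text, hostname, option):
    """Return the value ssh would use for `option` when connecting to `hostname`.

    Mirrors ssh_config's rule that the first obtained value wins. A 'Host' line
    makes the following options apply only to hostnames matching one of its
    patterns ('*' and '?' wildcards). Returns None when the config never sets
    the option, meaning ssh's compiled-in default applies.
    """
    active = True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = any(fnmatch.fnmatchcase(hostname, p) for p in value.split())
            continue
        if active and key == option.lower():
            return value
    return None


def verify_host_key_dns_exposed(config_text, hostname):
    """True when the client would consult DNS for host keys (CVE-2025-26465 precondition)."""
    value = effective_option(config_text, hostname, "VerifyHostKeyDNS")
    return (value or "no").lower() in ("yes", "ask")  # unset means the default "no"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for host in ("build.corp.example", "github.com"):
            print(f"{name:9} {host:20} exposed={verify_host_key_dns_exposed(cfg, host)}")
```

On a real machine the same answer comes from `ssh -G <hostname>`, which prints the configuration ssh actually computed for that host; look for the `verifyhostkeydns` line. Note that the user file (~/.ssh/config) is read before the system-wide one, so a safe system default can still be overridden per user.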