
28th April – Threat Intelligence Report - Check Point Research

Check Point Research, archived Mar 16, 2026



April 28, 2025

For the latest discoveries in cyber research for the week of 28th April, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

British retailer Marks & Spencer (M&S) experienced a cyber-attack that caused disruptions to its online order system and in-store contactless payments. The company suspended online orders temporarily, refunded some customers, and reported the incident to the Information Commissioner’s Office (ICO).

Yale New Haven Health (YNHHS), the largest healthcare provider in Connecticut, reported a massive data breach affecting approximately 5 million individuals. The breach stemmed from vulnerabilities in the systems of a third-party vendor, Perry Johnson & Associates (PJ&A), exposing names, addresses, birth dates, Social Security numbers, medical data, and insurance information.

Blue Shield of California disclosed a data breach affecting 4.7 million members, after protected health information was shared with Google Ads platforms due to a misconfiguration. Exposed data included insurance details, medical claims, personal data and search queries. The issue occurred between April 2021 and January 2024 and was discovered in February 2025.

Baltimore City Public Schools (BCPS) suffered a cyber-attack affecting 25,000 current and former staff and students, causing disruptions to systems and access to educational resources. The Cloak Ransomware group has claimed responsibility for the attack, posting some of the allegedly stolen data on the Dark Web.

South African telecommunications giant MTN confirmed a cybersecurity incident resulting in unauthorized access to personal information of some customers. The company also stated that its critical infrastructure and customer services remain unaffected. Investigations into the extent of the breach are ongoing.

A cyberattack targeted Aigües Ter Llobregat (ATLL), a water supplier for Barcelona and surrounding areas. Though ATLL said the attack did not impact water service, threat actors accessed internal systems and files, and the company warned these may include financial and personal details of customers.

Onsite Mammography, a healthcare service provider in Massachusetts, reported a data breach in which an unauthorized third party accessed its systems after gaining access to an employee’s email account. Compromised information of over 357,000 patients includes names, contact details, medical records, and Social Security numbers.

The City of Abilene, Texas, disclosed a cybersecurity incident that impacted several internal systems. While services were temporarily disrupted, city officials stated that emergency services and public safety operations remained operational. Officials have yet to confirm if data was compromised.

VULNERABILITIES AND PATCHES

Researchers reported active exploitation of a zero-day vulnerability in SAP NetWeaver. The flaw, CVE-2025-31324, has received a 10.0 CVSS score and allows unrestricted file upload. In an active campaign, threat actors have exploited the vulnerability to deliver webshells, eventually installing the Brute Ratel framework on victims’ networks.
Check Point IPS provides protection against this threat (SAP NetWeaver Remote Code Execution (CVE-2025-31324)).

Two zero-day vulnerabilities seen widely abused in the wild, CVE-2025-32432 in Craft CMS and CVE-2024-58136 in the Yii framework, have been patched. By chaining these flaws, attackers uploaded a PHP file manager, facilitating data theft and the installation of backdoors. Administrators are advised to update their systems and rotate security credentials.
Check Point IPS provides protection against this threat (Craft CMS Remote Code Execution).

THREAT INTELLIGENCE REPORTS

Check Point Research reported a 126% year-over-year increase in ransomware attacks during Q1 2025, with 2,289 victims listed by 74 ransomware groups. Cl0p led the activity by exploiting zero-day vulnerabilities in Cleo file transfer products, mainly targeting North American consumer goods companies. Researchers also observed some groups fabricating victim claims to inflate their visibility.

Check Point uncovered global phishing campaigns exploiting the death of Pope Francis, where attackers impersonated charities to solicit fraudulent donations. These scams tricked victims into providing personal and financial information via fake websites. Researchers warned users to remain cautious of emotionally charged lures tied to major world events.

Researchers report that since March 2025, Russian-linked threat actors UTA0352 and UTA0355 have been targeting individuals and organizations connected to Ukraine and human rights groups. Attackers initiate contact via Signal or WhatsApp, impersonating European officials, and persuade victims to provide Microsoft-generated authorization codes, granting unauthorized access to their Microsoft 365 accounts by abusing Microsoft OAuth 2.0 authentication workflows.

Researchers have reported on a new campaign by China-linked APT group Billbug (AKA Lotus Blossom). The campaign targeted multiple entities in an unnamed Southeast Asian country, including a government ministry and a telecom operator. The group has developed and employed new tools for credential theft from the Chrome browsers of compromised victims.

Researchers have discovered that blockchain platform XRP Ledger’s official NPM package (xrpl.js) was compromised and infected with a backdoor that steals cryptocurrency credentials. The threat actors tried to obfuscate the changes in various package updates. The package has more than 140,000 weekly downloads, and the malicious versions were online for a period of 16 hours.