10.02.25 Threat Report
This week, we highlight significant cybersecurity threats, including a zero-day vulnerability, security flaws in the DeepSeek iOS app, active exploitation of a vulnerability, a large-scale healthcare data breach affecting over a million patients in the U.S., a ransomware attack, and suspected Russian state-sponsored hacking targeting the British Prime Minister’s personal email.
1. XE Group Exploits VeraCore Zero-Day Vulnerability
A cybercrime group known as XE Group, believed to be of Vietnamese origin, has been exploiting a critical vulnerability in Advantive’s VeraCore software. The group, active since at least 2010, previously engaged in credit card fraud but has since pivoted to information theft, particularly within supply chain networks in the manufacturing and distribution sectors.
Attack Details:
- The vulnerability, CVE-2024-57968, enables unrestricted file uploads.
- Attackers use this weakness to install malicious scripts and gain remote access.
- The exploitation increases the risk of unauthorised access to company networks.
Potential Impact:
- Loss of sensitive corporate and supply chain data.
- Increased exposure to ransomware attacks and other cyber intrusions.
Recommendation:
- Apply security patches from Advantive immediately.
- Regularly audit system activity and file uploads.
- Implement endpoint detection systems to identify malicious activity.
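The following is an added illustration, not Advantive or VeraCore code, of the two controls behind the recommendations above: a strict upload gate of the kind that prevents an unrestricted-upload flaw from turning into script execution, and a small audit helper for an upload directory listing. The allowlist, size limit and file names are hypothetical; the point is the order of checks (size, name, last extension, magic bytes, random storage name).

```python
import os
import re
import secrets

# Hypothetical allowlist for a portal that expects only documents and images.
# Each entry maps an extension to the magic bytes a genuine file starts with.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024          # hypothetical size limit
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,100}")


class UploadRejected(ValueError):
    """Raised when an upload fails any check; the message says which one."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return a random server-side storage name for an acceptable upload.

    Checks, in order: size; path traversal or odd characters in the name;
    extension allowlist, judged on the LAST extension only (so 'x.pdf.aspx'
    is treated as .aspx); and that the content's magic bytes match the
    claimed extension (so a script renamed 'invoice.pdf' is still refused).
    """
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_NAME.fullmatch(base):
        raise UploadRejected("unsafe file name")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # Never keep the user-chosen name: random name, server-chosen extension.
    return secrets.token_hex(16) + ext


def is_rejected(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False


def find_unexpected_files(names) -> list:
    """Audit helper for an upload directory listing: any file whose extension
    is outside the allowlist (web shells, executables, double extensions)
    should not be there and is worth investigating."""
    return [n for n in names
            if os.path.splitext(n)[1].lower() not in ALLOWED_TYPES]


if __name__ == "__main__":
    print(validate_upload("invoice.pdf", b"%PDF-1.7\n%constructed sample"))
    for name, body in [("shell.aspx", b"<%@ Page %>"),
                       ("../shell.pdf", b"%PDF-1.7"),
                       ("shell.pdf", b"<%@ Page %>")]:
        print(name, "rejected" if is_rejected(name, body) else "accepted")
    print(find_unexpected_files(["a.pdf", "cmd.aspx", "x.pdf.php"]))
```

Storing uploads under a random name, outside the web root and served only through a handler that sets a fixed content type, removes the remaining ways an accepted file could be executed by the server.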
2. Russian Hackers Suspected of Compromising British PM’s Personal Email Account
A newly published book has revealed that Russian state-sponsored hackers may have gained access to the personal email account of UK Prime Minister Keir Starmer while he was serving as the Leader of the Opposition in 2022. This cyber-espionage operation was reportedly part of a broader campaign targeting British officials, journalists, and think tanks.
Following the security breach, Starmer was forced to change his email address and implement two-factor authentication (2FA)—a fundamental security measure that had previously been missing from his account.
Attack Details:
- The attack is attributed to Iron Frontier, a Kremlin-linked hacking group also known as Callisto, Coldriver, Star Blizzard, or Seaborgium.
- Intelligence sources indicate that this group has been engaged in a long-running espionage operation aimed at undermining democratic institutions in the UK and beyond.
- The UK government formally responded by summoning the Russian ambassador in late 2023, following accusations of Moscow-backed cyber campaigns.
Potential Impact:
- Exposure of confidential political communications, potentially containing sensitive discussions or strategic opposition plans.
- Increased risk of state-sponsored disinformation efforts, as seen in previous hacks where stolen data was leaked to manipulate public opinion.
- Broader national security implications, as the breach highlights vulnerabilities within government officials’ personal cybersecurity practices.
Previous Incidents & Context:
The Iron Frontier group has previously been linked to similar cyber intrusions:
- Sir Richard Dearlove, the former head of MI6, was targeted in an attack where private correspondence was leaked online as part of a Russian disinformation campaign.
- The Institute for Statecraft, a UK-based think tank focused on countering Russian propaganda, was also breached, leading to the exposure of internal communications.
While there is no evidence that Starmer’s emails have been published, security officials cannot rule out the possibility that sensitive data was compromised.
Government & Security Response:
- British intelligence agencies (GCHQ & NCSC) have reinforced calls for stronger cybersecurity measures among political leaders.
- The incident highlights the importance of 2FA and encrypted communications for public officials.
- The UK government continues to monitor Russian cyber activities closely, particularly those targeting political, media, and security institutions.
This breach serves as another stark reminder of the growing cyber threats posed by state-sponsored actors. Governments and high-profile figures must adopt stringent cybersecurity measures to protect sensitive information. The UK’s diplomatic and intelligence response to Russian cyber aggression will remain a key area of focus in the coming months.
3. DeepSeek iOS App Transmits Sensitive Data Without Encryption
Recent security assessments have revealed that the DeepSeek iOS application transmits sensitive user and device information over the internet without encryption, exposing users to potential data interception and manipulation. The app also collects extensive user data and communicates with servers associated with ByteDance, the parent company of TikTok.
Technical Details:
- Unencrypted Data Transmission: The app sends certain registration and device data without encryption, making it susceptible to interception by malicious actors.
- Disabled App Transport Security (ATS): DeepSeek globally disables ATS, an iOS security feature designed to enforce secure connections. This allows the app to transmit data over unencrypted channels.
- Weak Encryption Practices: Where encryption is applied, the app uses outdated algorithms like 3DES with hard-coded keys, which can be easily compromised.
- Data Transmission to ByteDance Servers: User data is sent to servers managed by Volcengine, a cloud platform owned by ByteDance, raising concerns about data privacy and potential access by the Chinese government.
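ATS is configured in an app's Info.plist, so a global opt-out of the kind described above is visible in a static check of the bundle. The example below is added here and is not DeepSeek's plist or code: three constructed Info.plist fragments (a global opt-out, a single scoped exception for one legacy host, and the default with no ATS dictionary at all) and a checker that reports the keys a reviewer should flag. The bundle identifiers and host names are made up; the ATS keys themselves are Apple's documented ones.

```python
import plistlib

# Constructed Info.plist fragments (not from any real app).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.scopedapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.defaultapp</string>
</dict>
</plist>
"""

# Keys that relax ATS for every connection rather than one named host.
GLOBAL_OPT_OUTS = ("NSAllowsArbitraryLoads",
                   "NSAllowsArbitraryLoadsInWebContent",
                   "NSAllowsArbitraryLoadsForMedia")


def ats_findings(plist_bytes: bytes) -> list:
    """Return human-readable findings for every ATS relaxation in the plist.
    An absent NSAppTransportSecurity dictionary means ATS is fully on."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_OPT_OUTS:
        if ats.get(key):
            findings.append(f"{key} is true: ATS relaxed for every host")
    for host, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: plaintext HTTP permitted")
        if exc.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: legacy TLS version permitted")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy not required")
    return findings


def ats_fully_enforced(plist_bytes: bytes) -> bool:
    """True only when no global or per-host relaxation is present."""
    return not ats_findings(plist_bytes)


if __name__ == "__main__":
    for label, blob in [("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST),
                        ("default", DEFAULT_PLIST)]:
        print(label, "->", ats_findings(blob) or "ATS fully enforced")
```

The scoped plist still produces one finding, and that is the useful outcome: a reviewer sees exactly which host is exempt and can ask why, whereas a global NSAllowsArbitraryLoads hides every plaintext request behind one key.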
Potential Impact:
- Data Interception: Unencrypted transmission allows attackers to intercept and manipulate user data, leading to privacy breaches and potential identity theft.
- Privacy Violations: The extensive data collection and transmission to ByteDance servers may lead to unauthorised access and misuse of personal information.
- Regulatory Scrutiny: Due to these security concerns, several countries and organisations have banned or are considering banning the use of DeepSeek on government devices.
Recommendations:
- Immediate Uninstallation: Users are advised to uninstall the DeepSeek app from their devices to prevent potential data breaches.
- Enhanced Security Measures: Organisations should implement advanced data security controls and monitor for any unauthorised data transmissions.
- Policy Enforcement: Government agencies and enterprises should consider restricting the use of applications that do not adhere to security best practices.
These findings underscore the critical importance of robust security measures in mobile applications, especially those handling sensitive user data.
4. U.S. Community Health Center Hacked – 1 Million Patients’ Data Exposed
Community Health Center, Inc. (CHC), a federally qualified health center based in Connecticut, has disclosed a significant data breach following a cyberattack on its systems. The breach potentially exposed the personal and health information of over one million individuals, including CHC patients and those who received COVID-19 tests or vaccinations at CHC facilities.
CHC has notified affected individuals through letters and launched a dedicated website to provide assistance. According to a regulatory filing with the Maine Attorney General’s Office, the breach impacted 1,060,936 individuals.
Attack Details:
The breach was first detected on 2nd January 2025 when CHC’s IT team identified unusual activity within its network. Cybersecurity specialists were immediately engaged to investigate and secure the system.
Investigations revealed that an unauthorised actor had accessed and exfiltrated sensitive data but did not encrypt, delete, or alter any information. CHC has confirmed that the attacker’s access was cut off within hours and that the organisation’s daily operations were not disrupted. CHC asserts that no ongoing threat remains.
Compromised Data:
The type of personal and medical information exposed in the breach varies based on the individual’s relationship with CHC:
- CHC Patients: The breach may have included names, dates of birth, addresses, phone numbers, email addresses, diagnoses, treatment details, test results, Social Security Numbers (SSNs), and health insurance information.
- COVID-19 Test or Vaccine Recipients: Individuals who received COVID-19-related services at a CHC clinic but were not regular patients may have had names, dates of birth, phone numbers, email addresses, gender, race, ethnicity, and insurance details exposed. In some cases, test results, vaccine details (e.g., type, dosage, and administration date), and Social Security Numbers were also compromised.
Response:
CHC has taken immediate steps to bolster its cybersecurity defences, including deploying advanced network monitoring tools and reinforcing system protections. The organisation has assured the public that, at this time, there is no evidence of misuse of the stolen data.
To support affected individuals, CHC is offering free identity theft protection services for all patients and COVID-19 service recipients whose data was exposed. The protection services include:
- 24 months of credit and CyberScan monitoring
- A $1 million insurance reimbursement policy
- Identity recovery assistance in the event of fraud
Individuals who were affected but did not have their SSNs compromised are advised to take additional precautions, including monitoring their financial and healthcare accounts.
This breach highlights the persistent risks facing healthcare organisations and the critical need for robust cybersecurity measures. The exposure of highly sensitive personal and medical data makes it essential for affected individuals to take proactive steps in securing their identities. As cyber threats against healthcare providers continue to rise, strong data protection policies and timely breach response efforts remain paramount.
5. Globe Life Ransomware Attack – 850,000+ Users' Personal & Health Data Exposed
Globe Life Inc., a prominent insurance provider, has experienced a significant cybersecurity breach, with attackers claiming to have accessed sensitive personal and health information of over 850,000 individuals. The incident, which did not involve traditional ransomware, appears to be an extortion attempt, posing substantial risks to the company's reputation and the security of its customers.
Details of the Breach:
- Targeted Data Repository: The attack focused on a data repository associated with Globe Life's subsidiary, American Income Life Insurance Company (AILIC).
- Compromised Information: The breached data includes personally identifiable information (PII) such as names, email addresses, phone numbers, postal addresses, Social Security Numbers (SSNs), and policy-related health data.
- Exclusion of Financial Data: No financial information, such as credit card or bank details, is believed to have been exposed.
- Extortion Tactics: Attackers have reportedly provided samples of the stolen data to short sellers and attorneys, allegedly to pressure the company into compliance with their demands.
Technical Insights:
Unlike traditional ransomware attacks that encrypt data to disrupt operations, this incident involved data exfiltration, aligning with the "double extortion" tactic. In such attacks, cybercriminals steal data and demand a ransom for non-disclosure rather than causing operational disruption.
The attackers employed advanced methods, including:
- Reconnaissance: Probing to identify vulnerable systems.
- Data Exfiltration via Encrypted Command Channels: Utilising Command and Control (C2) tools to obfuscate data transfer, potentially employing protocols like HTTPS or DNS tunnelling.
- Anonymous Threat Communication: Using untraceable means to issue demands without revealing their identity.
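Of the exfiltration channels named above, DNS tunnelling is the one most organisations can detect from logs they already keep, because encoded data shows up as long, high-entropy, never-repeated subdomains queried against one domain, often as TXT or NULL records. The heuristic below is an added example and not part of the original report or any analysis of the Globe Life incident: it runs over a constructed resolver log (the exfil-demo.test names are synthetic labels standing in for encoded data) and scores each registered domain on four indicators. The thresholds are illustrative starting points, and the "last two labels" rule for the registered domain is a simplifying assumption that production code would replace with a public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log, one query per line: "<unix_ts> <client> <qname> <qtype>".
SAMPLE_LOG = """\
1738540001 10.0.0.21 www.example.com A
1738540002 10.0.0.21 mail.example.com MX
1738540003 10.0.0.33 cdn.static-assets.net A
1738540004 10.0.0.45 k3m9x2q7vz4pw8rt6nj1cd5hb0fgys.exfil-demo.test TXT
1738540005 10.0.0.45 a8e2tq5lm7zk3vx9rc1wd6ny4bhp0u.exfil-demo.test TXT
1738540006 10.0.0.45 q1w2e3r4t5y6u7i8o9p0asdfghjklz.exfil-demo.test TXT
1738540007 10.0.0.45 zxcvbnm1234567890asdfghjklqwer.exfil-demo.test TXT
1738540008 10.0.0.21 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, ordinary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (subdomain, registered domain). Assumption: the registered domain
    is the last two labels; a public suffix list handles e.g. example.co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        yield {"ts": int(ts), "client": client, "qname": qname, "qtype": qtype.upper()}


def suspicious_domains(text: str, min_queries: int = 3, min_avg_len: int = 24,
                       min_entropy: float = 3.0, min_unique_ratio: float = 0.8,
                       min_txt_ratio: float = 0.5, min_indicators: int = 2) -> dict:
    """Return {registered_domain: [indicator names]} for domains that trip at
    least `min_indicators` of: long subdomains, high-entropy subdomains, a high
    share of never-repeated subdomains, and a high share of TXT/NULL queries."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "subs": set(), "txt": 0})
    for rec in parse_log(text):
        sub, dom = split_name(rec["qname"])
        s = stats[dom]
        s["n"] += 1
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub)
        s["subs"].add(sub)
        if rec["qtype"] in ("TXT", "NULL"):
            s["txt"] += 1
    flagged = {}
    for dom, s in stats.items():
        if s["n"] < min_queries:          # too few queries to judge
            continue
        hits = []
        if s["len"] / s["n"] >= min_avg_len:
            hits.append("long_subdomains")
        if s["ent"] / s["n"] >= min_entropy:
            hits.append("high_entropy")
        if len(s["subs"]) / s["n"] >= min_unique_ratio:
            hits.append("mostly_unique_subdomains")
        if s["txt"] / s["n"] >= min_txt_ratio:
            hits.append("txt_or_null_heavy")
        if len(hits) >= min_indicators:
            flagged[dom] = hits
    return flagged


if __name__ == "__main__":
    for dom, hits in suspicious_domains(SAMPLE_LOG).items():
        print(dom, "->", ", ".join(hits))
```

Requiring two independent indicators keeps legitimate high-entropy names (CDN cache keys, certificate-transparency lookups) from firing on entropy alone; in a real deployment the per-domain statistics would be kept over a sliding window and the flagged domains enriched with the querying clients, which the records already carry.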
These sophisticated tactics underscore the evolving strategies of cybercriminals, who are increasingly focusing on leveraging stolen data for extortion rather than merely disrupting systems.
Upon discovering the breach, Globe Life promptly activated its Incident Response Plan (IRP), which included:
- Engaging External Experts: Mobilising cybersecurity specialists and legal counsel to manage the incident.
- Conducting Forensic Analysis: Investigating to identify the attack vector and prevent further harm.
- Notifying Affected Individuals: Providing information and assistance, including offering identity protection services like credit monitoring to those impacted.
- Cooperating with Authorities: Ensuring compliance with state-level data breach notification standards and regulatory requirements under laws such as the Health Insurance Portability and Accountability Act (HIPAA).
As of now, Globe Life has stated that its core business operations remain unaffected, and the company does not anticipate the incident to have a material financial impact.
Recommendations:
This incident serves as a stark reminder of the critical need for proactive cybersecurity measures. Organisations are advised to:
- Invest in Advanced Security Solutions: Implement robust cybersecurity technologies to detect and prevent data breaches.
- Conduct Continuous Monitoring: Regularly monitor systems for unusual activities to identify potential threats promptly.
- Develop Incident Response Plans: Establish and regularly update incident response strategies to swiftly address security breaches.
For customers, it is advisable to remain vigilant by:
- Monitoring Financial Accounts: Regularly checking for unauthorised transactions.
- Updating Passwords: Changing passwords to strong, unique combinations.
As the investigation progresses, staying informed through official company communications and reputable news sources is recommended.
6. Google Tracking New Cryptojacking Threat
Google has identified a financially motivated hacking group, TRIPLESTRENGTH, which is increasingly targeting cloud environments for cryptojacking and ransomware operations.
Attack Details:
- The group gains access through stolen credentials, often obtained via malware.
- They set up large-scale cryptocurrency mining operations using compromised cloud resources.
- They have also been found distributing ransomware, including Phobos, RCRU64, and LokiLocker.
Potential Impact:
- Massive cloud computing resource abuse, leading to financial losses for organisations.
- Increased risk of ransomware infections on affected systems.
Recommendation:
- Implement multi-factor authentication (MFA) across all cloud accounts.
- Configure alerts for unusual account activity and unexpected billing changes.
- Deploy proactive geographical access restrictions to mitigate unauthorised access.
These incidents highlight the persistent and evolving nature of cyber threats. Organisations must remain vigilant by promptly applying security patches, conducting regular system audits, and maintaining strong cybersecurity practices to minimise risks.