03.03.25 Threat Report
This week's report includes an actively exploited vulnerability in Palo Alto Networks firewalls, a phishing attack leveraging Google and PayPal infrastructure, and a devastating ransomware attack on a UK healthcare provider.
1. Palo Alto Networks Firewall Vulnerability Exploited
Palo Alto Networks has issued a critical security alert about the active exploitation of a newly identified vulnerability (CVE-2025-0111) in its firewall management web interface. The flaw allows an authenticated user with network access to the interface to read system files that are readable by the "nobody" user, creating a significant risk of data exposure. Security experts caution that cybercriminals are chaining this vulnerability with two previously disclosed flaws, an authentication bypass (CVE-2025-0108) and a privilege escalation issue (CVE-2024-9474), to achieve complete system compromise. Organisations whose firewall management interfaces are exposed to the internet, or whose access controls are misconfigured, are at increased risk.
Recommendations:
- Apply Palo Alto Networks’ security patches immediately.
- Restrict firewall management access to trusted internal IP addresses.
- Follow best practices for securing management interfaces to prevent unauthorised access.
2. Hackers Exploit Google and PayPal Infrastructure to Steal User Data
A sophisticated phishing campaign has been identified, exploiting Google’s advertising platform and PayPal’s merchant tools to deceive users into revealing sensitive information. Cybercriminals are deploying fraudulent Google Search ads that imitate PayPal’s branding, leading users to malicious payment pages hosted within PayPal’s own domain.
These deceptive pages take advantage of PayPal’s no-code checkout system by embedding fake customer support numbers, tricking users into contacting threat actors. Mobile users are especially at risk due to screen limitations that hide browser address bars, complicating the detection of phishing attempts.
In response, PayPal has temporarily disabled custom text fields in its no-code checkout pages and is employing natural language processing to identify fraudulent support numbers. Meanwhile, Google is enhancing its AI-driven fraud detection to curb further misuse of its ad platform.
Recommendations:
- Monitor PayPal transactions for suspicious activity, such as embedded phone numbers.
- Implement strict URL validation to detect unauthorised payment page manipulations.
- Avoid calling support numbers embedded in online payment forms.
- Use browser security extensions that block deceptive ads.
Despite Google's recent ad policy updates, phishing campaigns exploiting YouTube and Gmail indicate that this tactic is poised to proliferate across various platforms. It is crucial for organisations to stay vigilant and informed about the evolving landscape of social engineering techniques.
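The tactic described above relies on a phone number and urgency wording placed in the free-text field of a no-code checkout page. The following is an added example (not PayPal's or Google's own detection code) of how a merchant or SOC could screen such text; the sample page snippets are constructed, and the regex deliberately tolerates spaced or punctuated digits that defeat naive filters.

```python
import re

# Constructed sample checkout-page text (not taken from any real PayPal page).
SAMPLE_PAGES = {
    "legit": "Invoice #4471 - Annual subscription renewal. Thank you for your order.",
    "scam": "Payment on hold. To release funds call PayPal Support at +1 (800) 555-0199 now.",
    "scam_obfuscated": "Account locked! Verify by phone: 1 8 0 0 5 5 5 0 1 2 3 (support desk)",
}

# 9-14 digits, each optionally followed by spaces, dots, dashes or parentheses,
# so "1 8 0 0 ..." and "+1 (800) 555-0199" both collapse to one number.
PHONE_RE = re.compile(r"(?:\+?\d[\s().-]*){9,14}")

# Wording that typically accompanies a fake support number.
SUPPORT_TERMS = ("support", "call", "helpline", "verify", "locked", "hold")


def find_phone_numbers(text):
    """Return the digit strings of phone-number-like runs found in free text."""
    hits = []
    for match in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 9 <= len(digits) <= 14:
            hits.append(digits)
    return hits


def score_checkout_text(text):
    """Flag free text that pairs an embedded phone number with support or
    urgency wording. Returns (is_suspicious, reasons)."""
    reasons = []
    phones = find_phone_numbers(text)
    if phones:
        reasons.append(f"embedded phone number(s): {phones}")
    lowered = text.lower()
    terms = [t for t in SUPPORT_TERMS if t in lowered]
    if terms:
        reasons.append(f"support/urgency wording: {terms}")
    # Either signal alone is common in legitimate invoices; together they match
    # the fake-support-number pattern described in the report.
    return bool(phones) and bool(terms), reasons


if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        suspicious, why = score_checkout_text(page)
        print(f"{name}: {'SUSPICIOUS' if suspicious else 'ok'} {why}")
```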
3. UK Healthcare Provider HCRG Care Group Suffers Ransomware Attack
The Medusa ransomware group has launched a significant cyberattack on the UK-based HCRG Care Group, compromising 2.275 terabytes of highly sensitive data. This breach includes patient health records, NHS numbers, birth certificates, and financial details, placing thousands at risk of fraud and identity theft.
Medusa is demanding a $2 million ransom, with a threat to release the data if payment is not made by February 28. Currently, HCRG has not publicly disclosed whether it plans to engage in negotiations.
Key Takeaways:
- This breach highlights the increasing targeting of healthcare providers by ransomware gangs.
- Medusa has previously attacked UK organisations, leveraging data exfiltration rather than encryption.
- Experts advise that even if a ransom is paid, there is no guarantee that stolen data won’t be sold or leaked.
Recommendations:
- Strengthen endpoint detection and response capabilities to detect ransomware threats.
- Implement regular cybersecurity audits and data encryption measures.
- Train staff on phishing awareness and ransomware mitigation strategies.
- Develop a robust incident response plan to manage potential breaches efficiently.
Cybercriminals are increasingly focusing on healthcare organisations due to the high value of patient data. This incident reinforces the need for proactive cybersecurity investments to protect sensitive information and maintain public trust.
Stay Informed and Secure
Stay informed and secure with Periculo’s Weekly Threat Feed, offering insights into emerging cyber threats. Our updates deliver essential information on the latest vulnerabilities, attacks, and security trends, empowering you to safeguard your business and make well-informed decisions.
Sign up today to receive expert threat intelligence directly to your inbox and maintain a proactive stance against potential risks.