An interesting side note in my use of Microsoft Edge to write this post. six times in 20 minutes it closed for no reason. It's a bit eerie, but I do believe monitoring of some kind is happening. No matter, we are in that age of a new world where privacy is of the past.
Political Correctness to another level. AI looks to control our output when put our pens to Keyboards.
Byline: Ekrem Selcuk Celik, Cybersecurity Researcher at Black Kite
Welcome to the January 2025 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.
The Black Kite Research & Intelligence Team (BRITE) tracked 546 ransomware incidents in January 2025, marking a sharp increase compared to January 2024, which saw approximately 300 cases. This significant rise indicates that ransomware activity is escalating at an alarming pace. Among these incidents, 274 were recorded in the United States, 32 in Canada, 23 in the United Kingdom, and 18 in France.
Manufacturing was the most targeted sector, followed by technical services. Closing out December with 535 cases, ransomware groups have historically shown a tendency to slow down at the beginning of the year. However, this year is proving to be an exception.
The Clop ransomware group took the lead in January 2025 by a significant margin with 115 publicly disclosed victims. As usual, RansomHub remained among the top-ranking groups with 42 victims. One of the most notable groups this month was Lynx, which saw a major surge with 42 victims in January. They were followed by the Akira group, which recorded 38 victims.
Nearly all of the 115 Clop attacks were linked to the CLEO vulnerability, continuing the momentum from Clop’s December disclosures. Initially, only 50 victims were expected, but as the group continues to release names in alphabetical order, the final number could reach 500.
Among these 115 victims, the United States was the most affected, with 79 cases, followed by Canada with 12 and the Netherlands with 4.
In terms of industry impact among these attacks, the manufacturing sector suffered the highest number of attacks, with 34 victims. It was followed by the transportation sector with 18 victims, the information technology sector with 17, and the technical services sector with 14.
Two years ago, during the MoveIT disclosures, Clop was at the center of global media attention. Now, despite its high ransomware activity, the group seems to be struggling to capture the same level of interest. They kept postponing victim disclosures, which was unusual for them, and then starting sharing victims in a different way to seek attention. Whether this signals Clop’s waning influence or a shift in public perception remains to be seen, but one thing is certain: the group appears increasingly frustrated by the lack of attention.
FunkSec continued its aggressive expansion in January, making headlines with its unconventional tactics:
Key takeaways from their recent interview:
FunkSec’s erratic yet calculated moves make them one of the most unpredictable actors in the ransomware ecosystem. Their expansion beyond traditional ransomware operations suggests a broader ambition that could redefine the threat landscape.
A new leak site emerged in January claiming to be affiliated with Babuk, publishing 60 alleged victims. While this sparked speculation that the notorious ransomware group had returned, our analysis revealed that most of the disclosed victims had already been published by FunkSec, RansomHub, and LockBit.
Shortly after the site gained traction, access was restricted, leaving its authenticity in question. Whether this marks the actual return of Babuk or merely an opportunistic attempt to capitalize on the name remains unclear.
Ransomware groups continue to surface at an increasing rate, and the rise of Ransomware-as-a-Service (RaaS) is undoubtedly fueling this trend. However, despite this growth, these groups seem to do little more than mimic each other. Many simply replicate existing leak sites, making it increasingly difficult to track them as they blur into one another.
In previous years, such copycat behavior was less common, but now it’s becoming the norm. This shift strongly suggests that experienced cybercriminals are being replaced by younger, less-skilled actors. As a result, while the number of ransomware groups grows, innovation within the ecosystem seems to be stagnating.
While ransomware attacks surged in 2024, total ransom payments dropped by 35%, amounting to $813.55 million. Companies are increasingly adopting robust cybersecurity measures, improving backup strategies, and benefiting from law enforcement crackdowns on cybercriminals.
Notably, the international operation “Operation Cronos” disrupted LockBit’s infrastructure, demonstrating the growing impact of coordinated cybercrime enforcement. However, despite these advancements, ransomware groups are evolving their tactics, becoming more aggressive in their extortion methods.
In response, the UK government is considering stricter regulations, including:
Authorities believe these measures will curb ransomware groups’ financial streams and act as a deterrent. If enacted, these regulations could reshape how organizations respond to ransomware threats.
January 2025 set a record-breaking pace for ransomware incidents.
For cybersecurity teams, 2025 is already shaping up to be one of the most challenging years yet. Black Kite’s Ransomware Susceptibility Index® (RSITM) offers a proactive approach by assessing the likelihood of a ransomware attack throughout the third-party ecosystem. By leveraging RSI, risk managers can identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard their organizations against the escalating threat.
Stay tuned for more monthly Ransomware Reviews on our blog and LinkedIn Newsletter.
Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.
The post Ransomware Review January 2025: Clop’s CLEO Exploit Fuels a Record Month appeared first on Black Kite.
Written by: Ferdi Gül
In this week’s Focus Friday, we examine high-impact vulnerabilities affecting Palo Alto Networks PAN-OS, Ivanti Connect Secure, Zimbra Collaboration, and Cacti, all of which pose significant third-party risk concerns. These vulnerabilities range from remote code execution (RCE) flaws to SQL injection attacks that could lead to data breaches, system takeovers, and supply chain risks.
Organizations relying on network security appliances, email collaboration tools, and monitoring frameworks must take proactive measures to assess their exposure and secure their vendor ecosystem against these threats. In this blog, we provide an in-depth Third-Party Risk Management (TPRM) perspective, detailing how these vulnerabilities could impact vendor security postures and what questions security teams should ask to mitigate risks.
Additionally, we highlight how Black Kite’s FocusTags™ provide real-time insights into vendor exposure, helping organizations prioritize remediation efforts and streamline their risk management processes.
Two high-severity vulnerabilities have been identified in Palo Alto Networks PAN-OS, affecting network security devices:
Both vulnerabilities were published on February 12, 2025. One proof-of-concept exploit is available on github.com. There is no evidence of active exploitation or inclusion in CISA’s KEV catalog at this time. However, PAN-OS vulnerabilities have been targeted in the past, making proactive mitigation crucial.
Third-party risk management (TPRM) professionals should be concerned due to the critical role of PAN-OS in enterprise cybersecurity.
For vendors relying on PAN-OS for perimeter security, exploitation of these vulnerabilities could lead to network-wide security breaches, data exposure, and compromised firewall configurations.
To assess vendor exposure, TPRM professionals should ask:
To mitigate the risk associated with these vulnerabilities, vendors should:
✔ Upgrade PAN-OS to patched versions:
✔ Update OpenConfig plugin to version 2.1.2 or later (if enabled).
✔ Restrict management interface access to trusted internal IPs only.
✔ Disable the OpenConfig plugin if not in use to reduce the attack surface.
✔ Monitor system logs for unusual access or command execution activity.
✔ Apply Palo Alto Networks’ Threat Prevention rules to block potential exploits (Threat IDs 510000, 510001).
Black Kite has tagged this issue as “PAN-OS – Feb2025” with a VERY HIGH confidence level.
The FocusTag™ was published on February 13, 2025, allowing TPRM teams to take proactive measures before potential exploitation.
Multiple critical vulnerabilities have been identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products:
These vulnerabilities were publicly disclosed on February 11, 2025. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Other vulnerabilities to be mindful of include CVE-2024-12058 (arbitrary file read), CVE-2024-13842 (sensitive data exposure), and CVE-2024-13843 (cleartext storage of sensitive information), which, despite their lower CVSS scores, should still be carefully considered.
Third-Party Risk Management (TPRM) professionals should be concerned due to the following reasons:
To assess vendor exposure, TPRM professionals should inquire:
To mitigate the risks associated with these vulnerabilities, vendors should:
✔ Update to Patched Versions:
✔ Restrict Administrative Privileges:
✔ Implement Multi-Factor Authentication (MFA):
✔ Monitor System Logs:
✔ Apply Security Best Practices:
Black Kite has tagged these vulnerabilities under “Ivanti Connect Secure – Feb2025” with a HIGH confidence level.
Zimbra Collaboration (formerly known as Zimbra Collaboration Suite or ZCS) is an open-source and commercial groupware email platform. It includes features such as email, calendaring, contacts, task management, instant messaging, and file sharing, designed for enterprises, government institutions, and service providers.
CVE-2025-25064 is a critical SQL injection vulnerability affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This flaw arises from insufficient sanitization of user-supplied parameters in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating specific request parameters to inject arbitrary SQL queries, potentially allowing unauthorized retrieval of email metadata and other sensitive information. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 0.05%. It was publicly disclosed on February 9, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-25064 due to its potential impact on email security. Zimbra Collaboration is widely used by organizations for email and collaboration services. Exploitation of this vulnerability could allow attackers to access sensitive email metadata, leading to unauthorized disclosure of confidential information. If a vendor utilizes vulnerable Zimbra Collaboration products, their compromised systems could serve as entry points for attackers, resulting in data breaches and disruptions that may affect connected organizations.
To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:
Vendors using affected Zimbra Collaboration products should:
Black Kite has proactively addressed this issue by publishing the “Zimbra – Feb2025” FocusTag™ on February 11, 2025. This tag enables TPRM professionals to identify vendors potentially affected by CVE-2025-25064. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.
Cacti is an open-source network monitoring and graphing tool designed to collect, store, and visualize performance data for IT infrastructure. It is widely used by network administrators and IT professionals to monitor network devices, servers, and applications in real time.
CVE-2025-22604 is a critical security flaw in Cacti, an open-source network monitoring and fault management framework. This vulnerability allows authenticated users with device management permissions to execute arbitrary commands on the server by injecting malformed Object Identifiers (OIDs) into SNMP responses. When processed by functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), parts of these OIDs are used as keys in an array that becomes part of a system command, leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.1. It was publicly disclosed on January 26, 2025. There is no evidence of proof of exploitation at the moment.
Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-22604 because Cacti is widely used by organizations to monitor network performance and availability. A successful exploit of this vulnerability could allow attackers to execute arbitrary commands on the server, potentially compromising system integrity and data security. This could lead to unauthorized access to sensitive information, disruption of network monitoring capabilities, and further exploitation within the organization’s network. Given the critical nature of this vulnerability and the availability of proof-of-concept exploit code, it is imperative for organizations to assess their exposure and ensure that their vendors have addressed this issue.
To assess the risk associated with this vulnerability, TPRM professionals should consider asking vendors the following questions:
Vendors should take the following actions to remediate the risk associated with CVE-2025-22604:
Black Kite has published a FocusTag™ titled “Cacti – Feb2025” to help organizations identify potential exposure to CVE-2025-22604. TPRM professionals can utilize this tag to assess their vendors’ risk related to this vulnerability. By leveraging Black Kite’s platform, professionals can identify vendors using vulnerable versions of Cacti and take proactive steps to mitigate potential risks. This includes obtaining asset information such as IP addresses and subdomains associated with the vendors’ systems, which is crucial for effective risk assessment and management.
With high-profile vulnerabilities such as PAN-OS authentication bypass (CVE-2025-0108), Ivanti Connect Secure RCE (CVE-2025-22467), Zimbra SQL injection (CVE-2025-25064), and Cacti remote code execution (CVE-2025-22604), organizations must rapidly assess third-party security risks to prevent cascading impacts. Black Kite’s FocusTags™ enable security teams to efficiently identify, analyze, and mitigate these threats by offering:
✅ Real-Time Risk Identification – Instant visibility into which vendors are affected by the latest vulnerabilities, allowing organizations to take immediate action.
✅ Risk Prioritization – Insights into vendor importance and vulnerability severity, helping security teams allocate resources effectively.
✅ Informed Vendor Engagement – Targeted discussions with vendors about their security measures and remediation strategies for identified vulnerabilities.
✅ Comprehensive Security Posture Enhancement – A holistic view of third-party risks, enabling organizations to make data-driven security decisions.
By leveraging Black Kite’s FocusTags™, organizations can stay ahead of evolving cyber threats, ensuring proactive risk mitigation in their third-party ecosystems. These tags provide critical intelligence, transforming complex vulnerability data into actionable insights for better vendor security management.
Want to take a closer look at FocusTags™?
Take our platform for a test drive and request a demo today.
Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.
https://nvd.nist.gov/vuln/detail/CVE-2025-0108
https://nvd.nist.gov/vuln/detail/CVE-2025-0110
https://security.paloaltonetworks.com/CVE-2025-0108
https://security.paloaltonetworks.com/CVE-2025-0110
https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os
https://forums.ivanti.com/s/article/KB29805?language=en_US
https://nvd.nist.gov/vuln/detail/CVE-2025-22467
https://nvd.nist.gov/vuln/detail/CVE-2024-10644
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
https://nvd.nist.gov/vuln/detail/CVE-2025-25064
https://nvd.nist.gov/vuln/detail/CVE-2025-22604
https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36
https://securityonline.info/cve-2025-22604-cvss-9-1-remote-code-execution-flaw-in-cacti-poc-released
The post Focus Friday: Addressing Third-Party Risks in PAN-OS, Ivanti Connect Secure, Zimbra, and Cacti Vulnerabilities appeared first on Black Kite.
Marco Rubio and Sergei Lavrov meet for talks on Ukraine, but even before sitting down Russia demonstrated its hard bargaining mindset.
The post U.S.-Russia Talks Begin: Moscow Pours Cold Water On Expectations, Says No Territorial Concessions in Pre-Negotiation Positioning appeared first on Breitbart.
The Israel Defense Forces (IDF) and Lebanese Armed Forces (LAF) redeployed Tuesday in accord with the ceasefire deal that ended the war with Hezbollah -- though Lebanon is formally objecting to Israel retaining a "buffer zone."
The post Israel, Lebanon Redeploy Forces as Ceasefire Holds; ‘Buffer Zone’ in Contention appeared first on Breitbart.
Actor Robert Picardo, who played The Doctor on Star Trek: Voyager, said that America should cancel Presidents Day due to Trump allegedly canceling "our justice system" and other causes.
The post ‘Star Trek’ Actor Robert Picardo: ‘Let’s Cancel Presidents’ Day’ Since Trump Has Canceled ‘Our Justice System’ appeared first on Breitbart.
A juvenile reportedly retrieved a handgun Saturday morning in Manchester, Kentucky, and shot and killed two alleged armed intruders.
The post Juvenile Retrieves Handgun, Shoots Two Alleged Armed Intruders Dead appeared first on Breitbart.
President Donald Trump on Monday exited his presidential limousine, known as "the Beast," to wave to supporters who were gathered as his motorcade approached.
The post Trump Exits ‘Beast’ to Share Moment with Supporters on Presidents Day appeared first on Breitbart.
A new protest movement is gathering strength in Iran, driven by public outrage over the death of 19-year-old Amir Mohammad Khaleghi, an undergraduate business student at the University of Tehran who was robbed and killed near the dormitory last week.
The post Protests Resurge in Iran After Teen Student Killed near Dorm appeared first on Breitbart.
The Israel Defense Forces (IDF) will hold five strategic posts inside southern Lebanon to maintain security and surveillance even after withdrawing from the region on Tuesday in accordance with the ceasefire with Hezbollah.
The post Israel To Hold 5 Posts Inside Southern Lebanon to Prevent Attack appeared first on Breitbart.
Border Czar Tom Homan reports that over the last 24 hours there were only 229 illegal alien encounters along the Southwest border.
The post Nolte: Border Czar Tom Homan Says Illegal Daily Encounters Down to 229 from 11,000 appeared first on Breitbart.
The Washington, DC, area housing market has seen an increase in homes being listed for sale as more government employees have either been laid off or have accepted buyouts.
The post D.C. Housing Market Sees Increase in Homes for Sale as Federal Workers Laid Off appeared first on Breitbart.
The latest sneak peek for the Walt Disney Company's live-action remake of "Snow White," starring Rachel Zegler, is getting hammered online, with the video receiving 84,000 "dislikes" on YouTube in just two days.
The post Disney’s Latest Sneak Peek for ‘Snow White’ Starring Rachel Zegler Gets 84K Dislikes in Just Two Days appeared first on Breitbart.
South Korean Actress Kim Sae-ron, who had recently gone into hiding after crashing her vehicle while drunk driving, died on Sunday at the age of 24. Her cause of death has been ruled a suicide.
The post Actress Kim Sae-ron Dies at 24, Cause of Death Revealed appeared first on Breitbart.
Film director Spike Lee wore a jacket to the NBA All-Star Game with a message demanding slavery reparations.
The post Spike Lee Wears Jacket Demanding Reparations at NBA All-Star Game appeared first on Breitbart.
Los Angeles residents are furious at an announcement by the Army Corps of Engineers that there will be no testing of local soil for toxins after the first six inches of topsoil are taken away during debris removal that began this week.
The post L.A. Residents Outraged After Army Corps Abandons Soil Testing in Burn Areas appeared first on Breitbart.
The Los Angeles Fire Department (LAFD) could have pre-deployed ten engines to the Pacific Palisades ahead of the deadly Palisades Fire on January 7, but chose not to, according to former fire chiefs quoted by the Los Angeles Times.
The post Report: L.A. Fire Dept. Could Have Pre-Deployed 10 Engines to Palisades, but Did Not appeared first on Breitbart.
Login