Black Arrow Cyber Threat Intelligence Briefing 28 February 2025

2 Mar

Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Executive Summary

The last week has identified several critical cyber security threats that demand immediate attention from business leaders. Third-party risk has become a major concern, with supply chain vulnerabilities now driving 31% of cyber insurance claims. Attackers are also leveraging new techniques, such as MFA fatigue and AI-powered phishing, to bypass traditional defences. The emergence of sophisticated phishing toolkits and deepfake fraud highlights the growing challenge of verifying digital identities, while mobile phishing (mishing) is increasingly targeting employees through personal devices.

The accelerating pace of cyber threats is evident, with 25 new malware variants created every hour and cyber criminals leveraging AI and automation to exfiltrate data at unprecedented speeds, sometimes within minutes. Meanwhile, ransomware actors are shifting strategies, focusing 80% of attacks on data theft rather than encryption, making traditional defences less effective. The surge in generative AI usage within enterprises, often without IT oversight, introduces further risks, including data leakage and code exposure.

Black Arrow Cyber believes that businesses must adopt a proactive, layered security approach. This includes real-time threat detection, robust vendor risk management, AI-driven fraud prevention, and enhanced employee training. With cyber extortion demands rising sharply and operational disruptions increasing, organisations that fail to adapt will face significant financial, operational, and reputational consequences.

Top Cyber Stories of the Last Week

Cyber Security's Biggest Blind Spot: Third-Party Risk

Cyber insurer Resilience has identified third-party risk as a leading driver of cyber insurance claims, accounting for 31% of all claims in 2024. Notably, for the first time, these risks led to direct financial losses, making up 23% of incurred claims. Ransomware remained a major cause, linked to 61% of losses, while transfer fraud increased to 18%. Sectors such as healthcare, finance, and manufacturing were most affected. The findings highlight the growing need for businesses to assess not just their own cyber security, but also that of their vendors to mitigate financial and operational risks.

Cyber Criminals Can Now Clone Any Legitimate Website, and It’s Pretty Terrifying

Researchers have identified a surge in activity around a new phishing toolkit, called Darcula-suite 3.0, which enables cyber criminals to clone legitimate websites with ease. This development significantly lowers the barrier for less technical attackers, allowing them to impersonate trusted brands and steal sensitive information. The toolkit includes an admin panel to track successful attacks and even generate fraudulent payment card details. As phishing scams grow more sophisticated with AI-driven enhancements, organisations must strengthen their cyber security measures to mitigate the risk of falling victim to these increasingly convincing attacks.

Over 25 New Malware Variants Created Every Single Hour

SonicWall’s latest research highlights an alarming rise in cyber threats, with 637 new malware variants detected daily; more than 25 every hour. Encrypted threats have surged by 92%, with attackers leveraging TLS encryption to bypass defences. Security teams are under increasing strain, with burnout and mental health concerns on the rise. Despite the urgency, some organisations take up to 150 days to apply critical patches, leaving them exposed. With cyber attacks doubling in cost in 2024, businesses must move beyond legacy defences and adopt real-time threat monitoring and security operations centre (SOC) capabilities to stay ahead of increasingly sophisticated threats.

Understanding MFA Fatigue: Why Cyber Criminals Are Exploiting Human Behaviour

MFA fatigue attacks are emerging as a critical cyber security threat, exploiting human behaviour rather than technical vulnerabilities. Attackers overwhelm users with repeated MFA prompts, hoping frustration or confusion will lead to accidental approval. High-profile breaches, including Uber in 2022, highlight the risks. Cyber criminals often pair push spamming with social engineering to increase success rates. Organisations must move beyond reliance on MFA alone by implementing phishing-resistant authentication, monitoring for excessive login attempts, and training staff to recognise and report unusual activity. A layered security approach is essential to counter these evolving tactics and protect critical systems.

Only a Fifth of Ransomware Attacks Now Encrypt Data

ReliaQuest’s latest report reveals that ransomware actors are increasingly abandoning encryption, with 80% of attacks in 2024 focused solely on data exfiltration, which is 34% faster. Service accounts were a key vulnerability, implicated in 85% of breaches, while insufficient logging was identified as the leading cause of security failures. Two-thirds of critical intrusions involved legitimate software, and a quarter stemmed from exploited public-facing applications. The report urges organisations to enhance monitoring, deploy AI-driven automation, and strengthen endpoint security to keep pace with increasingly rapid cyber threats.

Biggest Crypto Heist in History, Worth $1.5Bn, Linked to North Korea Hackers

A cyber attack on the Dubai-based cryptocurrency exchange Bybit resulted in the theft of an estimated $1.5bn, with analysts attributing the breach to North Korea’s Lazarus Group. Experts report that malware was used to authorise fraudulent transactions, with the stolen funds allegedly laundered to support North Korea’s missile programme. Bybit has offered a $140m bounty to trace and freeze the stolen assets. Blockchain analysis indicates North Korea-linked hackers were responsible for one in five crypto breaches in 2024, stealing $1.34bn across 47 incidents, up from $660m across 20 incidents the previous year.

89% of Enterprise GenAI Usage is Invisible to Organisations, Exposing Critical Security Risks

A new report by LayerX highlights a significant blind spot in enterprise security, revealing that nearly 90% of generative AI (GenAI) usage occurs without IT oversight. This lack of visibility increases risks such as data leakage and unauthorised access. While only 15% of employees use GenAI daily, 50% engage with these tools at least biweekly. Notably, 39% of frequent users are software developers, raising concerns over proprietary code exposure. Additionally, half of all data pasted into GenAI tools contains corporate information, underscoring the urgent need for robust security measures to manage ‘shadow AI’ and protect sensitive business data.

Combating Deepfakes in Financial Services: A Call to Action

Deepfake fraud is emerging as a critical threat to financial institutions. Criminals use AI-generated video and audio to bypass traditional security measures, impersonating executives and manipulating high-value transactions. One incident saw an organisation transfer $25 million following a deepfake video call. To combat this, financial firms must adopt advanced identity verification, including liveness detection and AI-driven fraud analysis. A layered security approach, combined with employee awareness and customer education, is essential to mitigating risk and maintaining trust in digital banking.

Threat Actors Are Increasingly Trying to Grind Business to a Halt

Palo Alto Networks’ Unit 42 found that nearly 9 in 10 cyber attacks it responded to last year led to business disruption, with organisations facing operational downtime, fraud-related losses and reputational damage. Attackers increasingly use disruption as leverage, alongside encryption and data theft, to pressure victims into paying. The median extortion demand surged by almost 80% to $1.25 million in 2024, though negotiated payments averaged $267,500. Critical infrastructure sectors, including health care and manufacturing, were particularly targeted. These findings highlight the growing threat of cyber extortion and the increasing financial and operational toll on businesses.

With AI and Automation, Hackers are Stealing Data at Unprecedented Speeds

ReliaQuest’s Annual Cyber-Threat Report highlights how AI and automation are accelerating cyber attacks, with hackers now exfiltrating critical data in record time. On average, attackers achieve lateral movement within 48 minutes, with the fastest observed data theft occurring in just 4 hours and 29 minutes. Ransomware groups increasingly prioritise data exfiltration over encryption, with 80% of attacks focused on stealing information. In 60% of cases, stolen data is sent to legitimate cloud platforms. With the threat landscape evolving rapidly, organisations must rethink their response strategies to detect and mitigate attacks before critical assets are compromised.

Mobile Phishing Attacks on the Rise

Mishing (mobile phishing) attacks have risen sharply, with one major global campaign compromising over 600 organisations. Attackers are increasingly using advanced social engineering tactics, including device-aware phishing and geolocation-based redirection, making scams more targeted and harder to detect. The rise in Bring Your Own Device policies and reduced user verification of URLs have contributed to this trend. Security experts highlight the need for organisations to adapt, recommending mobile threat defence, phishing-resistant multi-factor authentication, clear Bring Your Own Device policies, and strong password management to counter the growing risk of credential-based attacks.

With Millions Upon Millions of Victims, Scale of Info-Stealer Malware Laid Bare

A vast trove of stolen credentials has been added to the privacy-breach-notification service ‘Have I Been Pwned’ (HIBP) after a government agency tipped off its founder, Troy Hunt. The dataset, linked to the "Alien Txtbase" Telegram channel, comprises 1.5TB of data, including 23 billion records and 284 million unique email addresses, harvested by info-stealer malware. HIBP has integrated 244 million new passwords and updated 199 million existing ones. Attackers increasingly exploit stolen credentials to bypass security, with new HIBP APIs now enabling organisations to check if their domains are compromised, reinforcing the need for strong cyber security measures.

Sources:

https://www.prnewswire.com/news-releases/cybersecuritys-biggest-blind-spot-third-party-risk-new-resilience-analysis-finds-302386804.html

https://www.xda-developers.com/cybercriminals-clone-legitimate-website/

https://www.techradar.com/pro/security/over-25-new-malware-variants-created-every-single-hour-as-smart-device-cyberattacks-more-than-double-in-2024

https://www.itsecurityguru.org/2025/02/25/understanding-mfa-fatigue-why-cybercriminals-are-exploiting-human-behaviour/

https://www.infosecurity-magazine.com/opinions/healthcare-ai-fight-cyber-attacks/

https://news.sky.com/story/biggest-crypto-heist-in-history-worth-1-5bn-linked-to-north-korea-hackers-13317301

https://thehackernews.com/2025/02/89-of-enterprise-genai-usage-is.html

https://www.finextra.com/blogposting/27927/combating-deepfakes-in-financial-services-a-call-to-action

https://cyberscoop.com/cyberattacks-business-disruption-2025-unit-42-palo-alto-networks/

https://cybernews.com/security/hackers-stealing-data-at-unprecedented-speeds/

https://www.scworld.com/brief/mobile-phishing-attacks-on-the-rise

https://www.theregister.com/2025/02/26/hibp_adds_giant_infostealer_trove/

Governance, Risk and Compliance

Speed of cyber-attacks increased in 2024 with lateral movement achieved in just 27 minutes: ReliaQuest Annual Threat Report | Business Wire

Threat actors are increasingly trying to grind business to a halt | CyberScoop

A pivotal year for geopolitical cyber attacks – how should businesses manage the risks? | Insurance Business America

Geopolitical Tension Fuels APT and Hacktivism Surge - Infosecurity Magazine

The Time to Speak to Employees About Insider Risk Is Now

Cyber attacks Become Increasingly Efficient | MSSP Alert

The CISO's dilemma of protecting the enterprise while driving innovation - Help Net Security

Insurers still concerned over cyber risk unknowns

2025 CrowdStrike Global Threat Report: Cyber Criminals Are Shifting Tactics – Are You Ready? - Security Boulevard

Data: Cyber threats skyrocket as attackers think like businesses | Capacity Media

The Future of Auditing: What to Look for in 2025 - Security Boulevard

Failure, Rinse, Repeat: Why do Both History and Security Seem Doomed to Repeat Themselves? - SecurityWeek

Cyber security professionals face expanding responsibilities, with 61% covering multiple domains

Threats

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

Aggressive Tactics, Weaponization of AI-powered Deception Rises | Business Wire

The Growing Threat of Cyber Warfare from Nation-States - PaymentsJournal

Nation State Actors

A pivotal year for geopolitical cyber attacks – how should businesses manage the risks? | Insurance Business America

Geopolitical Tension Fuels APT and Hacktivism Surge - Infosecurity Magazine

How APT Naming Conventions Make Us Less Safe

China

It's not just Salt Typhoon: All China-backed attack groups are showcasing specialized offensive skills | CyberScoop

FBI Has Warned About 'Ghost' Cyber Attacks. What You Need to Know. - Business Insider

Chinese Botnet Bypasses MFA in Microsoft 365 Attacks - Infosecurity Magazine

A Tale of Two Typhoons: Properly Diagnosing Chinese Cyber Threats - War on the Rocks

2025 CrowdStrike Global Threat Report: China’s Cyber Espionage Surges 150% with Increasingly Aggressive Tactics, Weaponization of AI-powered Deception Rises | Business Wire

CrowdStrike: China hacking has reached 'inflection point' | TechTarget

Chinese APT Uses VPN Bug to Exploit Worldwide OT Orgs

China-linked threat actors stole 10% of Belgian State Security Service (VSSE)'s staff emails

Data Leak Exposes TopSec's Role in China's Censorship-as-a-Service Operations

Cisco Details ‘Salt Typhoon’ Network Hopping, Credential Theft Tactics - SecurityWeek

China compromised GOP emails ahead of Republican convention • The Register

Chinese-Backed Silver Fox Plants Backdoors in Healthcare Networks - Infosecurity Magazine

Russia

The evolution of Russian cyber crime | Intel 471

Ukrainian hackers claim breach of Russian loan company linked to Putin’s ex-wife | The Record from Recorded Future News

Space Pirates Targets Russian IT Firms With New LuckyStrike Agent Malware

Russia warns financial sector organisations of IT service provider LANIT compromise

Cyber Attacks Hits Leading Russian IT Service Provider’s Subsidiaries | MSSP Alert

Russia warns financial sector of major IT service provider hack

Australia Bans Kaspersky Software Over National Security and Espionage Concerns

Apple Cuts Off Russian Developers from Enterprise Program Amid Ongoing Sanctions - gHacks Tech News

Sweden investigates suspected sabotage of undersea telecoms cable - BBC News

Germany takes the fight to Russia in undersea cable war

Drone-Equipped U.S. Marines Now Helping Protect Baltic Sea Submarine Cables

Putin’s secret weapon: The threat to the UK lurking on our sea beds - BBC News

North Korea

Biggest crypto heist in history, worth $1.5bn, linked to North Korea hackers | Science, Climate & Tech News | Sky News

Lazarus Group launches ‘QinShihuang’ meme coin to launder $26M more from Bybit stash | Cryptopolitan

FBI Confirms North Korea’s Lazarus Group as Bybyit Hackers - Infosecurity Magazine

Inside the Lazarus Group money laundering strategy

FBI fingers North Korea for $1.5B Bybit cryptocurrency heist • The Register

Lazarus Group moves funds to multiple wallets as Bybit offers bounty

EU sanctions North Korean tied to Lazarus group over involvement in Ukraine war | The Record from Recorded Future News

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Modern Approach to Attributing Hacktivist Groups - Check Point Research

How Anonymous Actually Works, According to a Founding Member - Business Insider

Tools and Controls

Cyber criminals prefer remote tools over malware, says CrowdStrike | SC Media

Chinese APT Uses VPN Bug to Exploit Worldwide OT Orgs

Why you can’t afford to botch staff onboarding processes | ITPro

Why Internal Audit Services Are Key to Risk Management in Today’s Business Landscape - Security Boulevard

99% of Organisations Report API-Related Security Issues - Infosecurity Magazine

Nations Open 'Data Embassies' to Protect Critical Info

Privacy tech firms warn France’s encryption and VPN laws threaten privacy

Reports Published in the Last Week

CrowdStrike 2025 Global Threat Report: Beware the Enterprising Adversary

Other News

Cyber Attacks Become Increasingly Efficient | MSSP Alert

26 New Threat Groups Spotted in 2024: CrowdStrike - SecurityWeek

SITA report reveals how aviation industry is doubling down on cyber security | Times Aerospace

Failure, Rinse, Repeat: Why do Both History and Security Seem Doomed to Repeat Themselves? - SecurityWeek

OpenSSF Releases Security Baseline for Open Source Projects - SecurityWeek

What Netflix's 'Zero Day' Got Right (and Wrong) About Cyber Attacks

Threat Actors Stealing Users Browser Fingerprints To Bypass Security Measures & Impersonate Users

Mounting Threats to Cyber-Physical Systems - Security Boulevard

Manufacturers told beware cyber-attacks as sector becoming rising target

Experts Warn of Maritime Industry’s Cyber Vulnerabilities | AFCEA International

Security and privacy concerns challenge public sector's efforts to modernize - Help Net Security

Nine Threat Groups Active in OT Operations in 2024: Dragos - SecurityWeek

Report: Health System Cyber Security Budgets Increasing, But Lack of AI Governance Threatens Security | HIMSS

New malware disrupts critical industrial processes • The Register

Vulnerability Management

23 Vulnerabilities in Black Basta's Chat Logs Exploited in Wild

Software Vulnerabilities Take Almost Nine Months to Patch - Infosecurity Magazine

UK Home Office’s new vulnerability reporting mechanism leaves researchers open to prosecution | The Record from Recorded Future News

61% of Hackers Use New Exploit Code Within 48 Hours of Attack - Infosecurity Magazine

Software security debt is spiralling out of control – remediation times have surged 47% in the last five years, and it’s pushing teams to breaking point | ITPro

What is VMaaS? Why You Should Consider Vulnerability-Management-as-a-Service

Misconfigured Access Systems Expose Hundreds Of Thousands Of Employees And Organisations

US Government Supercharges Security Vulnerabilities

Vulnerabilities

Atlassian fixed critical flaws in Confluence and Crowd

Second Recently Patched Flaw Exploited to Hack Palo Alto Firewalls - SecurityWeek

Huge cyber attack found hitting vulnerable Microsoft-signed legacy drivers to get past security | TechRadar

Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA

CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation

Cisco Patches Vulnerabilities in Nexus Switches - SecurityWeek

Vulnerabilities in MongoDB Library Allow RCE on Node.js Servers - SecurityWeek

Mac security researchers expose two new exploits | Macworld

Max Severity RCE Vuln in All Versions of MITRE Caldera

Siemens Teamcenter vulnerability could allow account takeover (CVE-2025-23363) - Help Net Security

Sector Specific

Industry specific threat intelligence reports are available.

· Automotive

· Construction

· Critical National Infrastructure (CNI)

· Defence & Space

· Education & Academia

· Energy & Utilities

· Estate Agencies

· Financial Services

· FinTech

· Food & Agriculture

· Gaming & Gambling

· Government & Public Sector (including Law Enforcement)

· Health/Medical/Pharma

· Hotels & Hospitality

· Insurance

· Legal

· Manufacturing

· Maritime & Shipping

· Oil, Gas & Mining

· OT, ICS, IIoT, SCADA & Cyber-Physical Systems

· Retail & eCommerce

· Small and Medium Sized Businesses (SMBs)

· Startups

· Telecoms

· Third Sector & Charities

· Transport & Aviation

· Web3

Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

Black Arrow Admin

Black Arrow Cyber Threat Intelligence Briefing 28 February 2025

Executive Summary

Top Cyber Stories of the Last Week

Cyber Security's Biggest Blind Spot: Third-Party Risk

Cyber Criminals Can Now Clone Any Legitimate Website, and It’s Pretty Terrifying

Over 25 New Malware Variants Created Every Single Hour

Understanding MFA Fatigue: Why Cyber Criminals Are Exploiting Human Behaviour

Only a Fifth of Ransomware Attacks Now Encrypt Data

Biggest Crypto Heist in History, Worth $1.5Bn, Linked to North Korea Hackers

89% of Enterprise GenAI Usage is Invisible to Organisations, Exposing Critical Security Risks

Combating Deepfakes in Financial Services: A Call to Action

Threat Actors Are Increasingly Trying to Grind Business to a Halt

With AI and Automation, Hackers are Stealing Data at Unprecedented Speeds

Mobile Phishing Attacks on the Rise

With Millions Upon Millions of Victims, Scale of Info-Stealer Malware Laid Bare

Sources:

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Business Email Compromise (BEC)/Email Account Compromise (EAC)

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Bots/Botnets

Mobile

Denial of Service/DoS/DDoS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Regulations, Fines and Legislation

Models, Frameworks and Standards

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda