Also: Lee Enterprises Recovering From Ransomware Attack, an Ivanti POC

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, an FBI warning on Ghost ransomware, Lee Enterprises confirmed its ransomware attack, a proof of concept for Ivanti EPM flaws and a cybersecurity flaw in a Xerox machine. Also, a Chinese cyberespionage hacker apparently moonlighted as a ransomware attacker and NioCorp was hit by a cyber heist.
Ghost Ransomware Hits Over 70 Countries, Targets Critical Sectors
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency warned Wednesday that Ghost ransomware has compromised organizations across more than 70 countries, affecting industries including healthcare, government, education and critical infrastructure.
Active since early 2021, Ghost operators exploit older, unpatched vulnerabilities in Fortinet, ColdFusion and Microsoft Exchange to gain access. The group, also known as Cring, Crypt3r and Phantom, frequently rotates malware variants and ransom tactics, complicating attribution.
Security researchers first spotted Ghost using Mimikatz and Cobalt Strike for infiltration, followed by deploying ransomware via Windows CertUtil to evade detection.
Ghost actors are located in China, making the operation an outlier in the Russian-language-dominated world of ransomware operators.
Google Patches Critical Chrome Vulnerabilities
Google released patches for two high-severity Chrome vulnerabilities, CVE-2025-0999 and CVE-2025-1426, which could enable remote code execution and system takeover. These heap buffer overflow flaws affect the V8 JavaScript engine and GPU components, risking full system compromise.
A third flaw, CVE-2025-1006, a medium-severity use-after-free vulnerability in Chrome’s Network component, can also enable attackers to execute arbitrary code. Google has released fixes in Chrome for Windows, Mac and Linux.
Lee Enterprises Confirms Ransomware Attack Disrupted Newspapers
American newspaper chain Lee Enterprises confirmed a ransomware attack disrupted dozens of newspapers’ operations last week. The media company, which mainly serves secondary and rural markets, owns 350 publications across 25 states. It is the fourth largest newspaper group in the United States. It initially reported a “cyber incident” on Feb. 3. At least 75 newspapers faced printing, subscription and internal service disruptions.
Lee said that the hackers accessed its network, encrypted key applications, and exfiltrated files – hallmarks of ransomware, although the newspaper chain did not use the word “ransomware” to describe the incident.
Operations are gradually recovering, with core products back on schedule as of Feb. 12, though some weekly publications remain impacted, representing 5% of revenue. Lee expects a phased recovery over the coming weeks.
The financial toll is unclear, but the company holds cybersecurity insurance covering response costs, investigations, business interruptions and regulatory fines.
Proof of Concept for Ivanti Endpoint Manager Published
Cybersecurity firm Horizon.ai on Wednesday published a proof of concept that takes advantage of four vulnerabilities in the Ivanti Endpoint Manager that the Utah company patched in January.
Taken together, the vulnerabilities – CVE-2024-10811, CVE-2024-13161, CVE-2024-13160 and CVE-2024-13159 – could allow an “unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially allowing for server compromise,” Horizon.ai researcher Zach Hanley wrote.
The vulnerabilities boil down to APIs that the EPM server exposes for vulnerability management of endpoints, Hanley wrote. Exploitation is possible because Ivanti didn’t sanitize the inputs of a function call, allowing a root path to be supplied as a remote path.
Xerox Printer Flaws Could Expose Windows Networks
Two now-patched vulnerabilities in Xerox VersaLink C7025 printers could enable attackers to capture Windows Active Directory credentials and gain full access to an organization’s systems. Rapid7 uncovered the two flaws, tracked CVE-2024-12510 and CVE-2024-12511, present in firmware version 57.69.91 and earlier.
Attackers could reconfigure the printer to send authentication credentials to a malicious server by exploiting these flaws. If LDAP or SMB settings contained domain admin credentials, attackers could seize complete control over Windows environments, including file services, databases and email accounts.
Threat actors need only access an MFP’s web interface or use SNMP queries to identify vulnerable devices. Many organizations leave default printer passwords unchanged.
Xerox issued a firmware patch last month.
China-Linked Espionage Group Tied to Ransomware Attack
Symantec researchers observed a hacker using tools normally associated with Chinese nation-state cyberespionage deployed in a ransomware attack against “a medium-sized software and services company in South Asia.”
The most likely explanation, wrote researchers, is that the threat actor was moonlighting from its day job, using its employer’s tools to make extra money on the side.
The attacker claimed to have infiltrated the victim network through a Palo Alto Networks vulnerability tracked as CVE-2024-0012. The threat actor deployed a variant of PlugX malware seen in documented Chinese cyberespionage attacks.
Evidence exists that this threat actor may have been involved in ransomware for some time, Symantec also said. Researchers ruled out the possibility that the ransomware attack is a decoy meant to obscure an underlying espionage attack. The hacker didn’t do a good job of covering up the tools used to initiate the attack. Plus, the South Asian software firm is not strategically significant.
“Finally, the attacker seemed to be serious about collecting a ransom from the victim and appeared to have spent time corresponding with them. This usually wouldn’t be the case if the ransomware attack was simply a diversion.”
NioCorp Hit by Cyber Heist, Loses $500K in Vendor Payments
NioCorp Developments Ltd. disclosed a cybersecurity breach that led to $500,000 in misdirected vendor payments. The intrusion, detected on Friday, involved unauthorized access to the company’s email systems. NioCorp alerted financial institutions and law enforcement but has not confirmed fund recovery.
With reporting from Information Security Media Group’s Akshaya Asokan in southern England, Prajeet Nair in Bengaluru, India, and David Perera in Washington, D.C.