Cybersecurity Week in Review: April 22–28, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

  • Onsite Mammography (April 23, 2025): A phishing attack on an employee’s email exposed sensitive records. Onsite Mammography (ME) notified regulators that 357,265 patients were affected. Compromised data included names, Social Security numbers, dates of birth, driver’s license numbers, credit cards, and medical information (including physical/mental health details). The clinic engaged experts, notified law enforcement, and offered free credit monitoring for one year.
  • Bell Ambulance (Wisconsin, disclosed April 22, 2025): The Medusa ransomware gang announced an attack on Bell Ambulance, and the U.S. Health & Human Services (HHS) breach portal confirmed 114,000 individuals impacted. Stolen data reportedly includes names, birthdates, SSNs, driver’s licenses, financial, medical and insurance information. Bell Ambulance has not detailed the full scope beyond the HHS count.
  • Alabama Ophthalmology Associates (AL, disclosed April 10, update Apr 22): BianLian ransomware hit this eye-care provider, compromising PHI. Investigation shows hackers had access since January; on April 22 HHS reported 131,000+ patients affected. Exposed records include personal identifiers (names, addresses, DOB, SSNs, driver’s licenses) and medical/insurance details. The practice has secured its systems and is notifying victims.
  • VeriSource Services (employee benefits administrator, updated Apr 28): The impact estimate for a February 2024 breach of benefits data was recently revised to 4 million people. VeriSource (TX) provides HR, enrollment and payroll services. Stolen data spanned employees and dependents (names, addresses, DOB, gender, Social Security numbers). The investigation closed on April 17, 2025, and notifications were then sent; multiple class-action lawsuits have been filed.

Significant Cyberattacks and Incidents

High-impact attacks this week included ransomware and sophisticated phishing. Marks & Spencer (UK retailer) confirmed a “cybersecurity incident” on April 22 affecting store operations. By Apr 28 investigators learned it was a Scattered Spider (Octo Tempest) ransomware attack: intruders breached M&S as early as February (stealing the Active Directory NTDS.dit database) and on April 24 deployed the DragonForce encryptor against VMware ESXi servers. M&S engaged CrowdStrike and Microsoft for response; no customer data loss has been confirmed publicly.

  • Hitachi Vantara (April 26, 2025): The Hitachi data services spin-off took servers offline after detecting a ransomware breach. BleepingComputer reports the Akira ransomware gang is responsible; they stole files and left ransom notes before Hitachi contained the incident. Hitachi has been restoring systems and working with partners. Its cloud-hosted services remained operational, but several internal environments and manufacturing systems were disrupted for containment.
  • SK Telecom (South Korea, announced Apr 28): The nation’s largest mobile carrier disclosed a “large-scale” data leak detected on Apr 18 and attributed to malware. Details are sparse, but SKT (which has 23 million users) offered free SIM card replacements for all customers as a precaution. The incident rattled markets (stock fell ~6.7%). SKT is investigating the breach and urging customers to use its fraud protection service.
  • Lazarus Group (North Korea, Apr 28): Researchers found the Lazarus APT running a cyber-espionage campaign against cryptocurrency developers. Fake companies “Blocknovas LLC” and “Softglide LLC” offered crypto job interviews to deliver malware. Victims’ credentials and wallets were targeted, and the U.S. FBI has seized the Blocknovas website used in the scam. This highlights North Korea’s continued focus on crypto theft (recently linked to the Feb 2025 Bybit hack).
  • Insider threat (Oklahoma, reported Apr 26): In an unusual case, the CEO of security firm Veritaco was charged with planting malware on hospital PCs. Surveillance showed the CEO wandering hospital wards and installing software to capture screenshots every 20 minutes. The hospital contained the breach immediately and no patient data was accessed. The case serves as a reminder that insider attacks can come even from trusted IT personnel.

Critical Vulnerabilities and Patches

  • SAP NetWeaver (CVE-2025-31324): A critical zero-day RCE in SAP Visual Composer (NetWeaver) was disclosed and actively exploited in late April. The flaw (CVSS 10.0) lets unauthenticated attackers upload arbitrary files, leading to full system compromise. SAP released an emergency patch on April 24, 2025, and industry tools (e.g. the Onapsis scanner) were deployed to detect exploitation. Organizations running SAP Visual Composer must apply the update immediately.
  • Erlang/OTP SSH (CVE-2025-32433): A critical vulnerability in the Erlang/OTP SSH server implementation (CVSS 10.0) was announced April 22. It allows unauthenticated remote code execution on impacted systems (commonly used in telecom and embedded devices). Patches were released in Erlang/OTP versions 27.3.3, 26.2.5.11, and 25.3.2.20 to address this issue. All organizations using affected OTP versions should upgrade and scan for signs of compromise.
  • Fortinet FortiGate SSL-VPN (zero-day): On April 22, Secure-ISS detailed an actively exploited zero-day in Fortinet’s SSL-VPN that allows unauthenticated RCE. The exploit uses a symlink technique enabling full device takeover; Secure-ISS observed over 14,000 FortiGate units compromised via this bug. Fortinet has released fixed firmware versions (FortiOS 6.0.18+, 6.2.16+, 6.4.9+, etc.) to patch the flaw. All FortiGate SSL-VPN deployments should be updated immediately to the patched versions to prevent further exploitation.
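Two of these advisories give fix levels per maintenance branch, and the practical question for a defender is whether each inventoried build is at or past its branch's fix. The following version-triage helper is an added example (not vendor code) that encodes only the fix levels quoted above; the "etc." in the FortiOS list is not expanded, so builds on branches not listed here are reported as unknown rather than guessed.

```python
"""Patch-level triage for the Erlang/OTP SSH (CVE-2025-32433) and FortiOS
SSL-VPN fix levels quoted in this roundup. Added example, not vendor code."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum patched release per maintenance branch, taken from the advisories
# above. Branches absent here (e.g. FortiOS 7.x) are deliberately unknown.
FIX_LEVELS: Dict[str, Dict[Version, Version]] = {
    "erlang-otp": {(27,): (27, 3, 3), (26,): (26, 2, 5, 11), (25,): (25, 3, 2, 20)},
    "fortios": {(6, 0): (6, 0, 18), (6, 2): (6, 2, 16), (6, 4): (6, 4, 9)},
}


def parse_version(text: str) -> Version:
    """Extract the first dotted numeric run: 'OTP-26.2.5.9' -> (26, 2, 5, 9),
    'v6.4.8 build1234' -> (6, 4, 8). Raises ValueError if none is present."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if the build is at or after its branch's fix level, False if it is
    below it, None if the branch is not covered by the quoted fix levels."""
    installed = parse_version(version)
    for prefix, fixed in FIX_LEVELS[product].items():
        if installed[: len(prefix)] == prefix:
            # Zero-pad so a short string such as '27.3' compares as 27.3.0.
            width = max(len(installed), len(fixed))
            padded_installed = installed + (0,) * (width - len(installed))
            padded_fixed = fixed + (0,) * (width - len(fixed))
            return padded_installed >= padded_fixed
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Bucket (host, product, version) records into vulnerable / patched /
    unknown so unknown branches get a human look instead of a false 'ok'."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, product, version in inventory:
        status = is_patched(product, version)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY = [
    ("rabbitmq-01", "erlang-otp", "OTP-26.2.5.9"),
    ("rabbitmq-02", "erlang-otp", "26.2.5.11"),
    ("fw-edge-a", "fortios", "v6.4.8 build1914"),
    ("fw-edge-b", "fortios", "7.0.12"),
]
```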

Government and Industry Cyber Responses

  • U.S. CISA ICS Advisories: On April 22, CISA released five Industrial Control Systems security advisories covering Siemens, Schneider Electric and ABB products. These bulletins alert operators to new control-system vulnerabilities and provide mitigation guidance. Critical infrastructure organizations should review these advisories and update or harden affected ICS components.
  • FBI/CISA Ransomware Warning: On April 23, the U.S. FBI reported ransomware was the top cyber threat to critical infrastructure in 2024. Complaints to the FBI IC3 center rose 9% year-over-year, especially targeting manufacturing, healthcare, government and utilities. FBI and CISA noted that variants like Medusa have hit hundreds of victims. This underscores calls for stronger defenses: the FBI/CISA joint advisory in March warned of Medusa’s stealthy attacks. Organizations should heed such advisories and prioritize ransomware readiness.
  • Industry Guidelines and Tools: Security vendors released detection tools for emerging threats. For example, CrowdStrike added a YARA “Defend” rule (April 24) to detect the SAP CVE-2025-31324 exploit. Onapsis published an open-source scanner for CVE-2025-31324 on April 27, and updated threat intel kits for detection. These industry efforts complement vendor patches.
  • Regulatory Developments: No new major cyber laws were enacted this week, but regulators (e.g. EU and U.S. agencies) continue work on stricter cyber rules and enforcement. For instance, U.S. agencies emphasize rapid breach notifications and incident reporting, while Europe’s NIS2 transposition deadlines are approaching. Organizations should track policy updates and ensure compliance with evolving requirements.

Miscellaneous

  • Threat Intelligence & Research: Security firms released their latest threat trend reports. Early Q1 2025 reports (from firms like PDI, Check Point, etc.) note sustained high ransomware activity and rising attacks on new sectors (e.g. retail, transportation). (Example: a report highlights Akira ransomware growing 24% and a 75% surge in retail-targeted ransom demands). Analysts advise proactive, intelligence-driven defense.
  • Tools & Open Source: The open-source community remains active. Notable April releases include tools for security teams (e.g. automated reporting systems, AWS S3 configuration scanners). Researchers also published new technical blogs on tactics (e.g. UNC3944/Scattered Spider social-engineering tactics) and defensive measures.

Conclusion

This week’s events reinforce key themes: cybercrime remains relentless and diverse. Data breaches struck both niche healthcare providers and large service firms, exposing millions of personal records. Ransomware continued to disrupt major vendors (Marks & Spencer, Hitachi Vantara) and even banks (the Everest gang targeting a Jordanian bank). Attackers exploited high-severity zero-days (e.g. SAP, Fortinet, Erlang), underscoring the need for rapid patch management. High-impact incidents like the SK Telecom breach and Lazarus attacks on crypto infrastructure demonstrate that nation-state and organized cybercriminal threats are very much global. In response, governments and industries issued advisories (CISA’s ICS alerts; FBI/CISA ransomware warnings) and updated defenses.

Takeaways: Organizations should apply the latest patches immediately (especially for critical CVEs), segment and monitor networks, and maintain robust incident response plans. Healthcare, finance, and critical infrastructure sectors must be especially vigilant. Regular training against phishing (the root cause of several breaches) and rapid detection of unusual activity (e.g. via updated YARA rules and scanners) are essential. For users, key actions include monitoring financial accounts, enabling multi-factor authentication (with strong controls to prevent “MFA fatigue” attacks), and promptly replacing potentially compromised devices (as with SK Telecom’s SIM replacement precaution). By learning from each week’s breaches and attacks, defenders can better harden their environments against the evolving threat landscape.

Sources

  • TechCrunch, “Marks & Spencer confirms cybersecurity incident amid ongoing disruption” (Apr. 22, 2025)
    techcrunch.com
  • SecurityWeek, “Data Breach at Onsite Mammography Impacts 350,000” (Apr. 23, 2025)
    securityweek.com
  • SecurityWeek, “Two Healthcare Orgs Hit by Ransomware Confirm Data Breaches Impacting Over 100,000” (Apr. 22, 2025)
    securityweek.com
  • GovInfoSecurity, “Employee Benefits Firm Says 4 Million Affected by 2024 Hack” (Apr. 28, 2025)
    govinfosecurity.com
  • BleepingComputer, “Marks & Spencer breach linked to Scattered Spider ransomware attack” (Apr. 28, 2025)
    bleepingcomputer.com
  • BleepingComputer, “Hitachi Vantara takes servers offline after Akira ransomware attack” (Apr. 28, 2025)
    bleepingcomputer.com
  • Reuters, “Complaints about ransomware attacks on US infrastructure rise 9%, FBI says” (Apr. 23, 2025)
    reuters.com
  • Reuters, “SK Telecom shares plunge after data breach due to cyberattack” (Apr. 28, 2025)
    reuters.com
  • Digital Watch Observatory, “Lazarus Group uses fake firms to spread malware to the crypto industry” (Apr. 28, 2025)
    dig.watch
  • Security Affairs via CybersecurityInformer, “Veritaco CEO faces charges for installing malware on hospital systems” (Apr. 26, 2025)
    cybersecurityinformer.com
  • Onapsis Research Blog, “Active Exploitation of SAP Vulnerability CVE-2025-31324” (Apr. 25, 2025)
    onapsis.com
  • Secure-ISS Advisory, “Fortinet FortiGate SSL-VPN Zero-Day RCE” (Apr. 22, 2025)
    secure-iss.com
  • CrowdStrike (SOC advisory), “Erlang/OTP SSH Vulnerability CVE-2025-32433” (Apr. 22, 2025)
    secure-iss.com
  • U.S. CISA Alert, “Five Industrial Control Systems Advisories” (Apr. 22, 2025)
    cisa.gov