Attacker "Rey" from the HellCat ransomware group breaches Orange Group data
An attacker from the HellCat ransomware group, who goes by Rey, claims to have breached Orange Group and stolen thousands of internal documents, including customer and employee data. The threat actor attempted to extort the company but later leaked the stolen data on a hacker forum after negotiations failed.
Orange confirmed the breach, stating it affected a noncritical application and that investigations are ongoing to minimize the impact. According to Rey, most of the stolen data originates from Orange Romania and includes 380,000 unique email addresses, source code, invoices, contracts and partial payment card details. The hacker reportedly gained access through compromised credentials and vulnerabilities in Orange's Jira software and internal portals, extracting 6.5GB of internal data across 12,000 files while remaining undetected for over a month.
Despite having received a ransom note, the company did not engage in negotiations. Some of the leaked data appears outdated, including expired payment card details and emails from former employees. Orange reassured customers that their operations were not impacted and is working with authorities to assess the breach and strengthen security.
Phishing attacks with FatalRAT malware leveraging Chinese cloud services to target APAC industries
Various industrial organizations in the APAC region have been targeted by phishing attacks deploying the FatalRAT malware. Attackers leveraged legitimate Chinese cloud services like myqcloud and Youdao Cloud Notes to evade detection and facilitate multistage payload delivery.
The campaign primarily targeted government agencies and industries such as manufacturing, IT, telecommunications, health care, and logistics across Taiwan, Malaysia, China, Japan and other APAC nations.
The phishing emails contained ZIP archives with Chinese-language filenames, which initiated a chain of execution to download FatalRAT from myqcloud. The malware uses DLL side-loading techniques to maintain persistence while disguising its activity as legitimate processes. FatalRAT allows attackers to log keystrokes, manipulate system settings, steal browser data and install remote access tools. While attribution remains uncertain, evidence suggests a Chinese-speaking threat actor is behind the attacks.
Cracked software being used to distribute Lumma and ACR Stealer in new malware campaign
A new malware campaign is using cracked software as bait to distribute information stealers like Lumma and ACR Stealer.
ACR Stealer employs a technique called dead drop resolver, leveraging services like Steam, Telegram’s Telegraph, Google Forms and Google Slides to retrieve command-and-control (C2) addresses. Attackers post the Base64-encoded C2 domain on a specific page hosted by one of these legitimate services; the malware fetches that page, decodes the domain and uses it to reach its infrastructure, so the C2 address never has to be hard-coded in the binary. Previously spread via Hijack Loader, ACR Stealer is capable of stealing files, browser data and cryptocurrency wallet extensions from compromised systems.
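Because a dead drop resolver hides the C2 domain as a Base64 blob inside otherwise ordinary page text, a hunting script that scans fetched page bodies for Base64 tokens and flags only those that decode to a hostname or URL gives defenders a way to spot such pages. The following is an added example written for this summary, not code from the ACR Stealer research or from any of the named services; the page bodies are constructed samples, and the token length threshold and hostname pattern are assumptions chosen to keep noise down.

```python
import base64
import binascii
import re

# Candidate Base64 tokens: 16+ alphabet characters with optional padding.
# The minimum length is an assumption to skip short incidental matches.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Loose DNS hostname check (labels plus an alphabetic TLD).
HOSTNAME = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed page bodies, not real data: one hides an encoded domain, one
# contains a long plain word that looks like Base64, one holds encoded zeros.
SAMPLE_PAGES = {
    "profile-a": "Hello world. YzIuZXhhbXBsZS5jb20= have a nice day",
    "profile-b": "ThisIsJustALongWordWithoutSpaces in a normal bio",
    "profile-c": "AAAAAAAAAAAAAAAAAAAAAA==",
}


def decode_candidate(token):
    """Return printable ASCII text if the token is valid Base64, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    # Binary garbage (e.g. decoded zero bytes) is not a dead-drop value.
    return text if text.isprintable() else None


def looks_like_c2_indicator(text):
    """True if the decoded text is a bare hostname or an http(s) URL."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        t = t.split("/", 3)[2]  # host[:port] component of the URL
    host = t.split(":")[0]      # drop an optional port
    return bool(HOSTNAME.match(host))


def find_dead_drops(pages):
    """Scan page bodies and return (page, token, decoded) for each hit."""
    hits = []
    for name, body in pages.items():
        for match in B64_TOKEN.finditer(body):
            decoded = decode_candidate(match.group(0))
            if decoded and looks_like_c2_indicator(decoded):
                hits.append((name, match.group(0), decoded))
    return hits


if __name__ == "__main__":
    for page, token, decoded in find_dead_drops(SAMPLE_PAGES):
        print(f"{page}: {token} -> {decoded}")
```

Only `profile-a` is reported: the long word in `profile-b` decodes to non-printable bytes and the zero run in `profile-c` decodes to NUL bytes, so both are discarded before the hostname check. In practice the same function runs over page content captured by a proxy or sandbox, and a hit is a reason to block the decoded domain and look for the process that fetched the page.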
In a different campaign, threat actors are exploiting Microsoft Management Console (MMC) files with MSC extensions to deliver Rhadamanthys Stealer using PowerShell-based attacks. According to researchers, infostealers have gained significant popularity in the past few years, infecting over 30 million computers and enabling cybercriminals to sell stolen corporate credentials for post-exploitation attacks.
EU health care organizations targeted by new NailaoLocker ransomware
A new ransomware strain dubbed NailaoLocker has been detected in attacks on European health care organizations between June and October 2024.
Threat actors exploited CVE-2024-24919, a vulnerability in Check Point Security Gateway, to infiltrate networks and deploy malware linked to Chinese state-sponsored groups. Some researchers attribute the tactics to Chinese cyber espionage, but there is insufficient evidence to link the attacks to a specific group.
NailaoLocker is considered relatively unsophisticated, lacking features like security process termination, sandbox evasion and network scanning. The ransomware encrypts files using AES-256-CTR and appends the ".locked" extension, leaving a ransom note with an unusually long filename. Victims are instructed to contact the attackers via a ProtonMail address, but there is no indication that data was stolen. Analysts speculate the attacks may involve false-flag operations, revenue-driven espionage, or a shift in Chinese cyber tactics similar to North Korea's ransomware campaigns.
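Two of the traits above, the ".locked" extension appended on every encrypted file and the unusually long ransom note filename, are cheap to watch for in file-system telemetry. The following detector is an added example written for this summary, not code from the NailaoLocker analysis; the event records are constructed, and the burst window, rename threshold and filename-length cutoff are assumptions a team would tune to its own environment.

```python
from collections import defaultdict, deque

LOCKED_EXT = ".locked"

# Constructed file-system events, not real telemetry:
# (timestamp in seconds, host, action, full path)
_NOTE_NAME = "unlock_your_files_" * 8 + ".txt"  # 148 chars, unusually long
SAMPLE_EVENTS = [
    (0,   "ws-01", "RENAME", r"C:\Users\alice\Docs\budget.xlsx.locked"),
    (1,   "ws-01", "RENAME", r"C:\Users\alice\Docs\report.docx.locked"),
    (2,   "ws-01", "RENAME", r"C:\Users\alice\Docs\scan.pdf.locked"),
    (3,   "ws-01", "RENAME", r"C:\Users\alice\Docs\notes.txt.locked"),
    (4,   "ws-01", "RENAME", r"C:\Users\alice\Docs\photo.jpg.locked"),
    (5,   "ws-01", "CREATE", r"C:\Users\alice\Docs" + "\\" + _NOTE_NAME),
    (10,  "ws-02", "RENAME", r"C:\Users\bob\archive.zip.locked"),
    (900, "ws-02", "RENAME", r"C:\Users\bob\old.bak.locked"),
    (20,  "ws-03", "WRITE",  r"C:\Users\carol\thesis.docx"),
]


def detect_rename_bursts(events, window_seconds=60, threshold=5):
    """Return {host: peak count} for hosts renaming >= threshold files to
    .locked inside any sliding window of window_seconds."""
    per_host = defaultdict(list)
    for ts, host, action, path in events:
        if action == "RENAME" and path.lower().endswith(LOCKED_EXT):
            per_host[host].append(ts)

    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        window = deque()
        for ts in stamps:
            window.append(ts)
            # Evict timestamps that fell out of the sliding window.
            while ts - window[0] > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                flagged[host] = max(flagged.get(host, 0), len(window))
    return flagged


def flag_long_filenames(events, max_name_len=100):
    """Return (host, path) for newly created files whose basename exceeds
    max_name_len characters, a trait of this family's ransom note."""
    suspicious = []
    for _, host, action, path in events:
        basename = path.rsplit("\\", 1)[-1]
        if action == "CREATE" and len(basename) > max_name_len:
            suspicious.append((host, path))
    return suspicious


if __name__ == "__main__":
    print("rename bursts:", detect_rename_bursts(SAMPLE_EVENTS))
    print("long filenames:", flag_long_filenames(SAMPLE_EVENTS))
```

With the sample data only `ws-01` is flagged by both checks: it renames five files to ".locked" within five seconds and then drops a file with a 148-character name, while the two renames on `ws-02` are fifteen minutes apart and never reach the threshold. Either signal alone is worth an alert; both together on one host are a strong reason to isolate it before encryption spreads to file shares.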
Termite ransomware gang claims responsibility for breach of Australian IVF giant Genea’s health care data
The Termite ransomware gang has claimed responsibility for breaching Genea, one of Australia's largest fertility service providers, and stealing sensitive health care data. Genea, which operates 22 fertility clinics across multiple states, confirmed the breach after detecting suspicious activity.
The attackers exploited a Citrix server vulnerability to infiltrate the network and gain access to critical systems, exfiltrating 940.7GB of data to a DigitalOcean cloud server. The stolen information includes personal details, medical records, insurance data and patient history, though financial information appears unaffected. Genea has obtained a court-ordered injunction to prevent the leaked data from spreading and is collaborating with Australian cybersecurity authorities.
The Termite gang, active since October 2024, has claimed 18 victims globally, using a version of the Babuk encryptor for ransomware attacks. In December, they also targeted Blue Yonder, a major supply chain software provider with high-profile clients.