
FSB’s Star Blizzard Shifts to WhatsApp Phishing for Espionage 

Star Blizzard, an FSB-backed phishing group also known as Callisto Group and Coldriver, launched a campaign targeting WhatsApp accounts, according to Microsoft. This marks a shift in their usual tactics, which previously focused on email-based credential phishing against government, diplomatic, and defense policy targets, particularly those involved in Russian affairs and Ukraine support. 

Attack Method: 

  • Victims received emails impersonating US officials, inviting them to join a WhatsApp group supporting Ukraine NGOs. 
  • The included QR code was invalid, prompting recipients to reply to the email. 
  • Attackers then sent a second email with a malicious shortened link. 
  • Clicking this link led to a fake website instructing victims to scan a QR code, which actually linked their WhatsApp account to the hackers' system via WhatsApp Web. 
  • This allowed the attackers to access and exfiltrate messages using browser plugins. 
Stephen Green
Threat Intelligence Lead | Cyber Risk
sgreen@thomasmurray.com

Valentina Martinez
Cyber Security Analyst | Cyber Risk
vmartinez@thomasmurray.com

Microsoft and DOJ Response: 

  • Microsoft observed this activity in mid-November 2024, with the campaign winding down by the end of the month. 
  • The shift to WhatsApp likely followed exposure of Star Blizzard’s traditional phishing tactics. 
  • Since October 2023, Microsoft and the US DOJ have seized or taken down over 180 Star Blizzard-operated phishing domains. 
  • Despite these disruptions, Star Blizzard remains highly adaptable, continuously shifting techniques to evade detection. 

The campaign, active from January 2023 to November 2024, primarily targeted government officials, diplomats, defense policy experts, and researchers on Russian affairs and Ukraine. Microsoft continues to monitor and block new attacks. 

https://www.theregister.com/2025/01/16/russia_star_blizzard_whatsapp/ 

Enzo Biochem Settles Ransomware Lawsuit for $7.5M After Major Data Breach 

Enzo Biochem has settled a $7.5 million class-action lawsuit stemming from a ransomware attack in April 2023, which compromised the personal and medical data of 2.47 million individuals. This settlement comes just five months after the company was fined $4.5 million by three state attorneys general for failing to implement adequate security measures. The investigation revealed that attackers gained access using genuine company credentials shared among five employees, one of which had not been updated in 10 years. Enzo also failed to require multi-factor authentication (MFA), had ineffective data encryption, and lacked proper IT risk evaluation processes. The breach resulted in the exfiltration of 1.4 TB of sensitive data, including names, Social Security numbers, addresses, dates of birth, and medical records, before the attackers encrypted the company’s systems. The attack was never attributed to a known ransomware group, and it remains unclear whether a ransom was paid. 

Despite Enzo's firewall detecting suspicious activity on April 4, 2023, there was no real-time monitoring or alerting mechanism, causing a two-day delay before the company realised it had been compromised. This failure allowed the attackers to steal patient data and deploy an encryption payload before Enzo could respond. In the wake of the breach, Enzo undertook a major cyber security overhaul, implementing MFA, stricter password policies, endpoint detection & response (EDR), a 24/7 managed security operations center (SOC), and a Zero Trust security model to prevent future incidents. However, the damage was significant: Enzo’s stock price plummeted to $0.70 per share, marking its lowest valuation since 1991. 

This breach was part of a larger trend of healthcare cyberattacks in Spring 2023, affecting companies such as Zoll, NextGen Healthcare, Independent Living Systems, and PharMerica. While there is no confirmed link between these incidents, the widespread targeting of healthcare providers highlights the sector’s vulnerabilities and the increasing need for stronger cyber security measures. The Enzo case serves as a stark reminder of the consequences of poor credential hygiene and inadequate security protocols, reinforcing the importance of proactive defenses in protecting sensitive patient information from cybercriminals. 

https://www.theregister.com/2025/01/16/enzo_biochem_ransomware_lawsuit/ 

Hackers Exploit Fake YouTube Links to Steal Login Credentials 

Cybercriminals are exploiting fake YouTube links to steal login credentials by redirecting unsuspecting users to phishing pages through URI manipulation and layered obfuscation techniques. This method is particularly deceptive, as it makes malicious URLs appear authentic by incorporating legitimate-looking strings such as “http://youtube”, preying on users’ tendency to trust familiar domain names. 

The attack begins with a phishing email, often disguised as a legitimate notification prompting the recipient to "View Completed Document." Instead of leading to a real YouTube page, the embedded link cleverly redirects users to a malicious phishing site designed to steal login credentials. This redirection process employs multiple intermediate domains, further concealing the final phishing destination. 

To add an extra layer of deception, the attackers present victims with a fake Cloudflare verification page upon clicking the fraudulent link. This counterfeit page mimics legitimate browser security checks, featuring animations and prompts that resemble real authentication processes. By the time the user arrives at the final phishing site, they are less likely to question its authenticity and are more likely to enter their login credentials. 

Beyond URI manipulation, this attack employs layered redirections to evade detection by both automated security tools and human scrutiny. The phishing infrastructure is meticulously designed, incorporating checkers, redirectors, and customised phishing templates. These components work together to create a seamless user experience, further reducing suspicion and increasing success rates for the attackers. 

This particular campaign is linked to the Storm1747 group, a threat actor known for its sophisticated phishing operations. Storm1747 relies on the Tycoon 2FA phishing kit, a tool that simplifies large-scale phishing attacks by providing pre-configured fake login pages. Attackers also use a technique that modifies user info fields in URLs, making malicious links appear legitimate—a tactic shared by other phishing kits such as Mamba 2FA and EvilProxy. 
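The userinfo trick described above works because anything before an "@" in a URL's authority is credentials, not the host, so "http://youtube.com@..." connects to whatever follows the "@". The following is an added defensive example, not code from the original article or from any vendor: it resolves the host a browser would actually contact and flags links whose userinfo carries a trusted brand name that the real host does not. The sample links, the brand list and the function names are constructed for illustration.

```python
"""Flag links whose URL userinfo field impersonates a trusted domain."""
from urllib.parse import urlsplit

# Constructed sample links (not taken from the campaign). The second and third
# show a brand name placed in the userinfo field before the "@".
SAMPLE_LINKS = [
    "https://www.youtube.com/watch?v=abc123",
    "http://youtube.com@redirect.example.net/view-document",
    "https://www.youtube.com:443@login-check.example.org/?doc=1",
    "https://docs.example.com/share/abc",
]

# Brands whose appearance in userinfo is treated as impersonation (assumed list).
TRUSTED_BRANDS = ("youtube", "microsoft", "google")


def real_host(url: str) -> str:
    """Return the host a browser will actually connect to (userinfo stripped)."""
    return (urlsplit(url).hostname or "").lower()


def userinfo(url: str) -> str:
    """Return the user[:password] part preceding '@' in the authority, or ''."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[0] if "@" in netloc else ""


def classify(url: str) -> dict:
    """Mark a link suspicious when its userinfo names a trusted brand
    that is absent from the host the browser really connects to."""
    info, host = userinfo(url), real_host(url)
    brand = next((b for b in TRUSTED_BRANDS if b in info.lower()), None)
    suspicious = brand is not None and brand not in host
    return {"url": url, "real_host": host, "userinfo": info, "suspicious": suspicious}


def scan(urls) -> list:
    """Classify every link; callers can filter on the 'suspicious' flag."""
    return [classify(u) for u in urls]


if __name__ == "__main__":
    for result in scan(SAMPLE_LINKS):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} host={result['real_host']:28} userinfo={result['userinfo']!r}")
```

A mail gateway rule that rewrites or quarantines links with any non-empty userinfo catches the same pattern without a brand list, since legitimate mail almost never embeds credentials in URLs.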

The rise of these advanced phishing techniques highlights the growing need for proactive cyber security measures. As cybercriminals continue refining their tactics, businesses must invest in robust threat detection solutions, implement strong email security policies, and educate users on how to identify and avoid social engineering attacks. By staying vigilant and utilising advanced cyber security tools, organisations can effectively mitigate the risk posed by phishing campaigns like this one. 

https://hackread.com/hackers-fake-youtube-links-steal-login-credentials/ 

New PhishWP WordPress Plugin Turns Websites into Phishing Traps 

In an alarming development for online security, cyber security researchers have uncovered a malicious WordPress plugin known as PhishWP, a tool designed by Russian cybercriminals to turn ordinary websites into highly convincing phishing platforms. This sophisticated plugin creates fake payment pages that closely mimic legitimate services like Stripe, deceiving users into entering sensitive financial information, including credit card numbers, CVVs, expiration dates, and even one-time passwords (OTPs) for 3D Secure (3DS) authentication. The stolen data is then transmitted in real time to attackers via Telegram, allowing for immediate exploitation or sale on dark web marketplaces. 

Unlike traditional phishing scams that rely on fake emails or compromised websites, PhishWP is a WordPress plugin—meaning attackers can easily deploy it on unsuspecting websites with minimal effort. Once installed, it generates realistic payment interfaces that look indistinguishable from authentic checkout pages. Victims, believing they are making a secure transaction, enter their details, which are immediately exfiltrated to the attackers. 

The plugin’s capabilities go beyond simple data theft. It incorporates browser profiling, allowing attackers to customise phishing pages based on the victim’s device and browsing environment. It also automates fake security features, such as auto-response emails confirming fake transactions, creating a false sense of security and delaying suspicion. By the time a user realises the fraud, the attackers may have already used or sold their stolen credentials. 

Advanced Features Make PhishWP a Dangerous Tool 

PhishWP is not just another phishing kit; it is a well-developed, feature-rich tool designed for maximum efficiency and stealth. Some of its key capabilities include: 

  • Customisable Fake Checkout Pages – Attackers can tailor phishing sites to resemble well-known payment services, increasing credibility. 
  • Real-Time Data Theft via Telegram – Unlike traditional phishing pages that store stolen credentials in databases, PhishWP immediately sends the captured information to attackers via Telegram, allowing for instant use in fraudulent transactions. 
  • 3DS Code Harvesting – The plugin displays pop-ups asking victims to enter OTPs for 3D Secure authentication, effectively bypassing multi-factor security measures. 
  • Multi-Language Support & Global Reach – The plugin allows attackers to target victims worldwide, adapting to different languages and user interfaces. 
  • Obfuscation & Evasion Techniques – PhishWP hides its true purpose using various obfuscation methods, making it difficult for security tools to detect and block. 

This new breed of phishing attack demonstrates the evolution of cybercrime, where criminals weaponise everyday tools—in this case, WordPress plugins—to conduct highly sophisticated fraud at scale. The fact that PhishWP is available on Russian cybercrime forums means it could soon become widely used among hackers, escalating global phishing threats. 

As cybercriminals continue refining their methods, businesses, financial institutions, and individual users must stay ahead of emerging threats. Proactive security measures, continuous monitoring, and public awareness will be crucial in mitigating the impact of tools like PhishWP before they become widespread. 

https://hackread.com/phishwp-plugin-russian-hacker-forum-phishing-sites/ 

BASHE Ransomware Group Targets ICICI Bank: A Growing Threat to Cyber Security 

In a concerning development for the global banking sector, the notorious BASHE ransomware group (also known as APT73 or Eraleig) has reportedly breached ICICI Bank, one of India’s largest private financial institutions. The group has already posted stolen data on a dark web leak site and issued a ransom deadline of January 24, 2025. If the bank refuses to comply, millions of customers could see their sensitive financial information exposed, raising serious concerns about cybersecurity in the banking industry. 

ICICI Bank has not yet officially confirmed the breach, but cyber security experts warn that the scale and severity of this attack could have major consequences for both individuals and the broader financial system. As the deadline approaches, concerns are growing over the potential fallout, with experts urging immediate action to contain the damage and mitigate risks. 

Who is BASHE? 

Active since April 2024, BASHE specialises in data extortion and operates dark web leak sites (DLS). They previously targeted Federal Bank in December 2024 and focus on critical infrastructure, banking, and technology sectors. 

Potential Risks 

  • Identity Theft & Financial Fraud – Stolen data could be used for fraud or unauthorised transactions. 
  • Reputation Damage & Legal Consequences – ICICI Bank may face regulatory scrutiny and customer trust issues. 
  • National Security Concerns – As a critical infrastructure entity, the breach could have wider implications for India’s financial sector. 

What Customers Should Do 

  • Monitor bank accounts for suspicious transactions. 
  • Change passwords & enable 2FA for extra security. 
  • Be cautious of phishing emails pretending to be from ICICI Bank. 
  • Consider fraud alerts or credit freezes if personal data is compromised. 

The alleged BASHE ransomware attack on ICICI Bank is a stark reminder of the evolving threats facing the banking industry. With millions of customers potentially at risk, the situation demands swift action from both the bank and cyber security experts. 

As the January 24, 2025 deadline approaches, all eyes are on ICICI Bank: will they comply, negotiate, or risk data exposure? Meanwhile, customers must take proactive measures to protect themselves, staying vigilant against fraud, identity theft, and phishing scams. 

In the long run, this incident underscores the need for stronger cyber security frameworks—not just in India, but across the global financial sector. With ransomware groups growing bolder and more advanced, banks must adapt, strengthen defenses, and invest in cutting-edge security to protect their customers and the financial ecosystem at large. 

https://medium.com/@jasbir66/bashe-ransomware-group-targets-icici-bank-a-growing-threat-to-cybersecurity-f5644f798a17 

[Figure: Threat actors targeting financial entities in December 2024]

[Figure: Ransomware vs Finance (last three months)]
Thomas Murray cyber alerts