In today’s cybersecurity news…
Proton recovers from worldwide outage
The privacy firm Proton is dealing with a massive outage that started at 10:00 a.m. Eastern time yesterday, leaving users unable to access Proton VPN, Mail, Calendar, Drive, Pass, and Wallet. Most services were restored quickly. Proton Mail came back later, at 1:09 p.m., and Calendar was still unavailable as of the time of this recording. Proton has not yet explained the cause of the outage.
BayMark Health Services announces data breach
North America’s largest provider of substance use disorder (SUD) treatment and recovery services is notifying patients that their personal and health information was stolen in a September 2024 breach. BayMark said it learned of the breach on October 11, 2024, following “an IT systems disruption,” and determined that the attackers had access to its systems between September 24 and October 1. The number of individuals being sent letters was not disclosed. The stolen data includes Social Security numbers, driver’s license numbers, dates of birth, services received, and insurance information. Based in Texas, the organization provides medication-assisted treatment for substance use and mental health disorders at more than 400 service sites across 35 U.S. states and three Canadian provinces.
U.S. Treasury breach linked to Silk Typhoon group
Following up on a story we have been watching these past few weeks, it has now been revealed that the Silk Typhoon APT group was responsible for the Treasury hack. Using a stolen Remote Support SaaS API key belonging to third-party cybersecurity vendor BeyondTrust, the group was able to steal data from workstations in the Office of Foreign Assets Control (OFAC) as well as the Treasury Department’s Office of Financial Research. Silk Typhoon, which Microsoft previously tracked as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations. The “Typhoon” appellation is a Microsoft convention for labelling Chinese APT groups, in the same way Blizzard is used for Russian threat actors, Sleet for North Korean threat actors, and Sandstorm for Iranian threat actors.
Russian ISP confirms Ukrainian hackers “destroyed” its network
Hacktivists from the Ukrainian Cyber Alliance group announced on Tuesday that they had breached the network of Russian internet service provider Nodex and wiped its systems after stealing sensitive documents, leaving only “empty equipment without backups.” The hackers showed off screenshots of the ISP’s VMware, Veeam Backup, and Hewlett Packard Enterprise virtual infrastructure compromised during the breach.
Huge thanks to our sponsor, Nudge Security

CISA adds Ivanti products and ZTA Gateways flaw to its KEV catalog
The Ivanti Connect Secure vulnerability, tracked as CVE-2025-0282 with a CVSS score of 9.0, was added to the agency’s Known Exploited Vulnerabilities catalog; the flaw also affects Ivanti’s ZTA Gateways. CISA stated that “successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution,” and that the companion flaw, CVE-2025-0283, “could allow a local authenticated attacker to escalate privileges.” Although, as usual, private companies are also urged to update their systems, the KEV addition means that federal agencies must address the vulnerability by January 15.
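For teams that track KEV deadlines, the following is an added example, not part of the newscast or of any CISA tooling. It parses a catalog in the shape of CISA’s public KEV JSON feed and reports entries that are due within a chosen window or already overdue, optionally filtered by vendor. The sample catalog embedded below is constructed by hand: only the Ivanti CVE and its January 15 due date come from the story, and the “ExampleVendor” entries are placeholders so the filters have something to exclude.

```python
"""Flag CISA KEV entries that are due soon or overdue.

Added example, not code from the original newscast. The sample document is
constructed in the shape of CISA's KEV JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
swap SAMPLE_KEV_JSON for the downloaded feed text to run it against real data.
"""
import json
from datetime import date, timedelta

# Constructed sample. CVE-2025-0282, the Ivanti vendor name and the 2025-01-15
# due date come from the story; the CVE-2024-0000x entries are placeholders.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.01.08",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-0282",
            "vendorProject": "Ivanti",
            "product": "Connect Secure and ZTA Gateways",
            "shortDescription": "Unauthenticated remote code execution",
            "dateAdded": "2025-01-08",
            "dueDate": "2025-01-15",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder entry, already past due
            "cveID": "CVE-2024-00001",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2024-11-01",
            "dueDate": "2024-11-22",
            "knownRansomwareCampaignUse": "Known",
        },
        {   # placeholder entry, due a month out
            "cveID": "CVE-2024-00002",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2025-01-07",
            "dueDate": "2025-02-07",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(text):
    """Parse a KEV feed document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _due_date(entry):
    """Return the entry's dueDate as a date, or None if it is absent or malformed."""
    try:
        return date.fromisoformat(entry["dueDate"])
    except (KeyError, TypeError, ValueError):
        return None


def due_within(entries, today, days, vendor=None):
    """CVE IDs whose remediation deadline falls between today and today+days.

    Entries already past due are excluded (see overdue()). When vendor is
    given, vendorProject must match it case-insensitively. Results are sorted
    by due date so the most urgent item comes first.
    """
    horizon = today + timedelta(days=days)
    hits = []
    for entry in entries:
        if vendor and entry.get("vendorProject", "").lower() != vendor.lower():
            continue
        due = _due_date(entry)
        if due is None or due < today or due > horizon:
            continue
        hits.append((due, entry["cveID"]))
    return [cve for _, cve in sorted(hits)]


def overdue(entries, today):
    """CVE IDs whose KEV due date has already passed."""
    return sorted(entry["cveID"] for entry in entries
                  if (_due_date(entry) or today) < today)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    today = date(2025, 1, 9)
    print("Due within 7 days:", due_within(catalog, today, 7))
    print("Ivanti only:      ", due_within(catalog, today, 7, vendor="Ivanti"))
    print("Overdue:          ", overdue(catalog, today))
```

Entries with a missing or malformed dueDate are skipped rather than treated as due, so a feed-format change fails quiet; if you run this on a schedule, also alert when the skipped count is non-zero.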
Casio releases information on their October ransomware attack
The electronics company has published a post-mortem on the October 5 attack, stating that 6,456 employees, 1,931 business partners and 91 customers were affected by the ransomware incident. An outside cybersecurity firm attributed the intrusion to phishing emails that let the attackers into Casio’s servers on October 5. The employees had PII stolen, the affected business partners had basic company information stolen, and the customers had PII along with product purchase information stolen. The attack was claimed by the Underground ransomware gang, which said it stole more than 200 GB of data; beyond the data theft, the incident caused the company weeks of delivery delays.
Critical flaw in GFI KerioControl allows remote code execution
GFI KerioControl is a network security product that provides firewall functionality and unified threat management capabilities such as threat detection and blocking, traffic control, intrusion prevention, and VPN features. Security researcher Egidio Romano published a writeup of the vulnerability on December 16, explaining that the flaw is a reflected cross-site scripting (XSS) issue that can be exploited to perform one-click RCE attacks against the appliance. Threat intelligence firm Censys says it has observed “almost 24,000 GFI KerioControl instances accessible from the internet, many of which are in Iran. However, it is unclear how many of these are vulnerable.”
Medical billing firm Medusind announces data breach
The Florida-based medical and dental billing and revenue cycle management company says an intrusion that occurred on December 29, 2023, affected just over 360,000 people, exposing PII, health information, Social Security numbers and other government identification numbers. SecurityWeek notes that “while Medusind’s brief description of the incident suggests that the company may have been targeted in a ransomware attack, SecurityWeek has not seen any known cybercrime group taking credit for the breach.”