Cyber Threat Intelligence Weekly Report: March 10–14, 2025
Editor’s Note:
This past week has been a stark reminder that cybercriminals are evolving faster than most organizations can adapt. The trends we’ve tracked indicate a significant shift in attacker methodologies, particularly in how they gain access, maintain persistence, and extort victims.
Initial access brokers (IABs) are flooding dark web markets with high-value corporate credentials. The sale of stolen VPN, RDP, and privileged admin accounts is fueling a rapid increase in double-extortion ransomware attacks—where exfiltration happens before encryption. If your organization is not actively hunting for unauthorized credential use, you’re already behind.
Nation-state actors, particularly China’s Silk Typhoon, are embedding themselves within IT supply chains. This is no longer just about attacking end targets—these groups are breaching trusted third-party providers (MSPs, cloud vendors, and software update mechanisms) to pivot into larger organizations. A breach at a vendor may be the first step toward compromising your network.
Fortinet’s latest zero-day vulnerabilities (CVE-2024-55591 & CVE-2025-24472) are a case study in rapid weaponization. Within days of a proof-of-concept exploit surfacing, ransomware operators had already integrated these vulnerabilities into active attack campaigns. The attack window between disclosure and mass exploitation is shrinking, leaving little room for reactive patching. If your organization still has unpatched FortiGate appliances, assume you’re already on an attacker’s target list.
Ransomware operations have entered a new phase—financial extortion is no longer just about encryption. Triple extortion (data theft + encryption + DDoS threats) is becoming a common tactic, particularly among ransomware-as-a-service (RaaS) affiliates. Security leaders need to move beyond traditional ransomware defenses and assume all critical data must be encrypted at rest to reduce the risk of exposure in extortion schemes.
The reality is clear: Threat actors are optimizing their business models. They have streamlined initial access through credential theft, automated exploitation, and dark web marketplaces. Your ability to adapt must match their speed.
This week’s report will provide a detailed breakdown of how these threats are evolving, where they are coming from, and the immediate actions required to mitigate risk. The security landscape is shifting, and organizations that fail to anticipate these changes will be caught off guard.
Now, let’s get into the intelligence that matters.
Board Summary: Business Impact & Financial Risks
Fortinet Firewall Zero-Day Exploits → Ransomware Deployments
Threat Overview
Fortinet CVE-2024-55591 & CVE-2025-24472 are actively exploited by threat actors to gain administrative control over enterprise firewalls, modify configurations, and facilitate ransomware deployment and espionage operations.
Attackers are leveraging these exploits to:
Modify firewall rules and disable logging to evade detection
Extract VPN credentials and escalate privileges for lateral movement
Install backdoor access points, allowing persistent unauthorized entry
Sell compromised access on underground marketplaces to ransomware affiliates
Business Risks
Full Network Takeover: Attackers can bypass traditional endpoint security and establish command-and-control channels.
Regulatory Penalties: GDPR, SEC, and DORA compliance mandates require disclosure if compromised credentials lead to data breaches.
Financial Impact: Downtime, ransom payments, legal fees, and recovery costs can exceed $4M per incident.
Technical Breakdown: Attack Progression
Initial Exploitation
Attackers scan for Fortinet devices with exposed management interfaces.
They use CVE-2024-55591 to bypass authentication, gaining immediate administrative control.
Privilege Escalation & Persistence
Security monitoring and logging are disabled.
New administrator accounts are created to ensure long-term access, even if patches are applied.
Firewall rules are modified to allow lateral movement into internal networks.
Credential Theft & Lateral Movement
VPN credentials and SSH keys are extracted from firewall configurations.
Attackers pivot into Active Directory, escalate privileges, and deploy SuperBlack ransomware.
Defensive Action Plan
Immediate Steps (Next 24 Hours)
Patch FortiOS immediately (7.0.16+ / 7.2.5+)
Conduct firewall audits for unauthorized administrative accounts
Reset all firewall and VPN credentials, enforcing MFA on all remote access
Block unauthorized outbound connections from security appliances
Ongoing Monitoring & Hardening
Enable strict firewall logging policies to detect unauthorized rule changes
Deploy deception technologies (honeypots) to detect unauthorized credential access
Implement real-time alerting for any firewall configuration modifications
Perform regular penetration testing focusing on firewall and VPN attack vectors
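As an added example (not from the report or from Fortinet), the real-time alerting on configuration changes called for above can be prototyped as a small parser over FortiGate-style event logs; the sample lines, the cfgpath/cfgattr/action field names and the management subnet prefix are constructed assumptions.

```python
import re

# Constructed FortiGate-style configuration-change events (illustrative, not real device
# output); the cfgpath/cfgobj/cfgattr/action field names are assumed to follow FortiOS logs.
SAMPLE_LOGS = [
    'date=2025-03-11 time=02:14:07 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.45)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" '
    'msg="Add system.admin svc_backup"',
    'date=2025-03-11 time=02:15:30 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.45)" action="Edit" cfgpath="log.syslogd.setting" '
    'cfgattr="status[enable->disable]" msg="Edit log.syslogd.setting"',
    'date=2025-03-11 time=02:16:02 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.45)" action="Edit" cfgpath="firewall.policy" cfgobj="7" '
    'cfgattr="action[deny->accept]" msg="Edit firewall.policy 7"',
    'date=2025-03-11 time=09:00:11 type="event" subtype="system" user="netops" '
    'ui="https(10.0.5.20)" action="Edit" cfgpath="system.global" '
    'cfgattr="hostname[fw1->fw-edge1]" msg="Edit system.global"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TRUSTED_MGMT = ("10.0.5.",)  # assumed management subnet prefix; adjust per site

def parse_event(line):
    """Turn a key=value / key="value" log line into a dict."""
    return {k: (q or b) for k, q, b in KV_RE.findall(line)}

def classify(ev):
    """Map a configuration change to (severity, reason), or None when it looks benign."""
    path, action, attr = ev.get("cfgpath", ""), ev.get("action", ""), ev.get("cfgattr", "")
    if path == "system.admin" and action == "Add":
        return "critical", "new administrator account created"
    if path.startswith("log.") and "->disable" in attr:
        return "critical", "logging destination disabled"
    if path == "firewall.policy":
        return "high", f"firewall policy changed ({action})"
    return None

def audit(lines):
    """Return alerts for risky changes, escalating those made from outside the management net."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit is None:
            continue
        sev, reason = hit
        m = re.search(r"\(([\d.]+)\)", ev.get("ui", ""))
        src = m.group(1) if m else "unknown"
        if not src.startswith(TRUSTED_MGMT):
            sev, reason = "critical", reason + " from non-management source"
        alerts.append({"time": f"{ev['date']} {ev['time']}", "user": ev.get("user"),
                       "src": src, "severity": sev, "reason": reason})
    return alerts
```

Feeding the output into the SIEM as its own alert type, rather than relying on the generic firewall event stream, is what closes the gap noted later in this report about SIEMs lacking real-time alerting on admin changes.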
China’s Silk Typhoon APT Targeting IT Supply Chains
Threat Overview
Silk Typhoon, a China-sponsored APT group, has pivoted its attack strategy from direct enterprise targeting to infiltrating IT vendors, MSPs, and SaaS providers. This allows adversaries to leverage trusted third-party access to infiltrate high-value targets while remaining undetected.
Key Findings:
Three MSPs and two cloud vendors were confirmed compromised, impacting hundreds of enterprise customers.
Stolen SaaS authentication tokens, API keys, and privileged credentials were used to escalate privileges across multiple cloud environments.
Silk Typhoon’s attack methodology mirrors that of APT40’s past software supply chain campaigns.
How These Attacks Work
Exploiting MSP Access: Adversaries breach an IT vendor, compromising privileged accounts that allow access to downstream customers.
Cloud Credential Abuse: Attackers steal API tokens and service account credentials to move across hybrid and multi-cloud environments.
Supply Chain Malware Insertion: Compromised software updates carry backdoors that are deployed onto enterprise networks without the customer's knowledge.
Business Risks
Data Exfiltration & Espionage: Intellectual property and sensitive enterprise data are stolen before the attack is detected.
Compliance Violations: Enterprises remain legally responsible for vendor-related breaches under global regulatory frameworks.
Supply Chain Service Disruptions: MSP and cloud provider breaches could result in operational outages affecting multiple customers.
Defensive Action Plan
Immediate Steps (Next 24 Hours)
Conduct a full review of all third-party vendor access controls
Monitor SaaS API activity for unauthorized authentication attempts
Scan cloud environments for overprivileged service accounts
Implement real-time alerting for abnormal third-party user behaviors
Ongoing Monitoring & Hardening
Require IT vendors to enforce strong authentication and access control policies
Deploy cloud security posture management (CSPM) solutions to detect misconfigurations
Mandate continuous penetration testing of vendor access pathways
Implement Zero Trust principles across all third-party integrations
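An added example, not part of the report: a scan for over-privileged service accounts of the kind the 24-hour steps call for, evaluated against constructed AWS-style IAM policy documents; the account names, the policies and the escalation-action list are assumptions, and the list is a starting subset rather than a complete inventory.

```python
import json

# Constructed example policies in AWS IAM policy JSON form; not taken from any real account.
SERVICE_ACCOUNTS = {
    "msp-monitoring-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["cloudwatch:Get*", "cloudwatch:List*"], "Resource": "*"}]},
    "vendor-support-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "backup-agent": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::corp-backups/*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"}]},
}

# Actions that let a holder mint new credentials or assume other identities (an
# illustrative subset; extend it from your own IAM review).
ESCALATION_ACTIONS = {
    "sts:AssumeRole", "iam:PassRole", "iam:CreateAccessKey", "iam:CreateUser",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def findings_for(policy):
    """Return (severity, detail) findings for one policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        all_resources = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(("critical", "wildcard action" + (" on all resources" if all_resources else "")))
            elif action.endswith(":*") and all_resources:
                findings.append(("high", f"service-wide wildcard {action} on all resources"))
            elif action in ESCALATION_ACTIONS and all_resources:
                findings.append(("high", f"escalation-capable {action} on all resources"))
    return findings

def scan(accounts):
    """Map account name -> findings, omitting accounts with none; accepts dicts or JSON strings."""
    report = {}
    for name, policy in accounts.items():
        found = findings_for(policy if isinstance(policy, dict) else json.loads(policy))
        if found:
            report[name] = found
    return report
```

The monitoring role with read-only wildcards on all resources produces no finding, which is the intended signal: the scan targets privilege that can be turned into further access, not breadth of read access.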
Ransomware Surge – Medusa, CL0P, & Triple Extortion Escalation
Threat Overview
Ransomware groups are increasingly shifting to extortion-based attacks, with stolen data used as leverage before encryption.
Triple extortion models now include direct DDoS attacks on victims' public services.
Ransomware-as-a-service (RaaS) affiliates are recruiting insiders for large-scale deployments.
Business Risks
Regulatory fines for exposure of personally identifiable information (PII)
Brand damage and legal exposure from exfiltrated data being sold on dark web forums
Significant operational losses from downtime, ransom payments, and remediation efforts
Defensive Action Plan
Immediate Steps (Next 24 Hours)
Enhance endpoint detection and response (EDR) rules for early-stage ransomware indicators
Deploy deception techniques (fake privileged accounts) to detect ransomware pre-execution
Isolate critical backups in an immutable, air-gapped environment
Ongoing Monitoring & Hardening
Conduct red team exercises simulating ransomware affiliate tactics
Monitor dark web intelligence sources for leaked corporate credentials
Implement AI-based anomaly detection for user behavior analysis
Dark Web Intelligence: Cybercrime Trends & Emerging Threats
Fortinet Exploit Sales Have Skyrocketed
Threat intelligence sources confirm that Fortinet firewall credentials and exploits are now among the most frequently traded assets on dark web marketplaces. Initial access brokers (IABs) are actively monetizing compromised firewalls, providing ransomware affiliates and state-sponsored actors with ready-to-use entry points into corporate networks.
Key Findings
Multiple underground forums have listed Fortinet administrator credentials for sale, with prices ranging from $2,000 to $5,000 per compromised device.
Some access brokers are offering bulk sales of 10–50 compromised Fortinet firewalls to ransomware groups, significantly reducing the time required for network infiltration.
Exploit kits containing automated tools to bypass logging and create persistent VPN tunnels are being advertised, allowing buyers to maintain access even after patches are applied.
Why This Matters
Organizations that applied Fortinet patches late may still be compromised, as attackers create persistent access points before patching occurs.
Enterprises relying on perimeter-based security should assume that any externally exposed firewall could be a potential breach point.
The use of dark web marketplaces to distribute exploits is accelerating ransomware deployment cycles, meaning that attack windows are shortening.
Defensive Actions
Conduct forensic analysis of Fortinet firewalls to detect any unauthorized admin accounts, firewall rule modifications, or outbound connections.
Rotate all VPN credentials stored within Fortinet appliances, as they may have been extracted prior to patching.
Implement deception techniques such as dummy admin accounts to detect and flag unauthorized login attempts.
Monitor for mentions of company IP ranges and credentials on underground forums using dark web intelligence services.
Ransomware Gangs Are Paying Employees to Facilitate Attacks
Dark web recruitment activity indicates that ransomware operators are actively seeking insider assistance to bypass corporate defenses. Employees within IT departments, security teams, and finance divisions are being targeted with financial incentives to provide privileged access.
Key Findings
Recruitment ads on cybercrime forums offer payouts ranging from $100,000 to $500,000 for employees willing to install malware or disable security controls.
Multiple confirmed ransomware incidents this month involved insider collaboration, with employees providing VPN credentials or whitelisting attack infrastructure in firewall settings.
Industries most targeted for insider recruitment include financial services, healthcare, and manufacturing, where privileged access to sensitive systems provides high-impact entry points.
Why This Matters
The insider threat risk associated with ransomware is increasing, meaning traditional perimeter defenses and endpoint security tools are no longer sufficient deterrents.
Organizations need to reconsider how privileged access is granted and monitored, especially for users with administrative control over security tools.
Ransomware groups are adapting their playbooks to include human assets in the attack chain, reducing the need for technical exploit development.
Defensive Actions
Implement behavioral monitoring to detect unusual activity by privileged accounts, such as logging in from new locations or modifying security configurations.
Introduce financial disincentives for employees who assist cybercriminals, including contractual penalties and legal repercussions.
Establish a cybersecurity whistleblower program, allowing employees to anonymously report suspicious recruitment attempts.
Rotate administrative credentials regularly and enforce mandatory multi-party approval for critical system modifications.
Security Tool Effectiveness: What’s Detecting These Threats?
Fortinet Exploitation Detection
Solutions That Perform Well
CrowdStrike Falcon, SentinelOne, and Microsoft Defender successfully detect Fortinet privilege escalation attempts.
Palo Alto Cortex XDR and Darktrace identify anomalous firewall admin activity, flagging unauthorized configuration changes.
Where Defenses Fail
Traditional firewalls often fail to detect unauthorized rule modifications that allow lateral movement post-compromise.
Many SIEM solutions lack real-time alerting on firewall admin changes, allowing attackers to operate undetected.
Ransomware Deployment & Lateral Movement Detection
Solutions That Perform Well
SentinelOne, Microsoft Defender ATP, and deception-based security tools detect ransomware payload execution in real time.
Proactive threat-hunting techniques, including honey tokens and fake admin accounts, have proven effective at exposing ransomware operators before deployment.
Where Defenses Fail
Most SOC teams detect ransomware after encryption begins, rather than identifying early-stage compromise indicators.
Legacy antivirus solutions fail to detect ransomware that operates entirely within memory, bypassing file-based scanning.
Data Exfiltration Prevention
Solutions That Perform Well
Symantec DLP, McAfee Skyhigh, and Microsoft Purview successfully prevent unauthorized file transfers.
Cloud security posture management (CSPM) solutions like Wiz and Prisma Cloud effectively detect unauthorized SaaS data exfiltration.
Where Defenses Fail
Encrypted exfiltration using trusted VPN tunnels often bypasses DLP and firewall controls.
Many organizations lack visibility into third-party applications and APIs accessing sensitive data.
Monday Morning Threat Drill: SOC Team Exercise
Scenario:
Assume that SuperBlack ransomware operators have exploited a Fortinet firewall and gained persistent access through a hidden VPN tunnel. The attacker has created rogue admin accounts and disabled logging to evade detection.
Objective
This exercise simulates an advanced persistent attack using firewall exploitation as the initial access point. The SOC team will need to detect, contain, and neutralize the threat before ransomware deployment occurs.
Step 1: Identify Initial Compromise Indicators
Check Fortinet firewall logs for the creation of new administrator accounts within the last 30 days.
Identify any VPN connections originating from unknown IP addresses, particularly those associated with threat intelligence feeds.
Step 2: Perform a Red Team vs. Blue Team Simulation
Red Team: Simulate an adversary escalating privileges within the firewall, disabling security controls, and pivoting into internal systems.
Blue Team: Detect the attack using SIEM, EDR, and behavioral analytics tools, then implement containment measures.
Step 3: Measure Incident Response Performance
Track how long it takes for the SOC team to identify the rogue administrator accounts.
Assess the effectiveness of existing firewall monitoring rules in detecting unauthorized rule modifications.
Test the ability to block an active ransomware deployment using automated containment policies.
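Added example for Step 1 of the drill, not part of the original exercise: triaging VPN tunnel events from the last 30 days against a threat-intelligence feed and the organisation's known remote ranges, with feed matches sorted to the top of the queue; the log lines, both feeds and the fixed reference time are constructed.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed FortiGate-style SSL-VPN tunnel events (illustrative, not real logs).
VPN_LOGS = [
    'date=2025-03-08 time=23:41:10 type="event" subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-web" user="jsmith" remip="198.51.100.77" msg="SSL tunnel established"',
    'date=2025-03-12 time=03:02:44 type="event" subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-tunnel" user="svc_backup" remip="203.0.113.45" msg="SSL tunnel established"',
    'date=2025-03-13 time=08:15:00 type="event" subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-tunnel" user="mlee" remip="192.0.2.10" msg="SSL tunnel established"',
    'date=2025-01-20 time=11:00:00 type="event" subtype="vpn" action="tunnel-up" '
    'tunneltype="ssl-tunnel" user="jsmith" remip="203.0.113.45" msg="SSL tunnel established"',
]
# Constructed feeds: a threat-intel blocklist and the organisation's known remote-office ranges.
THREAT_INTEL = [ipaddress.ip_network(c) for c in ("203.0.113.0/24",)]
KNOWN_SOURCES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24",)]
REFERENCE_NOW = datetime(2025, 3, 14)  # fixed "now" for the drill; use datetime.now() live
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn a key=value / key="value" log line into a dict."""
    return {k: (q or b) for k, q, b in KV_RE.findall(line)}

def in_any(ip, networks):
    return any(ip in net for net in networks)

def triage_vpn(lines, now=REFERENCE_NOW, window_days=30):
    """Flag tunnel-up events in the window whose source is on the TI feed or outside known ranges.

    Threat-intel matches sort first so analysts work the highest-confidence hits immediately."""
    cutoff = now - timedelta(days=window_days)
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("subtype") != "vpn" or ev.get("action") != "tunnel-up":
            continue
        ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        if ts < cutoff:
            continue  # outside the drill window
        ip = ipaddress.ip_address(ev["remip"])
        if in_any(ip, THREAT_INTEL):
            reason = "source on threat-intel feed"
        elif not in_any(ip, KNOWN_SOURCES):
            reason = "source outside known ranges"
        else:
            continue
        flagged.append({"time": ts.isoformat(), "user": ev["user"],
                        "remip": str(ip), "reason": reason})
    flagged.sort(key=lambda f: (f["reason"] != "source on threat-intel feed", f["time"]))
    return flagged
```

Widening window_days is the quickest way to check whether a flagged source was already connecting before the patch was applied, which is the "persistent access before patching" case the dark web section warns about.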
General Cyber News & Emerging Threats
DDoS Attack Against X (Twitter) Disrupts Global Users
On March 10, 2025, the social media platform X suffered a massive DDoS attack, causing outages for more than 40,000 users worldwide.
Attribution: Pro-Palestinian hacktivist group Dark Storm Team claimed responsibility.
Impact:
Service degradation across North America and Europe.
Increased botnet traffic targeting X’s infrastructure, indicating a large-scale, coordinated attack.
Security Implications:
DDoS-for-hire services are expanding, posing risks for enterprises and financial platforms.
Organizations should monitor geopolitical tensions as potential catalysts for hacktivist-driven cyberattacks.
AI-Generated Malware on the Rise
On March 11, 2025, researchers detected a new AI-driven malware strain capable of dynamically modifying its execution flow to evade detection.
What Makes It Dangerous:
The malware autonomously alters its code in response to security tools, making signature-based detection ineffective.
AI-powered attacks can prioritize high-value targets based on contextual analysis of compromised environments.
Security Implications:
Traditional endpoint security solutions must transition to behavior-based anomaly detection.
Red teams should incorporate AI-driven malware tactics into penetration testing scenarios.
Visa’s Global Crackdown on Online Scams
On March 12, 2025, Visa’s fraud detection team announced a major disruption effort that prevented over $350M in fraudulent transactions.
Key Findings:
AI voice-cloning scams are increasingly used for phishing attacks.
Scam networks are leveraging paid advertising on social media to target victims.
Security Implications:
Financial institutions must enhance fraud prevention with AI-based detection.
Organizations should monitor for fake brand impersonation campaigns on social media platforms.
Final Considerations:
Firewalls and security appliances are now prime adversary targets.
Ransomware operators are shifting toward multi-layered extortion models.
Nation-state actors are prioritizing IT supply chain infiltration.
Organizations must transition from compliance-based security to proactive adversary detection.