Malware Activity
DanaBot Resurfaces with New Infrastructure and Crypto Channels After Operation Endgame Takedown
Six (6) months after its takedown in Operation Endgame, the DanaBot malware has reemerged as version 669, with a rebuilt command-and-control (C2) infrastructure that uses Tor domains and "backconnect" nodes. Researchers at Zscaler ThreatLabz report that the operators now use multiple cryptocurrency wallets (BTC, ETH, LTC, and TRX) to collect stolen funds. Originally identified by Proofpoint as a Delphi-based banking trojan sold under a malware-as-a-service (MaaS) model, DanaBot has evolved into a modular infostealer and loader that harvests credentials and cryptocurrency wallet data from browsers. Despite the global law enforcement disruption in May, the operators have rebuilt the network, illustrating how resilient such operations are when key actors remain free to operate. DanaBot continues to spread through phishing emails, SEO poisoning, and malvertising campaigns that can lead to follow-on ransomware infections. CTIX analysts advise organizations to follow Zscaler's guidance, apply the updated indicators of compromise (IoCs), and strengthen endpoint defenses to mitigate renewed DanaBot activity.
Threat Actor Activity
NHS Supplier Synnovis Wraps Up Investigation into 2024 Qilin Ransomware Attack that Left One Patient Dead
Synnovis has concluded its complex 18-month investigation into the June 2024 ransomware attack by the Qilin cybercrime group, which severely disrupted pathology services across London and is believed to have contributed to at least one (1) patient's death. The attack exposed sensitive data, including NHS numbers, names, dates of birth, and in some cases intimate medical details such as cancer diagnoses and sexually transmitted infections. CaseMatrix estimates that data belonging to more than 900,000 NHS patients was compromised, a figure Synnovis has not confirmed. The investigation was slowed by the fragmented and unstructured nature of the stolen data, which required specialized platforms and processes to reassemble. Synnovis has begun notifying affected NHS organizations, which are responsible under UK data protection law for informing individual patients; the company warned that patient notifications may take time and advised patients to check their healthcare providers' websites for updates. Synnovis and its NHS Trust partners chose not to pay a ransom, citing ethical principles and a refusal to fund future cybercriminal activity. Qilin, suspected to be of Russian origin, typically uses double-extortion tactics: exfiltrating data before encrypting systems, then threatening to publish the stolen material if the ransom is not paid. The group told The Register that its attack on Synnovis was deliberate, stating that "all of our attacks are not accidental" and that it targets companies affiliated with the political elites of certain countries. Synnovis has replaced all affected infrastructure, but the attackers' initial access vector remains undetermined.
Vulnerabilities
CISA Orders Urgent Patching of Cisco ASA and Firepower Zero-Days Amid Ongoing ArcaneDoor Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-03, which requires all U.S. Federal Civilian Executive Branch (FCEB) agencies to immediately patch two (2) actively exploited vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower devices, tracked as CVE-2025-20362 and CVE-2025-20333. Chained together, the flaws allow an unauthenticated remote attacker to take full control of a vulnerable device. Cisco patched them in September and confirmed they had been exploited as zero-days in the ArcaneDoor campaign, which has targeted government networks since late 2023. Despite the earlier warnings, CISA found that some agencies incorrectly believed their systems were fully updated, leaving thousands of devices still exposed (more than 30,000 globally, according to Shadowserver). CISA stressed that agencies must verify they have applied the correct fixed software versions and must patch every ASA and Firepower device, not only those exposed to the Internet. The directive aligns with broader federal mitigation efforts, which also include emergency patching for Samsung and WatchGuard Firebox vulnerabilities exploited in recent zero-day campaigns. Although the mandate applies only to FCEB agencies, CTIX analysts urge all administrators of affected Cisco devices to confirm they are protected against this exploit chain.
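The verification step CISA describes, as an added example that is not CISA's or Cisco's tooling: a Python script that parses `show version` output from ASA and Firepower Threat Defense (FTD) devices and compares the running release, interim build number included, against an operator-supplied fixed-release table, flagging every device in an inventory regardless of whether it is Internet-facing. The thresholds in `FIXED_RELEASES`, the hostnames, and the `show version` text are placeholders constructed for this example; the real fixed releases must be taken from Cisco's advisory for CVE-2025-20333 and CVE-2025-20362 before the script is used against live inventory.

```python
"""Triage Cisco ASA / FTD 'show version' output against a fixed-release table.
Added example; not Cisco's or CISA's tooling."""
import re

# ASSUMPTION: placeholder thresholds for illustration only. Replace every entry
# with the fixed release listed in Cisco's advisory for CVE-2025-20333 and
# CVE-2025-20362 before running this against real devices.
FIXED_RELEASES = {
    "ASA": {"9.16": "9.16(4)85", "9.18": "9.18(4)67", "9.20": "9.20(4)10"},
    "FTD": {"7.0": "7.0.9", "7.2": "7.2.10"},
}

ASA_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+\.\d+\(\d+\)\d*)")
FTD_RE = re.compile(r"Firepower Threat Defense.*?Version (\d+(?:\.\d+){2,3})")


def parse_version(version: str) -> tuple:
    """'9.16(4)67' -> (9, 16, 4, 67); '7.2.9' -> (7, 2, 9).
    Tuple comparison then orders releases correctly: a base maintenance
    release such as 9.16(4) sorts below any interim build 9.16(4)N, which is
    exactly the distinction an operator misses when they assume "9.16(4)" is
    the same as "patched"."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def detect_product(show_version: str):
    """Return (product, version string) from 'show version' text, or None."""
    m = ASA_RE.search(show_version)
    if m:
        return "ASA", m.group(1)
    m = FTD_RE.search(show_version)
    if m:
        return "FTD", m.group(1)
    return None


def assess(show_version: str, fixed=FIXED_RELEASES) -> dict:
    """Classify one device as fixed / vulnerable / unsupported-train / unknown."""
    found = detect_product(show_version)
    if found is None:
        return {"status": "unknown", "reason": "no ASA/FTD version string found"}
    product, version = found
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    threshold = fixed[product].get(train)
    result = {"product": product, "version": version, "train": train}
    if threshold is None:
        # A train absent from the table has no fixed build in our data: treat it
        # as action-required (migrate to a supported train), never as "fixed".
        result.update(status="unsupported-train", fixed=None)
    elif parsed >= parse_version(threshold):
        result.update(status="fixed", fixed=threshold)
    else:
        result.update(status="vulnerable", fixed=threshold)
    return result


def triage(inventory: dict) -> list:
    """Run assess() over every device, internal or Internet-facing alike, and
    return the sorted hostnames that still need action. Devices whose version
    could not be read are included so they get a manual check."""
    return sorted(h for h, text in inventory.items() if assess(text)["status"] != "fixed")


# Constructed sample inventory (abridged 'show version' text, not captured
# from real devices; hostnames are placeholders).
SAMPLE_INVENTORY = {
    "edge-asa-1": "Cisco Adaptive Security Appliance Software Version 9.16(4)67\nDevice Manager Version 7.16(1)\n",
    "edge-asa-2": "Cisco Adaptive Security Appliance Software Version 9.16(4)85\nDevice Manager Version 7.16(1)\n",
    "dc-asa-1": "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n",
    "branch-ftd-1": "--------------------[ ftd ]--------------------\nModel : Cisco Firepower Threat Defense for VMware (75) Version 7.2.9 (Build 72)\n",
    "lab-switch": "Cisco IOS XE Software, Version 17.09.04a\n",
}

if __name__ == "__main__":
    for host, text in SAMPLE_INVENTORY.items():
        print(host, assess(text))
    print("needs action:", triage(SAMPLE_INVENTORY))
```

The comparison is done on the full version tuple rather than on the train alone, because that is where the "we thought we were patched" mistake arises: a device on the right maintenance release but an older interim build looks updated to a casual check and still fails the comparison here. Feeding the script the output of `show version` collected from every ASA and FTD in inventory, not just the ones with a public interface, matches the scope CISA describes.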
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.