🛡️ Darkwire Weekly — Issue #2

Your No-Fluff Cybersecurity & Privacy Brief - Week of May 26, 2025

🚨 Top Threats This Week

  1. Interlock Ransomware Hits Major Hospital

Kettering Health (14 hospitals in Ohio) suffered a system-wide IT outage forcing cancellation of procedures after a cyberattack suspected to be Interlock ransomware. Threat intel reports link the breach to the “Nefarious Mantis” actor, with the Interlock gang threatening to leak stolen data if the hospital doesn’t negotiate.

  2. Chinese APT Exploits Ivanti Zero-Day at Scale

A Chinese state-affiliated group (UNC5221) has been exploiting a zero-day RCE in Ivanti Endpoint Manager Mobile (EPMM) – CVE-2025-4428 – to breach high-profile targets worldwide. Ivanti patched the flaw on May 13, but since May 15 attackers have used it to infiltrate organizations including national healthcare systems, telecoms, government agencies, and manufacturers across the US, Europe, and Asia. The campaign appears aimed at espionage, with attackers dumping credentials and installing backdoors for ongoing access.

🔍 Dark Web Watch

  • Ransomware Gang Leaks Its Own Source Code: The VanHelsing ransomware-as-a-service crew preemptively leaked the source code for its admin panel, leak site, and Windows encryptor builder on a hacker forum. This move was a bid to undercut a rogue former developer who tried selling VanHelsing’s code on the RAMP cybercrime forum for $10,000 (bleepingcomputer.com). By open-sourcing their old toolkit, the operators both punished the insider and warned others against using the stolen code.

  • Massive Healthcare Data Dump by Interlock: The Interlock ransomware gang has listed healthcare giant DaVita as a victim on its dark web leak site, releasing 1.5 TB of data (nearly 700,000 files) allegedly stolen from the company’s systems. DaVita, a Fortune 500 dialysis provider, had been breached earlier this month – and Interlock’s leak of sensitive patient and business data is likely an effort to pressure payment. (Notably, Interlock is the same group implicated in the Kettering Health attack above.)

🛡️ Recent CVEs You Should Know

  • CVE-2025-4428 (Ivanti EPMM RCE): A critical code injection vulnerability in Ivanti’s mobile device management platform, exploited in the wild by a Chinese threat actor. It allows remote code execution via crafted API calls. Patch available: Ivanti issued fixes on May 13, 2025 (along with an auth bypass CVE-2025-4427) and admins should update immediately.

  • CVE-2025-34027 (Versa Concerto Auth Bypass/RCE): A newly disclosed critical bug in Versa Networks’ Concerto portal (score 10.0) that lets attackers bypass authentication and achieve remote code execution. By exploiting a URL decoding race condition, an unauthenticated attacker could upload malicious files and gain full control over the system. No patch yet: This and two related Versa bugs (CVE-2025-34026, -34025) remain unpatched as of this week, so affected organizations should restrict access to Concerto and monitor for updates.

  • CVE-2025-4918 & CVE-2025-4919 (Firefox 0-days): Two Firefox vulnerabilities demonstrated at Pwn2Own Berlin 2025 (out-of-bounds read/write issues in the JS engine) were patched in Firefox’s emergency May 19 update. While not known to be exploited in the wild, these flaws could potentially allow code execution. Patch available: Update Firefox to the latest version (Firefox 116.0.1 or later) to get these fixes.

🛠️ Tools & Resources

  • Qtap (GitHub): A lightweight eBPF-based tool for Linux that intercepts network data before or after encryption without requiring any app modifications.

  • TrailAlerts (GitHub): A serverless AWS-native alerting framework for CloudTrail logs that uses Sigma rules to detect suspicious activity.
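
As an added illustration of the Sigma-over-CloudTrail idea behind TrailAlerts (example code written here, not TrailAlerts’ own; the rule mirrors the shape of a public Sigma rule for CloudTrail logging changes, and the events are constructed): a minimal matcher that flags StopLogging, UpdateTrail or DeleteTrail calls.

```python
"""Minimal Sigma-style matcher over CloudTrail events (added example)."""
from typing import Any

# Sigma-style rule expressed as a dict (the YAML 'detection' section).
# Assumed semantics: fields in a selection are AND-ed, list values are OR-ed.
RULE = {
    "title": "AWS CloudTrail Logging Disabled or Trail Modified",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventSource": "cloudtrail.amazonaws.com",
            "eventName": ["StopLogging", "UpdateTrail", "DeleteTrail"],
        },
        "condition": "selection",
    },
    "level": "high",
}

# Constructed CloudTrail records; the account id and principals are fictitious.
EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci"}},
]


def _field_matches(value: Any, expected: Any) -> bool:
    """Sigma list values are OR-ed; a scalar must match exactly."""
    return value in expected if isinstance(expected, list) else value == expected


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field of the selection must match the event (AND semantics)."""
    return all(_field_matches(event.get(k), v) for k, v in selection.items())


def evaluate(rule: dict, events: list) -> list:
    """Return the events that satisfy the rule; only 'condition: selection' is handled."""
    det = rule["detection"]
    if det.get("condition") != "selection":
        raise ValueError("only 'condition: selection' is supported in this example")
    return [e for e in events if selection_matches(det["selection"], e)]


def alert_arns(rule: dict = RULE, events: list = EVENTS) -> list:
    """Principals that triggered the rule, as an alert would report them."""
    return [e["userIdentity"]["arn"] for e in evaluate(rule, events)]


if __name__ == "__main__":
    for arn in alert_arns():
        print(f"[{RULE['level']}] {RULE['title']}: {arn}")
```

Only the first record matches: the second is a read-only DescribeTrails call and the third comes from a different event source, so field-level AND logic keeps the alert precise.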

(Bonus: Also noteworthy is Checkov, an open-source IaC scanner that checks Terraform, K8s, and Docker configs for misconfigurations, secrets, and known vulnerabilities (thehackernews.com) – a handy tool to catch security issues early in the dev cycle.)

📚 Quick Bytes

  • Global Ransomware Crackdown: Law enforcement agencies led by Europol and the FBI seized 300 servers and 650 domains used by ransomware operations, as part of “Operation Endgame.”

  • 3AM Ransomware’s New Trick: A newcomer ransomware affiliate dubbed 3AM is using aggressive social engineering – email bombing employees’ inboxes and posing as IT support in spoofed calls – to overwhelm targets and steal VPN credentials for network access. 

  • Bumblebee Loader via SEO Poisoning: Attackers are pushing the Bumblebee malware loader by creating fake download pages for popular IT tools (like Zenmap and WinMRT) and using SEO poisoning to make them rank high on Google. 

👀 Privacy Tip of the Week

Audit Your App Permissions: Take a few minutes this week to review the permissions on your smartphone apps. Many apps collect far more data than they truly need. On iOS or Android, go into Settings and check which apps can access sensitive info like your location, contacts, camera, microphone, etc. Revoke any permissions that aren’t essential.

👋 Stay sharp,

– The Darkwire Weekly Team
darkwireweekly.com
