Vercara’s Open-Source Intelligence (OSINT) Report – July 18 – July 24, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Anne Arundel Dermatology Data Breach Impacts 1.9 Million People

(TLP: CLEAR) Anne Arundel Dermatology (AAD), a multi-state dermatology provider, experienced a prolonged cybersecurity incident from February 14 to May 13, 2025. During this window, threat actors gained unauthorized access to internal systems, potentially compromising sensitive data for approximately 1.9 million individuals. AAD initiated containment protocols immediately upon detection, followed by a forensic investigation to assess the scope and impact. By May 20, investigators confirmed that certain accessed files contained personally identifiable information (PII) and protected health information (PHI). Notifications were issued on June 27, advising affected individuals to monitor for identity theft or fraud. AAD has not currently identified any evidence of data exfiltration or misuse. It is also offering 24 months of identity protection services and recommends proactive monitoring of financial accounts and credit reports. The breach has been officially logged with the U.S. Department of Health and Human Services. No group has claimed responsibility, and attribution remains undetermined. This incident highlights the critical need for robust intrusion detection, extensive monitoring, and continuous security posture assessment in healthcare environments. Engineers and IT professionals should treat this as a case study in breach containment and post-incident communication strategy.

(TLP: CLEAR) Comments: The Anne Arundel Dermatology breach highlights critical gaps in detection and response protocols. A three-month intrusion window suggests insufficient monitoring or delayed alerting, which is especially concerning for an organization managing PHI. While containment and notification steps were eventually taken, the delay between breach confirmation and public disclosure raises compliance concerns. The lack of attribution also points to a need for stronger threat intelligence integration. Moving forward, AAD should prioritize employee security awareness, malware protections, and enhanced training so that its security personnel can adopt threat hunting.

(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and The Health Information Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:

  • Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks.
  • Implementing procedures to guard against and detect malicious software.
  • Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections.
  • Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://securityaffairs.com/180100/data-breach/anne-arundel-dermatology-data-breach-impacts-1-9-million-people.html

Ransomware Deployed in Compromised SharePoint Servers

(TLP: CLEAR) A China-based threat actor known as Storm-2603 has been actively exploiting vulnerabilities in Microsoft SharePoint on-premises servers (CVE-2025-53770 and CVE-2025-53771) to deploy the Warlock ransomware. Microsoft disclosed the campaign on July 23, warning organizations to expand their mitigation strategies beyond patching, including ransomware-specific defenses. The attack chain, dubbed “ToolShell,” involves sophisticated exploitation techniques that bypass identity controls and escalate privileges within compromised environments. Storm-2603 is one of three groups targeting these SharePoint flaws, alongside Linen Typhoon and Violet Typhoon—both known Chinese nation-state actors focused on intelligence gathering. While Storm-2603 has previously deployed LockBit ransomware, Microsoft has not confirmed its current motives, which may include both financial gain and disruptive reconnaissance. Over 400 SharePoint systems have been compromised across four attack waves between July 17 and 21, following the release of a public proof-of-concept exploit on GitHub. High-profile U.S. government agencies—including the Department of Education, DHHS, DHS, and the National Nuclear Security Administration—are among the confirmed victims. Microsoft has urged all on-prem SharePoint users to assume compromise, rotate cryptographic material, engage incident response teams, and consider disconnecting vulnerable servers from the internet to prevent further damage.

(TLP: CLEAR) Comments: The recent attacks on Microsoft SharePoint servers are a serious reminder of how quickly cyber threats can escalate. A group believed to be based in China used flaws in SharePoint to install ransomware, affecting over 400 systems—including several U.S. government agencies. Even organizations that patched the vulnerabilities were still at risk, which shows that patching alone isn’t enough. Microsoft is urging companies to take extra steps like disconnecting vulnerable servers from the internet and rotating security credentials. These attacks highlight the importance of strong malware protection, regular system reviews, and application protection.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”

Web Security Top 10 A03:2021 – Injection: “An application is vulnerable to attack when:

  • User-supplied data is not validated, filtered, or sanitized by the application.
  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
  • Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.”

One way to validate input on the server side is through a Web Application Firewall.

OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”

(TLP: CLEAR) DigiCert: DigiCert’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines, using both defined categories (including botnet Command and Control (C2)) and machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://www.infosecurity-magazine.com/news/ransomware-compromised-sharepoint/

Attacks Targeting Linux SSH Servers to Install SVF DDoS Bot

(TLP: CLEAR) The AhnLab Security Intelligence Center (ASEC) has identified a surge in cyberattacks targeting poorly secured Linux servers, particularly those with SSH services using weak or default credentials. These attacks are primarily conducted by DDoS and cryptocurrency mining threat actors who exploit exposed servers. Using honeypots, ASEC recently discovered a specific campaign that weaponizes DDoS bot malware known as SVF Botnet. Developed in Python, SVF Botnet stands out for its use of Discord as its command-and-control (C&C) infrastructure and its ability to route traffic through multiple proxy servers during attacks. Once attackers gain access to a vulnerable Linux system, they deploy SVF Bot by downloading and running a Python script that installs necessary libraries and sets up the malware. The bot identifies itself as being developed by a group called “SVF Team,” allegedly created as a more functional alternative to a failed PuTTY-based botnet. Upon execution, SVF Bot authenticates with Discord using a hardcoded bot token and assigns the infected server to a specific group. This grouping allows the threat actor to issue DDoS commands to multiple bots simultaneously, based on their assigned group. SVF Bot is designed primarily for launching DDoS attacks and includes both Layer 7 (HTTP Flood) and Layer 4 (UDP Flood) methods. A key feature of the bot is its proxy support system, which enhances its anonymity and evasion capabilities. It scrapes proxy addresses from ten public proxy listing websites and validates them by attempting to log into Google with each address. Only functional proxies are used in subsequent attacks, ensuring greater effectiveness and obfuscation.

(TLP: CLEAR) Comments: The SVF Botnet highlights several troubling trends in the evolving threat landscape. Most notably, its use of Discord as a command-and-control (C&C) platform marks a shift toward abusing legitimate, widely used communication tools to hide malicious activity in plain sight. This tactic makes detection and disruption more difficult, as traffic to services like Discord is typically trusted and often overlooked by security systems. Another concerning feature is the bot’s ability to automatically scrape and validate public proxy servers, allowing it to rotate through functional proxies to mask the origin of its DDoS attacks. This not only enhances the botnet’s anonymity but also increases the complexity of mitigation efforts.
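As an added illustration (not code from ASEC’s report or from the SVF samples), the following Python snippet shows the host-side detection that catches the initial-access stage described above: repeated SSH password failures from one source followed by an accepted login. The auth.log lines, hostname, source addresses, thresholds and window are constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth.log password events; unknown accounts carry an "invalid user" prefix.
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# Assumed thresholds: FAIL_THRESHOLD failures within WINDOW_SECONDS, then a success.
FAIL_THRESHOLD = 3
WINDOW_SECONDS = 300

def parse_line(line, year=2025):
    """Return a dict for password auth events, None for anything else.
    syslog timestamps carry no year, so one is supplied (assumed 2025)."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_brute_force_success(lines):
    """Alert on source IPs whose password guessing ended in an accepted login."""
    recent_failures = defaultdict(deque)  # ip -> failure timestamps inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # expire failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= FAIL_THRESHOLD:
            alerts.append({"ts": ev["ts"].isoformat(), "ip": ev["ip"],
                           "user": ev["user"], "failures": len(q),
                           "rule": "ssh-password-guessing-succeeded"})
            q.clear()
    return alerts

# Constructed sample auth.log (documentation IP ranges, not real traffic).
SAMPLE_AUTH_LOG = [
    "Jul 22 10:01:12 web01 sshd[2311]: Failed password for root from 203.0.113.10 port 51234 ssh2",
    "Jul 22 10:01:14 web01 sshd[2313]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2",
    "Jul 22 10:01:17 web01 sshd[2315]: Failed password for root from 203.0.113.10 port 51246 ssh2",
    "Jul 22 10:01:20 web01 sshd[2320]: Accepted password for root from 203.0.113.10 port 51250 ssh2",
    "Jul 22 10:01:21 web01 sshd[2320]: pam_unix(sshd:session): session opened for user root",
    "Jul 22 10:05:00 web01 sshd[2401]: Failed password for alice from 198.51.100.7 port 40012 ssh2",
    "Jul 22 10:05:10 web01 sshd[2403]: Accepted password for alice from 198.51.100.7 port 40018 ssh2",
]

if __name__ == "__main__":
    for alert in detect_brute_force_success(SAMPLE_AUTH_LOG):
        print(alert)
```

A single mistyped password before a successful login (the second source above) stays below the threshold, so only the guessing sequence from 203.0.113.10 raises an alert.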

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to follow during a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should use DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as DigiCert’s UltraDDoS Protect.

(TLP: CLEAR) DigiCert: DigiCert UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, DigiCert’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.

Source: https://asec.ahnlab.com/en/89083/

New “LameHug” Malware Deploys AI-Generated Commands

(TLP: CLEAR) Ukrainian authorities have uncovered a new and sophisticated malware strain called LameHug, which leverages an AI-powered large language model (LLM) to generate system commands on compromised Windows machines. Identified by CERT-UA, the malware has been observed in recent cyber-attacks targeting Ukraine’s security and defense sectors. The attack campaign has been attributed, with moderate confidence, to APT28, a Russian state-sponsored hacking group affiliated with the GRU and known as Fancy Bear, Sednit, and Sofacy Group. LameHug is distributed through phishing emails containing a ZIP file attachment disguised as an official government document. The archive contains a .pif file built with PyInstaller, which CERT-UA has confirmed to be the malware payload. Developed in Python, LameHug stands out due to its integration with the Hugging Face API, allowing it to interact with Alibaba’s open-source Qwen2.5-Coder-32B-Instruct LLM. This enables the malware to dynamically generate system commands during an intrusion, eliminating the need for pre-packaged payloads and making it more evasive against static analysis and traditional security tools. LameHug demonstrates a dangerous convergence of advanced AI tools with state-sponsored cyber warfare, raising new concerns about the evolving capabilities of threat actors in global conflict zones.

(TLP: CLEAR) Comments: The discovery of the LameHug malware is especially concerning because it shows how cybercriminals are again using artificial intelligence in new malicious ways. Instead of relying on traditional, pre-written instructions, this malware can ask a powerful AI system what to do once it infects a computer, giving it the ability to think on its feet. This makes it much harder for antivirus programs to recognize or stop it, because the malware can change its behavior on the spot. What’s even more troubling is that this attack was linked to APT28. Their use of real government-style emails to trick people into opening infected files shows just how convincing these scams can be. This isn’t just about one piece of malware; it’s part of a bigger trend where state-sponsored hackers are starting to use AI to make their attacks smarter and more effective. Tools that were designed to help people write code or solve problems can be weaponized. This incident is a reminder that AI isn’t just a tool for good; it can also be abused, and both governments and the public need to be aware of how fast the cyber threat landscape is changing.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
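To make the categorization and DGA heuristics in the CISA excerpt concrete, here is an added Python example (not CISA’s or DigiCert’s code) that applies a category feed and an entropy-based DGA check to constructed resolver log lines. The feed entries, the .example domains, the thresholds and the vowel-ratio second signal are assumptions for the example; it also shows why entropy alone is not enough, since a long hyphenated legitimate name scores high on entropy too.

```python
import math
from collections import Counter

# Constructed category feed standing in for the threat-intelligence feeds a
# PDNS service consumes; the .example names are illustrative, not real IoCs.
CATEGORY_FEED = {
    "login-micros0ft-verify.example": "phishing",
    "update-cdn-c2.example": "c2",
    "bets-online.example": "gambling",
}
BLOCKED_CATEGORIES = {"phishing", "c2", "malware"}  # assumed policy; others warn
# Assumed DGA heuristic thresholds (tune against your own resolver logs).
DGA_MIN_LABEL_LEN, DGA_ENTROPY_MIN, DGA_VOWEL_RATIO_MAX = 12, 3.5, 0.25
VOWELS = set("aeiou")

def shannon_entropy(label):
    """Bits per character of a label; high values suggest random generation."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def looks_like_dga(label):
    """Entropy alone also flags long legitimate names (hyphenated brand names),
    so a low vowel ratio is required as a second signal: DGA labels are vowel-poor."""
    if len(label) < DGA_MIN_LABEL_LEN:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= DGA_ENTROPY_MIN and vowel_ratio <= DGA_VOWEL_RATIO_MAX

def classify(domain):
    """Return (verdict, reason) for a queried name: block, warn or allow."""
    d = domain.lower().rstrip(".")
    category = CATEGORY_FEED.get(d)
    if category in BLOCKED_CATEGORIES:
        return "block", f"category:{category}"
    if category is not None:
        return "warn", f"category:{category}"
    parts = d.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # naive: one-label TLD
    if looks_like_dga(label):
        return "block", f"dga-heuristic:entropy={shannon_entropy(label):.2f}"
    return "allow", "uncategorized"

def filter_log(lines):
    """Attach a verdict to each constructed 'timestamp client qname qtype' line."""
    results = []
    for line in lines:
        ts, client, qname, qtype = line.split()
        verdict, reason = classify(qname)
        results.append({"ts": ts, "client": client, "qname": qname,
                        "qtype": qtype, "verdict": verdict, "reason": reason})
    return results

# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = [
    "2025-07-22T10:01:12Z 10.0.0.5 login-micros0ft-verify.example A",
    "2025-07-22T10:01:13Z 10.0.0.5 xk3q9vbzt7wl.example A",
    "2025-07-22T10:01:14Z 10.0.0.7 infosecurity-magazine.example A",
    "2025-07-22T10:01:15Z 10.0.0.9 bets-online.example AAAA",
]
```

Running `filter_log(SAMPLE_LOG)` blocks the phishing-categorized name and the random-looking label, warns on the gambling category, and allows the long but vowel-rich legitimate name.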

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines, using both defined categories (including botnet Command and Control (C2)) and machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://www.infosecurity-magazine.com/news/new-lamehug-malware-deploys

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
