
Cyber Attack News – Risk Roundup – February 2025

February 25, 2025

While February 2025 saw fewer large-scale cyber incidents than previous months, that doesn’t mean the threats are slowing down. Cyber adversaries remain active—exploiting critical vulnerabilities, selling stolen credentials, and shifting tactics to evade detection. 

This month’s cyber events serve as a crucial reminder that proactive security is non-negotiable. From an actively exploited Trimble Cityworks vulnerability to Sandworm expanding its global campaign, the risks remain significant. Meanwhile, a drop in ransomware payments signals progress, but nation-state groups are doubling down on ransomware as a revenue stream. And with DOD credentials surfacing on the dark web, national security risks remain front and center.

In every edition of the Cyber Risk Roundup, we break down the top stories of the month. Here's what you need to know for February 2025.

Trimble Cityworks Vulnerability Actively Exploited

CISA warns that a vulnerability in Trimble Cityworks, an asset management tool widely used by local governments and infrastructure organizations, is being actively exploited. The flaw (CVE-2025-0994), a deserialization bug rated 8.6 in severity that can lead to remote code execution on the web server hosting Cityworks, received a patch in late January. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, and federal civilian agencies must apply the patch by the end of the month.

The vulnerability highlights the ongoing risk to critical infrastructure and the need for a more proactive security approach. Patching alone is insufficient, because attackers exploit vulnerabilities before fixes are applied, so Zero Trust access controls are essential for limiting the damage once a system is compromised. Identity-based access control limits lateral movement, so an attacker who lands on one host cannot freely spread through the network. Continuous monitoring and least-privilege access are equally important for detecting and containing threats in real time.

 

Sandworm Expands Cyber Attacks Beyond Eastern Europe & Asia

Sandworm (aka Seashell Blizzard), the group behind the 2017 NotPetya wiper and the 2015 and 2016 attacks on Ukraine's power grid, is broadening its latest campaign, "BadPilot," according to a Microsoft report. Initially focused on Eastern Europe and Asia, the campaign now targets the US, UK, and Australia.

Microsoft states: “Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises. Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to international governments.” 

Campaigns like BadPilot harvest credentials that can then be used for privilege escalation, which puts both IT and operational technology (OT) environments at risk: a foothold in one environment becomes a path into the other. To mitigate these risks, organizations need a robust Privileged Access Management (PAM) strategy: enforce the principle of least privilege, apply it consistently across cloud, IT, and OT environments, and continuously monitor who is accessing what, from where, and under which session conditions.
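Here is what the deny-by-default, identity-scoped access decision described in the Cityworks and BadPilot sections above looks like in code. This is an added example written for this roundup, not Xage's product or code from the original post; the policy model, role names, zones, and asset names are hypothetical, and the scenarios are constructed. The first scenario models the concern raised above: an attacker who has code execution on the Cityworks web server and holds a valid analyst credential tries to pivot to an OT asset.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    identity: str          # who is asking
    roles: frozenset       # roles bound to that identity
    src_zone: str          # where the connection originates
    dst_asset: str         # what they want to reach
    action: str            # protocol/operation, e.g. "modbus-write"
    mfa_age_s: int         # seconds since the identity last passed MFA
    device_managed: bool   # posture signal from the endpoint


@dataclass(frozen=True)
class Rule:
    role: str
    src_zones: frozenset
    dst_assets: frozenset
    actions: frozenset
    max_mfa_age_s: int           # step-up required if MFA is older than this
    require_managed_device: bool


# Hypothetical least-privilege policy for a utility: each role gets exactly
# the assets and operations it needs, from the zones it should come from.
POLICY = (
    Rule("gis-analyst", frozenset({"corp-lan", "vpn"}), frozenset({"cityworks-web"}),
         frozenset({"https"}), 8 * 3600, False),
    Rule("helpdesk", frozenset({"corp-lan"}), frozenset({"cityworks-web"}),
         frozenset({"rdp"}), 900, True),
    Rule("ot-engineer", frozenset({"eng-jumphost"}), frozenset({"plc-substation-7"}),
         frozenset({"modbus-read", "modbus-write"}), 900, True),
)


def decide(req: Request, policy=POLICY):
    """Deny by default. A request is allowed only if some rule grants this
    role this action on this asset from this zone AND the session posture
    (MFA freshness, managed device) meets that rule's bar."""
    in_scope = [r for r in policy
                if r.role in req.roles
                and req.src_zone in r.src_zones
                and req.dst_asset in r.dst_assets
                and req.action in r.actions]
    if not in_scope:
        return "deny", "no rule grants this role this action on this asset from this zone"
    for r in in_scope:
        if req.mfa_age_s > r.max_mfa_age_s:
            continue
        if r.require_managed_device and not req.device_managed:
            continue
        return "allow", f"granted by rule for role {r.role}"
    return "deny", "in scope, but session posture fails (stale MFA or unmanaged device)"


# Constructed scenarios (hypothetical identities and hosts).
SCENARIOS = {
    # valid analyst credential, but the request originates on the compromised web host
    "pivot_from_compromised_web_host": Request(
        "analyst@utility.example", frozenset({"gis-analyst"}),
        "cityworks-web", "plc-substation-7", "modbus-write", 60, True),
    "analyst_normal_use": Request(
        "analyst@utility.example", frozenset({"gis-analyst"}),
        "vpn", "cityworks-web", "https", 3600, False),
    "analyst_tries_rdp_to_server": Request(
        "analyst@utility.example", frozenset({"gis-analyst"}),
        "corp-lan", "cityworks-web", "rdp", 60, True),
    "engineer_fresh_mfa": Request(
        "eng@utility.example", frozenset({"ot-engineer"}),
        "eng-jumphost", "plc-substation-7", "modbus-write", 120, True),
    "engineer_stale_mfa": Request(
        "eng@utility.example", frozenset({"ot-engineer"}),
        "eng-jumphost", "plc-substation-7", "modbus-write", 7200, True),
}


def evaluate_all():
    """Return {scenario: verdict}; the deny reasons are what you would ship to the SIEM."""
    return {name: decide(req)[0] for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        verdict, why = decide(req)
        print(f"{name:35s} {verdict:5s} {why}")
```

The point of the first scenario is that a stolen credential on its own buys the attacker nothing toward the PLC: no rule admits traffic that originates on the web host, so the pivot is denied before the credential is even considered. The stale-MFA case shows the other half of the model, where the identity is right but the session must step up before a write to an OT asset is permitted. Every deny carries a reason, which is the hook for the continuous monitoring the text calls for.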

Read more about privilege escalation threats and mitigation strategies

 

DOD and Defense Contractors’ Credentials Up for Sale

Hundreds of compromised credentials belonging to US DOD agencies and contractors are up for sale, posing a major national security risk. Even more alarming, some of the stolen logs include active session cookies, which let an attacker replay an authenticated session without ever facing the MFA prompt. This breach underscores the need for basic hygiene: regular credential rotation and least-privilege access to minimize the blast radius of any one account. One caveat practitioners often miss: rotating a password does not by itself revoke sessions that are already established, so rotation has to be paired with server-side session invalidation. Without these safeguards, compromised privileged accounts become ready-made attack vectors.
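The following is an added example, not code from the original post or from any DOD or vendor system, showing why a stolen session cookie outlives a password reset unless sessions are explicitly tied to the credential they were issued under. The session store, the client-fingerprint heuristic, and the user names are hypothetical, and the replay scenario is constructed. The same store is run twice, once with the weak setting (sessions not bound to the credential generation) and once with the corrected one.

```python
import hashlib
import hmac
import secrets


def fingerprint(user_agent: str, ip_prefix: str) -> str:
    """Coarse client binding: user agent plus the client's /24. Constructed
    heuristic for the example; real deployments tune this per client type."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


class SessionStore:
    """Server-side session table. Hypothetical design, not any vendor's API."""

    def __init__(self, bind_sessions_to_credentials: bool, ttl_seconds: int = 8 * 3600):
        self.bind = bind_sessions_to_credentials   # the weak/corrected switch
        self.ttl = ttl_seconds
        self.sessions = {}          # session id -> record
        self.cred_generation = {}   # user -> int, bumped on every rotation

    def login(self, user, mfa_verified, user_agent, ip_prefix, now):
        if not mfa_verified:
            raise PermissionError("MFA required at login")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": user,
            "gen": self.cred_generation.get(user, 0),   # credential generation at issue time
            "fp": fingerprint(user_agent, ip_prefix),
            "issued": now,
        }
        return sid

    def validate(self, sid, user_agent, ip_prefix, now):
        """Every request re-checks the cookie; MFA is never asked for again,
        which is exactly why a replayed cookie is so valuable."""
        rec = self.sessions.get(sid)
        if rec is None:
            return "unknown session"
        if now - rec["issued"] > self.ttl:
            del self.sessions[sid]
            return "expired"
        if self.bind and rec["gen"] != self.cred_generation.get(rec["user"], 0):
            del self.sessions[sid]            # password was rotated after issue
            return "credential rotated"
        if not hmac.compare_digest(rec["fp"], fingerprint(user_agent, ip_prefix)):
            return "client binding mismatch"
        return "ok"

    def rotate_credentials(self, user):
        self.cred_generation[user] = self.cred_generation.get(user, 0) + 1


def replay_scenario(bind_sessions_to_credentials: bool):
    """Constructed scenario: an infostealer log containing a live cookie."""
    store = SessionStore(bind_sessions_to_credentials)
    t0 = 1_740_000_000
    victim_ua, victim_net = "Mozilla/5.0 (Windows NT 10.0)", "10.20.30"
    sid = store.login("analyst@contractor.example", True, victim_ua, victim_net, t0)

    # 1. Attacker replays the stolen cookie from their own box.
    from_attacker_box = store.validate(sid, "curl/8.5.0", "203.0.113", t0 + 60)
    # 2. Attacker proxies through the infected workstation, so UA and network match.
    proxied = store.validate(sid, victim_ua, victim_net, t0 + 120)
    # 3. Victim rotates the password; attacker replays again through the proxy.
    store.rotate_credentials("analyst@contractor.example")
    after_rotation = store.validate(sid, victim_ua, victim_net, t0 + 180)
    return from_attacker_box, proxied, after_rotation


if __name__ == "__main__":
    print("unbound sessions:", replay_scenario(False))
    print("bound sessions:  ", replay_scenario(True))
```

Step 2 is the important one: infostealer operators routinely route the replay through the infected host, so client-fingerprint binding is only a speed bump and the cookie is accepted with no MFA challenge. With the weak setting, step 3 shows the password reset changing nothing; with sessions bound to the credential generation, the reset kills the session. In practice this means a credential found in a leak should trigger both a rotation and a revocation of every session issued under the old credential, and short TTLs cap how long a cookie is worth anything in the meantime.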

Discover why stale privileged accounts are a ticking time bomb.

 

Ransomware Payments Drop 35% – A Positive Trend

Ransomware payments dropped 35% in 2024 compared to the previous year—$813.55 million in 2024 vs. $1.25 billion in 2023—according to blockchain analysis firm Chainalysis. The decline is credited to increased law enforcement action and victims refusing to pay. Authorities seized infrastructure belonging to several high-profile groups, including LockBit, BlackCat/ALPHV, and Radar/Dispossessor.

 

And Yet… Nation-State Hackers Shift Focus to Ransomware

State-sponsored espionage groups, particularly from Russia and North Korea, are increasingly turning their skills toward for-profit cybercrime, according to Google’s Mandiant. In 2024, Mandiant responded to four times more financially motivated attacks than espionage breaches.

This shift raises new national security concerns. The healthcare sector remains a prime target, with a 64% increase in the number of people affected by healthcare data breaches in 2024 vs. 2023, according to the HIPAA Journal.

Although ransom payments have declined, ransomware continues to pose a major threat across all industries. The growing involvement of nation-state-sponsored groups in ransomware operations should serve as a warning. What began as a quick-profit scheme could now be evolving into a more sophisticated and strategic attack model. This transformation signals a new era of ransomware campaigns, demanding heightened vigilance and advanced defense strategies.

Learn more about how Xage can prevent ransomware attacks