Monday, March 3, 2025

The Qilin ransomware group has claimed responsibility for a cyberattack on Lee Enterprises, a prominent U.S. media company, disrupting its operations and threatening to release stolen data by March 5 unless a ransom is paid. The breach resulted in unauthorized access to sensitive information and affected numerous publications and digital platforms. Separately, Microsoft warned that attackers are exploiting a zero-day vulnerability in Paragon Partition Manager's driver to escalate privileges and launch further attacks. Affected: Lee Enterprises, Paragon Partition Manager

Key points:

  • The Qilin ransomware group attacked Lee Enterprises on February 3, halting its operations.
  • Hackers threatened to release over 120,000 stolen files, including personal identification and sensitive financial documents, if the ransom is not paid by March 5.
  • The attack resulted in the company losing access to its internal systems, cloud data storage, and VPN services.
  • Lee Enterprises confirmed that critical applications were encrypted and various files were stolen.
  • The incident has impacted more than 77 print publications and several hundred digital platforms.
  • Qilin has a history of targeting large organizations, including automotive and healthcare sectors.
  • A zero-day vulnerability in the BioNTdrv.sys driver of Paragon Partition Manager is being exploited by ransomware groups to elevate system privileges.
  • Paragon Software has released a patch for the driver and recommends users enable the Windows Vulnerable Driver Blocklist for protection.
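A defender-side check for the mitigation above, added here as an example and not part of the original digest: it looks for the BioNTdrv.sys driver named in the advisory and reports whether the Microsoft Vulnerable Driver Blocklist is enabled. It assumes Windows 10/11 with PowerShell 5.1 or later and an elevated prompt; the registry value it reads is Microsoft's documented switch for the blocklist.

```powershell
# Added example, not from the original digest. Read-only: it changes nothing.
# Run from an elevated PowerShell prompt on the host being checked.

$driverName = 'BioNTdrv'   # driver named in the advisory (BioNTdrv.sys)

# 1. Is the driver registered as a kernel driver, and is it currently running?
$drv = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.Name -ieq $driverName -or $_.PathName -imatch 'BioNTdrv\.sys' }
if ($drv) {
    Write-Output "Driver '$driverName' is registered on this host:"
    $drv | Select-Object Name, State, StartMode, PathName | Format-List
} else {
    Write-Output "No registered kernel driver named '$driverName' found."
}

# 2. Is the binary present in the standard drivers folder? (Compare its timestamp
#    and version against the patched release Paragon published before trusting it.)
$onDisk = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'BioNTdrv.sys' `
                        -ErrorAction SilentlyContinue
if ($onDisk) {
    $onDisk | Select-Object FullName, LastWriteTime, Length,
        @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } } | Format-List
} else {
    Write-Output "BioNTdrv.sys not present in $env:SystemRoot\System32\drivers."
}

# 3. Is the Microsoft Vulnerable Driver Blocklist switched on?
#    Microsoft's documented registry toggle; 1 = enabled.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$prop  = Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' `
                          -ErrorAction SilentlyContinue
if ($prop -and $prop.VulnerableDriverBlocklistEnable -eq 1) {
    Write-Output 'Microsoft Vulnerable Driver Blocklist: ENABLED'
} else {
    Write-Output 'Microsoft Vulnerable Driver Blocklist: NOT enabled (or value absent)'
    Write-Output 'To enable (reboot typically required):'
    Write-Output "  Set-ItemProperty -Path '$ciKey' -Name VulnerableDriverBlocklistEnable -Value 1 -Type DWord"
}
```

The blocklist can also be toggled in the Windows Security app under Device security > Core isolation; the registry read above is simply the scriptable way to confirm the state across a fleet.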

MITRE Techniques:

  • T1468: Execute Command-Line Interfaces – Ransomware groups often execute commands to encrypt files within a system.
  • T1190: Exploit Public-Facing Application – Using known vulnerabilities in software components like BioNTdrv.sys to gain unauthorized access.
  • T1059: Command and Scripting Interpreter – The attackers use command-line tools for file manipulation during the ransomware attack.
  • T1203: Exploit Vulnerability – Exploiting zero-day vulnerabilities in the driver to escalate privileges.
  • T1140: Decrypt Data – The ransomware encrypts critical files and data.

Indicators of Compromise:

  • [Domain] leeenterprises.com
  • [CVE] CVE-2025-0289
  • [CVE] CVE-2025-0288
  • [CVE] CVE-2025-0287
  • [CVE] CVE-2025-0286


Full Story: https://medium.com/@National_CERT_NCSA/%E0%B8%9B%E0%B8%A3%E0%B8%B0%E0%B8%88%E0%B8%B3%E0%B8%A7%E0%B8%B1%E0%B8%99%E0%B8%88%E0%B8%B1%E0%B8%99%E0%B8%97%E0%B8%A3%E0%B9%8C%E0%B8%97%E0%B8%B5%E0%B9%88-3-%E0%B8%A1%E0%B8%B5%E0%B8%99%E0%B8%B2%E0%B8%84%E0%B8%A1-2568-6dbc2a57189b?source=rss——cybersecurity-5