Threat Matrix: April 2025

The latest news from the digital underbelly and how to protect your business

Welcome to the April edition of Upfort’s Threat Matrix, where we cover North Korean operatives using deepfakes to take on IT positions in the West, criminals tapping Zoom for crypto-theft schemes, Apple “zero-day” attacks (which Apple says were exploited, but won’t say by whom or against whom), and so much more!

Want to help keep your company safe? It only takes two minutes to complete our interactive cybersecurity checklist to tell how prepared you are. Or take a free cybersecurity risk assessment, which taps Upfort’s state-of-the-art AI to surface exploitable vulnerabilities in your network.

City of Abilene, TX shuts down IT systems after cyberattack disrupts services

The city of Abilene, Texas, was forced to take its IT systems offline after a cyberattack caused widespread server issues. Following its incident response plan, the city disconnected affected assets and launched an investigation with third-party cybersecurity experts. While emergency services and utilities remain operational, other government services, including credit card processing at offices, have been impacted.

Officials are monitoring for unusual activity as systems are gradually restored. The full scope of the attack is still under investigation, and delays in service requests are expected.

How to protect your business: Small businesses and local governments should maintain updated incident response plans, regularly back up critical data offline, and implement network monitoring to detect intrusions early. Ensure that essential services can continue operating even during cyber disruptions.

North Korean operatives use deepfakes to infiltrate companies through fake job interviews

North Korean state-sponsored hackers are leveraging real-time deepfake technology to pose as IT job candidates in an effort to infiltrate U.S. and European organizations. According to Palo Alto Networks’ Unit 42, these operatives use synthetic identities to bypass hiring processes, secure remote positions, and later engage in cyberespionage or deploy malware. Deepfakes allow a single attacker to apply multiple times under different personas while avoiding detection by security watchlists.

The technology is inexpensive and easy to use—researchers demonstrated that convincing deepfake identities could be created in under 70 minutes using free online tools. Cases have already been documented where companies, including cybersecurity firms and small businesses, unknowingly hired these operatives.

How to protect your business: Small businesses hiring remote workers should implement strict identity verification processes, including video interview analysis, document authentication, and IP/geolocation checks. Record interviews and train HR teams to spot deepfake inconsistencies such as audio-visual mismatches or facial glitches.

Hertz breach exposes customer credit card & ID information via vendor hack

Hertz has confirmed a data breach after hackers exploited zero-day vulnerabilities in Cleo Communications’ file transfer platform, a vendor used by the car rental giant. The breach, occurring between October and December 2024, exposed sensitive customer data including names, contact details, dates of birth, credit card numbers, driver’s license information, and, in some cases, Social Security and passport numbers.

While Hertz has not disclosed how many customers were affected, notices have been issued across the U.S., Canada, EU, UK, and Australia. The Russia-linked Clop ransomware gang previously targeted Cleo in a separate mass-hacking campaign, though no group has claimed responsibility for this incident.

How to protect your business: Small businesses should assess third-party vendor risks by ensuring partners follow strong cybersecurity practices. Regularly review data-sharing agreements, limit the amount of sensitive data shared, and monitor for breaches linked to external providers.

Yale New Haven Health data breach exposes 5.5 million patient records

Yale New Haven Health (YNHHS), Connecticut’s largest healthcare network, has confirmed a cyberattack that exposed the personal data of over 5.5 million patients. The breach, discovered in March 2025, compromised sensitive information such as names, Social Security numbers, dates of birth, contact details, and medical record numbers. Fortunately, no financial data or treatment details were affected.

YNHHS is offering credit monitoring and identity protection services to impacted individuals. With class action lawsuits already in motion, the healthcare provider continues working with Mandiant and federal authorities to investigate the incident. No ransomware group has claimed responsibility.

How to protect your business: Small healthcare providers and businesses handling personal data should encrypt sensitive information, limit access based on necessity, and deploy intrusion detection systems. Regularly update cybersecurity protocols and ensure employees are trained on data protection best practices.

Ransomware hits three healthcare organizations, exposing patient data

A wave of ransomware attacks has struck three major healthcare providers—DaVita, Bell Ambulance, and Alabama Ophthalmology Associates—impacting hundreds of thousands of patients. The attacks encrypted systems, disrupted operations, and exposed sensitive data, including Social Security numbers, medical records, and financial information.

The Medusa and BianLian ransomware gangs have claimed responsibility for two of the incidents. Experts warn that healthcare remains a prime target due to the critical nature of patient data and the likelihood of fast ransom payments.

How to protect your business: Healthcare organizations and small practices should prioritize cybersecurity basics: enforce strong passwords, enable multi-factor authentication, segment networks, and maintain offline backups. Regularly update systems and conduct ransomware readiness drills to minimize impact.

Hackers exploit Zoom’s remote control feature in targeted crypto theft attacks

A hacking group known as “Elusive Comet” is leveraging Zoom’s remote control feature in a sophisticated social engineering campaign targeting cryptocurrency holders. Attackers pose as journalists offering fake interviews via Zoom, tricking victims into granting remote access by renaming themselves “Zoom” in meeting prompts. Once access is granted, attackers steal sensitive data, install malware, and initiate unauthorized crypto transactions.

This tactic mirrors methods used in high-profile hacks, including the $1.5 billion Bybit crypto theft. Security experts warn that users accustomed to approving Zoom prompts may unknowingly hand over full control of their systems.

How to protect your business: Disable Zoom’s remote control feature unless absolutely necessary, and train employees to scrutinize all access requests. For organizations handling sensitive data or crypto assets, consider using browser-based Zoom alternatives and enforce strict device access policies.

Apple zero-days exploited in sophisticated attacks, details remain scarce

Apple has patched two zero-day vulnerabilities—CVE-2025-31200 and CVE-2025-31201—that were actively exploited in highly targeted attacks, likely linked to nation-state actors or commercial spyware campaigns. The flaws impact multiple Apple platforms, including iOS, macOS, and visionOS. One vulnerability allowed remote code execution via malicious audio streams, while the other could bypass hardware-level security protections.

Despite patching the issues, Apple provided minimal information about the attackers or potential targets, raising concerns among security experts who emphasize the need for greater transparency to help defenders respond effectively.

How to protect your business: Ensure all Apple devices are updated immediately. Businesses handling sensitive data should monitor for unusual device behavior and consider mobile threat defense (MTD) solutions to detect sophisticated exploits targeting zero-day vulnerabilities.

SuperCard X Android malware steals credit card data for NFC payment fraud

A new Android malware-as-a-service (MaaS) platform called SuperCard X is enabling cybercriminals to steal credit card data and perform fraudulent contactless payments through NFC relay attacks. Distributed through social engineering scams, the malware lures victims into installing a fake “security” app that captures payment card data when they tap their card to their phone. Attackers then use this data to emulate the card and make unauthorized purchases or ATM withdrawals.

SuperCard X is sophisticated, evading antivirus detection and securing its communications with advanced encryption techniques. The malware is being promoted on Telegram, offering customized versions for cybercriminals across different regions.

How to protect your business: Educate employees about mobile phishing and social engineering tactics. Only install apps from trusted sources like Google Play, and disable NFC when not in use. Businesses handling payments should monitor for unusual small transactions that could indicate card cloning or NFC-based fraud.

FBI warns of scammers posing as agents to ‘help’ recover stolen funds

The FBI has issued a warning about fraudsters impersonating FBI Internet Crime Complaint Center (IC3) employees to target victims of previous scams. These criminals contact individuals via phone, email, social media, or forums, claiming they’ve recovered lost funds—only to trick victims into handing over financial information or making additional payments. Over 100 such cases have been reported since late 2023.

In one scheme, scammers posed as fellow fraud victims in online groups, directing targets to a fake IC3 “director” on Telegram. The FBI reminds the public that IC3 will never contact victims directly or request payment for fund recovery.

How to protect your business: Educate employees about impersonation scams, especially if your business has experienced fraud before. Never share sensitive information or send money based on unsolicited offers of recovery assistance. Verify all communications claiming to be from government agencies through official channels.

57 Chrome extensions with 6 million installs found hiding tracking code

A new investigation has uncovered 57 Chrome extensions—installed by over 6 million users—that contain hidden tracking code capable of spying on browsing activity, accessing cookies, modifying search results, and injecting remote scripts. Some of these extensions claimed to offer security or privacy benefits, but instead performed extensive tracking and reported user data to external domains.

Many of these extensions were unlisted from the Chrome Web Store, making them accessible only via direct links, a tactic often used to evade detection. Google has removed several of the flagged extensions following the report, but others may still be active.

How to protect your business: Small businesses should audit all browser extensions installed on company devices and limit them to only those vetted and necessary. Disable extension installations from unapproved sources and train employees to avoid unknown privacy or coupon tools, even if they appear useful.
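
One way to make that audit repeatable, as an added example that is not Upfort’s or Google’s code: a Python check that scores each installed extension’s manifest.json against a vetted allowlist and the capabilities the report describes (cookie access, request rewriting, code injection, remote script sources). The allowlist IDs, sample manifests and tracker domain are constructed for the example.

```python
from typing import Dict, List

# Capabilities named in the report above: reading cookies, rewriting requests or search
# results, and running code on arbitrary pages.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
                         "scripting", "tabs", "history", "debugger", "proxy", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Hypothetical vetted-extension allowlist keyed by extension ID (constructed IDs, not real ones).
ALLOWLIST = {"aaaabbbbccccddddeeeeffffgggghhhh"}

def audit_manifest(ext_id: str, manifest: Dict) -> List[str]:
    """Return findings for one extension's manifest.json (Manifest V2 or V3)."""
    findings = []
    if ext_id not in ALLOWLIST:
        findings.append("not on vetted allowlist")
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    for p in sorted(perms & HIGH_RISK_PERMISSIONS):
        findings.append(f"high-risk permission: {p}")
    if hosts & BROAD_HOSTS:
        findings.append("host access to all sites")
    # A CSP that allows remote script origins lets the extension fetch unvetted code at runtime.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):                      # MV3 form
        csp = csp.get("extension_pages", "")
    if "script-src" in csp and ("http" in csp or "*" in csp):
        findings.append("CSP permits remote script sources")
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every page")
    return findings

def audit_all(extensions: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Audit every installed extension; only those with findings are returned."""
    return {eid: f for eid, m in extensions.items() if (f := audit_manifest(eid, m))}

# Constructed sample: manifests as they would be read from a Chrome profile's Extensions/ folder.
SAMPLE_EXTENSIONS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": {"manifest_version": 3, "name": "Vetted Tool",
        "permissions": ["storage"], "host_permissions": ["https://intranet.example/*"]},
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {"manifest_version": 3, "name": "Free Coupon Finder",
        "permissions": ["cookies", "scripting", "storage"], "host_permissions": ["<all_urls>"],
        "content_security_policy": {"extension_pages": "script-src 'self' https://cdn.tracker.example; object-src 'self'"},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
}

if __name__ == "__main__":
    for eid, findings in audit_all(SAMPLE_EXTENSIONS).items():
        print(eid, "->", "; ".join(findings))
```

On managed devices the same allowlist can be enforced with Chrome’s ExtensionInstallAllowlist policy, so the script serves as the audit and the policy as the control.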

CISA warns of breach risks after Oracle Cloud credential leak

CISA has issued a security advisory following the compromise of legacy Oracle Cloud servers, warning that leaked credentials—including usernames, passwords, tokens, and encryption keys—pose ongoing risks to enterprise and small business environments. Although Oracle claims its active cloud services weren’t affected, attackers accessed older systems, stealing credential data that could enable long-term unauthorized access if reused or embedded in scripts and automation tools.

CISA urges organizations to reset exposed credentials, replace hardcoded passwords, enforce phishing-resistant MFA, and monitor authentication logs for suspicious activity. The breach reportedly began in early 2025, with some data traced back to Oracle’s Identity Manager systems.

How to protect your business: Regularly audit for reused or hardcoded credentials, enforce MFA across all accounts, and rotate passwords frequently—especially if your business relies on third-party cloud services. Monitor for unusual login behavior to catch unauthorized access early.
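
The audit for hardcoded and reused credentials in scripts and automation, as an added example that is not Upfort’s or CISA’s code: a Python scan that flags password assignments, bearer tokens and credentials embedded in URLs, then reports any secret value that appears in more than one file, since a reused value leaked from one place has to be rotated everywhere. The sample files and credential values are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Hit = Tuple[str, int, str, str]  # (file, line number, pattern label, secret value)

# Patterns for secrets embedded in scripts and automation. The secret value is a capture
# group so the same value can be recognised across files (reuse).
SECRET_PATTERNS = [
    ("password assignment", re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]")),
    ("bearer token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)")),
    ("credential in URL", re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:([^@\s]+)@")),
]

def scan_text(name: str, text: str) -> List[Hit]:
    """Return every secret-looking match in one file's contents, with its line number."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                hits.append((name, lineno, label, m.group(1)))
    return hits

def scan_files(files: Dict[str, str]) -> List[Hit]:
    """Scan a mapping of file name -> contents (read from disk in real use)."""
    return [h for name, text in files.items() for h in scan_text(name, text)]

def find_reuse(hits: List[Hit]) -> Dict[str, List[str]]:
    """Map each secret value that appears in more than one file to the files using it."""
    by_value = defaultdict(set)
    for name, _, _, value in hits:
        by_value[value].add(name)
    return {v: sorted(names) for v, names in by_value.items() if len(names) > 1}

# Constructed sample repository; the credential values are made up for this example.
SAMPLE_FILES = {
    "deploy.sh": 'export DB_PASSWORD="Spring2025!Oracle"\n'
                 'curl -H "Authorization: Bearer abcdefghij0123456789ABCDEFGHIJ" https://api.example.test/\n',
    "backup.py": 'conn = connect(user="svc_backup", password="Spring2025!Oracle")\n',
    "fetch.ps1": '$uri = "https://svc_user:Spring2025!Oracle@files.example.test/share"\n',
    "README.md": "Store PASSWORD in the vault, never in this repository.\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for name, lineno, label, _ in hits:          # never print the secret itself
        print(f"{name}:{lineno}: {label}")
    for value, names in find_reuse(hits).items():
        print(f"reused secret in {', '.join(names)} (rotate it everywhere)")
```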
