Life Insurance Breach, Notorious Malware Identified, Fake Ransom Scam – Cybersecurity News [March 03 2025]
Your wait is over as we’re back with cybersecurity’s latest this week! We’ll discuss about a data breach impacting policyholders of a significant insurance organization, a notorious malware spam host resurfacing under a new provider, a new scam targeting US executives using deceptive postal mail; experts recently uncovered a new botnet that is infecting thousands and a concerning discovery of sensitive API keys within AI training datasets. Let’s not wait further and dive in!
Life Insurance Data Breach Exposes Information of 335,000 Individuals
According to recent news headlines, allegedly New Era Life Insurance organization was the victim of a data breach where the PHI (Protected Health Information) of 335,506 people was put at risk. The branches of New Era Life Insurance Company that were affected include the Midwest branch of New Era, the Philadelphia American Life Insurance Company, and New Era Life Insurance Company, where the suspicious presence was detected earlier on, dated around 18 December 2024.
Even after swift action was taken to isolate affected systems, the engaged third-party security experts have confirmed unauthorized access occurring between 9th and 18th December 2024. The threat actors maliciously copied files from the organizational systems, including the data of agents, policyholders, and insurance carrier partners, especially names, insurance IDs, birth dates, SSNs (Social Security Numbers), and treatment data.
If you were a part of this unfortunate data breach, you will likely receive an individual notification letter, highlighting your exposed data, and complimentary credit monitoring and identity theft protection. Of course, New Era Insurance has made it clear that they have implemented additional safeguards to ensure that all systems are better protected and monitored, to avoid any such incidents in the future.
Notorious Malware and Alleged Spam Host was Identified by Kaspersky Lab
This week, Kaspersky Lab found itself at the center of a cybersecurity controversy after researchers noticed that Prospero OOO, a hosting provider, notorious for sheltering cybercriminals, was routing its traffic through Kaspersky’s networks.
Prospero, linked to the bulletproof hosting services Securehost and BEARHOST, has long been a hub for malware operations, phishing schemes, and botnet controllers. The connection was flagged by Spamhaus, an enterprise that tracks malware and spam sources, which reported that Prospero suddenly started using Kaspersky’s infrastructure for internet access. Obviously, the discovery raised immediate concerns, and Kaspersky denied any direct partnership with the provider, suggesting that the routing may have occurred through third-party telecom networks it works with. They also launched an internal review and say they are working to prevent their network from being misused.
Meanwhile, cybersecurity experts argue that whether Kaspersky is knowingly providing services to Prospero or not, its infrastructure playing any role in supporting a known cybercriminal host is problematic, given the fact that Kaspersky software has already been banned for sale in the US.
Fake BianLian Ransom Notes Sent to US CEOs in Postal Mail Scam
The BianLian ransomware gang is allegedly being impersonated by scammers who have taken a liking to sending fake ransom notes to international organizations using snail mail via the US Postal Service.
Guidepoint Security took the lead in reporting these ransom notes that claim to be from the group and even have a return address pointing to an office in Boston, Massachusetts. The C-Suite needs to be aware of this cybersecurity news as they’re the prime targets of the scam and receive said ransom notes on their corporate mail addresses. A giveaway is that the mail is often stamped with the words, “TIME SENSITIVE, READ IMMEDIATELY,” to create a sense of urgency, and the letter is tailored to the target’s industry, informing them of the allegedly stolen data in relation to their specific activities. The emails follow a style similar to that of BianLian but state they’re no longer negotiating and threaten data leakage if a ransom demand (typically between $250,000 and $500,000) is not paid to a Bitcoin address.
Mitigating such threats is really easy because the solution is simply not succumbing to the demand in these extortions; the scammers use these emails to scare executives, and there have been no indications of an actual data breach occurring in any of the email-receiving organizations.
Eleven11bot Botnet Compromises 86,000 Devices for DDoS Attacks
A new botnet malware also came to light this week–one that has already infected over 86,000 IoT (Internet of Things) devices for DDoS attacks.
Security researchers report that the botnet is being used for large-scale DDoS attacks, with telecommunication providers and online gaming servers among its primary victims. It has grown rapidly, with expert Jérôme Meyer calling it one of the largest non-state actor DDoS botnets seen in recent years.
According to The Shadowserver Foundation, most of these infected devices are located in the US, U.K., Mexico, Canada, and Australia, and the attacks have reached speeds of hundreds of millions of packets per second, sometimes lasting for days. Furthermore, GreyNoise and Censys have already identified 1,400 IPs (Internet Protocols) linked to the botnet.
Eleven11bot spreads by exploiting weak credentials, scanning networks for exposed Telnet and SSH ports, and using brute-force attacks on admin accounts. If you wish to stay safe against this threat, you should focus on changing default passwords, disabling remote access if unnecessary, and make sure the firmware is up to date. Since IoT devices often lack long-term support, regularly checking for end-of-life status and replacing outdated models is also important.
AI Training Dataset Leaks Nearly 12,000 API Keys and Passwords
Researchers have uncovered nearly 12,000 valid API keys and passwords within the Common Crawl dataset, which is a massive open-source web archive widely used for AI model training.
This discovery raised concerns about LLMs (Large Language Models) being trained on sensitive, hardcoded credentials, potentially exposing them to security risks. Many organizations and services like OpenAI, Google, Meta, and Anthropic rely on web-scraped datasets, making it challenging to filter out confidential data completely. The security enterprise Truffle Security scanned 400 terabytes of data from 2.67 billion web pages in Common Crawl’s December 2024 archive, finding 11,908 secrets that were still valid. Among them were AWS root keys, MailChimp API keys, and Slack webhooks, many of which were hardcoded into front-end HTML and JavaScript instead of being securely stored using server-side environment variables.
While AI datasets undergo pre-processing to remove sensitive information, filtering out all confidential data is nearly impossible. Attackers could exploit exposed keys for phishing, brand impersonation, or data theft. That’s why, in response, Truffle Security contacted affected vendors, helping revoke or rotate thousands of compromised credentials.