Public Breach Analysis
The Pennsylvania Office of the Attorney General (OAG) has officially confirmed that the crippling ransomware attack it suffered in August 2025 resulted in a significant data breach, with attackers stealing files containing personal and medical information.
This is not an isolated incident. My analysis confirms this was a high-profile, preventable attack by the INC Ransom gang, who exploited a well-known, critical zero-day vulnerability.
Here is the Brinztech analysis of the attack chain:
- The Vulnerability (CVE-2025-5777): The attack vector was “Citrix Bleed 2” (CVE-2025-5777), a critical pre-authentication vulnerability in Citrix NetScaler appliances. This flaw, which allows an attacker to read sensitive memory and steal session tokens to bypass MFA, was disclosed and had a patch available in July.
- The Warning: Cybersecurity expert Kevin Beaumont publicly identified several unpatched, vulnerable Citrix appliances on the PA AG’s network before the attack was disclosed.
- The Attack (August 2025): The INC Ransom gang exploited this unpatched vulnerability to breach the OAG’s network, encrypt systems, and exfiltrate data. The attack was devastating, taking down the OAG’s website, email, and phone lines for an extended period.
- The Extortion (Sept 20, 2025): The INC Ransom group added the PA OAG to its dark web leak site, claiming to have stolen a massive 5.7 TB of data. The group also made the inflammatory claim that this data included access to an FBI internal network.
- The Confirmation (Nov 14, 2025): The OAG has now confirmed that the stolen data includes citizen data, specifically “Social Security number, and/or medical information.” The office has stated it refused to pay the ransom.
Key Cybersecurity Insights
This incident is a textbook example of a “patch-or-perish” failure:
- Exploitation of a Known Zero-Day: This is the most critical insight. The breach was not caused by a sophisticated, unknown attack but by the failure to apply an emergency patch for a publicly known, actively exploited zero-day (CVE-2025-5777).
- “Citrix Bleed 2” as a Top-Tier Vector: This vulnerability is the “new MOVEit.” It allows attackers to bypass MFA and steal session tokens, making it a favorite for top-tier ransomware gangs like INC.
- A High-Profile Ransomware Gang: INC Ransom is a major, active RaaS (Ransomware-as-a-Service) operation. Their other recent high-profile victims include NHS Scotland, Yamaha Motor Philippines, Xerox Business Solutions (XBS), and the retail giant Ahold Delhaize.
- Failure to Heed Public Warnings: The vulnerable appliances were publicly identified before the attack was fully disclosed. This highlights a critical gap in the organization’s attack surface management and threat intelligence posture.
Mitigation Strategies
In response to this, all organizations must prioritize perimeter security and patch management:
- Patch All Known Exploited Vulnerabilities (KEVs): This is the #1 defense. All organizations must have an emergency patching process. All Citrix NetScaler appliances must be patched against CVE-2025-5777 immediately.
- Assume Breach / Threat Hunt: Any organization that was running a vulnerable Citrix appliance must assume it was breached and immediately initiate a threat hunt for indicators of compromise (IoCs) associated with INC Ransom.
- Reduce Attack Surface: Never expose critical administrative appliances (like Citrix NetScalers, VPN concentrators, or RDP) directly to the public internet. All management interfaces must be placed behind a strict firewall and/or require MFA.
- Network Segmentation: A breach of a perimeter appliance should not lead to a full network compromise. Implement robust network segmentation to prevent attackers from moving laterally from an external-facing appliance to internal domain controllers and file servers.
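The “Assume Breach / Threat Hunt” item above, and the earlier point that Citrix Bleed 2 lets an attacker replay stolen session tokens without ever passing MFA, suggest one concrete hunt a defender can run over gateway access logs: a single session token that is used from more than one source IP within a short window. The example below is added here and is not Brinztech’s or Citrix’s code; the log format, session IDs, IP addresses (RFC 5737 test ranges) and usernames are all constructed, not NetScaler’s real syslog format, and a real hunt would map the same logic onto the appliance’s actual session and client fields.

```python
"""Hunt for replayed session tokens in (constructed) gateway access logs.

A token read out of appliance memory and replayed by an attacker never
goes through the login/MFA step on the attacker's side, so the login log
looks clean. What does survive is the token itself appearing from a
client the legitimate user is not on. Flag tokens seen from two different
source IPs within a short window; widely spaced IP changes (a user moving
between networks) are left alone to keep the hunt's noise down.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    session: str
    src_ip: str
    user: str


def parse_line(line: str) -> Event:
    # Constructed format: "<ISO timestamp> <session id> <source ip> <user>"
    ts, session, src_ip, user = line.split()
    return Event(datetime.fromisoformat(ts), session, src_ip, user)


def find_session_reuse(lines, window=timedelta(minutes=30)):
    """Return {session: sorted list of source IPs} for every session token
    used from two different IPs within `window` of each other."""
    by_session = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_session[ev.session].append(ev)
    suspicious = {}
    for sess, events in by_session.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            if prev.src_ip != cur.src_ip and cur.ts - prev.ts <= window:
                suspicious.setdefault(sess, set()).update({prev.src_ip, cur.src_ip})
    return {s: sorted(ips) for s, ips in suspicious.items()}


# Constructed sample: sess-a1 jumps to a second IP two minutes after its
# last legitimate request (suspicious); sess-b2 changes IP hours later.
SAMPLE_LOG = """\
2025-08-09T02:10:05 sess-a1 203.0.113.10 jdoe
2025-08-09T02:11:40 sess-a1 203.0.113.10 jdoe
2025-08-09T02:12:02 sess-a1 198.51.100.77 jdoe
2025-08-09T03:00:00 sess-b2 203.0.113.20 asmith
2025-08-09T09:30:00 sess-b2 192.0.2.5 asmith
"""

if __name__ == "__main__":
    for sess, ips in find_session_reuse(SAMPLE_LOG.splitlines()).items():
        print(f"REVIEW {sess}: used from {', '.join(ips)} within 30 minutes")
```

Sessions the hunt reports should be terminated and the affected users re-authenticated; on an appliance that was exposed while unpatched, a clean result from this check alone is not evidence that no token was taken.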