This week
- Oracle’s continued (pedantic?) denials
- Europol operation to shut down large CSAM site
- Cred stuffing attacks against Aussie supers
- Fast Flux rapid DNS switches to evade detection
- UK Cyber Security & Resilience Bill
Interesting stats
39 million leaked secrets detected by GitHub security tools in 2024. LINK
Five things
- Oracle continued to deny that its cloud platform has been breached whilst also scrubbing evidence from The Wayback Machine. Oracle’s defence appears to be that Oracle Cloud, the proper noun for one of its services, has not been breached. Instead, it appears that the incident may have affected Oracle Classic. The masses aren’t taking well to the pedantry of Cloud vs cloud, with two class action lawsuits being brought against the database giant in Texas. On Wednesday, Bloomberg, citing ‘people familiar with the matter’, said that Oracle has begun acknowledging the breach of a “legacy environment” and claiming that the stolen data is not sensitive. That differs from some of the sample records provided by the attacker, which appear to show records from 2025. WORDING, LAWSUIT, CONFIRMATION
- Fast Flux: American, Australian, Canadian, and New Zealand cyber security agencies warn of a threat actor technique to evade detection. ‘Fast flux’ involves rapidly changing DNS records to hamper the tracking and blocking of malicious activities. The technique is reportedly used by cybercriminals and nation-state actors, with Nefilim ransomware and Gamaredon state actors cited as examples. The alert is a call to action for agencies, internet service providers, and cyber firms to collaborate on better detecting and shutting down the activity. Whilst such rapid switching of the IP addresses associated with a domain name may, at first glance, seem like something that would stand out, round-robin DNS techniques of this kind are used by many organisations as a form of load balancing. LINK, ALERT (PDF)
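The caveat above is the hard part of detecting fast flux: IP churn on its own also describes a CDN or round-robin load balancer. The added example below (not from the newsletter or the agencies’ alert) scores passive-DNS-style observations on the features that do tend to separate the two: how many distinct addresses answer for the domain, how many different networks (ASNs) they sit in, and how short the TTL is. The observations, the IP-prefix-to-ASN table and the thresholds are all constructed assumptions for illustration.

```python
"""Heuristic fast-flux triage over passive-DNS-style A-record observations (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int       # epoch seconds at which the answer was observed
    domain: str
    ip: str
    ttl: int      # TTL returned with the answer


# Constructed /24-prefix -> ASN table standing in for a real BGP/whois lookup.
# ASNs are from the documentation range (RFC 5398), not real networks.
PREFIX_TO_ASN = {
    "198.51.100": "AS64496",
    "203.0.113": "AS64497",
    "192.0.2": "AS64498",
    "198.18.0": "AS64499",
    "198.19.1": "AS64500",
    "100.64.0": "AS64510",
    "100.64.1": "AS64510",
}


def asn_for(ip):
    """Map an IPv4 address to the ASN of its /24 in the constructed table."""
    return PREFIX_TO_ASN.get(ip.rsplit(".", 1)[0], "AS-unknown")


def _obs(domain, ips, ttl, step):
    """Build a time-ordered list of observations, one every `step` seconds."""
    return [DnsObservation(ts=i * step, domain=domain, ip=ip, ttl=ttl) for i, ip in enumerate(ips)]


# Constructed sample: one flux-like domain and one legitimate round-robin domain.
SAMPLE_OBSERVATIONS = (
    # flux-like: a different address in a different network nearly every minute, 60 s TTL
    _obs("flux.example", ["198.51.100.10", "203.0.113.22", "192.0.2.33", "198.51.100.77",
                          "203.0.113.140", "192.0.2.200", "198.18.0.5", "198.19.1.6"],
         ttl=60, step=60)
    # round-robin load balancing: four addresses in one network, hour-long TTL
    + _obs("cdn.example", ["100.64.0.1", "100.64.0.2", "100.64.1.1", "100.64.1.2"] * 2,
           ttl=3600, step=3600)
)


def flux_features(observations):
    """Per-domain features: distinct IPs, distinct ASNs, minimum TTL and answer churn."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    features = {}
    for domain, obs in by_domain.items():
        obs.sort(key=lambda o: o.ts)
        ips = [o.ip for o in obs]
        unique_ips = set(ips)
        # fraction of consecutive observations where the answer changed
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        features[domain] = {
            "unique_ips": len(unique_ips),
            "unique_asns": len({asn_for(ip) for ip in unique_ips}),
            "min_ttl": min(o.ttl for o in obs),
            "change_rate": changes / max(len(ips) - 1, 1),
        }
    return features


def is_fast_flux_candidate(f, min_ips=5, min_asns=3, max_ttl=300):
    """Thresholds are assumptions; tune them against your own resolver data."""
    return f["unique_ips"] >= min_ips and f["unique_asns"] >= min_asns and f["min_ttl"] <= max_ttl


def classify(observations):
    """Return {domain: True/False} for fast-flux candidacy."""
    return {d: is_fast_flux_candidate(f) for d, f in flux_features(observations).items()}


if __name__ == "__main__":
    for domain, f in flux_features(SAMPLE_OBSERVATIONS).items():
        print(domain, f, "-> candidate" if is_fast_flux_candidate(f) else "-> benign")
```

Both sample domains have a change rate of 1.0, so churn alone would flag the load balancer too; it is the spread across many ASNs combined with a short TTL that singles out `flux.example`. In practice the ASN lookup would come from a BGP or whois feed rather than a hard-coded table, and the thresholds need tuning against what your own resolvers see.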
- Australian superannuation (pension) funds were targeted in a string of attacks this week, with a handful of members losing AU$500,000. The credential stuffing attacks used passwords compromised in other breaches to log in as members to their accounts. Thousands of attempts were successful, highlighting how many people re-use passwords across many sites, including important financial accounts. While the financial impact appears limited, attackers may have accessed personal data, including names, addresses, beneficiaries, and balances. Many pension accounts may be ‘forgotten’ or long-running, with users only ever checking intermittently. Implementing a second factor or requiring proof of access to the registered email address could prevent these sorts of attacks. LINK
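Credential stuffing has a recognisable shape in authentication logs: one source tries a different username on almost every attempt, most attempts fail, and the few that succeed are the accounts that need a forced password reset or step-up check. The added example below (not from the newsletter or any of the funds involved) runs that detection over a constructed log extract; the log format, thresholds and sample addresses are assumptions for illustration.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log line format; a real system will differ but carries the same fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source spraying many usernames, one user mistyping a password
# twice before succeeding, and one ordinary login.
SAMPLE_LOG = """\
2025-04-02T10:00:01Z ip=203.0.113.5 user=alice result=fail
2025-04-02T10:00:03Z ip=203.0.113.5 user=bob result=ok
2025-04-02T10:00:05Z ip=203.0.113.5 user=carol result=fail
2025-04-02T10:00:07Z ip=203.0.113.5 user=dave result=fail
2025-04-02T10:00:09Z ip=203.0.113.5 user=eve result=ok
2025-04-02T10:00:11Z ip=203.0.113.5 user=frank result=fail
2025-04-02T10:00:13Z ip=203.0.113.5 user=grace result=fail
2025-04-02T10:00:15Z ip=203.0.113.5 user=heidi result=fail
2025-04-02T10:01:00Z ip=198.51.100.7 user=alice result=fail
2025-04-02T10:01:20Z ip=198.51.100.7 user=alice result=fail
2025-04-02T10:01:40Z ip=198.51.100.7 user=alice result=ok
2025-04-02T10:02:00Z ip=192.0.2.9 user=carol result=ok
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "ok"}


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that hit many distinct usernames with a high failure rate
    inside a sliding time window. Thresholds are assumptions to tune per site."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event and test the events that fall inside it.
        for i, start in enumerate(events):
            in_window = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in in_window}
            failures = sum(1 for e in in_window if not e["ok"])
            if len(users) >= min_users and failures / len(in_window) >= min_fail_ratio:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "failures": failures,
                    # successful logins from a stuffing source: reset and step-up these accounts
                    "accounts_to_review": sorted({e["user"] for e in in_window if e["ok"]}),
                }
                break  # one matching window per IP is enough to raise an alert
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, finding)
```

The user who fails twice from one address before logging in is not flagged because a single username never reaches the distinct-user threshold, which is what keeps ordinary typos out of the alert. The `accounts_to_review` list is the actionable output: those are the members whose re-used passwords worked, and the newsletter’s suggested second factor or email-possession check is exactly what would have stopped the successful attempts from completing.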
- Cyber Security and Resilience Bill: The UK government announced details of the CSR bill this week. The King’s Speech had already set out key points of the bill and its alignment with parts of the EU’s NIS2, such as expanding the scope to include, for example, IT Managed Service Providers. Three parts of note are: daily £100,000 or 10% turnover fines for failing to patch against widely exploited vulnerabilities; mandatory early reporting of incidents to NCSC within 24 hours (with full reports due within 72 hours); and the ability for regulations to be adapted flexibly in response to emerging threats, such as bringing new sectors in-scope without requiring further legislation. LINK, NCSC
- Operation Stream: Europol has shut down KidFlix, one of the world’s largest paedophile networks serving up child sexual abuse material (CSAM). The operation, led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB), involved over 35 different countries and led to 79 arrests and the identification of 1,393 suspects. Over 91,000 unique videos were found on the seized servers. Thirty-nine children have been protected from further abuse. Suspects were identified by analysing payment data from the seized server. LINK
In brief
- 🤓 Interesting reads: Former NSA and US Cyber Command director, General Paul Nakasone, tells Dina Temple-Raston that China is now the United States’ biggest cyber threat in this interview, which covers national security threats, resourcing challenges, and artificial intelligence. The obituary of Betty Webb MBE, one of the few remaining people who worked at Bletchley Park during World War II and who died this week aged 101. NAKASONE (PODCAST: APPLE, SPOTIFY), WEBB
- ⚠️ Incidents: The Moscow subway app and website suffered disruption this week in suspected retaliatory action for the recent attack on Ukraine’s national railway operator. A GCHQ intern has pleaded guilty to taking sensitive information — described as a ‘top secret tool’ — home two days before the end of his placement year. Check Point has confirmed a security incident affecting customers but claims it is an “old, known and very pinpointed event”. Spectos, a performance management company and supplier to British postal service Royal Mail, has confirmed an incident occurred on 29th March. The attacker is threatening to release over 16,500 files totalling 144GB, which they say contain personal data of Royal Mail customers. The Washington Post reports that Michael Waltz used personal Gmail accounts for government communications, in addition to Signal, to discuss potentially classified US government matters (the Pentagon watchdog has opened an investigation into Waltz’s use of Signal). MOSCOW, INTERN, CHECKPOINT, SPECTOS, WALTZ (INVESTIGATION)
- 🏴‍☠️ Ransomware: The Hunters International ransomware gang has rebranded to World Leaks and pivoted to data extortion-only attacks as of the beginning of 2025, according to Group-IB. WORLD LEAKS
- 🕵️ Threat Intel: GreyNoise is reporting a spike in suspicious IP addresses scanning Palo Alto Networks GlobalProtect login pages, potentially signifying reconnaissance ahead of malicious activity. Google says that North Korea’s ‘IT warriors’, those posing as remote IT workers, are increasingly targeting European companies in Germany, Portugal, and the UK. PALO, N. KOREA
- 🪲 Vulnerabilities: CISA has issued an alert for Ivanti’s Connect Secure appliances, which Chinese-aligned threat actors are targeting with a buffer overflow vulnerability disclosed in January and infecting with Resurge malware. A ‘perfect 10’ vulnerability (CVE-2025-30065) in the Apache Parquet big data format can lead to arbitrary code execution. IVANTI (ALERT), PARQUET (MORE)
- 🧑‍💻 End user and consumer: Gmail is rolling out a new method to encrypt messages. GMAIL
- 🧰 Guidance and tools: NCSC’s guidance on building secure HTTP-based APIs. HTTP APIS
- 🧿 Privacy: The FTC has said that a prospective buyer of genetic testing firm 23AndMe must honour the firm’s privacy policies for genetic data. 23ANDME
- 📜 Policy & Regulation: The European Commission has launched its ProtectEU strategy, which jumps into the end-to-end encryption (E2EE) debate, calling for “lawful and effective access to data”. Also, it proposes beefing up Europol to become something akin to the US FBI. PROTECTEU
- 👮 Law Enforcement: Mayor of London Sadiq Khan has closed a cybercrime helpline for the victims of digital fraud and harassment at the end of an extended pilot period. Critics argue the scheme should have been extended while results and future support are determined. HELPLINE
- 💰 Investments, mergers and acquisitions: US firm ReliaQuest has closed a $500 million funding round to expand its GreyMatter AI-powered platform. Ballistic Ventures is raising $100 million for a new cyber-focused venture fund. Adaptive Security, a New York-based AI hack simulation startup, has closed a $43 million Series A round, including funding from OpenAI. RELIAQUEST, BALLISTIC, ADAPTIVE
- 🗞️ Industry news: PwC China plans to spin off its 200-person cyber security business to generate an expected $128M-$256M. The Trump administration has fired General Timothy Haugh, a 30-year military veteran, from his position as head of the NSA and Cyber Command. PWC, HAUGH
And finally
- Do ransomware gangs pay tariffs? ;-)