This week
- Iran cuts off Internet access amidst Israeli-linked attacks
- Scattered Spider has shifted focus to the insurance sector
- WaPo staff told foreign government accessed some journalists’ emails
- 16 billion credential leak is mostly repacking previous breaches
- 23andMe bought by founder at bankruptcy auction; fined by ICO
- Spain’s investigation into power grid failure points at cascading failures
Interesting stats
100% of AWS root accounts now have multi-factor authentication enabled. LINK
Five things
- Israel/Iran(/USA) tensions are heating up. The Predatory Sparrow group targeted Bank Sepah, Iran’s oldest bank, owned by the state and used to pay government salaries. Predatory Sparrow (aka Gonjeshke Darande in Persian), believed to be linked to Israel, claimed the attacks destroyed the bank’s infrastructure, while Iranian sources downplayed the incident. Iranian cryptocurrency exchange Nobitex also found itself the victim of Predatory Sparrow, who compromised accounts and moved $90 million worth of cryptocurrency to “vanity” (profanity?) addresses with variations of the term “F*ckIRGCterrorists”. Researchers and monitoring organisations also observed a range of other anomalies in Iranian web traffic. This “near-total national internet blackout” was later confirmed as a preventative step by the Iranian government to ward off Israeli attacks. Israel has played on confidence in communication networks before, with its attack on Hamas pagers. Unsurprisingly, this kind of disruption can severely hamper coordination and leave an opponent on the back foot. The US bombed nuclear sites in Iran, and shortly after, Truth Social ‘crashed’, and it’s unclear why. Given that it is the US President’s social network, perhaps it is fair game? BANK SEPAH, NOBITEX, WEB TRAFFIC, BLACKOUT, TRUTH SOCIAL
- Scattered Spider has shifted focus to the insurance industry, according to Google’s Threat Intelligence Group, citing awareness of “multiple intrusions” that follow the attacker’s modus operandi. Erie Insurance reported a breach last week, while Georgia-based Aflac says it stopped a “sophisticated cybercrime group” from deploying ransomware but that some files were stolen during the attack. Scattered Spider typically uses social engineering techniques against (outsourced) helpdesk teams. Often they will ask to re-enrol or change a multi-factor authentication token: a much stricter flow for doing this on privileged accounts is worth considering. SPIDER, AFLAC
- Washington Post Executive Editor Matt Murray warned staff of an incident affecting their email system. All employees had their passwords reset as a precautionary measure following the “possible targeted unauthorised intrusion”. It’s reported that the journalists being targeted wrote on national security and economic policy topics. Identifying journalists’ sources can be useful for intelligence agencies, so this sort of targeting seems pretty plausible. WAPO
- 23andMe founder Anne Wojcicki has purchased the company in a bankruptcy auction. Also this week, the UK Information Commissioner has fined 23andMe over £2.3 million ($3M) for poor security practices — lacking additional verification before downloading genetic information — that led to their 2023 data breach, affecting more than 150,000 UK residents. PURCHASE, PENALTY
- Spain’s government released its report into the electricity blackout earlier this year, confirming that the cause was cascading issues in plans to stabilise the grid rather than a cyber attack. SPAIN
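The stricter MFA re-enrolment flow suggested in the Scattered Spider item above, as an added example (not code from the newsletter or any vendor): privileged accounts require out-of-band verification and manager approval rather than knowledge-based questions, requests arriving via an outsourced helpdesk get an extra internal review, and the same policy is replayed over a constructed audit log to flag resets that slipped through. Role names, check names and the log format are all assumptions.

```python
from dataclasses import dataclass, field

# Roles treated as privileged (assumed names; map these to your IdP's admin roles).
PRIVILEGED_ROLES = {"GlobalAdmin", "DomainAdmin", "HelpdeskAdmin", "BillingAdmin"}


@dataclass
class ResetRequest:
    user: str
    roles: set                  # roles held by the account being re-enrolled
    via_outsourced_helpdesk: bool
    verified: set = field(default_factory=set)  # checks the agent actually recorded


def required_checks(req: ResetRequest) -> set:
    """Checks an MFA re-enrolment must satisfy; stricter for privileged accounts."""
    checks = {"id_question"}                      # standard accounts: knowledge-based check
    if req.roles & PRIVILEGED_ROLES:
        # Privileged accounts: callback to the number already on file plus approval
        # from the account owner's manager; knowledge questions alone never suffice.
        checks = {"callback_on_file", "manager_approval"}
        if req.via_outsourced_helpdesk:
            checks.add("internal_security_review")  # hand-off from the outsourced desk
    return checks


def decide(req: ResetRequest):
    """Return ("allow", set()) or ("deny", <missing checks>)."""
    missing = required_checks(req) - req.verified
    return ("allow", set()) if not missing else ("deny", missing)


# Constructed sample of completed re-enrolments, as an audit log might record them.
AUDIT_LOG = [
    {"user": "alice", "roles": {"GlobalAdmin"}, "outsourced": True,
     "verified": {"id_question"}},
    {"user": "bob", "roles": set(), "outsourced": True, "verified": {"id_question"}},
    {"user": "carol", "roles": {"DomainAdmin"}, "outsourced": False,
     "verified": {"callback_on_file", "manager_approval"}},
]


def flag_weak_resets(events):
    """Users whose MFA re-enrolment completed without the checks the policy demands."""
    flagged = []
    for e in events:
        req = ResetRequest(e["user"], e["roles"], e["outsourced"], e["verified"])
        verdict, missing = decide(req)
        if verdict == "deny":
            flagged.append((e["user"], sorted(missing)))
    return flagged


if __name__ == "__main__":
    for user, missing in flag_weak_resets(AUDIT_LOG):
        print(f"REVIEW {user}: re-enrolled without {', '.join(missing)}")
```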
And finally, a few other bits
- 16 billion credentials in “one of the largest data breaches in history” is just a repackaging of previous breaches. LINK
- Meta has a ‘Discover’ feature that shows what other users are asking their AI. That is, well, not great. Did anyone think (about the privacy assessment)? META AI
- Veeam has patched a critical remote code execution vulnerability (CVE-2025-23121, 9.9/10). VEEAM (ADVISORY)