This week
A condensed format this week because I’m travelling.
- Colt Technology Services, a UK-headquartered telco, says it is recovering from a “cyber incident” that took out its internal systems. A customer portal and other services were reportedly down for several days last week, in part due to preemptive action taken to contain the attack. Security researcher Kevin Beaumont claims that the company’s SharePoint server was exposed to the internet. Microsoft warned of a critical vulnerability in its on-premises software around a month ago. The ‘WarLock’ cybercrime group has claimed responsibility for the attack and says it has stolen 1 million company documents. COLT
- Cyber norms: Lawfare has an interesting long-read on the challenges and opportunities facing the next phase of United Nations cyber security sessions. The “Global Mechanism” will progress negotiations on so-called ‘cyber norms’, responsible state behaviour in cyberspace, the application of international law in cyberspace, and other confidence- and capability-building measures. UN
- M&S click and collect services have been restored, after being suspended following the cyberattack 15 weeks ago. Rebuild and recovery following a cyber incident can have a long tail. M&S
Check out the latest episode of Communicating Cyber, where I chat to Larry Tampkins about the power of asking “Why and So What” when communicating cyber security and “fifty audiences of one”. WATCH
Interesting stats
$40 for a legit FBI email account, according to Abnormal AI research (hey Piotr!) LINK
In brief
- ⚠️ Incidents: Manpower is notifying over 140,000 people that their personal information was stolen in December 2024. RansomHub claimed responsibility for the attack in January of this year, stating that it had stolen passport scans, IDs, SSNs, addresses, contact information, test results, and other corporate data. The entry on RansomHub’s leak site has disappeared, suggesting Manpower may have paid the criminals’ demands. The personal data of up to 3,700 Afghans seeking resettlement in the UK may have been stolen from an MoD contractor. Unnamed threat actors compromised Inflite the Jet Centre, which operated resettlement flights into London Stansted, and also transported civil servants, soldiers, and journalists. It follows another personal data breach that was subject to a similar super injunction involving the same data. MANPOWER, INFLITE (Vol. 8, Iss. 29)
- 🌍 Canada’s House of Commons is investigating a potential data breach of employee and device information. Norway’s security police service has blamed the compromise of control systems on Russian state-aligned actors. The incident lasted four hours and resulted in the loss of three Olympic swimming pools’ worth of water after the attacker opened a floodgate. CANADA, NORWAY
- 🕵️ Threat Intel: Advanced persistent teenagers: Scattered Spider, ShinyHunters, and Lapsus$ appear to be working together. A Telegram channel titled “Scattered LAPSUS$ Hunters” appeared briefly last week, sharing some data from recent attacks, and claiming to be developing a Ransomware-as-a-Service operation. The groups have gained notoriety for social engineering attacks against large companies, originally for attention and to cause chaos; however, more recent attacks have taken a financial focus. EDR Bypass: Trend Micro reports that over 12 ransomware gangs have incorporated kernel-level tools that turn off endpoint security software into their malware. SCATTERED LAPSUS HUNTERS, EDR
- 🪲 Vulnerabilities: Fortinet is warning customers that exploit code has been seen in the wild for a critical vulnerability in its FortiSIEM product. CVE-2025-25256 (9.8/10) may allow an unauthenticated attacker to execute code. Cisco says there is a critical remote code execution vulnerability in its Secure Firewall Management Center (FMC) product. CVE-2025-20265 (10/10) can be exploited by unauthenticated attackers sending specially crafted credentials during authentication to FMC’s RADIUS server. FORTINET (ADVISORY), CISCO (ADVISORY)
And finally
- Speedy response: A cyberattack on the Netherlands Public Prosecution Service is preventing the use of some speed cameras across the country. PPS