Robin’s Newsletter #383

19 October 2025. Volume 8, Issue 42
‘Sophisticated’ threat had ‘long-term’ access to F5. ‘Nationally significant’ attacks against UK up 50%. NK hiding malware in smart contracts.

This week

Need to Know, 19th October 2025

  • ‘Sophisticated’ threat had ‘long-term’ access to F5
  • UK business Chairs, CEOs sent letter by ministers
  • NCSC says ‘highly significant’ attacks against UK up 50%
  • NK hiding malware in Ethereum smart contracts
  • Capita fined £14M for 2023 pensions data breach

Interesting stats

18 (up 48%) category 2, “highly significant”, and 204 (up 50%) category 3, “nationally significant”, cyber-attacks against the UK in the past year, according to NCSC in their most recent annual report, released this week. LINK (see also below).

97% of the Danish population over 15 is enrolled in the country’s MitID digital ID scheme. LINK

97% of identity attacks are password spray or brute force attacks, and less than 3% are other techniques: 2.4% token theft by malware, 0.24% attacker-in-the-middle, 0.003% attacks on MFA and 0.0005% consent phishing. A similar focus on identity can be seen in the techniques used by Initial Access Brokers (IAB), who gain and sell access to other cybercriminals: 80% of initial access vectors are credential-based, 17% involve vulnerability exploitation, and just 0.5% involve insider access, according to the Microsoft Digital Defence 2025 report. LINK
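Since spray and brute force dominate those numbers, the most useful thing to take from them is a detection for exactly that pattern. The following is an added example, not code from the Microsoft report or from this newsletter: it parses a handful of constructed sshd-style log lines (the log format, the thresholds and the source addresses, which come from the RFC 5737 documentation ranges, are all assumptions) and separates a source that fails logins across many distinct usernames in a short window (a spray) from one that hammers a single account (brute force), while leaving a user who mistypes once alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in an sshd-like shape (assumption: this
# format); source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2025-10-19T08:00:01Z sshd: Failed password for alice from 203.0.113.10
2025-10-19T08:00:04Z sshd: Failed password for bob from 203.0.113.10
2025-10-19T08:00:07Z sshd: Failed password for carol from 203.0.113.10
2025-10-19T08:00:10Z sshd: Failed password for dave from 203.0.113.10
2025-10-19T08:00:13Z sshd: Failed password for erin from 203.0.113.10
2025-10-19T08:00:16Z sshd: Failed password for frank from 203.0.113.10
2025-10-19T08:01:00Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:01:05Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:01:10Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:01:15Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:01:20Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:01:25Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:01:30Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:01:35Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:01:40Z sshd: Failed password for admin from 198.51.100.7
2025-10-19T08:05:00Z sshd: Failed password for grace from 192.0.2.5
2025-10-19T08:05:20Z sshd: Accepted password for grace from 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn log text into (timestamp, outcome, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event in the shape we understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=8):
    """Flag spray (many users from one source) and brute force (one user, many tries)."""
    failures = defaultdict(list)  # source ip -> [(ts, user), ...] for failed logins
    for ts, outcome, user, ip in events:
        if outcome == "Failed":
            failures[ip].append((ts, user))

    spray, brute = {}, {}
    for ip, evs in failures.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # every failure from this source inside [t0, t0 + window]
            users_in_window = [u for t, u in evs[i:] if t - t0 <= window]
            distinct = set(users_in_window)
            # keep the largest set of sprayed usernames seen for this source
            if len(distinct) >= spray_users and len(distinct) > len(spray.get(ip, [])):
                spray[ip] = sorted(distinct)
            per_user = defaultdict(int)
            for u in users_in_window:
                per_user[u] += 1
            for u, n in per_user.items():
                if n >= brute_attempts:
                    hits = brute.setdefault(ip, {})
                    hits[u] = max(n, hits.get(u, 0))
    return {"spray": spray, "brute_force": brute}


def analyse(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    print(analyse())
```

The two signals are kept apart on purpose: a spray tends to stay under per-account lockout thresholds, so a rule that only counts failures per username never fires on it, while counting distinct usernames per source does. On a real estate the window and thresholds need tuning against normal failure rates, and a spray distributed across many source addresses will need the grouping changed from source IP to something like ASN or user agent.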

49 million fraudulent online accounts linked to 40,000 SIM cards installed in 1,200 SIM-box devices, seized in a Europol raid this week. LINK

Five things

  1. BIG-RIP: Seattle-based networking vendor F5 disclosed a breach on Wednesday. The company says that a “sophisticated,” undisclosed nation-state actor gained access to their systems. The intrusion is believed to have persisted for years. During that time, F5 says that the attackers gained control of an environment used to create and distribute the software update for its BIG-IP line of network appliances, used by 48 out of the world’s top 50 companies. BIG-IP is often deployed on the edge of networks as a firewall or load balancer, leaving it naturally exposed to the internet. Attackers have stolen source code and vulnerability information, including issues identified internally that have not yet been remediated. F5 has published letters from IOActive and NCC Group attesting that the build pipelines and source code have not been tampered with. This type of nation-state actor is almost certainly concerned with quiet espionage activities. Having insider knowledge of weaknesses in edge networking components gives them a great leg-up in gaining access to large corporate or government networks. Given the “long-term” access here, whatever benefit was to be had has almost certainly already been gained. CISA and NCSC have issued guidance on the “imminent threat,” urging prompt action from government agencies. If you’re an F5 customer, I’d identify where all of their products are deployed in your organisation, apply all security updates as they’re released, and pay special attention to any suspicious activity in the logs from those devices. F5, MORE, CISA, NCSC

  2. UK Letter: UK ministers sent a letter to the Chair and CEO of over 350 businesses this week, warning of ‘hostile cyber activity’ and urging them to take action. All companies in the FTSE100, the FTSE250, and some other leading UK firms have been sent the letter. Three specific requests are made: to adopt the Cyber Governance Code of Practice, sign up to the NCSC’s Early Warning Service, and to require suppliers to adopt Cyber Essentials. LETTER, GOVERNANCE

  3. NCSC Annual Review: “Highly significant” (category 2) cyber-attacks rose by 50% in the past year, and NCSC says it deals with a ‘nationally significant’ (category 3) attack every other day. The NCSC’s ‘DEFCON’ style categories range from 6 (a localised incident) to 1 (a national cyber emergency). The UK security services, including MI5, are reported to be stepping up discussions with businesses too. The UK government is also understood to be reviewing how cyber groups within agencies can be brought together. Also this week, Dominic Cummings, former aide to Prime Minister Boris Johnson, claimed that “vast amounts” of sensitive intelligence information were compromised by the Chinese in 2020. Ciaran Martin, CEO of NCSC at that time, has taken to social media with a firm denial of those claims. NCSC, REVIEW, MI5, CHINA

  4. EtherHiding: Google says threat actors, including North Korea and a financially motivated group tracked as UNC5142, have been busy stashing malware on the blockchain as a form of ‘bulletproof’ hosting. The malicious code is embedded within smart contracts on the Ethereum blockchain. (Smart contracts are like apps on the blockchain that run when certain conditions are met.) An initial piece of malware infects the victim’s device and then queries the smart contract on the blockchain to download a subsequent stage of malicious code. As the blockchain is immutable and distributed, it makes taking down the code difficult. It’s also extremely cheap, costing less than $2 per transaction to create or modify a smart contract. ETHERHIDING
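The practical question for a defender is how to spot the second step Google describes, an already-infected host reading the smart contract for its next stage. The following is an added example written for this newsletter, not Google's or any vendor's code: given egress records from an EDR or TLS-inspecting proxy that logs request bodies, it flags Ethereum JSON-RPC read calls (eth_call and eth_getCode are the real method names for reading contract state and bytecode) issued by processes that have no business talking to a blockchain node, and pulls out the contract address as a pivot for hunting across the rest of the estate. The log field names, hostnames, process allowlist and 0x addresses are constructed placeholders, not indicators.

```python
import json

# Placeholder 20-byte contract addresses (constructed, not real indicators).
CONTRACT_A = "0x" + "a1" * 20
CONTRACT_B = "0x" + "b2" * 20


def _record(host, process, dest, body):
    # Shape of one egress record (assumption: an EDR/proxy that logs request bodies).
    return {"ts": "2025-10-19T09:00:00Z", "host": host, "process": process,
            "dest": dest, "http_method": "POST" if body else "GET", "body": body}


def _eth_call(contract):
    # eth_call reads contract state without sending a transaction; params[0]["to"]
    # is the contract being read.
    return json.dumps({"jsonrpc": "2.0", "method": "eth_call",
                       "params": [{"to": contract, "data": "0x"}, "latest"], "id": 1})


def _eth_get_code(contract):
    # eth_getCode fetches the contract's bytecode; params[0] is the address.
    return json.dumps({"jsonrpc": "2.0", "method": "eth_getCode",
                       "params": [contract, "latest"], "id": 2})


# Constructed sample log: one JSON object per line. The hostnames use the
# reserved .invalid TLD and an RFC 5737 address; nothing here is a real node.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _record("ws-042", "chrome.exe", "rpc.example-gateway.invalid", _eth_call(CONTRACT_A)),
    _record("ws-017", "powershell.exe", "rpc.example-gateway.invalid", _eth_call(CONTRACT_B)),
    _record("ws-017", "curl.exe", "api.example.invalid", ""),
    _record("ws-099", "update.exe", "203.0.113.55", _eth_get_code(CONTRACT_B)),
])

# Processes the organisation expects to talk to blockchain nodes (assumption:
# browsers running wallet extensions). Anything else gets flagged.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe"}


def parse_rpc(body):
    """Return (method, contract) if body is an Ethereum JSON-RPC request, else None."""
    if not body:
        return None
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    method = msg.get("method", "")
    if not isinstance(method, str) or not method.startswith("eth_"):
        return None
    params = msg.get("params") or []
    contract = None
    if params and isinstance(params[0], dict):
        contract = params[0].get("to")   # eth_call style
    elif params and isinstance(params[0], str):
        contract = params[0]             # eth_getCode style
    return method, contract


def find_suspicious_rpc(log_text, expected=EXPECTED_CLIENTS):
    """Flag Ethereum JSON-RPC reads issued by processes not expected to make them."""
    findings = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        parsed = parse_rpc(rec.get("body", ""))
        if parsed is None or rec.get("process") in expected:
            continue
        method, contract = parsed
        findings.append({"host": rec["host"], "process": rec["process"],
                         "dest": rec["dest"], "method": method, "contract": contract})
    return findings


def contracts_to_hunt(findings):
    """Distinct contract addresses from the findings, as pivots for a wider search."""
    return sorted({f["contract"] for f in findings if f["contract"]})


if __name__ == "__main__":
    hits = find_suspicious_rpc(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("hunt for:", contracts_to_hunt(hits))
```

Matching on the JSON-RPC body rather than on a list of gateway hostnames is deliberate: because the contract lives on the chain, the malware can read it through any public RPC gateway, so a hostname blocklist is easy to sidestep while the request shape is not. The trade-off is that the check needs body visibility, which means endpoint telemetry or TLS inspection, and staff who use browser wallets will need the allowlist tuned so they do not drown the alert.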

  5. Capita has been fined £14 million ($18.8M) for data protection failings in a 2023 breach that led to the theft of 6.6 million people’s personal information. Capita Group, and its ‘pension solutions’ arm, which administered 325 pension funds, split the penalty. Capita detected the incident within 10 minutes, but did not shut down the device for a further 58 hours. During that time, the attackers made off with over one terabyte of data, installed ransomware, and reset all user passwords. Capita’s SOC was ‘understaffed’ with just one analyst working per shift, achieving their SLA for P2 incidents just 30% of the time, against a target of 95%. The company doubled its SOC resourcing in the wake of the incident. The ICO was not impressed that systems hadn’t been penetration tested, and “there is no evidence that Capita had ever undertaken an internal audit of the security of these business units” (h/t Niall). CAPITA

Startup spotlight

As part of my pledge to support the UK cyber ecosystem, I’ll be featuring a different UK cyber startup each week.

This week it’s SenseON, a growth-stage business, scaling its operations:

  • What do they do? Give security teams AI superpowers: cut 93% of alerts, detect autonomously, respond 10x faster—elite SOC capabilities without the headcount.
  • Who is it for? Security leaders battling SIEM failures and log costs at 500-3,000 employee organisations.
  • Where can you find out more? WEB, LINKEDIN

If you’re a UK-based cyber security startup interested in being featured in a ‘Startup Spotlight’ in my weekly newsletter, please fill out this form for consideration. It’s not a paid thing; just trying to support our ecosystem 🚀

In brief

  • ⚠️ Incidents: Jeep has pulled an update for its Wrangler 4xe hybrid 4x4s after it caused models to lose power… while they were underway. US medical radiology company SimonMed is notifying over 1.2 million individuals that the company suffered a breach between 21st January and 5th February this year. SimonMed appeared on the Medusa ransomware portal for a period of time before being removed, suggesting that the company may have paid the ransom. Clothing retailer Mango says that a third-party marketing company suffered a breach, exposing customer information. JEEP, SIMONMED, MANGO

  • 🕵️ Threat Intel: Poland’s national security bureau chief Sławomir Cenckiewicz told the Financial Times that Russia is paying saboteurs in cryptocurrency to carry out ‘hybrid’ attacks against European countries. Scattered Lapsus$ Hunters (SLH) says it’s going dark ’til 2026 in the wake of the FBI seizing its website infrastructure. (Though worth noting that the last time they said this, they returned three days later.) Pixnapping: researchers have shown that a malicious Android app can steal multi-factor authentication codes and location data from the screens of Google and Samsung devices without the user knowing, by essentially ‘taking a screenshot’ of the device. POLAND, SLH, PIXNAPPING

  • 🪲 Vulnerabilities: Fortra has confirmed “unauthorised activity related to CVE-2025-10035” (10/10) in its GoAnywhere MFT file transfer solution, but has not provided any details on how private key materials came to be in the possession of the ‘unauthorised’ actors. Oracle has released an out-of-band security update to fix CVE-2025-61884 (7.5/10) in its E-Business suite. Remote monitoring and management (RMM) platform ConnectWise has fixed a critical vulnerability (CVE-2025-11492; 9.6/10) that exposed sensitive communications and left them susceptible to attacker-in-the-middle attacks. FORTRA (ADVISORY), ORACLE (ADVISORY), CONNECTWISE (ADVISORY)

  • 🧑‍💻 End user and consumer: The final updates for Microsoft Windows 10 have been released and the operating system is now considered end-of-life. WIN10

  • 🏭 Operational technology: UC San Diego and University of Maryland researchers say that satellites are leaking unencrypted information and that they were able to intercept it using just $800 of off-the-shelf equipment. Over three years, the academics obtained calls and text messages, airline passengers’ in-flight Wi-Fi browsing, ICS signals from critical infrastructure, and even military communications from geosynchronous satellites overhead. SATELLITES, PAPER

  • 📜 Policy & Regulation: Ofcom has fined message board 4chan £20,000 ($26K) for failing to comply with the Online Safety Act, a figure set to rise by £100 ($133) per day. The Netherlands has invoked special powers allowing it to compel semiconductor firm Nexperia to reverse or take certain business decisions ordered by its Chinese owners (h/t Dave). The UK Financial Conduct Authority (FCA) has called on banks and payment companies to implement better controls to protect their customers from romance scams and fraud. 4CHAN, NEXPERIA, FCA

  • 👮 Law Enforcement: The US and UK have sanctioned 146 entities and people, including the prominent Cambodian company Prince Group, for their involvement in cyber scams. US authorities also seized $15 billion of Bitcoin from accounts linked to Prince Group’s chairman, Chen Zhi. PRINCE GROUP

  • 💰 Investments, mergers and acquisitions: LevelBlue (formerly AT&T Cybersecurity) has acquired Cybereason. SoftBank and Liberty Strategic Capital will become investors in LevelBlue as part of the transaction, the value of which was not made public. LevelBlue has also recently acquired Trustwave and Stroz Friedberg. 1Password founders have sold a $75 million stake to Halo Fund. CYBEREASON, 1PASSWORD

And finally

  • Quantum Signal: A geeky read on the Signal team’s work to implement quantum-resistant encryption into their popular messaging app. SIGNAL
Robin