This week

- Self-rewriting AI malware grabs headlines, but isn’t very good
- Russia targeting Ukraine grain with wiper attacks
- Three cyber responders indicted for role in BlackCat ransomware attacks
- Meta allowed fraudsters to run scam ads while jacking up their prices
- M&S results show cost of incident, revenues up year-on-year
Interesting stats
12.2% drop in sales for SK Telecom and 90% operating profit drop following their April announcement of an incident affecting 27 million customers. LINK
239 malicious apps found on the Google Play Store in the last year, with 42 million downloads, according to Zscaler, which says that 69% (~2x increase) are adware, and 23% (~40% decrease) are for the Joker info-stealer. LINK
10% of Meta’s revenue may come from scammers, according to its own projection (see below).
Five things
- PROMPTFLUX: A threat intelligence report from Google outlines generative AI uses by threat actors. There’s been much hype about Google’s characterisation of these as “novel AI-enabled malware in active operations”. One example details malware using Gemini to rewrite itself, which sounds scary, though the report is clear that it is in a “development or testing phase, as opposed to being used in the wild, and currently does not have the ability to compromise a victim network or device”. This type of self-rewriting is likely an attempt to avoid signature-based detection; however, reporting shows that the malware itself was easily detected. Overall, this is a direction of travel, but there is likely a long way to go. GenAI is good at synthesising the statistically most likely thing, so will it therefore only ever generate ‘generic’ code that’s easy to detect, rather than genuinely novel approaches to bypass security defences? Time will tell. PROMPTFLUX, REPORT
- Russia’s Sandworm state-affiliated group has been linked to wiper malware attacks against Ukraine’s grain industry. The attacks, dating back to April 2025, stand out from attacks on more ‘traditional’ Ukrainian government and energy targets, as Russia presumably attempts to inflict economic pain on its adversary. Researchers at ESET tracked two wiper malware strains, dubbed Sting and Zerlot, with one triggered via a scheduled task whose name translates to “eat some goulash”. Wiper malware, as the name suggests, attempts to erase data and render the systems unusable. Unlike ransomware, there’s no intention to potentially reverse the situation: the attacks are intended to be destructive. SANDWORM
- ‘Rogue’ cyber security pros involved in incident response and ransomware negotiation have been indicted over alleged involvement in ransomware attacks. Ryan Clifford Goldberg of Watkinsville, Georgia, and Kevin Tyler Martin of Roanoke, Texas, worked as an incident response manager for Sygnia and a ransomware negotiator at DigitalMint, respectively. A third co-conspirator from Land O’Lakes, Florida, may also have worked for DigitalMint. The trio are alleged to have been affiliated with the ALPHV/BlackCat ransomware-as-a-service operation and to have used the malware on multiple US firms between May and November 2023. Their employers were keen to distance their firms from the investigations, with Sygnia saying it terminated Goldberg’s employment upon learning of the allegations. In a separate case, TechCrunch has more details on Peter Williams’ sale of exploits developed by his company, L3Harris, to exploit brokers. Amusingly, the Trenchant vulnerabilities were reportedly worth $25 million, but Williams only received $1.3 million. No honour among thieves, eh? ROGUE, TRENCHANT
- Meta chose to allow scammers to accrue “more than 500 strikes” while charging them higher rates to run ads to bring in revenue needed for its AI expansion plans, according to Reuters. Internal documents seen by Reuters show that Meta estimates scam adverts will bring in $16 billion, or 10% of ad revenue, and that its users encounter 15 billion “high risk” scam ads every day. The report also highlights that victims of these scam ads were more likely to be targeted by Meta’s ad platforms with similar ads again. Overall, Meta bans accounts only when its automated systems are 95% confident they are engaged in fraudulent activity. Below this rate, it doesn’t suspend the account, but does charge more to run ads, which is why there are accusations of profiteering. META, REPORT
- Marks & Spencer says that its April cyberattack will cost it £136 million ($177M), while year-on-year revenues are up. The British retailer has made a £100 million claim, maxing out its cyber insurance policy. While profits were down 55% to £184 million, revenues were up 22% to £7.96 billion, despite the disruption to online orders. Part of the profit slump was attributed to a new packaging disposal levy applied to large businesses, which increased costs by £50 million compared to previous years. You’ll likely see these results and the “hundreds of millions costs” figures bandied around on social media. These are big numbers, but boosting revenue and absorbing other, non-cyber costs tells a fuller story. The big numbers come from the fact that M&S, like JLR, is a big company. If you want to see where M&S CEO Stuart Machin’s head is at, you need to look at his ‘chancellor-baiting’ this week, rather than dwelling on cyber recovery. M&S, CEO
Startup spotlight
As part of my pledge to support the UK cyber ecosystem, I’ll be featuring a different UK cyber startup each week.
This week it’s Venari Security, an early-stage business, finding product market fit and gaining initial customers:
- What do they do? Venari Security is a sovereign cryptographic platform enabling real-time discovery, CBOM creation, and AI-driven remediation for Post-Quantum Cryptography (PQC) readiness.
- Who is it for? Regulated Enterprise in Financial Services, Government and Defence organisations in UK/EU.
- Where can you find out more? WEB, LINKEDIN
If you’re a UK-based cyber security startup interested in being featured in a ‘Startup Spotlight’ in my weekly newsletter, please fill out this form for consideration. It’s not a paid thing; just trying to support our ecosystem 🚀
In brief
- ⚠️ Incidents: The attacker behind the email to University of Pennsylvania alumni says they obtained access to an employee account and that they have stolen the data on 1.2 million students, alums, and donors, as well as other organisational files and information. Nikkei, the publishing company behind the Financial Times, says its Slack tenant was compromised. The attackers gained access using credentials stolen from an employee’s computer, which they infected with malware. The names, email addresses, and chat histories for 17,368 employees and business partners may have been compromised. OpenAI says an issue with a “small number of search queries” has been “resolved” after ChatGPT users’ prompts appeared in the Google Search Console of some websites. PENNSYLVANIA, NIKKEI, OPENAI
- 🏴‍☠️ Ransomware: Akira ransomware gang claims to have stolen 23GB of data from the OpenOffice project, a claim disputed by the parent Apache Software Foundation. The Washington Post says that it is one of the victims of the Clop ransomware gang’s attacks against Oracle E-Business customers. OPENOFFICE, WAPO
- 🕵️ Threat Intel: Proofpoint says that cybercriminal gangs are targeting logistics organisations to identify and intercept high-value cargo shipments that they can resell on the black market. Cargo theft losses rose 27% to $34 billion in 2024. The cybercriminals are abusing remote monitoring and management (RMM) tools to gain access to logistics network systems. Curly COMrades, a Russia-aligned threat group, is using Microsoft Hyper-V to create a Linux virtual machine and bypass endpoint detection and response software, which typically cannot inspect what’s happening in VMs or their associated network traffic. LANDFALL is the name being given to a new “commercial grade” spyware targeting Samsung Galaxy phones in the Middle East. CARGO, CURLY COMRADES, LANDFALL
- 🪲 Vulnerabilities: Check Point has released details of vulnerabilities in Microsoft Teams that allowed attackers to impersonate other users and change the contents of messages. The cyber vendor reported the issues to Microsoft in March 2024, and the Redmond-based company has just finished patching them all. QNAP has fixed seven zero-day vulnerabilities disclosed at the recent Pwn2Own competition (too many to list; if you have a QNAP NAS, get patching!). CISA is warning about a remote code execution vulnerability (CVE-2025-48703; 9.0/10) in CentOS Web Panel (CWP), an open-source web hosting alternative to cPanel and Plesk. TEAMS, QNAP, CWP
- 🧑‍💻 End user and consumer: A new Telecomms Charter between government, law enforcement, and the UK’s main mobile network operators will see the carriers upgrade their networks to prevent fraudsters from spoofing UK numbers, and add call tracing technology to track down scammers. TELCO CHARTER
- 🧰 Guidance and tools: Microsoft has published a list of key control indicators saying that “risk-based cybersecurity means prioritising efforts to reach maximum effectiveness”. I’d suggest this is control-based security, but notwithstanding, there are core basic hygiene controls that just make sense to implement. KCI
- 🛠️ Security engineering: Unknown attackers planted malicious code in nine NuGet packages for .NET, with ‘delayed fuses’ designed to trigger between 2027 and 2028. Some packages targeted database servers like SQL Server, PostgreSQL, and SQLite, while another was an extension for Siemens S7 programmable logic controllers (PLCs) typically used in manufacturing applications. DELAYED FUSES
- 🏭 Operational technology: There have been five attacks on Britain’s drinking water suppliers since 1 January 2024, though none affected the safe supply to customers. NCSC is investigating whether buses made by the Chinese firm Yutong can be remotely disabled. The probe follows a Norwegian investigation that found Yutong’s buses could be “stopped or rendered inoperable” by the manufacturer. WATER, BUSES
- 🧿 Privacy: Sweden’s data protection regulator is investigating a breach at an IT managed service provider. Miljödata works with around 80% of Sweden’s municipalities, and an August breach saw attackers steal the personal data of 1.5 million people. In the US, DHS is making a version of a controversial facial recognition app available to local police as part of a focus on immigration enforcement. Illuminate Education will pay a $5.1 million fine and make changes to its security practices to settle a case relating to a 2021 data breach. SWEDEN, IMMIGRATION, ILLUMINATE
- 📜 Policy & Regulation: Electronic Privacy Information Center (EPIC) is arguing for greater rules around US government use of data mining to connect disparate data sets at its disposal and infer things about people. DATA MINING
- 👮 Law Enforcement: Police in Cyprus, Spain, and Germany have arrested nine suspects linked to a €600 million ($689M) cryptocurrency fraud ring. Aleksei Olegovich Volkov (aka chubaka.kor), a 25-year-old Russian national, has pleaded guilty to serving as an initial access broker for Yanluowang ransomware attacks in 2021 and 2022. Volkov faces a maximum penalty of 53 years in prison. Meanwhile, China has handed death sentences to five members of a Myanmar organised crime gang for running scam compounds. Five others were handed life sentences, and nine more received between 3 and 20 years in prison. Yikes! FRAUD, VOLKOV, DEATH
- 💰 Investments, mergers and acquisitions: Bugcrowd has announced its acquisition of 2016 DARPA Cyber Grand Challenge winners Mayhem Security. Deal terms were not disclosed. Bugcrowd says that it will integrate Mayhem’s technology into its platform to “combine the power of artificial intelligence with the knowledge of skilled security experts”. Google’s acquisition of Wiz is a step closer after clearing a US DOJ anti-trust review. MAYHEM, WIZ
- 🗞️ Industry news: Startups have less than a week to apply to AWS & Crowdstrike’s cyber accelerator. ACCELERATOR (APPLY)
And finally
- Common passwords are still various-length versions of 1234567890, admin, and password, according to Comparitech, which reviewed data breaches, rather than asking people! PASSWORDS
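The Comparitech finding above is the usual argument for screening new passwords against known-weak patterns at the point they are set. Here is an added example of such a screen (my own illustration, not Comparitech’s method or any product’s code): it rejects the “various-length versions of 1234567890” by checking whether a candidate is simply a run along that digit sequence, and rejects “admin” and “password” with or without the trailing digits people bolt on. It goes slightly beyond the page by also undoing a few common character substitutions (“@” for “a”, “0” for “o”) before comparing, which is an assumption on my part about what a practitioner would want. The deny-list is constructed for the example and is deliberately tiny; a real deployment would back it with a breach-corpus list.

```python
"""Screen candidate passwords against the weak patterns named in the Comparitech report.

Constructed example: the deny-list and substitution table are illustrative, not a
complete policy.
"""

# Constructed deny-list of base words seen in the report.
COMMON_BASES = {"admin", "password"}

# The digit sequence whose prefixes (123456, 12345678, ...) dominate breach data.
DIGIT_RUN = "1234567890"

# Assumed common substitutions to undo before comparing the alphabetic stem.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "4": "a"})


def is_digit_run(pw: str) -> bool:
    """True if pw is a prefix of 1234567890 repeated (e.g. 123, 123456, 12345678901)."""
    if not pw.isdigit() or len(pw) < 3:
        return False
    # Build enough repeats of the run to cover the candidate, then compare prefixes.
    repeats = DIGIT_RUN * (len(pw) // len(DIGIT_RUN) + 1)
    return repeats[: len(pw)] == pw


def is_common_password(candidate: str) -> bool:
    """Return True when the candidate matches one of the trivially guessable patterns."""
    pw = candidate.strip().lower()
    if not pw:
        return True
    if is_digit_run(pw):
        return True
    # Strip trailing digits so password1, admin123 reduce to their base word.
    stem = pw.rstrip("0123456789")
    # Undo simple substitutions so p@ssw0rd reduces to password.
    stem = stem.translate(LEET_MAP)
    return stem in COMMON_BASES


def screen(candidates):
    """Return the subset of candidates that the screen rejects, preserving order."""
    return [c for c in candidates if is_common_password(c)]


if __name__ == "__main__":
    # Constructed sample input mixing weak and acceptable choices.
    sample = ["123456", "Password1", "admin", "P@ssw0rd123", "correct horse battery staple", "1357"]
    for pw in sample:
        print(f"{pw!r}: {'REJECT' if is_common_password(pw) else 'ok'}")
```

Note that trailing-digit stripping runs before substitution, so “passw0rd1” reduces to “passw0rd” and then to “password”; running the steps in the other order would turn the “0” into an “o” and leave the “1” attached. Screening of this kind is a floor, not a policy: it catches the handful of patterns the report names, and nothing else.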