12 June 2026


Threat actor group targets law firms by posing as IT support | Cyber Intelligence Briefing – 12 June 2026


Top news stories this week

  1. Trust me, I’m IT. Threat actor group targeting US law firms by posing as IT support
  2. Patch palooza. Surge in Microsoft, Ivanti and Veeam flaws underscores urgency of patching
  3. Open to phishing. Researchers find OpenClaw AI agent susceptible to phishing attacks
  4. Degrees of exposure. UK universities hit by breaches linked to third-party platforms
  5. Stock take. SoFi Hong Kong confirms third-party data breach
  6. Defence data danger. Large-scale device losses at the UK’s Ministry of Defence

1. Threat actor group targeting US law firms by posing as IT support

The Silent Ransom Group (also known as Luna Moth, Chatty Spider) is actively targeting US law firms through social engineering campaigns that impersonate internal IT support. Victims receive phishing emails or calls directing them to fake help desks requesting remote access. The group has also attempted to gain physical access to on-premises systems to steal sensitive data.

So what?

Law firms and other organisations that hold large quantities of sensitive information are encouraged to stay hypervigilant during this campaign. Strengthening controls around identity verification, physical access, and phishing/vishing is highly recommended.

[Researcher: Steve Ross]  


2. Surge in Microsoft, Ivanti and Veeam flaws underscores urgency of patching

Microsoft has released its largest-ever Patch Tuesday update, fixing over 200 vulnerabilities. The surge in activity coincides with a wave of critical third-party vulnerabilities: Ivanti has patched a maximum-severity flaw in its Sentry gateway, while Veeam has patched a critical issue enabling low-privileged domain users to achieve remote code execution on backup servers.

So what?

This cluster of high-severity vulnerabilities highlights shrinking patching windows. Organisations should prioritise rapid patch deployment, particularly for edge systems and backup infrastructure, as attackers are likely to quickly weaponise newly disclosed flaws against unpatched environments.

[Researcher: Jenny Eysert]  


3. Researchers find OpenClaw AI agent susceptible to phishing attacks 

Researchers conducting simulated phishing attacks against OpenClaw’s open-source AI email agent, which had access to internal systems and sensitive data, were able to manipulate it into disclosing confidential information, including AWS keys, database credentials, internal reports, and customer records. While the agent could identify fake login pages and suspicious URLs, it remained vulnerable to more targeted phishing attempts.

So what?

Organisations should limit AI agents to non-sensitive tasks, enforce strict access controls, and require human validation for any actions involving sensitive data to prevent leakage.

[Researcher: Aditya Ganjam Mahesh]



4. UK universities hit by breaches linked to third-party platforms

The University of Oxford has confirmed a second incident in recent months after attackers compromised the third-party careers platform ‘CareerConnect’, exposing names, email addresses, and encrypted passwords via a supplier vulnerability. Separately, the University of Nottingham disclosed a major cyberattack linked to the ShinyHunters group, which accessed its student records system and reportedly stole sensitive data affecting both current students and alumni.

So what?

These incidents highlight the risks posed by third-party platforms and shared systems in the education sector, as well as the scale and sensitivity of university data, making institutions increasingly attractive targets.

[Researcher: Jenny Eysert]


5. SoFi Hong Kong confirms third-party data breach

SoFi Hong Kong confirmed a data breach after hackers gained unauthorised access to a third-party vendor database containing customer information. The attack was not malware-based but relied on social engineering, exploiting weaknesses in third-party vendor security controls.

So what?

This incident underlines the continued risk of third-party vendor access to customer information. Companies should review on a regular basis which vendors have access to customer data, how that access is monitored, and whether vendor-side activity can be quickly detected.

[Researcher: Lester Lim]


6. Large-scale device losses at the UK’s Ministry of Defence

Over 1,000 laptops and mobile devices, with a total value of around GBP 1.6 million, have reportedly been lost or stolen from the UK’s Ministry of Defence (MoD) since 2024. The scale of these losses has raised concerns about the security of the data stored on them.

So what?

Asset management procedures remain critical to governing the lifecycle of physical devices. Mobile device management software should be configured on managed devices, with controls such as remote wipe, device compliance policies, and application protection settings to help safeguard data.

[Researcher: Jack Woods]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
