21 June 2024


US bans Russian antivirus vendor Kaspersky | Cyber Intelligence Briefing: 21 June


Top news stories this week

  1. Uninstalled. US bans Russian antivirus vendor Kaspersky.
  2. Vein pursuit. Qilin leaks NHS blood test data and claims attack was politically motivated.
  3. Long arm of the law. Scattered Spider ringleader and dark web marketplace operators arrested.
  4. You've got mail. ONNX phishing-as-a-service platform targets finance sector.
  5. Hefty penalties. Regulators criticise Medibank and Blackbaud for inadequate cyber security.
  6. Double strike. Global software provider to US car dealerships hit by second cyber attack during recovery.
  7. Red card. Polish TV broadcaster disrupted by DDoS attack during Poland’s Euros opening match.



1. US prohibits sales of Russian antivirus software Kaspersky

The Biden administration has banned the sale of antivirus software made by Russian firm Kaspersky in the United States. There are concerns that the software's privileged access to computer systems could potentially enable it to steal sensitive data or install malware. Kaspersky has denied the claim that it poses a threat to national security, stating that the ban is motivated by geopolitical and theoretical concerns.

So what?

The ban also prohibits Kaspersky from providing antivirus signature and software updates to existing US users after 29 September 2024. An antivirus product that no longer receives signature updates offers rapidly diminishing protection, so US-based customers should plan and complete a migration to another provider before that date rather than waiting for the product to go stale.

[Researcher: James Tytler]

2. Qilin leaks Synnovis data, including NHS patient information and blood test data

The ransomware group Qilin has published approximately 400GB of data stolen from NHS pathology provider Synnovis on its Telegram channel. The leaked data includes patient names and descriptions of blood tests. The group has claimed the attack on the healthcare organisation, which led to thousands of appointments being cancelled, was intentional and politically motivated.

So what?

Although Qilin claims the attack was politically motivated, threat actor claims are notoriously unreliable. The group reportedly leaked the data only after Synnovis failed to pay a USD 50 million ransom quickly enough, which indicates that its ultimate goal is financial gain rather than disruption for its own sake.

[Researcher: Lawrence Copson]

3. Scattered Spider ringleader and dark web marketplace operators arrested

A 22-year-old British man has been arrested in Spain as a suspected ringleader of the prolific cyber criminal collective Scattered Spider, the group responsible for the large-scale cyber attack on MGM Resorts last year. Separately, two individuals have been arrested for operating Empire Market, a dark web marketplace responsible for facilitating over USD 430 million of illegal transactions.

So what?

As law enforcement becomes more proficient at unmasking cyber criminals, we can expect to see further arrests and takedown operations.

[Researcher: David Broome]

4. ONNX phishing kit uses QR codes to target financial sector firms

A new phishing-as-a-service platform called ONNX is offering phishing kits which are being used to target Microsoft 365 accounts in banks, credit union service providers, and private funding firms. The kits allow threat actors to generate emails which contain malicious QR codes and a multi-factor authentication (MFA) bypass mechanism.

So what?

QR code-based phishing is increasingly common, partly because a QR code moves the victim onto a personal mobile device and past the URL inspection performed by corporate email gateways. Treat QR codes in unsolicited emails as you would unsolicited links: do not scan them, and never enter credentials or MFA codes on the page they lead to. Phishing-resistant MFA such as FIDO2 security keys is not defeated by the credential-and-code relay that these kits rely on.

[Researcher: Lena Krummeich]

5. Regulators criticise lack of basic infosec practices at Medibank and Blackbaud

Australia’s data protection regulator, the Office of the Australian Information Commissioner (OAIC), found that the 2022 Medibank cyber attack was the result of inadequate basic cyber security measures, including not enforcing MFA on the company’s VPN. Medibank now faces a theoretical maximum fine of up to AUD 21 trillion, a figure that results from multiplying the per-contravention penalty across the millions of affected customers. Separately, the California attorney general has fined Blackbaud USD 6.75 million for poor cyber security practices and for misleading the public about the scale of a breach that occurred in 2020.

So what?

Regulators are increasingly penalising organisations that fail to implement basic cyber security practices, and, as the Blackbaud case shows, organisations that understate the scale of a breach. Organisations should enforce fundamentals such as MFA on all remote access, maintain the ability to detect and contain intrusions, and be accurate in their public statements when a breach does occur.

[Researcher: Jon Seland]

6. Cyber attacks on CDK Global impact car dealerships

CDK Global, an American multinational that provides software for auto dealerships, was forced to shut down its systems again following an additional cyber attack. The second attack occurred just as the company was beginning to restore systems that had been previously shut down due to an earlier breach.

This incident disrupted services for over 15,000 car dealerships across the US, including General Motors dealerships, which rely on CDK's software for managing sales and payroll operations.

So what?

To prevent recurring breaches, organisations should follow secure restoration guidelines: confirm that the initial access vector has been closed, reset credentials and rotate keys the attacker may have obtained, and remove any persistence mechanisms before restored systems are reconnected to the network. Restoring systems while an attacker still holds valid access simply invites a second intrusion.

[Researcher: Ineta Simkunaite]

7. Polish TV broadcaster disrupted by DDoS attack during Poland’s Euros opening match

Polish TV broadcaster, TVP, has blamed a distributed denial of service (DDoS) attack for disruption to its website during Poland’s opening Euros match against the Netherlands. Russia-based hackers are suspected of conducting the attack, which started at the same time as the match kick-off.

So what?

Attacks timed to coincide with predictable high-profile events are easy for an adversary to plan for, so organisations should plan for them too. DDoS mitigation for public-facing services and a well-tested business continuity plan are important in quickly restoring key services in the event of a cyber incident.

[Researcher: David Broome]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

