Top news stories this week
- Short retirement. ShinyHunters offshoot announces new ransomware operation and targets Salesforce via supply chain attack.
- Enforcement action. Dutch Police and international sanctions target malicious hosting services.
- Go-phish. Personal data exposed in data breach at Princeton University.
- Own goal. Oracle are latest victims of E-Business Suite vulnerability with Clop dark web leak.
- Patch now! Multiple Fortinet vulnerabilities are being exploited by cyber criminals.
- Sensitive data targeted. Major breaches in French childcare and UK healthcare sectors.
1. Scattered Lapsus$ Hunters launches ransomware operation and targets Salesforce
The criminal collective known as Scattered Lapsus$ Hunters has announced the upcoming launch of a ransomware-as-a-service (RaaS) platform, despite multiple recent retirement claims. The gang has reportedly developed its own encryption tool, highlighting a shift away from data theft towards a more scalable operation. Separately, Salesforce confirmed a data breach related to Gainsight-published applications, which has been attributed to the same group.
So what?
Scattered Lapsus$ Hunters has emerged as one of the most vocal threat actors in 2025, using public statements to pressure its alleged victims. The Gainsight breach highlights the risks of giving broad access to third-party SaaS applications.
[Researcher: Milda Petraityte]
2. Bulletproof hosting services in the crosshairs of law enforcement operations
The Dutch police seized 250 servers from a bulletproof hosting service in the Netherlands. Additionally, the Russian bulletproof hosting service 'Media Land' has been sanctioned by the UK, US, and EU. These bulletproof hosting services facilitated malicious activity such as ransomware, botnets and phishing operations.
So what?
These actions show the importance of global collaboration in combating cybercrime and dismantling the infrastructure it relies on.
[Researcher: Lena Krummeich]
3. Princeton University suffers data breach after phishing attack
Princeton University has revealed that a phishing attack led to access to a database with personal info on alumni, donors, faculty, and students. The data likely includes names, contact details and university-engagement records. The university says there is no evidence so far that financial or social security numbers were exposed.
So what?
This is a reminder that even big universities remain vulnerable to phishing attacks. Attacks like this show how important it is for institutions and individuals to stay alert and use stronger protections.
[Researcher: Ayomikun Olayinka]

4. Oracle allegedly hit with E-Business Suite vulnerability and named by Clop
The Clop ransomware group has listed Oracle on its dark web leak site, marking the latest in a series of Clop-related incidents targeting Oracle’s own E-Business Suite (EBS). This listing suggests that Oracle itself has fallen victim to the same vulnerability exploited in its software.
So what?
With Oracle itself listed as one of the latest victims in Clop's campaign, it is crucial for organisations using EBS to patch the vulnerability and consider engaging incident response service lines.
[Researcher: Lawrence Copson]
5. Multiple Fortinet vulnerabilities are being exploited by cyber criminals
Fortinet has issued a security patch for a zero-day vulnerability in FortiWeb, CVE-2025-58034, which is currently being actively exploited by threat actors. This flaw enables attackers to inject malicious code into the system without requiring any user interaction. Additionally, attackers continue to target previously disclosed Fortinet vulnerabilities CVE-2025-64446, CVE-2025-64446 and CVE-2025-25256, for which patches have already been released.
So what?
Organisations must ensure that vulnerabilities in externally facing devices are patched as soon as security updates become available, as threat actors actively exploit these vulnerabilities to break into networks.
[Researcher: Milda Petraityte]
6. Major breaches in French childcare and UK healthcare sectors
A data breach at the French childcare service provider Pajemploi has compromised personal information belonging to 1.2 million professional caregivers in the country. Separately, the UK fertility treatment provider The London Women's Clinic is reportedly one of the latest victims of the ransomware group Qilin, as patients across 17 clinics risk having their private medical records exposed.
So what?
Regularly review data loss prevention strategies to detect sensitive data leaving the network, and ensure this information is encrypted at rest to protect it in the event of a breach.
[Researcher: Jack Woods]
