23 January 2026


Threat actors claim breaches of Hyatt Hotel, Nike, McDonald’s India and Under Armour | Cyber Intelligence Briefing: 23 January 2026

January 2026

Top news stories this week

  1. Brands breached.  Threat actors claim breaches of Hyatt Hotel, Nike, McDonald’s India and Under Armour.
  2. Report Fraud.  UK launches new reporting service in fight against cybercrime and fraud.
  3. Initial access broken.  Law enforcement crackdown on initial access brokers.
  4. Supremely stupid.  Tennessee man hacks US Supreme Court and posts about it on Instagram.
  5. Pay slip.  Attackers redirect pay cheques without breaching systems.
  6. Git patched.  GitLab and Fortinet become prime targets for hackers with latest critical vulnerabilities.

1. Threat actors claim breaches of Hyatt Hotel, Nike, McDonald’s India and Under Armour 

The ransomware group NightSpire has claimed responsibility for a data breach of the Hyatt Place Chelsea hotel in New York and has released 48.5GB of data on its dark web leak site. The stolen data purportedly includes employee names, contact details, and invoices.

The US sportswear giant Nike may have experienced a data breach after the cybercriminal group World Leaks claimed it hacked the company. The group listed Nike on its dark web leak site, with a countdown on the post set to expire on 24 January when the data is likely to be fully revealed. 

Similarly, the Everest ransomware group has claimed to have breached McDonald’s India and the athletic gear retailer Under Armour. The group asserts that 861GB of data, including customer and internal company information, has been exfiltrated from McDonald's India. Although Under Armour has not yet acknowledged the breach, Everest posted 72.7 million accounts registered with Under Armour.

So what?

Understanding the sensitivity levels of data types stored by your organisation will assist in the timely identification of impacted data sets during a cyber incident.

[Researcher: Adelaide Parker]


2. UK launches new reporting service in fight against cybercrime and fraud 

The UK has set up a new reporting service for victims of cybercrime to report incidents directly with authorities. The online portal and analytics platform named ‘Report Fraud’ replaces ‘Action Fraud’ and aims to speed investigations and ensure efficient and effective case processing.  

So what?

Report Fraud’s predecessor Action Fraud was widely criticised as not fit for purpose. The new platform is intended to provide more visibility and information to victims. 

[Researcher: Jenny Eysert]


3. Law enforcement crackdown on initial access brokers 

Ukrainian and German law enforcement authorities raided the homes of two Ukrainian nationals suspected of stealing and cracking user credentials to enable initial access for attacks carried out by the Black Basta ransomware group. Authorities also identified the group’s alleged ringleader as Oleg Nefedov, a Russian national who is wanted by Interpol and Europol for cybercrimes. 

Separately, a Jordanian national known online as “r1z,” who operated as an initial access broker, pleaded guilty to charges related to selling unauthorised access to the networks of at least 50 companies via cybercrime forums.  

So what?

The crackdown on criminals who provide cracked tools or access to business networks disrupts the activities of cyber criminals and affects their sense of impunity.

[Researcher: Milda Petraityte]


4. Tennessee man hacks US Supreme Court and posts about it on Instagram 

A 24-year old man in Tennessee pleaded guilty to hacking the US Supreme Court, Veterans Administration Health System, and accounts at Americorps between August and November of 2023. The man stole credentials from an authorised user, utilised them to access restricted systems dozens of times and posted the information on Instagram. 

So what?

Not all threat actors are savvy operators, but they don’t have to be when they have stolen credentials. This incident underlines the importance of keeping usernames and passwords secure, especially for sensitive systems.

[Researcher: Steve Ross]


5. Attackers redirect pay cheques without breaching systems 

Threat actors redirected employee pay cheques into accounts under their control following social engineering attacks against help desks. This method is not technically sophisticated and requires only publicly available information, often harvested from social media platforms. The attack was discovered when employees reported missing salary payments.

So what?

Organisations should ensure help desks enforce proper verification procedures before resetting accounts and redistributing credentials. 

[Researcher: Lester Lim]



6. High severity vulnerabilities in Fortinet and GitLab 

Fortinet Fortigate devices are being targeted by a new exploit for a previously fixed critical vulnerability (CVE-2025-59718). Fortinet has advised organisations to disable certain features until more complete fixes are released, as previously patched devices are still vulnerable. Separately, GitLab has disclosed high-severity vulnerabilities that allow multi-factor authentication bypass and denial-of-service attacks.

So what?

Organisations should implement stringent patch policies, and apply defensive configuration changes and monitoring where vulnerabilities remain unpatched.

[Researcher: Lawrence Copson]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
