Top news stories this week
- ShinySpider. Chaotic Telegram channel points to overlaps between three notorious threat actors.
- Computer says no. South Korean ticketing giant disrupted by second ransomware attack in two months.
- Dutch diagnostic data breach. Personal health information for 485,000 people stolen by threat actors.
- Checkmate. Law enforcement seize crypto assets of BlackSuit group and dismantle their extortion sites.
- Patch now. Citrix NetScaler, WinRAR, Zoom and Xerox vulnerabilities are being actively exploited by cyber criminals.
- Service unavailable. Interlock behind City of Saint Paul cyberattack.
Cyber Intelligence Briefing will be taking a two-week break, returning in September.
1. Scattered LAPSUS$ Hunters Telegram channel combines notorious cybercrime brands
A Telegram channel claiming to combine Scattered Spider, LAPSUS$, and Shiny Hunters appeared last week, attracting significant interest from security researchers. The channel included gamified threats to leak the data of a number of high-profile companies via anonymous polls, alleged zero-day software vulnerabilities offered for sale, and a claim that a new ransomware-as-a-service platform named ‘SHINYSP1D3R’ was under development. The channel was widely described by security researchers as chaotic, and was reportedly banned and removed by Telegram.
So what?
The channel highlights the overlap between Scattered Spider, LAPSUS$, and Shiny Hunters, all of which are believed to be associated with an English-speaking hacker collective known as “The Com”.
[Researcher: James Tytler]
2. South Korean ticketing giant disrupted by second ransomware attack in two months
YES24, South Korea’s largest ticketing and online book retailer, experienced a second cyberattack in just two months, taking its website and app offline. The company allegedly failed to implement remedial actions after the initial attack, such as maintaining offline backups. Moreover, YES24 reportedly paid a ransom to resolve the first attack.
So what?
It is crucial to implement remediation promptly after an incident to avoid further interruption from follow-on attacks. Companies should also carefully consider the reputational impact of being perceived as too lax in dealing with cybersecurity risk.
[Researcher: Lester Lim]
3. Dutch medical laboratory data breach
The Dutch laboratory Clinical Diagnostics NMDL has reported a data breach in which the personal health information of over 485,000 people was stolen. The breached data was initially believed to include names, addresses, social security numbers, and some cancer screening results; however, it has since been determined that data from other medical examinations was also included.
So what?
Letters have been sent to affected parties, and those patients should be on the lookout for potential fraud and phishing attempts.
[Researcher: Steve Ross]
4. US DoJ seizes crypto assets of BlackSuit group
The US Department of Justice announced that it had seized cryptocurrency and digital assets valued at USD 1 million from the BlackSuit threat actor group in January 2024. Authorities tracked the movement of these assets and ultimately froze them in collaboration with a crypto exchange. The announcement comes shortly after US law enforcement dismantled BlackSuit’s extortion sites on the dark web.
So what?
While transactions in cryptocurrencies such as Bitcoin are recorded on a public blockchain and are therefore traceable, threat actors route funds through mixers and exchanges to obscure their transaction trails, which makes recovery of the assets challenging.
[Researcher: Aditya Ganjam Mahesh]
5. Citrix NetScaler, WinRAR, Zoom and Xerox vulnerabilities exploited by cyber criminals
The Netherlands' National Cyber Security Centre (NCSC) has warned that criminals are actively exploiting a critical Citrix NetScaler vulnerability (CVE-2025-6543) to achieve remote code execution.
Separately, WinRAR, Zoom and Xerox have published patches for vulnerabilities in their products that allowed arbitrary code execution, privilege escalation and remote code execution respectively.
So what?
Organizations should ensure that all critical vulnerabilities are patched as soon as possible, prioritising those that are actively exploited by cyber criminals.
[Researcher: Milda Petraityte]
6. Interlock behind City of Saint Paul cyberattack
The ransomware group Interlock has listed the City of Saint Paul, Minnesota, on its dark web leak site. Interlock claims to have stolen more than 66,000 files, amounting to 43GB. The cyberattack forced the shutdown of multiple systems, including payment portals, billing services, library networks, and municipal Wi-Fi.
So what?
A well-defined disaster recovery plan can help reduce disruption and ensure timely restoration of critical services.
[Researcher: Tlhalefo Dikolomela]
