CyberSecurity news

FlagThis - #ransomware

@cyberpress.org //
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.

Nozomi Networks Labs reported a total of 28 distinct cyber incidents linked to Iranian APTs during May and June, a substantial increase from the 12 incidents recorded in the preceding two months. Among the most active groups identified are MuddyWater, which targeted at least five U.S. companies primarily in the transportation and manufacturing sectors, and APT33, responsible for attacks on at least three U.S. entities. Other groups such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were also observed conducting attacks against U.S. companies in these critical industries.

The resurfacing of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, further highlights the evolving threat landscape. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering an 80% profit share to affiliates targeting Iran's adversaries, including the U.S. and Israel. This financially motivated scheme has also demonstrated an ideological commitment, with claims of over 51 successful ransom payouts, netting substantial profits. The use of the Invisible Internet Project (I2P) for its infrastructure represents a notable shift in RaaS operations, potentially enhancing its evasiveness.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • securityaffairs.com: Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates
  • www.morphisec.com: Reporting on Iranian CyberWarfare
  • newsinterpretation.com: Iranian ransomware gang Pay2Key/I2P returns, offers huge rewards for attacks on U.S. and Israel.
  • Matthew Rosenquist: Iran sponsored Pay2Key Ransomware-as-a-Service (RaaS)
  • securityonline.info: Iranian Ransomware “Pay2Key.I2P†Resurfaces on I2P Network, Offering 80% Profit for Targeting Western Enemies
  • The Hacker News: Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • cyberpress.org: CyberPress: Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries
  • industrialcyber.co: Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • gbhackers.com: gbhackers: Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks
Classification:
@blog.checkpoint.com //
Scattered Spider, a financially motivated cyber threat group, has significantly expanded its targeting, with recent intelligence highlighting a new focus on the aviation sector. Known for its aggressive social engineering tactics and identity-focused intrusions, the group has previously targeted telecommunications, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. The FBI has issued a warning, indicating that airlines are now directly in the crosshairs of Scattered Spider. Their methods often involve sophisticated techniques such as SIM swapping, impersonating helpdesk personnel, and employing adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, frequently bypassing multi-factor authentication (MFA). This broader targeting strategy underscores the evolving and increasingly pervasive threat posed by this group.

In a significant development that underscores the reach of Scattered Spider, UK authorities have arrested four individuals linked to a spree of cyberattacks that crippled major British retailers, including Marks & Spencer, Harrods, and the Co-op earlier this year. The arrests, which involved individuals aged 17 to 20, are a major step in a high-priority investigation. The National Crime Agency (NCA) confirmed the arrests, suspecting the individuals of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. These retail attacks caused substantial disruption, with Marks & Spencer estimating losses of around £300 million due to the incident. The methods employed in these attacks, which reportedly included gaining access through social engineering to deploy ransomware, align with Scattered Spider's known modus operandi.

The growing threat posed by Scattered Spider has prompted cybersecurity experts to issue alerts, particularly concerning their expansion into the aviation sector. The group's ability to effectively compromise user identities and bypass security measures like MFA makes them a formidable adversary. Their recent targeting of airlines, following major disruptions in the retail sector, signifies a dangerous escalation. Companies within the aviation industry, and indeed across all sectors, must remain vigilant and bolster their identity-centric defenses to counter the sophisticated tactics employed by Scattered Spider, which include advanced phishing kits, dynamic command and control infrastructure, and custom malware for persistent access.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • blog.checkpoint.com: Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
  • Resources-2: Tracking Scattered Spider Through Identity Attacks and Token Theft
  • Cloud Security Alliance: Scattered Spider: The Group Behind Major ESXi Ransomware Attacks
  • BrianKrebs: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • infosec.exchange: 3 teenagers aged 17-19 and a 20-year-old woman arrested in the UK this morning in connection with cyber attacks on Marks & Spencer (M&S) and Co-op retail chains in April-May this year
  • Zack Whittaker: New, by me: U.K. authorities have confirmed the arrest of four alleged hackers behind the recent U.K. retail hacking spree targeting Marks & Spencer, Harrods, and the Co-op earlier this year. The hackers are allegedly linked to Scattered Spider; one of the suspects is aged 17.
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • SecureWorld News: 4 Arrested in U.K. for Cyberattacks on Retail Tied to Scattered Spider
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • www.nationalcrimeagency.gov.uk: Report on the arrests of four individuals linked to the Scattered Spider hacking group for the cyberattacks on UK retailers.
  • The Register - Security: NCA arrests four in connection with UK retail ransomware attacks
  • krebsonsecurity.com: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • thecyberexpress.com: UK NCA Arrests Four in Cyberattacks on M&S, Co-op, and Harrods
  • HYPR Blog: Deconstructing the Gen-Z Hackers behind the £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • cyberscoop.com: UK arrests four for cyberattacks on major British retailers
  • Threats | CyberScoop: UK arrests four for cyberattacks on major British retailers
  • WIRED: 4 Arrested Over Scattered Spider Hacking Spree
  • blog.knowbe4.com: Alert from KnowBe4 about Scattered Spider targeting the aviation sector.
  • Metacurity: UK's NCA arrested four people for M&S, Co-Op cyberattacks
  • Risky.Biz: Four Key Players Drive Scattered Spider
  • Talkback Resources: UK charges four in Scattered Spider ransom group
  • TechInformed: Four people have been arrested as part of a National Crime Agency (NCA) investigation into cyberattacks targeting major UK retailers M&S, Harrods and Co-op.
  • Help Net Security: The UK's National Crime Agency (NCA) arrested four individuals suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.
  • hackread.com: UK Arrests Woman and Three Men for Cyberattacks on M&S Co-op and Harrods
  • securityaffairs.com: UK NCA arrested four people over M&S, Co-op cyberattacks
  • BleepingComputer: The UK's National Crime Agency (NCA) arrested four people suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.
Classification:
  • HashTags: #scatteredspider #socialengineering #identitytheft
  • Company: Pic Security
  • Target: telecom, SaaS, cloud, financial services, and aviation
  • Attacker: Scattered Spider
  • Product: telecom services
  • Feature: social engineering
  • Malware: AiTM phishing
  • Type: Hack
  • Severity: Major