CyberSecurity news

FlagThis - #threatintelligence

@blog.checkpoint.com //
Scattered Spider, a financially motivated cyber threat group, has significantly expanded its targeting, with recent intelligence highlighting a new focus on the aviation sector. Known for its aggressive social engineering tactics and identity-focused intrusions, the group has previously targeted telecommunications, SaaS, cloud, and financial services by hijacking user identities and exploiting authentication flows. The FBI has issued a warning, indicating that airlines are now directly in the crosshairs of Scattered Spider. Their methods often involve sophisticated techniques such as SIM swapping, impersonating helpdesk personnel, and employing adversary-in-the-middle (AiTM) phishing to obtain valid credentials and tokens, frequently bypassing multi-factor authentication (MFA). This broader targeting strategy underscores the evolving and increasingly pervasive threat posed by this group.

In a significant development that underscores the reach of Scattered Spider, UK authorities have arrested four individuals linked to a spree of cyberattacks that crippled major British retailers, including Marks & Spencer, Harrods, and the Co-op earlier this year. The arrests, which involved individuals aged 17 to 20, are a major step in a high-priority investigation. The National Crime Agency (NCA) confirmed the arrests, suspecting the individuals of Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime. These retail attacks caused substantial disruption, with Marks & Spencer estimating losses of around £300 million due to the incident. The methods employed in these attacks, which reportedly included gaining access through social engineering to deploy ransomware, align with Scattered Spider's known modus operandi.

The growing threat posed by Scattered Spider has prompted cybersecurity experts to issue alerts, particularly concerning their expansion into the aviation sector. The group's ability to effectively compromise user identities and bypass security measures like MFA makes them a formidable adversary. Their recent targeting of airlines, following major disruptions in the retail sector, signifies a dangerous escalation. Companies within the aviation industry, and indeed across all sectors, must remain vigilant and bolster their identity-centric defenses to counter the sophisticated tactics employed by Scattered Spider, which include advanced phishing kits, dynamic command and control infrastructure, and custom malware for persistent access.

References:
  • blog.checkpoint.com: Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
  • Resources-2: Tracking Scattered Spider Through Identity Attacks and Token Theft
  • Cloud Security Alliance: Scattered Spider: The Group Behind Major ESXi Ransomware Attacks
  • BrianKrebs: You've probably read by now that British authorities this week arrested 4 people aged 17-20 in re an investigation into data ransom attacks from the cybercrime group Scattered Spider, which has been blamed in breaches at Marks & Spencer, Harrods, MGM Casinos and a bunch of airlines recently.
  • infosec.exchange: 3 teenagers aged 17-19 and a 20-year-old woman arrested in the UK this morning in connection with cyber attacks on Marks & Spencer (M&S) and Co-op retail chains in April-May this year
  • Zack Whittaker: New, by me: U.K. authorities have confirmed the arrest of four alleged hackers behind the recent U.K. retail hacking spree targeting Marks & Spencer, Harrods, and the Co-op earlier this year. The hackers are allegedly linked to Scattered Spider; one of the suspects is aged 17.
  • techcrunch.com: The U.K. National Crime Agency said the suspects are in custody in relation to the hacks targeting Marks & Spencer, Harrods, and the Co-op.
  • SecureWorld News: 4 Arrested in U.K. for Cyberattacks on Retail Tied to Scattered Spider
  • www.nationalcrimeagency.gov.uk: Report on the arrests of four individuals linked to the Scattered Spider hacking group for the cyberattacks on UK retailers.
  • The Register - Security: NCA arrests four in connection with UK retail ransomware attacks
  • thecyberexpress.com: UK NCA Arrests Four in Cyberattacks on M&S, Co-op, and Harrods
  • HYPR Blog: Deconstructing the Gen-Z Hackers behind the £440M Cyber Attack on Marks & Spencer, Co-op, and Harrods
  • cyberscoop.com: UK arrests four for cyberattacks on major British retailers
  • WIRED: 4 Arrested Over Scattered Spider Hacking Spree
  • blog.knowbe4.com: Alert from KnowBe4 about Scattered Spider targeting the aviation sector.
  • Metacurity: UK's NCA arrested four people for M&S, Co-Op cyberattacks
  • Risky.Biz: Four Key Players Drive Scattered Spider
  • Talkback Resources: UK charges four in Scattered Spider ransom group
  • TechInformed: Four people have been arrested as part of a National Crime Agency (NCA) investigation into cyberattacks targeting major UK retailers M&S, Harrods and Co-op.
  • Help Net Security: The UK's National Crime Agency (NCA) arrested four individuals suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.
  • hackread.com: UK Arrests Woman and Three Men for Cyberattacks on M&S Co-op and Harrods
  • securityaffairs.com: UK NCA arrested four people over M&S, Co-op cyberattacks
  • BleepingComputer: The UK's National Crime Agency (NCA) arrested four people suspected of being involved in cyberattacks on major retailers in the country, including Marks & Spencer, Co-op, and Harrods.

rulesbot@community.emergingthreats.net //
Emerging Threats has released a significant ruleset update, v10950, aimed at bolstering network security and threat detection. The update includes 73 new open rules and 136 new pro rules, totaling 209 enhancements to the existing security framework. These rules are designed to address a wide spectrum of threats, ranging from general malware to web application-specific vulnerabilities and hunting activities, enabling organizations to strengthen their defenses against an evolving threat landscape. The release date for this update is June 13, 2025.

Among the key targets of this update is the Predator spyware, which remains a persistent threat despite US sanctions. The ruleset includes specific signatures to detect DNS queries for domains associated with Predator, such as gilfonts .com, zipzone .io, and numerous others. This reflects the ongoing effort to identify and neutralize the infrastructure used by Intellexa, the maker of Predator, even as it attempts to evade detection by standing up new servers and domains. Such signature updates only stay useful if they are applied continuously, which is why monitoring for sophisticated surveillance tooling has to be treated as an ongoing process rather than a one-off deployment.
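As an added illustration (not code from Emerging Threats or from the ruleset itself), the following Python scans constructed DNS query log lines for the two defanged Predator domains named above: it refangs the indicators and matches on label boundaries so that subdomains fire but lookalike names do not. The "timestamp client qname" log layout and the sample lines are assumptions made for this example.

```python
"""Detection logic for DNS queries to defanged spyware domains (added example)."""
import re
from typing import Optional

# Indicators in the defanged form used in the text ("gilfonts .com").
PREDATOR_INDICATORS = ["gilfonts .com", "zipzone .io"]

# Constructed sample log lines in an assumed "timestamp client qname" layout.
SAMPLE_DNS_LOG = """\
2025-06-13T10:00:01Z 10.0.0.12 www.example.org
2025-06-13T10:00:02Z 10.0.0.12 cdn.gilfonts.com
2025-06-13T10:00:03Z 10.0.0.44 zipzone.io.
2025-06-13T10:00:04Z 10.0.0.44 notzipzone.io
2025-06-13T10:00:05Z 10.0.0.51 GILFONTS.COM
2025-06-13T10:00:06Z 10.0.0.9
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a normalised hostname.

    Handles the space-before-TLD form used in the text ("gilfonts .com"),
    the "[.]" / "(.)" forms and an "hxxp(s)://" prefix; lower-cases and
    strips a trailing dot so comparisons are canonical.
    """
    host = indicator.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    host = host.replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"\s+\.", ".", host)  # "gilfonts .com" -> "gilfonts.com"
    return host.rstrip(".")


def matches_indicator(qname: str, indicators) -> Optional[str]:
    """Return the refanged indicator that qname matches, or None.

    A hit is the domain itself or any subdomain of it. The check is done
    on a label boundary so a lookalike such as "notzipzone.io" does not match.
    """
    name = qname.strip().lower().rstrip(".")
    for ioc in indicators:
        domain = refang(ioc)
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan_dns_log(log_text: str, indicators=PREDATOR_INDICATORS):
    """Parse 'timestamp client qname' lines; return (client, qname, ioc) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname = parts
        ioc = matches_indicator(qname, indicators)
        if ioc:
            hits.append((client, qname.rstrip("."), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT {client} queried {qname} (matches {ioc})")
```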

In addition to addressing the Predator spyware, the ruleset update also tackles a critical vulnerability in Fortinet Admin APIs, specifically a Stack-based Buffer Overflow in the AuthHash Cookie, identified as CVE-2025-32756. This rule aims to protect against potential exploits targeting this weakness in Fortinet systems. Furthermore, the update incorporates rules for hunting SQL Database Version Discovery, enhancing the ability to proactively identify and address potential vulnerabilities within network environments. This comprehensive approach ensures a multi-layered defense against various attack vectors.


Pierluigi Paganini@securityaffairs.com //
OpenAI is actively combating the misuse of its AI tools, including ChatGPT, by malicious groups from countries like China, Russia, and Iran. The company recently banned multiple ChatGPT accounts linked to these threat actors, who were exploiting the platform for illicit activities. These banned accounts were involved in assisting with malware development, automating social media activities to spread disinformation, and conducting research on sensitive topics such as U.S. satellite communications technologies.

OpenAI's actions highlight the diverse ways in which malicious actors are attempting to leverage AI for their campaigns. Chinese groups used AI to generate fake comments and articles on platforms like TikTok and X, posing as real users to spread disinformation and influence public opinion. North Korean actors used AI to craft fake resumes and job applications in an attempt to secure remote IT jobs and potentially steal data. Russian groups employed AI to develop malware and plan cyberattacks, aiming to compromise systems and exfiltrate sensitive information.

The report also details specific operations such as ScopeCreep, in which a Russian-speaking threat actor used ChatGPT to develop and refine Windows malware. The actor also used AI to debug code in multiple languages and to set up command-and-control infrastructure. The malware was designed to escalate privileges, establish stealthy persistence, and exfiltrate sensitive data while evading detection. OpenAI's swift response and the details revealed in its report demonstrate the ongoing battle against the misuse of AI and the proactive measures being taken to safeguard its platforms.

References:
  • securityaffairs.com: OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops
  • The Hacker News: OpenAI has revealed that it banned a set of ChatGPT accounts that were likely operated by Russian-speaking threat actors and two Chinese nation-state hacking groups to assist with malware development, social media automation, and research about U.S. satellite communications technologies, among other things.
  • Tech Monitor: OpenAI highlights exploitative use of ChatGPT by Chinese entities
  • gbhackers.com: OpenAI Shuts Down ChatGPT Accounts Linked to Russian, Iranian & Chinese Cyber
  • iHLS: AI Tools Exploited in Covert Influence and Cyber Ops, OpenAI Warns
  • The Register - Security: OpenAI boots accounts linked to 10 malicious campaigns
  • hackread.com: OpenAI, a leading artificial intelligence company, has revealed it is actively fighting widespread misuse of its AI tools…
  • Metacurity: OpenAI banned ChatGPT accounts tied to Russian and Chinese hackers using the tool for malware, social media abuse, and U.S.

Pierluigi Paganini@securityaffairs.com //
OpenAI is facing scrutiny over its ChatGPT user logs due to a recent court order mandating the indefinite retention of all chat data, including deleted conversations. This directive stems from a lawsuit filed by The New York Times and other news organizations, who allege that ChatGPT has been used to generate copyrighted news articles. The plaintiffs believe that even deleted chats could contain evidence of infringing outputs. OpenAI, while complying with the order, is appealing the decision, citing concerns about user privacy and potential conflicts with data privacy regulations like the EU's GDPR. The company emphasizes that this retention policy does not affect ChatGPT Enterprise or ChatGPT Edu customers, nor users with a Zero Data Retention agreement.

Sam Altman, CEO of OpenAI, has advocated for what he terms "AI privilege," suggesting that interactions with AI should be afforded the same privacy protections as communications with professionals like lawyers or doctors. This stance comes as OpenAI faces criticism for not disclosing to users that deleted and temporary chat logs were being preserved since mid-May in response to the court order. Altman argues that retaining user chats compromises their privacy, which OpenAI considers a core principle. He fears that this legal precedent could lead to a future where all AI conversations are recorded and accessible, potentially chilling free expression and innovation.

In addition to privacy concerns, OpenAI has identified and addressed malicious campaigns leveraging ChatGPT for nefarious purposes. These activities include the creation of fake IT worker resumes, the dissemination of misinformation, and assistance in cyber operations. OpenAI has banned accounts linked to ten such campaigns, including those potentially associated with North Korean IT worker schemes, Beijing-backed cyber operatives, and Russian malware distributors. These malicious actors utilized ChatGPT to craft application materials, auto-generate resumes, and even develop multi-stage malware. OpenAI is actively working to combat these abuses and safeguard its platform from being exploited for malicious activities.

References:
  • chatgptiseatingtheworld.com: After filing an objection with Judge Stein, OpenAI took to the court of public opinion to seek the reversal of Magistrate Judge Wang’s broad order requiring OpenAI to preserve all ChatGPT logs of people’s chats.
  • Reclaim The Net: Private prompts once thought ephemeral could now live forever, thanks to demands from the New York Times.
  • Digital Information World: If you’ve ever used ChatGPT’s temporary chat feature thinking your conversation would vanish after closing the window — well, it turns out that wasn’t exactly the case.
  • iHLS: AI Tools Exploited in Covert Influence and Cyber Ops, OpenAI Warns
  • Schneier on Security: Report on the Malicious Uses of AI
  • The Register - Security: ChatGPT used for evil: Fake IT worker resumes, misinfo, and cyber-op assist
  • Jon Greig: Russians are using ChatGPT to incrementally improve malware. Chinese groups are using it to mass create fake social media comments. North Koreans are using it to refine fake resumes is likely only catching a fraction of nation-state use
  • Latest news: How global threat actors are weaponizing AI now, according to OpenAI
  • The Hacker News: OpenAI has revealed that it banned a set of ChatGPT accounts that were likely operated by Russian-speaking threat actors and two Chinese nation-state hacking groups to assist with malware development, social media automation, and research about U.S. satellite communications technologies, among other things.
  • securityaffairs.com: OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops
  • siliconangle.com: OpenAI to retain deleted ChatGPT conversations following court order
  • eWEEK: ‘An Inappropriate Request’: OpenAI Appeals ChatGPT Data Retention Court Order in NYT Case
  • gbhackers.com: OpenAI Shuts Down ChatGPT Accounts Linked to Russian, Iranian & Chinese Cyber
  • Policy - Ars Technica: OpenAI is retaining all ChatGPT logs “indefinitely.” Here’s who’s affected.
  • AI News | VentureBeat: Sam Altman calls for ‘AI privilege’ as OpenAI clarifies court order to retain temporary and deleted ChatGPT sessions
  • www.techradar.com: Sam Altman says AI chats should be as private as ‘talking to a lawyer or a doctor’, but OpenAI could soon be forced to keep your ChatGPT conversations forever
  • aithority.com: New Relic Report Shows OpenAI’s ChatGPT Dominates Among AI Developers
  • the-decoder.com: ChatGPT scams range from silly money-making ploys to calculated political meddling
  • hackread.com: OpenAI Shuts Down 10 Malicious AI Ops Linked to China, Russia, N. Korea
  • Tech Monitor: OpenAI highlights exploitative use of ChatGPT by Chinese entities

Brian Fagioli@BetaNews //
Microsoft is significantly expanding its cybersecurity support for European governments, providing a free security program specifically designed to combat AI-based cyberattacks. This initiative reflects Microsoft's commitment to bolstering the digital defenses of European nations. Furthermore, the company is actively addressing concerns related to competition within the European market, demonstrating a willingness to adapt to regulatory requirements and user preferences.

Microsoft is collaborating with CrowdStrike to harmonize cyber threat attribution. This partnership aims to establish a unified system for identifying and tracking cyber threat actors across different security platforms, which is designed to accelerate response times and strengthen global cyber defenses. The collaborative effort seeks to bridge the gaps created by differing naming systems for threat actors, creating a "Rosetta Stone" for cyber threat intelligence. This mapping will allow security teams to make informed decisions more quickly, correlate threat intelligence across sources, and disrupt malicious activity before it inflicts damage.

In response to Europe’s Digital Markets Act (DMA), Microsoft is making changes to the user experience within the European Economic Area. The company will reduce the frequency with which it prompts users to switch to Edge as their default browser. This change is intended to address complaints from rival browser makers and others who felt that Microsoft was unfairly pushing its own products. Europeans will also find it easier to uninstall the Windows Store and sideline Bing, offering greater control over their digital environment and aligning with the principles of the DMA, which aims to promote competition and user choice in the digital market.

References:
  • bsky.app: While they will not switch to a single threat actor taxonomy, Microsoft and CrowdStrike analysts have already linked more than 80 overlapping threat groups.
  • @VMblog: CrowdStrike and Microsoft announced a collaboration to bring clarity and coordination to how cyber threat actors are identified and tracked across...
  • BleepingComputer: Microsoft and CrowdStrike announced today that they've partnered to connect the aliases used for specific threat groups without actually using a single naming standard.
  • SecureWorld News: CrowdStrike and Microsoft Join Forces on Naming Threat Actors
  • www.cybersecuritydive.com: Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy
  • Source: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies to help security professionals connect insights faster.
  • MSSP feed for Latest: Microsoft and CrowdStrike Align on Threat Actor Mapping to Support Faster, Unified Defense
  • Catalin Cimpanu: Microsoft and CrowdStrike are teaming up to create alignment across our individual threat actor taxonomies
  • betanews.com: In cybersecurity, every second counts. But when the same hacking group goes by half a dozen different names depending on which company you ask, defenders are left wasting time instead of stopping attacks. Now, Microsoft and CrowdStrike are teaming up to clean up the mess they helped create. The two companies just announced a joint effort to map their threat actor naming systems to each other.
  • www.crowdstrike.com: Cybersecurity writers, rejoice! The alliance will help the industry better correlate threat actor aliases without imposing a single naming standard. It will grow in the future to include other organizations that also practice the art of attribution.
  • www.microsoft.com: Announcing a new strategic collaboration to bring clarity to threat actor naming
  • www.scworld.com: Microsoft, CrowdStrike pitch giving threat groups the same name
  • www.cxoinsightme.com: CrowdStrike and Microsoft collaborate to harmonise cyber threat attribution
  • CIO Dive - Latest News: Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy
  • The Hacker News: Microsoft and CrowdStrike are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping.
  • www.csoonline.com: The partnership creates a shared mapping system that aligns threat actor attribution across both companies’ intelligence ecosystems.
  • aboutdfir.com: Microsoft and CrowdStrike finally fix the stupidest problem in cybersecurity
  • cyberscoop.com: CrowdStrike, Microsoft aim to eliminate confusion in threat group attribution
  • www.itpro.com: Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change that
  • Threats | CyberScoop: Wild variances in naming taxonomies aren’t going away, but a new initiative from the security vendors aims to more publicly address obvious overlap in threat group attribution.
  • www.techradar.com: Microsoft is looking to save precious seconds during cyberattacks by unifying threat actor naming.
  • ComputerWeekly.com: Microsoft outlines three-pronged European cyber strategy
  • www.microsoft.com: Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity: Part 3
  • Thomas Roccia: Microsoft and CrowdStrike announced a collaboration to cross-ref their threat actor naming conventions.
  • TechHQ: Microsoft rolls out free cybersecurity support for European governments.