Black Arrow Cyber Threat Intelligence Briefing 13 June 2025
Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy-to-digest round-up of the most notable threats, vulnerabilities, and cyber-related news from the last week.
Executive Summary
This week’s review starts with evolving cyber attack techniques, including the targeting of IT and managed service providers to gain access to multiple firms through a single compromise. Other techniques include exploiting end-user trust in messages appearing in browsers, attacks on smartphones, and increasingly complex DDoS attacks. We also reflect on the need for all organisations to proactively plan for a cyber incident, and the need to improve the cyber resilience of food supplies.
Our analysis of specialist and other media highlights the threats that organisations face in protecting their data, with high criminal demand and sensitive data being exposed to insecure and unverified AI tools. We also include information on penetration testing, which is one of the key ways for organisations to identify and address vulnerabilities that can be exploited by attackers.
Finally, we include articles on developments within the attacker community, including groups of teenagers and young adults as well as nation states, and insights into the impact of geo-political developments on cyber security for organisations.
At Black Arrow, we believe organisations achieve the most appropriate security by taking a proactive, cross-functional approach to cyber resilience. This starts with board engagement and threat-informed decision-making, including managing risks that are currently being exploited through third parties such as IT and managed service providers.
Top Cyber Stories of the Last Week
Scattered Spider Uses Tech Vendor Impersonation and Phishing Kits to Target Helpdesks
ReliaQuest has reported that the group behind recent cyber attacks on UK retailers, including Marks & Spencer and Harrods, is now using advanced impersonation tactics to breach organisations via their IT providers. Over 80% of associated domains mimic trusted technology vendors, enabling attacks on high-value targets such as CISOs and CFOs. The group combines phishing kits with social engineering to bypass multi-factor authentication and exploit help desks. Its use of ransomware-as-a-service partnerships allows access to powerful attack tools, expanding its reach. Attacks increasingly target managed service providers to access multiple organisations through a single compromise.
https://www.infosecurity-magazine.com/news/scattered-spider-tech-vendor/
An Emerging Phishing Technique Exploits Trust in Browser-based Messages
ClickFix is an emerging phishing technique exploiting user trust in browser-based messages to deliver malware, with attacks now observed across EMEA and the US. These campaigns trick users into executing PowerShell commands by mimicking familiar prompts, such as fake CAPTCHA checks, browser errors or job interview glitches. Unlike traditional phishing emails, these attacks unfold entirely within the browser, making detection and prevention more difficult. Threat actors are leveraging ClickFix to install a range of malware, from credential stealers to remote access tools, and the method’s adaptability is increasing its appeal. Organisations are advised to adopt phishing-resistant authentication and identity-focused defences.
https://www.darkreading.com/remote-workforce/cutting-edge-clickfix-snowball-phishing
Cyber Attacks on Smartphones Hit New High – Here’s How to Stay Safe
Kaspersky has reported a sharp rise in mobile cyber threats, with malware targeting Android users increasing by 27% in early 2025 compared to the previous quarter. Over 12 million users were affected, with banking trojans and data-stealing malware identified as the primary threats. Some infections were traced to preinstalled malware on new phones, highlighting supply chain risks. Notably active malware families included those capable of stealing credentials, intercepting messages and tampering with cryptocurrency transactions. The report warns that mobile devices are not inherently safer than desktops, and users should treat app downloads and device permissions with far greater caution.
Distributed Denial of Service Attacks on Financial Sector Surge in Scale and Sophistication
FS-ISAC and Akamai have reported a sharp rise in both the volume and complexity of Distributed Denial of Service (DDoS) attacks targeting the financial sector. In October 2024 alone, nearly 350 separate DDoS events were recorded, with some comprising billions of malicious requests. The report highlights a 23% increase in application-layer attacks over the past year, affecting login portals and APIs. What was once seen as a nuisance is now considered a strategic threat, with attackers using adaptive, multi-vector techniques to bypass defences. This surge is fuelled by escalating geopolitical tensions, with hacktivist groups exploiting global events to launch targeted disruption campaigns.
https://www.infosecurity-magazine.com/news/ddos-financial-sector-surge/
Cyber Resilience Begins Before the Crisis
Microsoft’s Deputy CISO highlights the critical need for proactive planning and clear communication in cyber incident response. Many firms treat cyber attacks as isolated IT issues, yet the impact extends across legal, HR, communications and executive leadership. Two common misconceptions, assuming incidents are minor and viewing them as purely technical, undermine resilience. Effective preparation includes tested playbooks, decision frameworks, backup communications, and rehearsed messaging strategies. AI is emerging as a valuable support tool, enhancing detection and response coordination. Ultimately, cyber resilience is a leadership issue requiring cross-functional accountability, continuous refinement, and executive engagement.
https://www.microsoft.com/en-us/security/blog/2025/06/12/cyber-resilience-begins-before-the-crisis/
How Did Britain’s Food Supplies Become So Vulnerable?
A ransomware attack on chilled food distributor Peter Green Chilled left over £100,000 worth of meat products stranded, highlighting vulnerabilities in the UK's cold chain logistics. With around 50 per cent of all UK food moving through this network, any disruption can rapidly impact supermarket shelves. Industry experts warn that cyber attacks on supply chain providers are growing in sophistication, with attackers targeting warehouse systems and vehicle tracking to halt distribution. Despite the sector’s critical role in food and pharmaceutical delivery, it currently lacks formal Critical National Infrastructure recognition, limiting coordinated incident response planning at a national level.
https://www.telegraph.co.uk/news/2025/06/05/how-did-britains-food-supplies-become-so-vulnerable/
Europol Says Criminal Demand for Data is “Skyrocketing”
Europol’s latest assessment highlights a booming criminal underground economy fuelled by an insatiable demand for data. With personal and business information now a central commodity, cyber criminals are exploiting gaps in digital literacy and complex IT environments to steal, trade and weaponise data at scale. Stolen credentials are repeatedly used to fuel further breaches, while specialised marketplaces and encrypted channels facilitate widespread illicit trade. Europol warns this cycle is eroding public trust and undermining economic stability.
https://www.infosecurity-magazine.com/news/europol-criminal-demand-data/
AI Is a Data-Breach Time Bomb, Reveals New Report
Varonis has found that nearly every organisation is vulnerable to data exposure as a result of adopting AI without adequate controls. Analysis of 1,000 data risk assessments revealed 99% had sensitive data exposed to AI tools, and 90% had critical cloud data openly accessible. Shadow AI and unverified apps were present in 98% of cases, while 1 in 7 lacked multi-factor authentication. The report highlights how poor identity governance, excessive data access, and sprawling cloud environments are creating significant breach risks. It urges organisations to tighten access, monitor data use, and employ automation to safeguard information in the AI era.
https://www.bleepingcomputer.com/news/security/ai-is-a-data-breach-time-bomb-reveals-new-report/
What Is Penetration Testing? Types, Processes, Tools, and Why It’s All Worth It
Penetration testing is a controlled and authorised simulation of a cyber attack, designed to identify vulnerabilities that could be exploited by real-world threat actors. Ethical hackers emulate criminal tactics to test systems, infrastructure, and even staff behaviour. While automated scans help detect known flaws, penetration testing offers deeper insight by revealing how small issues can be combined into significant risks. It plays a critical role in strengthening cyber resilience, supporting regulatory compliance such as ISO 27001, and demonstrating due diligence. Organisations typically conduct pen tests one or more times a year, often alongside continuous automated scanning.
Black Arrow delivers tailored penetration testing services together with a range of selected partners to help uncover real-world risks through expert-led assessments.
https://blog.jetbrains.com/teamcity/2025/06/what-is-penetration-testing/
Internet Infamy Drives the Com’s Crime Sprees
A growing cyber criminal movement known as “The Com” is drawing in teenagers and young adults who are motivated more by notoriety than money. Their activities range from phishing and SIM swapping to swatting, sextortion and, in some cases, physical violence. Researchers estimate only a small core group is responsible for the most serious crimes, but the wider subculture is expanding rapidly. Law enforcement is now treating parts of the movement as a terrorism threat, with arrests increasing. Analysts warn that underlying socio-economic pressures are driving recruitment, particularly among minors who are seen as lower-risk by criminal gangs.
https://cyberscoop.com/the-com-subculture-infamy-crimes/
China-Linked Threat Actor Targeted +70 Orgs Worldwide, SentinelOne Warns
SentinelOne has uncovered a sustained cyber espionage campaign linked to China, affecting over 70 organisations globally between July 2024 and March 2025. Targets included government bodies, media outlets, and firms in sectors such as finance, manufacturing, and telecoms. The threat actor, dubbed PurpleHaze, used sophisticated techniques including obfuscated malware and dynamic relay networks to maintain stealth and persistence. Victims ranged from a South Asian government entity to a European media firm and even SentinelOne itself. The research highlights an ongoing trend of state-aligned groups targeting cyber security providers, underscoring the need for continuous monitoring and collective defence through intelligence sharing.
Here’s Why Ignoring Politics Is No Longer an Option for Cyber Defence
Flashpoint’s latest report underscores the growing overlap between global politics and cyber threats, with geopolitical tensions now seen as a key driver of cyber activity. Russian organisations, once largely avoided by cyber criminals, are increasingly targeted due to shifting allegiances following the Ukraine conflict. The SANS Institute found that nearly 500 professionals now view cyber security as a core business risk shaped by international events. Threat actors from countries such as North Korea, Iran, and China are deploying tactics including AI-generated deepfakes and disinformation to destabilise democratic processes and evade sanctions, highlighting the need for a broader geopolitical lens in threat assessments.
https://cybernews.com/security/ignoring-politics-is-no-longer-an-option-for-cyber-pros/
UK to Join Up with Allies for Stronger Response to Putin’s ‘Grey Zone’ Warfare
The UK is strengthening cooperation with allies to deter and respond to so-called grey zone threats, including cyber attacks, sabotage of undersea infrastructure and disinformation operations. These sub-threshold activities, increasingly used by Russia, are designed to destabilise without triggering full-scale military conflict. The Government’s latest Strategic Defence Review highlights the need for joint crisis decision-making and improved readiness to counter such tactics. NATO has reaffirmed that cyber or hybrid attacks may justify a collective response under Article 5. The review also stresses the growing complexity of threats, particularly where state actors blur the lines between conventional, cyber and nuclear deterrence.
https://inews.co.uk/news/politics/uk-allies-putin-grey-zone-warfare-3735380
Governance, Risk and Compliance
Rising strategic role of the CISO | Deloitte Insights
Prep for Layoffs Before They Compromise Security
Docuseries Explores Mental, Physical Hardships of CISOs
Investor behaviour in the wake of cyber's 'black swan' moment | Computer Weekly
The Silent Cyber Crisis Alarming Global Economies and Why It's Time for Collective Action | IBTimes
Cyber resilience begins before the crisis | Microsoft Security Blog
Threats
Ransomware, Extortion and Destructive Attacks
DragonForce Victimisation on the Rise | SC Media UK
Attackers exploit Fortinet flaws to deploy Qilin ransomware
Scattered Spider and DragonForce unite to cash in on M&S hacking
Scattered Spider Uses Tech Vendor Impersonation to Target Helpdesks - Infosecurity Magazine
Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks
Threat hunting case study: DragonForce | Intel 471
Fog ransomware attack uses unusual mix of legitimate and open-source tools
Agencies Release Actionable Guidance on Play Ransomware | Schwabe, Williamson & Wyatt PC - JDSupra
'PathWiper' Attack Hits Critical Infrastructure In Ukraine
LockBit panel data leak shows Chinese orgs among the most targeted - Help Net Security
South African man imprisoned after ransom demand against his former employer
Ransomware Victims
Scattered Spider and DragonForce unite to cash in on M&S hacking
M&S food sales growth collapses after cyber attack
M&S cyber attack should prompt retailers to focus on response
How did Britain’s food supplies become so vulnerable?
M&S restarts online orders after cyber attack - BBC News
Tax resolution firm Optima Tax Relief hit by ransomware, data leaked
Main distributor to Amazon’s Whole Foods hit by cyber attack
British Horseracing Authority targeted by cyber attack - BBC Sport
Phishing & Email Based Attacks
Cutting-Edge ClickFix Tactics Snowball
Study: 73% of founders can’t spot phishing emails | Cybernews
Employees repeatedly fall for vendor email compromise attacks - Help Net Security
New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users
What is asymmetric cyberattack? | Definition from TechTarget
AitM Phishing Attacks Targeting Microsoft 365 and Google to Steal Login Credentials
That ‘unsubscribe’ link is actually a hidden security risk — do this instead | Tom's Guide
Phishing Alert as Erie Insurance Reveals Cyber “Event” - Infosecurity Magazine
Business Email Compromise (BEC)/Email Account Compromise (EAC)
Employees repeatedly fall for vendor email compromise attacks - Help Net Security
Other Social Engineering
Cutting-Edge ClickFix Tactics Snowball
Help Desk Hoax: How Attackers Bypass Tech Defenses
Cybercriminals are turning stolen data into a thriving black market - Help Net Security
New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users
What is asymmetric cyberattack? | Definition from TechTarget
The 'red flag' Grindr users should watch out for to stay safe
FIN6 hackers pose as job seekers to backdoor recruiters’ devices
Fraud, Scams and Financial Crime
The 'red flag' Grindr users should watch out for to stay safe
145 criminal domains linked to BidenCash Marketplace seized - Help Net Security
Mastercard: Fraud attempts jump as retailers feel cyber attack sting
US files to seize $7.7M laundered by North Korean IT workers • The Register
Five plead guilty to laundering $36 million stolen in investment scams
44% of people encounter a mobile scam every single day, Malwarebytes finds | Malwarebytes
WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network
Amazon promises fake reviews crackdown after investigation by UK watchdog | Amazon | The Guardian
Artificial Intelligence
Godfather of AI Alarmed as Advanced Systems Quickly Learning to Lie, Deceive, Blackmail and Hack
Next-Gen Developers Are a Cybersecurity Powder Keg
AI threats leave SecOps teams burned out and exposed - Help Net Security
Cloud and AI drive efficiency, but open doors for attackers - Help Net Security
Cyber crime is surging. Will AI make it worse?
AI is a data-breach time bomb, reveals new report
What CISOs need to know about agentic AI - Help Net Security
Securing agentic AI systems before they go rogue - Help Net Security
UK ICO publishes AI and biometrics strategy | Computer Weekly
Enterprises stuck in AI pilot hell, says Chatterbox Labs • The Register
OpenAI Bans ChatGPT Accounts Used by Russian, Iranian and Chinese Hacker Groups
Malware
New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users
New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
CISO who helped unmask Badbox warns: Version 3 is coming • The Register
FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware
Supply chain attack hits Gluestack NPM packages with 960K weekly downloads
Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks
React Native Aria Packages Backdoored in Supply Chain Attack - SecurityWeek
Malicious NPM Packages Disguised as Express Utilities Allow Attackers to Wipe Systems - SecurityWeek
DanaBot malware operators exposed via C2 bug added in 2022
Bots/Botnets
CISO who helped unmask Badbox warns: Version 3 is coming • The Register
New Mirai botnet infect TBK DVR devices via command injection flaw
Recently Disrupted DanaBot Leaked Valuable Data for 3 Years - SecurityWeek
Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks
Mobile
Cyber attacks on smartphones hit new high - here's how to stay safe | TechRadar
44% of people encounter a mobile scam every single day, Malwarebytes finds | Malwarebytes
Millions of low-cost Android devices turn home networks into crime platforms - Ars Technica
Chinese phone hacks, user lapses create 'mobile security crisis' | Fortune
Blocking stolen phones from the cloud can but won't be done • The Register
Cops want Apple, Google to kill stolen phones remotely • The Register
Apple and Google clash with police and MPs over phone thefts - BBC News
Google patched bug leaking phone numbers tied to accounts
Denial of Service/DoS/DDoS
Don’t give hacktivists what they really want | CSO Online
DDoS Attacks on Financial Sector Surge in Scale and Sophistication - Infosecurity Magazine
Internet of Things – IoT
Millions of low-cost Android devices turn home networks into crime platforms - Ars Technica
CISO who helped unmask Badbox warns: Version 3 is coming • The Register
New Mirai botnet infect TBK DVR devices via command injection flaw
40,000 cameras expose feeds to datacenters, health clinics • The Register
I found terrifying smart home security holes and you probably have them too
Data Breaches/Leaks
Cyber criminals are turning stolen data into a thriving black market - Help Net Security
Europol Says Criminal Demand for Data is “Skyrocketing” - Infosecurity Magazine
Recently Disrupted DanaBot Leaked Valuable Data for 3 Years - SecurityWeek
AI is a data-breach time bomb, reveals new report
The Dark Web's Currency of Choice: Stolen Data - IT Security Guru
Legal aid lawyers face 'chaos' following cyber attack - as some left 'in tears' and... - LBC
Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
'Major compromise' at NHS temping arm never disclosed • The Register
Phishing Alert as Erie Insurance Reveals Cyber “Event” - Infosecurity Magazine
86 million AT&T customer records reportedly up for sale on the dark web | ZDNET
Insurer Exposed Drivers' Personal Information, Court Told - Law360
Organised Crime & Criminal Actors
Cyber criminals are turning stolen data into a thriving black market - Help Net Security
Europol Says Criminal Demand for Data is “Skyrocketing” - Infosecurity Magazine
Cyber crime is surging. Will AI make it worse?
OpenAI Bans ChatGPT Accounts Used by Russian, Iranian and Chinese Hacker Groups
Five plead guilty to laundering $36 million stolen in investment scams
Cyber criminals turn to “residential proxy” services to hide malicious traffic
Internet infamy drives The Com's crime sprees | CyberScoop
Cyber crime news: How this Canadian hacker was caught
How Crime-As-A-Service Turned Hacking Into A Subscription Business
Hacking the Hackers: When Bad Guys Let Their Guard Down
Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain
Hacker arrested after exploiting 5,000 accounts in $4.5 million cryptojacking scheme | TechSpot
US accuses Russian crypto entrepreneur of money laundering and sanctions evasion
145 criminal domains linked to BidenCash Marketplace seized - Help Net Security
Insurance
Cyber insurance demand is rising, but not 'evenly': Beazley cyber head | Insurance Business America
MSSPs, MSPs See Growing Strategic Role in Cyber Insurance | MSSP Alert
Supply Chain and Third Parties
New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
M&S restarts online orders after cyber attack - BBC News
Main distributor to Amazon’s Whole Foods hit by cyber attack
CISOs urged to push vendors for roadmaps on post-quantum cryptography readiness | CSO Online
Third-party security weaknesses threaten Europe’s big banks | Computer Weekly
Supply chain attack hits Gluestack NPM packages with 960K weekly downloads
Cloud/SaaS
Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
Cloud and AI drive efficiency, but open doors for attackers - Help Net Security
AitM Phishing Attacks Targeting Microsoft 365 and Google to Steal Login Credentials
Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks
Google Cloud and Cloudflare hit by widespread service outages
Outages
Massive cloud outage knocks out internet services across the globe | ZDNET
‘Severe’ network outages costing $160bn globally | Computer Weekly
Encryption
CISOs urged to push vendors for roadmaps on post-quantum cryptography readiness | CSO Online
See How Much Faster a Quantum Computer Will Crack Encryption | WIRED
Quantum Computers Pose a Grave Risk to The Future. Here's Why. : ScienceAlert
Digital rights groups sound alarm on Stop CSAM Act | CyberScoop
Linux and Open Source
Unverified code is the next national security threat | CyberScoop
Passwords, Credential Stuffing & Brute Force Attacks
295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager
Social Media
The 'red flag' Grindr users should watch out for to stay safe
FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware
Regulations, Fines and Legislation
Trump cyber executive order takes aim at prior orders, secure software, more | CyberScoop
Banks Challenge Treasury on Cybersecurity Failures - The Global Treasurer
Digital rights groups sound alarm on Stop CSAM Act | CyberScoop
UK ICO publishes AI and biometrics strategy | Computer Weekly
Trump limits use of cyber rules to punish US hackers, election meddlers - Defense One
Trump to Keep Starlink at White House Despite Cyber Security Concern
Models, Frameworks and Standards
Enterprise SIEMs miss 79% of known MITRE ATT&CK techniques - Help Net Security
SIEMs Missing the Mark on MITRE ATT&CK Techniques
NIST Launches Updated Incident Response Guide - Security Boulevard
NIST Publishes New Zero Trust Implementation Guidance - Infosecurity Magazine
Data Protection
Security & data protection: when two become one | TechRadar
Careers, Working in Cyber and Information Security
Human vs digital therapy: AI falls short when IT pros need help | Computer Weekly
Hands-On Skills Now Key to Landing Your First Cyber Role - Infosecurity Magazine
Law Enforcement Action and Take Downs
Hacker arrested after exploiting 5,000 accounts in $4.5 million cryptojacking scheme | TechSpot
145 criminal domains linked to BidenCash Marketplace seized - Help Net Security
Operation Secure: INTERPOL dismantles 20,000+ malicious IPs in major cybercrime crackdown
Five plead guilty to laundering $36 million stolen in investment scams
Police arrests 20 suspects for distributing child sexual abuse content
South African man imprisoned after ransom demand against his former employer
Misinformation, Disinformation and Propaganda
Amazon promises fake reviews crackdown after investigation by UK watchdog | Amazon | The Guardian
Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity
Cyber Warfare and Cyber Espionage
EU Prepares for Transnational Cyberattacks - DataBreachToday
UK to join up with allies for stronger response to Putin's 'grey zone' warfare
Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group
What would break first if hackers hit US infrastructure? | Cybernews
Nation State Actors
Ignoring politics is no longer an option for cyber pros | Cybernews
Advanced Persistent Threats (APTs) - Detection and Defense Strategies
EU Prepares for Transnational Cyberattacks - DataBreachToday
OpenAI Bans ChatGPT Accounts Used by Russian, Iranian and Chinese Hacker Groups
China
China-linked threat actor targeted +70 orgs worldwide, SentinelOne warns
Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group
Chinese hackers broke into US telecom earlier than previously known, Bloomberg reports | Reuters
Chinese phone hacks, user lapses create 'mobile security crisis' | Fortune
Russian Spies Are Suspicious of China, Even as Putin and Xi Grow Close - The New York Times
SentinelOne shares new details on China-linked breach attempt
Russia
Eastern Europe’s Cyber Reckoning: Russia’s Digital Threat Is Forcing a Strategic Shift - Inkstick
UK to join up with allies for stronger response to Putin's 'grey zone' warfare
Russian Spies Are Suspicious of China, Even as Putin and Xi Grow Close - The New York Times
Why Russia Should Fear Ukraine’s Advanced Intelligence Network - The National Interest
'PathWiper' Attack Hits Critical Infrastructure In Ukraine
How The Times Obtained Secret Russian Intelligence Documents - The New York Times
US accuses Russian crypto entrepreneur of money laundering and sanctions evasion
LockBit panel data leak shows Chinese orgs among the most targeted - Help Net Security
'Librarian Ghouls' Cyberattackers Strike at Night
North Korea
US files to seize $7.7M laundered by North Korean IT workers • The Register
Tools and Controls
Enterprise SIEMs miss 79% of known MITRE ATT&CK techniques - Help Net Security
SIEMs Missing the Mark on MITRE ATT&CK Techniques
Next-Gen Developers Are a Cybersecurity Powder Keg
Cyber resilience begins before the crisis | Microsoft Security Blog
CISOs call for operational threat intelligence integration - Help Net Security
Nearly all CISOs struggle with threat intelligence barriers: report
Advanced Persistent Threats (APTs) - Detection and Defense Strategies
NIST Launches Updated Incident Response Guide - Security Boulevard
Cyber insurance demand is rising, but not 'evenly': Beazley cyber head | Insurance Business America
AI threats leave SecOps teams burned out and exposed - Help Net Security
The massive, no-good concerns around agentic AI cybersecurity - Tech Monitor
Study: 73% of founders can’t spot phishing emails | Cybernews
Prep for Layoffs Before They Compromise Security
Why Threat Agents Must be Included in Cyber Security Risk Assessments - Security Boulevard
NIST Publishes New Zero Trust Implementation Guidance - Infosecurity Magazine
MSSPs, MSPs See Growing Strategic Role in Cyber Insurance | MSSP Alert
Inside the Mind of the Adversary: Why More Security Leaders Are Selecting AEV
Your Android phone is getting new security protections - and it's a big deal for enterprises | ZDNET
Microsoft Outlook to block more risky attachments used in attacks
ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks
Other News
Investor behaviour in the wake of cyber's 'black swan' moment | Computer Weekly
What Held the Internet Together for 20 Years and Why It’s Now at Risk - Internet Society
EU Updates Cyber Crisis Blueprint to Strengthen Regional Response | MSSP Alert
EU to ‘step up’ on cyber security as dependence on US laid bare
What would break first if hackers hit US infrastructure? | Cybernews
Surge in Cyber Attacks Targeting Journalists: Cloudflare - SecurityWeek
Vulnerability Management
Security flaws in government apps go unpatched for years - Help Net Security
Vulnerabilities
Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws
Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps
APT Hackers Exploited Windows WebDAV 0-Day RCE Vulnerability in the Wild to Deploy Malware
Multiple Chrome Vulnerabilities Allow Attackers to Execute Malicious Code Remotely
Attackers exploit Fortinet flaws to deploy Qilin ransomware
Over 84,000 Roundcube instances vulnerable to actively exploited flaw
Ivanti Workspace Control hardcoded key flaws expose SQL credentials
Zero Day Initiative — The June 2025 Security Update Review
Palo Alto Networks Patches Privilege Escalation Vulnerabilities - SecurityWeek
Fortinet, Ivanti Patch High-Severity Vulnerabilities - SecurityWeek
Chrome, Firefox Updates Resolve High-Severity Memory Bugs - SecurityWeek
Trend Micro fixes critical vulnerabilities in multiple products
ConnectWise to Rotate ScreenConnect Code Signing Certificates Due to Security Risks
Google patched bug leaking phone numbers tied to accounts
SAP June 2025 Security Patch Day fixed critical NetWeaver bug
Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks
PayU Plugin Flaw Allows Account Takeover on 5000 WordPress Sites - Infosecurity Magazine
Five Zero-Days, 15 Misconfigurations Found in Salesforce Industry Cloud - SecurityWeek
Sector Specific
Industry specific threat intelligence reports are available.
Contact us to receive tailored reports specific to the industry/sector and geographies you operate in.
· Automotive
· Construction
· Critical National Infrastructure (CNI)
· Defence & Space
· Education & Academia
· Energy & Utilities
· Estate Agencies
· Financial Services
· FinTech
· Food & Agriculture
· Gaming & Gambling
· Government & Public Sector (including Law Enforcement)
· Health/Medical/Pharma
· Hotels & Hospitality
· Insurance
· Legal
· Manufacturing
· Maritime & Shipping
· Oil, Gas & Mining
· OT, ICS, IIoT, SCADA & Cyber-Physical Systems
· Retail & eCommerce
· Small and Medium Sized Businesses (SMBs)
· Startups
· Telecoms
· Third Sector & Charities
· Transport & Aviation
· Web3
Contact us to help assess where your risks lie and to ensure you are doing all you can to keep yourself and your business secure.
Links to articles are for interest and awareness. Linking to or reposting external content does not endorse any service or product; likewise, we are not responsible for the security of external links.