Beginning in early 2025, the ransomware-as-a-service (RaaS) group DragonForce has allegedly been working with the affiliate crew Scattered Spider to aggressively target high-profile UK retailers, including Marks & Spencer, Co-op, and Harrods.
In the Marks & Spencer incident, the affiliates reportedly used social-engineering attacks on service desks to gain initial access before unleashing DragonForce’s ransomware. By deploying this ransomware to encrypt networks, the threat actors have caused major disruptions to online orders and payment systems, and have threatened the publication of customer and employee data.
Specops Software has recently released three analyses on the Marks & Spencer attack, each diving into distinct aspects of the incident:
The Rise of Ransomware-as-a-Service (RaaS): Groups like DragonForce are operating on a franchise model, providing ransomware tools to affiliates, thereby lowering the technical barrier for launching attacks. This analysis covers DragonForce, its RaaS model, how it works, how it was used in the M&S attack, and the possible infighting that’s been occurring between DragonForce and RansomHub.
Service Desk Exploitation: Scattered Spider has demonstrated how easily service desks can be manipulated, emphasizing the need for stringent verification processes. This analysis discusses Scattered Spider’s alleged role in the M&S, Co-op, and Harrods attacks, the service desk M.O. that the group seems to employ, and how organizations can defend against these attacks.
Active Directory Vulnerabilities: The theft of NTDS.dit files, which contain password hashes, highlights the critical importance of securing Active Directory environments. (NTDS.dit is the Active Directory database itself; an attacker who copies it together with the SYSTEM registry hive can extract every domain account's password hash offline.) This final analysis explains the impact of service desk attacks on Active Directory databases, as well as what organizations can do to protect their Active Directory environments.
All of these are worth reading if you are responsible for defending your organization from threat actors.
Weiser Memorial Hospital in Idaho this week confirmed it notified 34,249 people of a September 2024 data breach that compromised names, SSNs, government-issued ID numbers, treatments and procedures, medical diagnoses, health insurance info, and DOBs. Ransomware gang Embargo claimed responsibility for the breach in September 2024, but Weiser has not yet verified this.
In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:
“Embargo is a ransomware gang that started claiming attacks in April 2024. The group operates a ransomware-as-a-service business in which affiliates pay Embargo to use its malware and infrastructure to launch attacks and collect ransoms.”
“Embargo has claimed 14 confirmed ransomware attacks since it began, compromising about 736,000 records. Another 10 unconfirmed claims haven’t been acknowledged by the targeted organizations.”
“Comparitech researchers logged 161 confirmed ransomware attacks on US hospitals, clinics, and other direct care providers in 2024, compromising 27.2 million records. In 2025 to date, we tracked 20 such attacks affecting nearly 1.6 million records. The average ransom across all attacks is about $1.03 million.”
“Ransomware attacks on US hospitals, clinics, and other care providers can cripple key systems and endanger the privacy and security of patients. Providers must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk of fraud. Hospitals and clinics might have to resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.”
The Embargo ransomware gang is new to me, which illustrates how fast new ransomware gangs are popping up. That’s incredibly bad for all of us, as there are more threat actors out there that can do harm to organizations. What needs to happen is for conditions to exist that make ransomware less profitable, so to speak, which in turn will reduce the number of threat actors, making the world a bit safer.
This week, researchers at SOCRadar released their 2025 USA Threat Landscape Report. This report, based on data collected from April 2024 through March 2025, analyzes several aspects of the current US threat landscape, including ransomware threats, stealer-log statistics, phishing breaches, and DDoS stats.
Key findings include:
Information services, finance, and public administration sectors are the most targeted industries, both in phishing and dark web threats.
Selling and sharing stolen data dominate dark web forums, representing over 93% of activities, signaling an active criminal marketplace.
Data and unauthorized access are the top commodities, with 57.46% of dark web posts related to stolen databases.
RansomHub, PLAY Ransomware, and Akira are leading ransomware groups targeting the US, but a diverse set of other actors make up the majority.
Phishing attacks heavily target the Crypto/NFT, information services, and public sector, leveraging fake pages that increasingly use HTTPS (76.4%) to appear legitimate.
Stealer logs show massive credential exposure, with over 630,000 email/password pairs leaked, alongside credit card data and victim IP addresses.
Popular domains compromised include Reddit, Bing, Instagram, Facebook, and Amazon, highlighting the targeting of mainstream platforms.
It is being reported that luxury fashion brand House of Dior has had a cybersecurity incident, which was discovered on May 7. The incident exposed customer information. From Bleeping Computer:
A spokesperson for the firm told BleepingComputer that the incident impacts Dior Fashion and Accessories customers. Currently, cybersecurity experts are investigating the incident to determine its scope.
“The House of Dior recently discovered that an unauthorized external party accessed some of the data we hold for our Dior Fashion and Accessories customers,” stated the spokesperson.
“We immediately took steps to contain this incident. The teams at Dior, supported by leading cybersecurity experts, continue to investigate and respond to the incident.”
Dior clarified to BleepingComputer that the incident did not expose account passwords or payment card information, as these were stored in a different database that remained unaffected.
“No passwords or payment information, including bank account or payment card information, were in the database affected in the incident.”
“We are working to notify relevant regulators and customers in line with applicable law.”
Javvad Malik, lead security awareness advocate at cybersecurity company KnowBe4, commented:
“Dior’s disclosure, while prompt, employs notably measured language regarding the scope of affected data. This careful phrasing, ‘some of the data we hold’, leaves considerable ambiguity about the true extent of the compromise, which is problematic from a transparency standpoint.
While the non-exposure of payment information and credentials provides some reassurance, the compromised personal data (names, contact details, purchase history) presents substantial risk. This combination of information creates a perfect foundation for highly targeted social engineering attacks against a particularly affluent customer base. The international dimension of this breach—affecting customers across multiple jurisdictions including South Korea and China—introduces complex regulatory compliance challenges. The reports from Korean media suggesting potential notification failures are particularly concerning, as timely and comprehensive regulatory notification has been a well-established compliance requirement for years.”
The fact that a high-profile company such as Dior has been pwned shows that any organization is at risk, and by extension every organization should take steps to make sure that its exposure to risk is as close to zero as possible.
UPDATE: I received a comment from Yotam Segev, Co-founder and CEO, Cyera:
“This breach appears to stem from a failure in data classification and access controls—Dior confirmed sensitive customer data was accessed, though financial data was not compromised. That points to a lack of centralized, real-time visibility into sensitive data and inconsistent protection policies. Luxury brands are often soft targets: they operate in complex, global environments but lack full data inventories and cohesive protections across markets. With regulatory implications across China and South Korea, this breach is a clear signal that data security posture management (DSPM) must become a boardroom and budget priority.”
Canadian businesses are walking a technology tightrope in 2025 – juggling cyber threats, economic uncertainty, data privacy, and an accelerating race towards AI adoption. These are among the key findings in the newly released 2025 IT Trends Report from NOVIPRO Group and Léger, an annual benchmark report of how business across Canada are navigating the evolving IT landscape.
The data, drawn from a survey of business decision makers across sectors and provinces, paints a picture of organizations under pressure – keen to modernize and stay competitive, yet often lacking the tools, budgets, skilled resources, or strategies to do so effectively.
Key takeaways from this year’s report include:
AI investment reaches critical mass: A staggering 81% of Canadian businesses are planning significant technology investments in the next two years, with AI leading the way, as almost 1 in 3 companies plan to invest in it. Over half of these investments are driven by a clear objective: boosting productivity.
Rising cyberattacks and a flat-footed response: Reports of cyberattacks have hit a five-year high (30%), yet 28% of companies still don’t train staff on cybersecurity, and just 27% carry cyber insurance.
Costs vs. Security: For the first time, security and budget are neck-and-neck as the top challenge to Canadian businesses – forcing companies to rethink IT spending amid economic uncertainty even as cyber threats become more sophisticated.
Download and explore the full IT Trends Report at it-trends.ca
Cybernews researchers have uncovered a major data leak — HireClick, the recruitment platform for small to mid-sized businesses, exposed 5.7 million resumes containing sensitive personal details of job seekers.
With private information up for grabs, this leak is a goldmine for scammers. The leaked data could power everything from identity theft and impersonation to phishing campaigns, leaving desperate job seekers highly vulnerable.
What personal data did HireClick leak?
Full names
Home addresses
Email addresses
Phone numbers
Employment information
What are the dangers of this leak?
Attackers can easily craft convincing phishing emails, SMS scams, or impersonate recruiters.
Job seekers may be lured into sharing sensitive documents such as ID scans, Social Security numbers, or banking information under the pretense of job verification or setting up direct deposit.
Scammers could use the resumes to create fake identities or exploit employment verification systems.
The leak also enables doxxing, where personal data is exposed online to harass or intimidate individuals.
Posted in Commentary with tags Zoho on May 14, 2025 by itnerd
Zoho Corporation, a global technology company, today added deeper AI and work orchestration capabilities to its CX platform, all powered by Zia, Zoho’s in-house AI engine. These AI capabilities remove technological barriers to CRM adoption across groups of people working to serve the customer.
As of today, CRM For Everyone is generally available to global businesses. The platform enters the market having added deep Zia capabilities as well as two new features: Connected Records and Connected Workflows.
Deep Zia Capabilities
Report Creation with Ask Zia: Agentic capability wherein a user issues a prompt to create a report, which Zia builds on the user’s behalf. Zia creates the report according to that user’s permissions, and the user can visualize Zia’s build process in real time. The user can also interrupt Zia to make additional changes, then ask Zia to resume after the override. This is one of many use cases coming to Zoho’s agentic AI deployment.
Custom Module Creation: A no-code experience to use plain language to customize the CRM implementation, such as creating modules, modifying field types, and customizing permission configurations
Workflow Creation with Ask Zia: Utilize plain text prompts to create custom workflows. Zia, acting as an agent, performs tasks on the user’s behalf, such as creating requested workflows. Zia’s agentic capabilities make it easy for anyone to set up custom workflows using simple prompts.
Image to Canvas: An image-to-design capability allowing users to bring an image to life by adding a visual design layer to the system of record, which is CRM.
Improving Customer Experience with CRM For Everyone
CRM For Everyone expands on its innovative approach to CX with the addition of Connected Records, which automatically links work across team modules to ensure the smooth flow of context through the customer journey, and Connected Workflows, an orchestration engine and builder that automatically coordinates work across the many teams involved in delivering the customer experience. These features ensure that all teams across sales, marketing, onboarding, account management, finance, and legal have relevant access to all information, bringing a higher level of consistency to customer interaction at all points in the lifecycle.
Availability and Pricing
Unless explicitly stated otherwise, AI capabilities are included in license costs for customers. Under CRM For Everyone, Team user (non-sales CRM users) licenses start at CDN $14 per user per month on all paid editions of Zoho CRM.
Insights from the dark web reveal that the price cybercriminals need to pay to cause a devastating company data breach could be as low as $100
A cyberattack can cost companies millions as well as customers’ trust, which may have taken years to build. However, according to Vakaris Noreika, a cybersecurity expert at NordStellar, bad actors can buy leaked data that can cause a devastating, million-dollar security breach for as low as $100.
In 2024, the average data breach cost was $4.88M, an increase of 10% since 2023. As the financial ramifications of confidential information leaks have reached record highs since the height of the pandemic, Noreika says that businesses should be especially vigilant about the looming infostealer threat.
Infostealers are malware designed to infiltrate systems and devices and steal personal data. They can collect various information, including credentials, cookies, credit card details, and even miscellaneous files on a compromised device, like photos or documents.
“Infostealers have been a significant cybersecurity concern for years due to the impact of their attacks. They’re quick, easy to spread, and highly efficient, and anyone can become a target,” says Noreika. “Usually, their attacks are random, but in some instances, cybercriminals can also use infostealers for targeted strikes.”
The low cost of infostealers for cybercriminals
Noreika explains that infostealers are spread through phishing emails, malicious advertisements, and other scams that involve a victim accidentally downloading malware. Once the infostealer has access, it collects all available data and compiles it into a stealer log, which houses emails, passwords, credit card details, and other valuable information. These stealer logs are sold on the dark and deep web as well as Telegram channels.
“Dark web users can purchase stealer logs by subscribing to a private channel. The average price for a weekly subscription is around $81, and the monthly subscription is about $200,” explains Noreika. “Typically, cybercriminals can buy 16 gigabytes of personal information for just $1.”
How hackers use infostealers to target companies
According to Noreika, the stealer logs contain the personal information of all individuals compromised by infostealer attacks, indicating that the victims are a broad mix of users rather than specific individuals. Bad actors buy these stealer logs to commit identity theft, empty bank accounts, or use the obtained personal information to carry out more personalized scams against the victims for financial gain. However, finding credentials linked to a business is the ultimate hacker jackpot.
“If an employee’s credentials happen to end up in a stealer log, hackers can easily identify the company by checking the email domain and use those credentials to infiltrate an enterprise’s network,” says Noreika. “Once the cybercriminals are inside the network, they can steal more valuable data, like personal client information, company secrets, and other confidential documents, or shut down their operations and ask for hefty payouts to get them running again.”
Alternatively, hackers can purchase infostealers as a service. Instead of buying confidential information that was previously stolen by other infostealers, cybercriminals purchase notorious malware like RedLine or LummaC2 to use at their own disposal.
“The subscription fees for infostealers as a service vary — they can be as low as a couple of hundred dollars or cost over $1,000. The end price depends on the functionality, efficiency, and complexity of the infostealer,” says Noreika. “By purchasing infostealers as a service, cybercriminals gain full control over how and where the malware is deployed, enabling them to conduct highly targeted attacks. This poses a serious risk to businesses, which are much more attractive targets than individuals as successful attacks can lead to significantly higher financial gains.”
To safeguard against infostealers, Noreika suggests businesses focus on their first line of defense — their employees — and build a comprehensive cybersecurity strategy that can prevail if they make a mistake.
“It’s necessary to ensure that employees are aware of how infostealers are distributed and refrain from interacting with suspicious emails, visiting malicious websites, or downloading unauthorized files that can contain malware,” says Noreika. “However, some user error is inevitable. If an employee slips up, a strong cybersecurity foundation, consisting of an antivirus solution, multi-factor authentication, strict network segmentation policies, and active dark web monitoring for company or employee data leaks, will ensure the business stays protected.”
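As an added example of the "active dark web monitoring for company or employee data leaks" that Noreika recommends above (and of the kind of stealer-log credential exposure the SOCRadar report counts earlier on this page), the following Python script is not NordStellar's code and is not from the original post. It parses a constructed stealer-log sample, picks out every credential whose e-mail domain belongs to a watched organization (including subdomains and accounts used on third-party SaaS), and produces the reset list. The URL:USERNAME:PASSWORD line layout, the watched domain, and every URL and credential in the sample are assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample of stealer-log lines (made up for this example; not a real leak).
# Many stealer families dump credentials one per line as URL:USERNAME:PASSWORD; that
# layout is an assumption here, and real logs differ by malware family and by seller.
SAMPLE_STEALER_LOG = """\
https://mail.example.com/owa/:j.doe@example.com:Summer2024!
https://www.reddit.com/login:cooluser99:hunter2
https://login.microsoftonline.com/:J.Doe@Example.COM:Summer2024!
https://accounts.google.com/:alice@gmail.com:p@ssw0rd
https://vpn.example.com/:bob@sub.example.com:Welcome1
https://app.contoso-partner.net/:carol@example.com:Welcome1
https://www.amazon.com/ap/signin:dave@example.org:letmein
garbage line without separators
"""

# Domains whose accounts belong to the organization doing the monitoring (assumed).
WATCHED_DOMAINS = {"example.com"}

# URL (scheme plus host/path, no port), then a username without colons, then the
# rest of the line as the password so that passwords containing ':' survive.
# A URL with an explicit port would need a richer pattern.
LINE_RE = re.compile(r"^(?P<url>https?://[^:\s]+):(?P<user>[^:\s]+):(?P<password>.*)$")


def parse_stealer_log(text):
    """Parse URL:user:password lines; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def account_domain(user):
    """Lowercase domain part of an e-mail-style username, or None if there is none."""
    if "@" not in user:
        return None
    return user.rsplit("@", 1)[1].lower()


def matches_watched(domain, watched):
    """True if domain is a watched domain or a subdomain of one."""
    return any(domain == w or domain.endswith("." + w) for w in watched)


def find_corporate_exposures(log_text, watched_domains=WATCHED_DOMAINS):
    """Map each exposed corporate account (lowercased) to the set of (url, password)
    pairs seen for it. The same identity often shows up under several services."""
    hits = defaultdict(set)
    for rec in parse_stealer_log(log_text):
        domain = account_domain(rec["user"])
        if domain and matches_watched(domain, watched_domains):
            hits[rec["user"].lower()].add((rec["url"], rec["password"]))
    return dict(hits)


def summarize(hits):
    """Sorted (account, number of services, number of distinct passwords) rows:
    the reset/revoke list, with password reuse across services visible at a glance."""
    return sorted(
        (acct, len({u for u, _ in creds}), len({p for _, p in creds}))
        for acct, creds in hits.items()
    )


if __name__ == "__main__":
    for acct, services, passwords in summarize(find_corporate_exposures(SAMPLE_STEALER_LOG)):
        print(f"{acct}: seen on {services} service(s), {passwords} distinct password(s)")
```

Two details matter in practice. Usernames are lowercased before grouping, so "J.Doe@Example.COM" on the Microsoft login page and "j.doe@example.com" on OWA collapse into one exposed identity with one reused password, which is the account to reset first. And because stealer logs also carry session cookies, as the article notes, a password reset alone is not enough; revoke the account's active sessions and refresh tokens as well.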
ABOUT NORDSTELLAR
NordStellar is a next-generation threat exposure management platform that enables companies to detect and respond to cyber threats before they escalate. NordStellar offers visibility into how threat actors work and what they do with compromised data. NordStellar was created by Nord Security, a globally recognized company behind one of the world’s most popular digital privacy tools, NordVPN. For more information, visit nordstellar.com.
Posted in Commentary with tags Zoho on May 14, 2025 by itnerd
Zoho Corporation, a global technology company, today announces Ulaa Enterprise, an enterprise-ready version of the company’s privacy-focused browser tailored specifically to the security and visibility needs of enterprise organizations. With Ulaa Enterprise, companies can prevent threats at the browser level while striking a balance between potent security, ease-of-use, and extensive control features, all without the complexity of third-party tools or virtual environments.
Security for the Modern Workplace
Modern browsers serve as enterprise workspaces, with employees performing critical operations across SaaS apps, handling corporate data, and managing transactions entirely through browser windows. Ulaa Enterprise is built with protection at its core, reducing reliance on external tools and ensuring tighter security without requiring extra layers, third-party integrations, significant IT overhead, or virtual desktop software prone to lag.
Ulaa Enterprise offers the following security features:
Centralized Policy Management: Admins can define access controls, restrict downloads, manage extensions, and govern user behavior through central policies applied across users and groups.
Data Loss Prevention (DLP): Ulaa enforces DLP at the browser layer, blocking unauthorized uploads, copy-paste actions, screen captures, and downloads of sensitive data.
Complete Visibility and Granular Control: IT teams can monitor risks, view detailed audit logs, and enforce security policies with precision at the browser level, reducing or eliminating the need for reactivity.
Enhanced by AI
Zia, Zoho’s AI-driven automation and insights agent, is fully integrated with Ulaa Enterprise and offers enhancements that allow IT teams to maintain control while ensuring efficient and secure operations:
ZeroPhish (powered by Zia): Detects phishing attempts before users click, analyzing URLs and page behavior to block evolving threats in real-time.
Smart Web Categorization: Zia automatically categorizes websites and blocks unsafe content, ensuring secure browsing.
Tab Organization: Zia organizes tabs based on user behavior, improving productivity and browser management.
Usable by IT and Others
Ulaa Enterprise provides a simplified user experience for both general employees and IT teams in the following ways:
Low IT Overhead: Ulaa does not require heavy virtualization or complex infrastructure. Deployment is straightforward, management is lightweight, and policy changes propagate instantly without introducing performance overhead for end-users.
Intelligent Monitoring: Ulaa supports ethical, targeted security monitoring, without turning into invasive surveillance, to build employee trust.
Familiarity: Ulaa Enterprise combines Chromium’s familiarity with built-in security, ensuring a seamless experience while enforcing local security checks for speed and protection.
Cross-platform Support: Ulaa works across all major desktop and mobile platforms, including Android and iOS.
The release of Ulaa Enterprise accompanies a period of tremendous growth for Ulaa, whose download numbers and monthly active user counts have increased by 2.5x since 2023.
Pricing and Availability
Ulaa Enterprise is currently available starting at $1/month per device or $10/year per device. For more information around pricing, please visit: http://ulaa.com/enterprise/pricing.
Posted in Commentary with tags CIRA on May 14, 2025 by itnerd
Today, CIRA announces the premiere of the third season of its award-winning podcast, What’s up with the internet? centred around the rise of online misinformation. Returning fresh off a win for ‘Best Technology Series’ at the fifth annual Canadian Podcast Awards, this season of What’s up with the internet? is an eye-opening investigation to uncover the truth behind online lies.
Across six episodes, season three of What’s up with the internet? reveals the sources behind online misinformation, how it spreads, along with deep insight into the harm it does. Host Takara Small also walks listeners through a fact-checking toolkit with guest Matthew Johnson, Director of Education for MediaSmarts, so that more Canadians can feel equipped with ways to identify fact from fiction and verify what they see online.
This season features ongoing commentary and guest interviews from technology experts, media researchers and more. Guests for season three include journalist and business executive Sue Gardner, professor and author Timothy Caulfield, Michael Kropveld, Founder and Executive Director of Info-Cult/Info-Sect and more. Listeners can learn more at cira.ca/podcast and follow What’s up with the internet? on all major podcast platforms, including Apple Podcasts and Spotify.
Major UK retail hacks arising from sophisticated service desk social engineering says Specops
Posted in Commentary with tags Hacked on May 14, 2025 by itnerd