The Breach News

Four Arrested in £440M Cyber Attack on Major Retailers Marks & Spencer, Co-op, and Harrods

Jul 10, 2025
Cybercrime / Ransomware

The U.K. National Crime Agency (NCA) announced on Thursday the arrest of four individuals linked to cyber attacks against prominent retailers including Marks & Spencer, Co-op, and Harrods. The suspects, consisting of two 19-year-old men, a 17-year-old male, and a 20-year-old woman, were apprehended in the West Midlands and London on charges relating to the Computer Misuse Act, blackmail, money laundering, and involvement in organized crime. All four were arrested at their residences, and their electronic devices have been confiscated for forensic examination. Their identities have not been released. Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, emphasized that “since these attacks occurred, our dedicated cybercrime investigators have been working swiftly, making this investigation a top priority.” He stated, “Today’s arrests mark a significant advancement in our efforts.”


Scattered Spider Deploys Ransomware on Compromised VMware Systems, Google Reports

In mid-2025, the Google Threat Intelligence Group (GTIG) unveiled a significant cyber threat stemming from a highly coordinated campaign linked to a financially motivated hacking collective known as Scattered Spider, also referred to as 0ktapus and UNC3944. This group has a history of targeting major industries, including retail, airlines, and…


Iran-Backed Pay2Key Ransomware Makes a Comeback with Increased 80% Profit Incentive for Cybercriminals

Jul 11, 2025
Cyber Warfare / Cybercrime

The Iranian-backed ransomware-as-a-service (RaaS) operation Pay2Key has reemerged amid the escalating Israel-Iran-U.S. conflict, now offering larger payouts to affiliates who target Israel and the U.S. Operating under the new name Pay2Key.I2P, the scheme is believed to be associated with the hacking group Fox Kitten (also tracked as Lemon Sandstorm). According to Morphisec security researcher Ilia Kulmin, “Pay2Key.I2P appears to be affiliated with the notorious Fox Kitten APT group and shares capabilities with the well-known Mimic ransomware.” The operation has publicly raised its profit share for affiliates who support Iran or attack its adversaries to 80%, up from 70%, underlining that the motivation is ideological as much as financial. Last year, the U.S. government documented this APT group’s practice of carrying out ransomware attacks through covert partnerships.


GLOBAL GROUP Ransomware Alleges Breach of Media Conglomerate Albavisión

The ransomware collective known as GLOBAL GROUP has claimed responsibility for a significant security breach at Albavisión, a prominent Spanish-language media conglomerate headquartered in Miami, Florida. According to the group, they have successfully extracted 400 GB of sensitive data from the company. Having emerged in early June 2025, GLOBAL GROUP…


Corelight Leverages Generative AI for Enhanced Threat Detection

July 28, 2025
Artificial Intelligence & Machine Learning / Network Detection & Response / Next-Generation Technologies & Secure Development
Michael Novinson (@MichaelNovinson)

Enhancements in SaaS Target Network Detection and Response for Smaller Security Teams

In a recent address, Corelight CEO Brian Dye highlighted the…


Severe Vulnerability in Wing FTP Server (CVE-2025-47812) Under Active Exploitation

July 11, 2025
Cyber Attack / Vulnerability Alert

A recently disclosed critical vulnerability in Wing FTP Server is being exploited in the wild, Huntress reports. Tracked as CVE-2025-47812 (CVSS score: 10.0), the flaw is an improper handling of null (‘\0’) bytes in the server’s web interface that leads to remote code execution. It is fixed in version 7.4.4. The CVE.org advisory describes it as follows: “The user and admin web interfaces mishandle ‘\0’ bytes, allowing for the injection of arbitrary Lua code into user session files.” The injected Lua can run arbitrary system commands with the privileges of the FTP service, which by default are root or SYSTEM. Alarmingly, the bug is also reachable through anonymous FTP accounts, so an unpatched server that permits anonymous logins is exposed to unauthenticated attackers; upgrading to 7.4.4 is the fix, and anonymous access is the first exposure to close where the upgrade cannot happen immediately. A detailed analysis of the issue was published in late June 2025 by RCE Security researcher Julien Ahrens.
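The bug class the advisory describes, modelled as an added example (Python, written for this page; it is not Wing FTP Server’s code and does not reproduce its handler): a username that is validated through a C-string view, so everything from the first NUL byte onward is invisible to the check, but is then written in full into a Lua session file, shown beside the hardened form that validates the whole buffer and serialises the value as an escaped Lua literal. The `username = "..."` record layout, the allowed-character policy and the sample payload are assumptions made for the illustration; `record_is_single_literal` is the kind of check one could run over session files when auditing a server.

```python
"""
Model of the null-byte bug class behind CVE-2025-47812: validation that stops
at the first NUL (C-string semantics) versus a writer that emits the whole
buffer into a Lua session file. Added example code, not Wing FTP Server's
source; record format, policy and payload are assumptions.
"""
import re

# Constructed sample input: reads as the anonymous user up to the NUL byte,
# with Lua that closes the string literal and runs a command appended after it.
SAMPLE_PAYLOAD = 'anonymous\x00"; os.execute("id") --'

# Allowed-character policy (assumption): what a username may contain.
_USERNAME_OK = re.compile(r"[A-Za-z0-9_.@-]{1,64}")

# A safe record is exactly one double-quoted Lua literal whose only special
# characters are backslash escapes, followed by a newline and nothing else.
_SINGLE_LITERAL = re.compile(r'^username = "(?:[^"\\\n]|\\.)*"\n$')


def session_record_vulnerable(username: str) -> str:
    """Validation sees only the bytes before the first NUL (a C-string view),
    but the full buffer is spliced into the Lua record unescaped."""
    c_view = username.split("\x00", 1)[0]
    if not _USERNAME_OK.fullmatch(c_view):
        raise ValueError("invalid username")
    return f'username = "{username}"\n'


def lua_string_literal(value: str) -> str:
    """Serialise value as a Lua double-quoted literal. Backslash and quote are
    escaped, and every control byte (NUL included) becomes a Lua \\ddd escape,
    so nothing in the value can terminate the literal or hide from a check."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%03d" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def session_record_hardened(username: str) -> str:
    """Validate the whole buffer (no truncation at NUL) and write the value
    as data through the serialiser rather than by string interpolation."""
    if not _USERNAME_OK.fullmatch(username):
        raise ValueError("invalid username")
    return f"username = {lua_string_literal(username)}\n"


def record_is_single_literal(record: str) -> bool:
    """Audit check for an existing session record: True when it contains one
    string literal and no trailing Lua code."""
    return _SINGLE_LITERAL.match(record) is not None


if __name__ == "__main__":
    bad = session_record_vulnerable(SAMPLE_PAYLOAD)
    print("vulnerable writer produced:", repr(bad))
    print("single literal?", record_is_single_literal(bad))
    safe = "username = " + lua_string_literal(SAMPLE_PAYLOAD) + "\n"
    print("escaped serialiser produced:", repr(safe))
    print("single literal?", record_is_single_literal(safe))
```

The vulnerable writer accepts the payload because the check only ever sees `anonymous`, and the record it emits closes the Lua string after the NUL and continues with code; the hardened writer rejects the same input outright, and even without the policy check the escaped serialiser turns it into one harmless literal.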
