Black Arrow Cyber Threat Intelligence Briefing 28 March 2025

30 Mar

Welcome to this week’s Black Arrow Cyber Threat Intelligence Briefing – a weekly digest, collated and curated by our cyber experts to provide senior and middle management with an easy to digest round up of the most notable threats, vulnerabilities, and cyber related news from the last week.

Summary

Our summary of threat intelligence this week highlights how attackers exploit your trust in third parties, well-known brands, or cloud collaboration platforms, including Dropbox, SharePoint and DocuSign, to gain access to your information or systems including in ransomware attacks. Criminals are innovating through new social engineering and phishing-as-a-service platforms, combined with voice-phishing and AI. Organisations can help reduce these risks through enhanced employee training and multi-factor-authentication (MFA), and stronger defences against ransomware.

Also this week, the UK’s Information Commissioner’s Office (ICO) imposed a fine of £3m on an IT provider who experienced a cyber incident because they did not have basic cyber security in place such as MFA and vulnerability management. The ICO has warned that it will impose higher fines for similar cases in future.

There has been a continued increase in cyber threats from both domestic and state-aligned actors, including criminal gangs now operating with the speed and sophistication of nation states. The UK government is expanding its cyber capabilities in response, but for organisations, the message is clear: the threat landscape is evolving faster than ever, and both vigilance and adaptability are essential.

Top Cyber Stories of the Last Week

Third-Party Security Issues Could Be the Biggest Threat Facing Your Business

New research has revealed that over a third (35%) of all breaches in 2024 were linked to third-party suppliers; a figure likely to be understated due to underreporting. The report highlights a shift in attack surfaces, with fewer breaches involving traditional technology products and services. More than two in five ransomware attacks now originate through third parties. Experts warn that organisations must move beyond periodic vendor assessments and adopt real-time monitoring to stay ahead of evolving third-party cyber security threats.

New Morphing Meerkat Phishing Kit Mimics 114 Brands

A new phishing-as-a-service platform, dubbed Morphing Meerkat, has been uncovered, targeting users across the globe by mimicking login pages for 114 well-known brands. The phishing kit uses victims’ mail exchange records to tailor fake login pages to their email providers, making the attack more convincing. Thousands of phishing emails have been distributed using compromised websites and advertising redirects to bypass security filters. The kit also supports over a dozen languages and includes anti-analysis features, making detection and investigation more difficult. Stolen credentials are exfiltrated using tools like Telegram, increasing the speed and scale of data theft.

NCA Warns of Sadistic Online “Com” Networks

The UK’s National Crime Agency has warned of a sharp rise in “Com” networks: online groups of sadistic teenage boys engaged in cyber attacks, fraud, extremism and serious abuse. Reports of these threats increased six-fold in the UK between 2022 and 2024. These English-speaking groups operate openly on mainstream platforms and have been linked to ransomware, phishing, SIM swapping and social engineering. While most threats still originate abroad, the NCA highlights a growing domestic risk. The groups target young girls in particular, often coercing them into serious self-harm, with motivations ranging from profit and notoriety to status within these networks.

Threat Actors Abuse Trust in Cloud Collaboration Platforms

Cofense Intelligence has reported a sharp rise in phishing attacks that abuse trusted online document platforms to bypass secure email gateways and steal credentials. In 2024, these platforms were linked to 8.8% of all credential phishing campaigns, with 79% aiming to harvest user credentials. Dropbox was the most exploited at 25%, followed by Adobe, SharePoint and DocuSign. Features like automatic email notifications and delayed takedowns help attackers evade detection. The report recommends organisations enhance user awareness, apply behavioural analysis tools, and adopt multi-factor authentication to better defend against these increasingly sophisticated phishing threats.

Report Reveals How Breaches Are Fuelling Hyper-Personalised Email Attacks

Fortra’s latest report highlights a sharp rise in highly personalised email attacks, with 99% of threats in 2024 involving social engineering or phishing without malware. Over 1 billion records were breached last year, enabling cyber criminals to combine stolen and publicly available data to make scams more convincing. Abuse of legitimate platforms surged by 200%, particularly targeting e-signature services like DocuSign and free developer tools. Hybrid vishing, combining phishing with phone-based deception, emerged as the most common scam, with one in three impersonating PayPal in late 2024. The report warns that generative AI will intensify these threats in 2025.

No MFA? Expect Hefty Fines, UK’s ICO Warns

The UK Information Commissioner’s Office (ICO) has warned that failing to implement basic cyber security measures like multi-factor authentication (MFA) could result in significant fines. This follows a £3.07m penalty issued to IT provider Advanced after a 2022 ransomware attack exposed sensitive data of over 79,000 individuals and severely disrupted NHS services. Hackers exploited a customer account without MFA, highlighting broader failings in patching and vulnerability management. While the fine was reduced from an initial £6.1m due to the firm’s cooperation, the ICO stressed that future penalties may be higher for similar incidents where fundamental protections are missing.

Mobsters Now Overlap with Cyber Crime Gangs and Use AI for Evil, Europol Warns

Europol’s latest threat assessment reveals that organised crime groups are increasingly adopting digital technologies, with AI now central to their operations. These networks are using AI to scale criminal activities, evade detection, and exploit digital platforms and illicit financial systems. Europol warns that organised crime is now deeply embedded online, with the internet serving as its primary arena and data becoming its most valuable asset. The report also highlights growing collaboration between criminal groups and state-aligned hybrid threat actors, amplifying the threat to the EU’s institutions and social cohesion through shared tools, expertise, and protection.

Ransomware Attacks Surge Despite Payments Being Down

Ontinue’s latest threat intelligence report reveals a 132% rise in ransomware attacks, despite ransom payments falling by 35%, indicating a shift in attacker tactics. Vishing (voice enabled phishing) attacks have surged by 1,633% in just one quarter, now fuelled by AI-powered voice cloning to impersonate trusted individuals. Adversary-in-the-Middle attacks are also on the rise, enabling cyber criminals to bypass multi-factor authentication. Meanwhile, the misuse of legitimate tools such as Microsoft Quick Assist and the targeting of Windows Hello authentication keys highlight an evolving threat landscape. The report urges firms to strengthen defences against ransomware, phishing, and credential theft.

High-Severity Cloud Security Alerts Tripled in 2024

Palo Alto Networks reported a 235% surge in high-severity cloud security alerts in 2024, contributing to a 388% overall rise in incidents across the year. Organisations now face an average of 20 serious daily alerts, with the most common linked to suspicious identity use and disabled data protections. Notably, suspicious large downloads rose by 305% and abnormal user activity by over 100%. The focus of cloud security is shifting from misconfigurations to threats occurring in real-time as systems operate, highlighting the growing need for runtime visibility to detect and respond to active threats more effectively.

If You Think You’re Immune to Phishing Attempts, You’re Wrong!

Cyber security expert Troy Hunt has publicly admitted falling victim to a convincing phishing attack that compromised his Mailchimp account and exposed the email addresses, IPs, and geolocation data of newsletter subscribers. Despite recognising warning signs in hindsight, Hunt’s experience highlights how sophisticated and automated such attacks have become. Notably, the attack bypassed two-factor authentication via one-time passcodes, underlining the limitations of commonly used security controls. Hunt stressed the importance of phishing-resistant authentication and the need for stronger default protections from service providers. His transparency serves as a timely reminder that no individual is immune, regardless of expertise.

UK Expanding Cyber Capabilities Amid US Pause

The UK government has reaffirmed its commitment to expanding cyber capabilities in response to the growing threat landscape and a shift in US policy on offensive cyber operations. Armed Forces Minister Luke Pollard confirmed increased investment in both defensive and offensive cyber forces, including a new direct entry pathway for cyber specialists. The 77th Brigade remains central to countering Russian disinformation in Eastern Europe. In 2024, the UK’s National Cyber Security Centre received 1,957 cyber attack reports, including 89 nationally significant incidents and 12 severe cases, underscoring the urgency of strengthening the UK’s cyber resilience.

Sources:

https://www.techradar.com/pro/security/third-party-security-issues-could-be-the-biggest-threat-facing-your-business

https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html

https://www.infosecurity-magazine.com/news/nca-warns-of-sadistic-online-com/

https://www.infosecurity-magazine.com/news/threat-actors-abuse-cloud-platforms/

https://informationsecuritybuzz.com/fortra-report-reveals-how-breaches/

https://www.infosecurity-magazine.com/news/mfa-expect-hefty-fines-uk-ico/

https://www.theregister.com/2025/03/24/modern_mafiosos_wield_ai/

https://betanews.com/2025/03/25/ransomware-attacks-surge-despite-payments-being-down/

https://www.darkreading.com/cyber-risk/high-severity-cloud-security-alerts-tripled-2024

https://www.helpnetsecurity.com/2025/03/26/troy-hunt-mailchimp-phishing-email/

https://ukdefencejournal.org.uk/uk-expanding-cyber-capabilities-amid-us-pause/

Governance, Risk and Compliance

Half of firms have been hit by a cyber attack - Digital Journal

Cyber security spending set to jump 12.2% in 2025 - Help Net Security

Threats

Nation State Actors, Advanced Persistent Threats (APTs), Cyber Warfare, Cyber Espionage and Geopolitical Threats/Activity

Cyber Warfare and Cyber Espionage

RedCurl cyber spies create ransomware to encrypt Hyper-V servers

'We are in a state of war': The UK needs to prepare for a future without Nato

Nation State Actors

Threat of state-sponsored cyber attacks could make UK terror insurer ‘obsolete’

Will your supply chain stand up to a nation-state hack? • The Register

China

Chinese hackers are getting bigger, better and stealthier

China, Beijing's ties with Russia main threats to US: intel report - Digital Journal

US Intelligence identifies China as top military, cyber threat

China's FamousSparrow flies back, breaches US org • The Register

Chinese APT Weaver Ant infiltrated a telco for over four years

Despite Rip-and-Replace Efforts, FCC Suspects Banned Chinese Telecom Providers Still Active in US - SecurityWeek

Cyber Threats Jeopardize US Military Mobility, Report Warns

Chinese Hacker Group Tracked Back to iSoon APT Operation

China poses biggest military threat to US: intel report - Digital Journal

US Cyber Security Weakness Benefits China – Foreign Policy

China bans facial recognition in hotels, bathrooms • The Register

Commerce limits 19 Chinese, Taiwanese companies from buying U.S. tech | CyberScoop

Chinese Hackers Exploit Unpatched Servers in Taiwan

Russia

UK expanding cyber capabilities amid US pause

Analysis: ‘We’re Choosing to Blind Ourselves’ – US Backs Off Russian Threats, PART I

Analysis: Cyber Security as a Bargaining Chip in Ukraine Talks – US Backs Off Russian Threats, PART II

Russian Espionage Group Using Ransomware in Attacks - SecurityWeek

China, Beijing's ties with Russia main threats to US: intel report - Digital Journal

US Intelligence identifies China as top military, cyber threat

Our Leaders Don't Take Information Security Seriously | National Review

What CISA's Red Team Disarray Means for US Cyber Defences

Proof of Concept: Is the US Losing Its Cyber Grip?

Ex-NSA boss: Election security focus helped dissuade Russia • The Register

Ukraine to establish national cyber attack response system

Ukrainian Railways Faced Massive Cyber Attack Over the Weekend

Top Trump aide in Signal chat was in Russia while the text stream was active—but denies he had personal or government-issued phone with him | Fortune

Russian hackers shut down major Belgian websites | Cybernews

Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers

Poland raises defences against cyber attacks before the vote | Stars and Stripes

Widespread Keenetic Router Data Breach Uncovered | MSSP Alert

Russia subjected to suspected joint Head Mare, Twelve attacks | SC Media

Iran

Iran's MOIS-Linked APT34 Spies on Allies Iraq & Yemen

North Korea

U.S. Treasury Lifts Tornado Cash Sanctions Amid North Korea Money Laundering Probe

North Korea launches new unit with a focus on AI hacking, per report | TechCrunch

Other Nation State Actors, Hacktivism, Extremism, Terrorism and Other Geopolitical Threat Intelligence

Russia subjected to suspected joint Head Mare, Twelve attacks | SC Media

Furry Hackers Fear Leader Raided by FBI

Tools and Controls

Cloud providers aren’t delivering on security promises - Help Net Security

Cyber security spending set to jump 12.2% in 2025 - Help Net Security

Cyber criminals Exploit CheckPoint Driver Flaws in Malicious Campaign - Infosecurity Magazine

Prepping for post-quantum: a beginner’s guide to lattice cryptography

How to Balance Password Security Against User Experience

Data Protection: Top Trends In Backup And Recovery

Spring clean your security data: The case for cyber security data hygiene - Help Net Security

10 Critical Network Pentest Findings IT Teams Overlook

Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks

Ransomware Groups Increasingly Adopting EDR Killer Tools - SecurityWeek

What is Infrastructure Intelligence? - Security Boulevard

Threat Intelligence: Are UK Organisations Flying Blind? | SC Media UK

8 Expert Tips and Resources to Stay Ahead of Security Threats - DevX

How Cyber Security Pros Stay Ahead of the Curve – Insights from Experts - DevX

Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates

The hidden costs of security tool bloat and how to fix it - Help Net Security

53% of security teams lack continuous and up-to-date visibility - Help Net Security

The rise of identity and access management: How IAM evolved to being the new perimeter of cyber security - Security Boulevard

AI vs. Cyber Criminals: Who Wins the Race in Next-Gen Threat Detection? - Security Boulevard

Dark Web Intelligence: A Critical Layer in Modern Cyber Security Strategy | MSSP Alert

Russian zero-day seller is offering up to $4 million for Telegram exploits | TechCrunch

Cyber security specialists are drowning in a sea of software vulnerabilities. AI may be able to help | Fortune

Other News

UK CNI’s Overconfidence Puts National Security At Risk

Security experts warn of ‘contradictory confidence’ over critical infrastructure threats | ITPro

Estonia’s bold approach to cyber security: a holistic model for Europe - e-Estonia

Threat of war and disease means Europeans need 3 days’ supplies, Commission to warn – POLITICO

UK NCSC offers security guidance for domain and DNS registrars - Help Net Security

We take our energy security for granted. Our adversaries do not: Heather Exner Pirot and David McConkey in National Newswatch | Macdonald-Laurier Institute

UK says security ties with US are as strong as ever | Reuters

'We are in a state of war': The UK needs to prepare for a future without Nato

How governments can strengthen cyber security in the age of AI and hybrid threats - e-Estonia

Healthcare's alarming cyber security reality - Help Net Security

OT systems are strategic targets in global power struggles - Help Net Security

Single points of failure for our national infrastructure, like Heathrow, can no longer be tolerated

Dozens of solar inverter flaws could be exploited to attack power grids

Is the Middle East's Race to Digitize a Threat?

Cyber attack causes delays for South Africa’s largest chicken producer | The Record from Recorded Future News

Cyber attack threat not taken seriously by food and beverage

ENISA Probes Space Threat Landscape in New Report - Infosecurity Magazine

Vulnerability Management

Despite challenges, the CVE program is a public-private partnership that has shown resilience | CyberScoop

NIST Still Struggling to Clear Vulnerability Submissions Backlog in NVD - SecurityWeek

Cyber security Gaps Leave Doors Wide Open

Chinese Hackers Exploit Unpatched Servers in Taiwan

Cyber security specialists are drowning in a sea of software vulnerabilities. AI may be able to help | Fortune

Vulnerabilities

It's time to update Chrome ASAP - again! - to fix this critical flaw | ZDNET

Cyber Criminals Exploit CheckPoint Driver Flaws in Malicious Campaign - Infosecurity Magazine

Russian Ransomware Gang Exploited Windows Zero-Day Before Patch - SecurityWeek

VMware Vulnerabilities Exploited Actively to Deploy Ransomware

CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) - Help Net Security

Top 3 MS Office Exploits Hackers Use in 2025 – Stay Alert!

String of defects in popular Kubernetes component puts 40% of cloud environments at risk | CyberScoop

Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) - Help Net Security

Public-facing Kubernetes clusters at risk of total takeover • The Register

Mozilla warns Windows users of critical Firefox sandbox escape flaw

VSCode extensions found downloading early-stage ransomware

Russian zero-day seller is offering up to $4 million for Telegram exploits | TechCrunch

Sector Specific

Industry specific threat intelligence reports are available.

· Automotive

· Construction

· Critical National Infrastructure (CNI)

· Defence & Space

· Education & Academia

· Energy & Utilities

· Estate Agencies

· Financial Services

· FinTech

· Food & Agriculture

· Gaming & Gambling

· Government & Public Sector (including Law Enforcement)

· Health/Medical/Pharma

· Hotels & Hospitality

· Insurance

· Legal

· Manufacturing

· Maritime & Shipping

· Oil, Gas & Mining

· OT, ICS, IIoT, SCADA & Cyber-Physical Systems

· Retail & eCommerce

· Small and Medium Sized Businesses (SMBs)

· Startups

· Telecoms

· Third Sector & Charities

· Transport & Aviation

· Web3

Contact us to help assess where your risks lie and to ensure you are doing all you can do to keep you and your business secure.

Look out for our ‘Cyber Tip Tuesday’ video blog and on our YouTube channel.

You can also follow us on Facebook, Twitter and LinkedIn.

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.

E&OE

Black Arrow Admin

Black Arrow Cyber Threat Intelligence Briefing 28 March 2025

Summary

Top Cyber Stories of the Last Week

Third-Party Security Issues Could Be the Biggest Threat Facing Your Business

New Morphing Meerkat Phishing Kit Mimics 114 Brands

NCA Warns of Sadistic Online “Com” Networks

Threat Actors Abuse Trust in Cloud Collaboration Platforms

Report Reveals How Breaches Are Fuelling Hyper-Personalised Email Attacks

No MFA? Expect Hefty Fines, UK’s ICO Warns

Mobsters Now Overlap with Cyber Crime Gangs and Use AI for Evil, Europol Warns

Ransomware Attacks Surge Despite Payments Being Down

High-Severity Cloud Security Alerts Tripled in 2024

If You Think You’re Immune to Phishing Attempts, You’re Wrong!

UK Expanding Cyber Capabilities Amid US Pause

Sources:

Governance, Risk and Compliance

Threats

Ransomware, Extortion and Destructive Attacks

Ransomware Victims

Phishing & Email Based Attacks

Business Email Compromise (BEC)/Email Account Compromise (EAC)

Other Social Engineering

Artificial Intelligence

2FA/MFA

Malware

Mobile

Denial of Service/DoS/DDoS

Internet of Things – IoT

Data Breaches/Leaks

Organised Crime & Criminal Actors

Cryptocurrency/Cryptomining/Cryptojacking/NFTs/Blockchain

Insider Risk and Insider Threats

Insurance

Supply Chain and Third Parties

Cloud/SaaS

Outages

Identity and Access Management

Encryption

Linux and Open Source

Passwords, Credential Stuffing & Brute Force Attacks

Social Media

Malvertising

Training, Education and Awareness

Regulations, Fines and Legislation

Models, Frameworks and Standards

Backup and Recovery

Careers, Working in Cyber and Information Security

Law Enforcement Action and Take Downs

Misinformation, Disinformation and Propaganda