'Disgruntled' British IT Worker Jailed for Hacking Employer After Being Suspended
Summary:
A British IT worker, Mohammed Umar Taj, has been jailed for seven months and 14 days after carrying out what police described as a deliberate cyberattack against his employer. The incident began in July 2022, when Taj was suspended from his job at an unidentified company with clients in the UK, Germany, and Bahrain. Within hours of his suspension, he accessed the company’s systems without authorization to alter login credentials and disrupt daily business operations.
The next day, Taj escalated his actions by changing the company’s access credentials and multi-factor authentication settings, making it harder for the firm to regain control. As a result, the company suffered significant operational disruption and financial losses of at least £200,000 (around $275,000). The attack also caused reputational harm, affecting relationships with clients abroad.
Investigators from West Yorkshire Police’s cybercrime team recovered recordings of Taj discussing his plans and documenting his activities. This evidence proved crucial in court. Taj pleaded guilty to an offense under the UK’s Computer Misuse Act and was sentenced on June 26 at Leeds Crown Court.
Analyst comments:
This case illustrates the insider threat: when someone with privileged access to a company's systems chooses to use that access to cause harm, the damage is immediate and hard to contain. Mohammed Umar Taj was angered at being suspended and retaliated by breaking into his employer's systems and locking the company out of its own accounts. The company lost a substantial amount of money and credibility with its customers as a result. The lesson is that companies need to protect their systems and data carefully, including against their own staff, and that people should not use their skills to harm others, even when they are upset or feel they are being treated unfairly. Cybersecurity matters because so much of a business now depends on technology.
Mitigation:
Detective Sergeant Lindsey Brants, who led the investigation, stated that Taj had abused his privileged access to the company’s IT systems to take revenge, causing a ripple effect of disruption that extended far beyond the UK. She emphasized that the case highlights the importance for all businesses to protect their networks, prevent data loss, and maintain trust with clients and stakeholders.
Source:
https://therecord.media/uk-it-worker-jailed-hacking-former-employer
_______________________________________________________________________
Criminals Posing as Legitimate Health Insurers and Fraud Investigators to Commit Health Care Fraud
Summary:
The FBI has issued a warning to the public about a rising scam involving criminals who impersonate legitimate health insurance companies and their investigative teams. These fraudsters are targeting both patients and healthcare providers by sending deceptive emails and text messages that appear to be from trusted medical organizations. The messages often use urgent or official language to create pressure and gain the recipient’s trust. Victims are then manipulated into disclosing sensitive information, including protected health data, personal medical records, and financial details. In some cases, the scammers request payments by falsely claiming there were service overpayments or charges for non-covered procedures.
Analyst comments:
The impact of these scams can have long-lasting consequences. Falling victim to such lures can lead to identity theft, financial loss, and the misuse of private medical information. With access to protected health data and personal medical records, actors can file false insurance claims or commit other types of fraud. Healthcare providers may also face reputational damage and legal consequences if patient data is compromised. The FBI emphasizes the importance of verifying communications before sharing any personal or financial information and encourages reporting suspicious activity to authorities.
Mitigation:
- Be suspicious of unsolicited messages (emails, texts, and calls) requesting personal information.
- Never click on links that are included in suspicious and/or unsolicited emails.
- Use strong passwords and enable Multi-Factor Authentication for all accounts.
- Keep operating system software updated and use antivirus software on all devices.
- Always contact your health insurance provider directly to verify the legitimacy of any messages before sharing personal or health care information.
Source:
https://www.ic3.gov/PSA/2025/PSA250627
_______________________________________________________________________
Adversary-in-the-Middle Attacks that Target Microsoft 365
Summary:
Adversary-in-the-Middle attacks are an advanced evolution of man-in-the-middle techniques, exploiting weaknesses in credential-based security and legacy MFA systems by intercepting and relaying traffic between victims and legitimate services. Unlike standard phishing that only steals credentials, AiTM allows attackers to capture real-time session cookies, enabling them to bypass MFA prompts entirely and maintain persistent access. A notable example is the Tycoon 2FA phishing-as-a-service platform, which automates the deployment of realistic phishing pages that closely mimic Microsoft 365 login flows, including organization-specific Entra ID branding, tricking users into entering both passwords and MFA codes.
In April 2025, Proofpoint detected a significant spike in global AiTM campaigns leveraging Tycoon’s platform, targeting thousands of organizations across multiple sectors, including healthcare, finance, and education. These campaigns employed advanced evasion tactics such as invisible Unicode characters embedded in URLs, custom CAPTCHAs to defeat automation, and anti-debugging scripts to slow analysis and bypass traditional email security gateways.
The typical attack chain began with phishing emails containing links to a fake Microsoft 365 login page designed to appear identical to legitimate portals, often including the target’s organizational logos and colors. Once victims entered their credentials, the fake page prompted for MFA tokens, capturing them in real time alongside session cookies via a reverse proxy setup, allowing attackers to authenticate as the user without triggering additional MFA challenges. This session hijacking enabled attackers to access sensitive services, exfiltrate data, and establish persistent footholds within victim environments.
Analyst comments:
Notably, Proofpoint observed these attacks successfully bypassing the defenses of six other major email security vendors, including three recognized as Leaders in the 2024 Gartner Magic Quadrant, underscoring the sophistication and effectiveness of these campaigns. Proofpoint identified the use of “precision-validated phishing,” where attackers validate the user’s existence or activity before executing the attack, enhancing the likelihood of success while narrowing the target scope.
Mitigation:
To safeguard against threats like the one described in this post, here’s what we recommend:
- Use enhanced authentication methods. MFA remains a key defense, but it is not foolproof. Consider implementing additional authentication methods, such as FIDO2-based hardware tokens. These methods are resistant to session cookie theft and are harder for attackers to bypass.
- Educate users. Training employees to recognize phishing emails is crucial. Users should learn how to carefully inspect URLs in email messages, and they should be taught to verify the authenticity of login pages, especially those with custom branding.
- Improve your email filtering. Advanced email security solutions can detect suspicious behavior. They can also identify the use of uncommon domains, unusual sender information, and other indicators of a phishing attack.
- Get advanced threat detection. The use of advanced threat detection tools is critical for defending against AiTM and other identity-based attacks. These tools not only prevent attackers from stealing credentials, but they also stop them from moving laterally across your environment and escalating the privileges of stolen accounts.
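Added example (not code from the Proofpoint post or from any product): a small Python detector that applies the "advanced threat detection" point above to sign-in telemetry. It assumes a simplified record layout (timestamp, user, session identifier, source network/ASN, and how MFA was satisfied) loosely modelled on Entra ID sign-in log fields, runs over a constructed sample log, and flags two traces a reverse-proxy AiTM kit leaves behind even though the victim completed the MFA challenge correctly: the same session cookie presented from a different network shortly after the interactive sign-in, and a cookie-only session with no interactive sign-in on record. The field names, sample data, and one-hour window are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One sign-in record. Field names are a simplification of Entra ID
    sign-in log fields, chosen for this example (assumption)."""
    ts: datetime
    user: str
    session_id: str      # identifier tied to the issued session cookie
    ip: str
    asn: str             # network (autonomous system) the request came from
    auth_method: str     # "password+mfa" = interactive; "session_cookie" = MFA claim carried by the cookie


# Constructed sample log (not real data). Alice signs in interactively from the
# corporate network; four minutes later her session cookie is presented from a
# hosting provider, which is what a reverse-proxy AiTM kit produces. Bob reuses
# his cookie from the same network (normal). Carol's session is seen only as a
# cookie, never as an interactive sign-in this tenant recorded.
SAMPLE_LOG = [
    SignIn(datetime(2025, 4, 3, 9, 2), "alice@example.com", "sess-a1", "203.0.113.10", "AS64500-CorpISP", "password+mfa"),
    SignIn(datetime(2025, 4, 3, 9, 6), "alice@example.com", "sess-a1", "198.51.100.77", "AS64511-VPSHost", "session_cookie"),
    SignIn(datetime(2025, 4, 3, 9, 30), "bob@example.com", "sess-b1", "203.0.113.22", "AS64500-CorpISP", "password+mfa"),
    SignIn(datetime(2025, 4, 3, 10, 0), "bob@example.com", "sess-b1", "203.0.113.22", "AS64500-CorpISP", "session_cookie"),
    SignIn(datetime(2025, 4, 3, 11, 15), "carol@example.com", "sess-c1", "198.51.100.80", "AS64511-VPSHost", "session_cookie"),
]


def group_by_session(log):
    """Group records by (user, session_id), each group ordered by time."""
    groups = defaultdict(list)
    for rec in sorted(log, key=lambda r: r.ts):
        groups[(rec.user, rec.session_id)].append(rec)
    return groups


def detect_aitm_indicators(log, window=timedelta(hours=1)):
    """Return one alert dict per suspicious session.

    Two indicators, both visible in sign-in telemetry even though the MFA
    challenge itself was completed correctly by the victim:
      - cookie_reuse_from_new_network: the same session cookie is presented
        from a different network than the interactive sign-in within `window`.
      - cookie_without_interactive_login: a cookie-only session with no
        interactive sign-in on record, i.e. the cookie was minted elsewhere.
    """
    alerts = []
    for (user, sid), events in group_by_session(log).items():
        first = events[0]
        if first.auth_method == "session_cookie":
            alerts.append({"user": user, "session": sid,
                           "reason": "cookie_without_interactive_login",
                           "network": first.asn})
            continue
        for later in events[1:]:
            if later.asn != first.asn and later.ts - first.ts <= window:
                alerts.append({"user": user, "session": sid,
                               "reason": "cookie_reuse_from_new_network",
                               "from": first.asn, "to": later.asn,
                               "minutes_apart": int((later.ts - first.ts).total_seconds() // 60)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm_indicators(SAMPLE_LOG):
        print(alert)
```

Both checks work on the session, not on the MFA prompt, which is the point: a phishing-resistant method such as a FIDO2 key stops the cookie from being issued to the proxy in the first place, while this kind of detection is the fallback for accounts that are still on legacy MFA.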
Source:
https://www.proofpoint.com/us/blog/email-and-cloud-threats/aitm-phishing-attacks-evolving-threat-microsoft-365
_______________________________________________________________________
Scattered Spider Hackers Shift Focus to Aviation, Transportation Firms
Summary:
Hackers associated with Scattered Spider have expanded from targeting insurance and retail sectors to now attacking aviation and transportation industries in North America. Previously, the group focused on retail companies such as M&S and Co-op in the UK and US before shifting to insurance firms, including Aflac, Erie Insurance, and Philadelphia Insurance Companies, where they leveraged social engineering and identity attacks to gain access to corporate networks.
On June 12, Canada’s second-largest airline, WestJet, suffered a cyberattack attributed to Scattered Spider. The attackers reportedly gained access by performing a self-service password reset for an employee, registering their own MFA, and accessing the network through Citrix. This aligns with the group's well-known tactics of targeting help desks and MFA infrastructure to bypass defenses. Following the breach, Palo Alto Networks and Microsoft assisted in the response efforts.
Shortly after, Hawaiian Airlines disclosed it had also been attacked, with sources indicating Scattered Spider was likely responsible, although the airline did not officially confirm the attribution. Currently, American Airlines is facing an IT outage, but it remains unclear if this is related to Scattered Spider activity.
Analyst comments:
Experts from Palo Alto Networks’ Unit 42 and Mandiant (Google Cloud) have confirmed that Scattered Spider has shifted focus to the aviation and transportation sectors, with Mandiant urging organizations to tighten identity verification processes, protect self-service password reset platforms, and limit help desk actions that can facilitate unauthorized MFA changes. Organizations are also advised to monitor for suspicious MFA reset requests, new device registrations, and identity-related changes that could signal intrusion attempts. Scattered Spider, also tracked as UNC3944, 0ktapus, and Octo Tempest, is not a single group but a loose network of young, English-speaking threat actors using overlapping tactics including phishing, SIM swapping, MFA fatigue attacks, and real-time social engineering via help desks to compromise large organizations. They often frequent Telegram channels, hacker forums, and Discord servers to coordinate attacks and have a history of partnering with Russian-speaking ransomware groups such as BlackCat, RansomHub, Qilin, and DragonForce for extortion operations.
Mitigation:
To defend against these threats, Google Threat Intelligence Group and Palo Alto Networks recommend organizations secure identity and MFA platforms, implement strict help desk protocols, ensure logging and monitoring of identity-related activities, and provide user training to recognize social engineering attempts. Given Scattered Spider’s expanding focus on critical sectors, the aviation and transportation industries are urged to adopt these mitigation steps promptly to reduce the risk of compromise and operational disruptions.
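Added example (not code from Mandiant, Unit 42, or the BleepingComputer article): a Python detection that correlates the identity events the advice above says to monitor, namely a self-service or help-desk credential reset followed by a new MFA method and a new device registration for the same user. It parses constructed audit events in JSON-lines form, with a simplified field set loosely modelled on directory audit-log fields (assumption), and raises the severity when the enrollment comes from a network the user has never signed in from, which is the shape of the WestJet sequence described in the summary. The event names, sample data, and 30-minute window are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events as JSON lines (not real data). jdoe's sequence is a
# self-service password reset, then a new MFA method and a new device, all from
# a network the user has never signed in from. asmith's reset and MFA change are
# a day apart and come from the corporate network.
AUDIT_JSONL = """\
{"ts": "2025-06-12T08:55:00Z", "user": "jdoe@example.com", "event": "SignInSuccess", "asn": "AS64500-CorpISP"}
{"ts": "2025-06-12T14:01:00Z", "user": "jdoe@example.com", "event": "SelfServicePasswordReset", "asn": "AS64511-ResidentialProxy"}
{"ts": "2025-06-12T14:07:00Z", "user": "jdoe@example.com", "event": "MfaMethodRegistered", "asn": "AS64511-ResidentialProxy", "method": "AuthenticatorApp"}
{"ts": "2025-06-12T14:09:00Z", "user": "jdoe@example.com", "event": "DeviceRegistered", "asn": "AS64511-ResidentialProxy"}
{"ts": "2025-06-12T15:30:00Z", "user": "asmith@example.com", "event": "SignInSuccess", "asn": "AS64500-CorpISP"}
{"ts": "2025-06-12T15:40:00Z", "user": "asmith@example.com", "event": "SelfServicePasswordReset", "asn": "AS64500-CorpISP"}
{"ts": "2025-06-13T09:00:00Z", "user": "asmith@example.com", "event": "MfaMethodRegistered", "asn": "AS64500-CorpISP", "method": "Phone"}
"""

# Event names that represent a credential reset, whether self-service or
# performed by the help desk (hypothetical names for this example).
RESET_EVENTS = {"SelfServicePasswordReset", "HelpDeskPasswordReset", "HelpDeskMfaReset"}


def parse_audit(jsonl):
    """Parse JSON-lines audit events into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_reset_then_enroll(events, window=timedelta(minutes=30)):
    """Flag a credential reset followed by MFA enrollment within `window`.

    Severity is "high" when the enrollment comes from a network (ASN) the user
    has no prior successful sign-in from, "medium" otherwise. A device
    registration inside the same window is recorded as an extra indicator.
    """
    by_user = defaultdict(list)
    for rec in events:
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        for i, reset in enumerate(recs):
            if reset["event"] not in RESET_EVENTS:
                continue
            # Baseline: networks seen in successful sign-ins before the reset.
            known_asns = {r["asn"] for r in recs[:i] if r["event"] == "SignInSuccess"}
            followups = [r for r in recs[i + 1:] if r["ts"] - reset["ts"] <= window]
            enroll = next((r for r in followups if r["event"] == "MfaMethodRegistered"), None)
            if enroll is None:
                continue
            alerts.append({
                "user": user,
                "reset_event": reset["event"],
                "minutes_to_mfa_enroll": int((enroll["ts"] - reset["ts"]).total_seconds() // 60),
                "enroll_method": enroll.get("method"),
                "device_registered": any(r["event"] == "DeviceRegistered" for r in followups),
                "severity": "medium" if enroll["asn"] in known_asns else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_then_enroll(parse_audit(AUDIT_JSONL)):
        print(alert)
```

The same correlation is worth running on help-desk-initiated resets, which is why the reset set includes help-desk event names: a strict help-desk protocol reduces how often the first event happens, and this check catches the cases where it happens anyway.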
Source:
https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/
_______________________________________________________________________
Odyssey Stealer: The Rebrand of Poseidon Stealer
Summary:
A formidable threat, Odyssey Stealer (rebranded from Poseidon Stealer, which was forked from AMOS Stealer), has emerged within the macOS-targeting malware landscape, specifically targeting users in Western nations while avoiding CIS nations, through highly deceptive social engineering tactics. Leveraging fake App Store prompts and expertly crafted typosquatted domains, Odyssey Stealer employs a "Clickfix" technique to trick users into executing malicious AppleScripts. This sophisticated infostealer is designed to surreptitiously exfiltrate a comprehensive array of sensitive data, including browser cookies, password credentials, cryptocurrency wallet keys, private keys, session tokens, and various common document types. It achieves this by displaying fake password prompts, copying macOS keychain files, and targeting popular cryptocurrency wallet applications and browser extensions. The stolen data is then meticulously zipped and exfiltrated to a C2 server, with built-in retry mechanisms for persistence. Operated via a sophisticated web-based command-and-control panel, Odyssey Stealer is a direct descendant of AMOS Stealer, representing a continuous evolution in macOS-specific MaaS offerings, with its author, "Rodrigo," reportedly still actively involved.
Analyst comments:
The discovery of campaigns utilizing Odyssey Stealer signifies a notable increase in the sophistication and targeting of macOS malware. Its reliance on human-factor vulnerabilities through "Clickfix" social engineering, particularly the instruction to paste terminal commands from seemingly legitimate CAPTCHA pages, highlights the persistent efficacy of user manipulation in breaching security perimeters. The breadth of data exfiltration, encompassing not only standard credentials but also cryptocurrency wallet files, seed phrases, and session tokens, clearly indicates a financially motivated actor with a highly focused target demographic. The avoidance of victims in CIS nations underscores the likelihood of this malware being associated with Russia-aligned threat groups. The re-emergence of codebases from AMOS Stealer and the suspected continued involvement of "Rodrigo" points to a maturing macOS malware-as-a-service ecosystem where established developers are continuously iterating and rebranding their offerings with enhanced capabilities. This professionalization, exhibited by the advanced C2 panel capabilities like "Google Cookies Restore," underscores their shift from opportunistic attacks to well-orchestrated and well-resourced long-term espionage campaigns.
Mitigation:
IOCs are available here.
CYFIRMA recommendations:
- Implement threat intelligence to proactively counter the threats associated with the Odyssey stealer.
- To protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection, such as an Anti-malware security suite and a host-based intrusion prevention system.
- Continuous monitoring of network activity with NIDS/NIPS, combined with a web application firewall to filter or block suspicious traffic, helps protect against compromise involving encrypted payloads.
- Configure firewalls to block outbound communication to known malicious IP addresses and domains associated with Odyssey stealer command and control servers.
- Implement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to make unauthorized network connections.
- Employ application whitelisting to allow only approved applications to run on endpoints, preventing the execution of unauthorized or malicious executables.
- Only install apps from the official Mac App Store or verified developer sites.
- Block osascript execution unless explicitly required for business operations.
- The use of security benchmarks to create baseline security procedures and organizational security policies is also recommended.
- Develop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including isolating affected systems and notifying relevant stakeholders.
- Security awareness and training programs help to protect from security incidents such as social engineering attacks. Organizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by the Odyssey Stealer malware.
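Added example (not code from CYFIRMA or any endpoint product): a Python classifier over constructed macOS process-execution events that turns two of the recommendations above, behavior-based monitoring and restricting osascript, into concrete rules. It assumes an endpoint agent that reports process name, parent, grandparent, and command line (the event layout, the approved-parent list, and the placeholder "mdm-agent" name are assumptions) and flags osascript runs that come from a shell under Terminal with an inline script, which is the ClickFix paste-into-Terminal pattern, as well as inline scripts that draw a hidden-answer password dialog or touch the login keychain file, the behaviors the report attributes to the stealer.

```python
from dataclasses import dataclass

# Parents from which osascript is expected in this hypothetical fleet: the
# built-in Script Editor and an MDM agent ("mdm-agent" is a placeholder name).
APPROVED_PARENTS = {"Script Editor", "mdm-agent"}

# Substrings in an inline script that match behaviours the report describes:
# a fake password prompt (AppleScript's hidden-answer dialog) and the login
# keychain database file.
SUSPICIOUS_SCRIPT_MARKERS = {
    "fake_password_prompt": "with hidden answer",
    "keychain_access": "login.keychain-db",
}

SHELLS = {"sh", "bash", "zsh"}
TERMINALS = {"Terminal", "iTerm2"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-start event from a hypothetical endpoint agent."""
    pid: int
    parent_name: str
    grandparent_name: str
    name: str
    cmdline: str


# Constructed process events (not real telemetry).
SAMPLE_EVENTS = [
    # A user pasted a one-liner into Terminal; zsh launched osascript with an
    # inline script that draws a password dialog.
    ProcEvent(4101, "zsh", "Terminal", "osascript",
              'osascript -e \'display dialog "Enter password" default answer "" with hidden answer\''),
    # Same shell lineage, inline script that reads the login keychain file.
    ProcEvent(4102, "zsh", "Terminal", "osascript",
              'osascript -e \'do shell script "cat ~/Library/Keychains/login.keychain-db"\''),
    # MDM-driven automation running an approved script file from disk.
    ProcEvent(4103, "mdm-agent", "launchd", "osascript", "osascript /Library/Scripts/inventory.scpt"),
    # Unrelated process.
    ProcEvent(4104, "Finder", "launchd", "Preview", "/System/Applications/Preview.app"),
]


def classify(event):
    """Return the list of reasons to alert on this event (empty when benign)."""
    if event.name != "osascript":
        return []
    reasons = []
    if event.parent_name not in APPROVED_PARENTS:
        reasons.append("osascript_from_unapproved_parent")
    # ClickFix pattern: inline script (-e) run by a shell that a terminal app spawned.
    if event.parent_name in SHELLS and event.grandparent_name in TERMINALS and " -e " in event.cmdline:
        reasons.append("inline_script_pasted_into_terminal")
    for label, marker in SUSPICIOUS_SCRIPT_MARKERS.items():
        if marker in event.cmdline:
            reasons.append(label)
    return reasons


def scan(events):
    """Map pid -> reasons for every event that triggers at least one rule."""
    results = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            results[event.pid] = reasons
    return results


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The approved-parent rule is the enforcement half of "block osascript unless explicitly required": whatever list of legitimate automation parents an organization settles on becomes the allow list, and anything else is at least an alert.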
Source:
https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/