
All news with #scattered spider tag

52 articles · page 2 of 3

Jaguar Land Rover Cyberattack Costs Company Over $220M

📰 Jaguar Land Rover reported a cyberattack cost of £196 million ($220 million) for the July–September quarter after the incident forced production shutdowns and staff to be sent home. The breach, announced on 2 September 2025, involved confirmed data theft and was claimed on Telegram by the group Scattered Lapsus$ Hunters. Following a UK government-backed £1.5 billion loan guarantee, JLR says operations, wholesale and supplier financing have been restored and production has resumed under a phased restart.

Qilin Ransomware Activity Surges, Targeting SMEs in 2025

🔐 Researchers at S-RM report a surge in activity by the Qilin ransomware-as-a-service operation, which leverages unpatched VPNs, single-factor remote access and exposed management interfaces to gain initial access. While some high-profile incidents hit healthcare, most victims are small-to-medium businesses in construction, healthcare and finance. S-RM also observed affiliates from Scattered Spider using Qilin’s platform, and noted new extortion channels including Telegram and public leak sites. The firm urges routine patching, widespread MFA adoption, network segmentation and proactive monitoring.

Scattered Spider, LAPSUS$, and ShinyHunters: SLH Collective

🕸 The nascent Scattered LAPSUS$ Hunters (SLH) collective — a merging of Scattered Spider, LAPSUS$, and ShinyHunters — has repeatedly recreated its Telegram presence, cycling channels at least 16 times since August 8, 2025. The group markets an extortion-as-a-service offering to affiliates, targets organizations including those using Salesforce, and has teased a custom ransomware family called Sh1nySp1d3r. Trustwave SpiderLabs assesses SLH as blending financially motivated crime with attention-seeking hacktivism and sophisticated brand management.

Scattered LAPSUS$ Hunters Unite ShinyHunters Alliance

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.

Scattered LAPSUS$ Hunters Shift to Extortion-as-Service

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."

Scattered LAPSUS$ Hunters: Recent Activity and Risks

🚨 Unit 42 observed renewed activity from Scattered LAPSUS$ Hunters in early October 2025, including leaked data claims, a defaced clearnet leak site, and announcements of an extortion-as-a-service offering. The actors set a self-imposed ransom deadline of Oct. 10, 2025 and claimed to have released data allegedly from six victim companies across aviation, energy and retail. Unit 42 recommends organizations prepare EaaS incident playbooks and engage third-party responders.

Salesforce Refuses Ransom After Massive Data Theft

🔒 Salesforce confirmed it will not engage with or pay extortion demands after a large-scale theft of customer data this year. Threat actors calling themselves Scattered Lapsus$ Hunters published a data-leak site to extort 39 companies, claiming nearly one billion records stolen. The breaches stemmed from two campaigns: late-2024 social engineering using malicious OAuth apps and an August 2025 campaign abusing stolen SalesLoft/Drift tokens to exfiltrate CRM and support-ticket data. The leak site appears to have been shut down and its domain redirected to nameservers previously associated with law enforcement seizures.

ShinyHunters Leak Salesforce Data; Many Companies Exposed

🔓 An extortion group claiming affiliation with ShinyHunters, Scattered Spider, and Lapsus$ has launched a public data leak site listing 39 companies allegedly compromised via Salesforce breaches. The site publishes sample records and urges victims to pay before an October 10 deadline, while also demanding that Salesforce pay to prevent disclosure of roughly 1 billion records. The attackers say they used OAuth-based voice-phishing and stolen tokens to access customer data. Victims named include FedEx, Disney/Hulu, Google, Cisco, and many other major brands.

Manufacturing Disruptions from Targeted Cyberattacks

⚠️ Recent cyberattacks forced production halts at Jaguar Land Rover and Asahi, underscoring that operational disruption is now a primary objective for threat actors. JLR paused production after an August 31 compromise attributed to the Scattered Lapsus$ Hunters group, reportedly using vishing to obtain credentials, while Asahi halted orders and shipments following a systems failure. Experts emphasize that attackers exploit phishing, unpatched systems, and supply‑chain weaknesses, and urge layered defenses such as zero trust, MFA, PAM, micro‑segmentation, continuous monitoring, and air‑gapped backups to preserve business continuity.

Harrods Breach Exposes 430,000 E-commerce Customer Records

🔒 Harrods has confirmed a new data breach after a compromise at a third-party supplier exposed 430,000 e-commerce customer records. The disclosed information primarily comprises names, contact details and internal marketing tags, while account passwords, payment information and order histories were not included. The retailer says this incident is separate from the May attack attributed to Scattered Spider and that the threat actor has contacted them, apparently seeking extortion. Harrods has notified affected customers and authorities and urges vigilance against phishing and social engineering.

Harrods Supply Chain Breach Affects E-commerce Customers

🔒 Harrods has disclosed that some e-commerce customer data was stolen via a breach at a third-party provider, with the retailer notifying affected customers on Friday. The company says the exposed information is limited to basic personal identifiers such as names and contact details and does not include account passwords, payment details or order history. Harrods also said it was contacted by a threat actor but refused to engage, and that this incident is separate from attempts to access Harrods systems in May. Reports indicate as many as 430,000 customer records may have been impacted, in a broader environment of rising retail ransomware and supply-chain risk linked to groups such as Scattered Spider.

Co-op Reports £80M Operating Loss After Cyberattack

🔒 The Co-operative Group reported an £80 million operating profit loss in H1 2025 after an April cyberattack disrupted systems and trading. Management attributed the shortfall to £20 million of one‑off remediation costs and £60 million in lost sales while systems were offline, and said revenue fell by £206 million. The breach, linked to DragonForce and affiliates of Scattered Spider, exposed personal data for all 6.5 million members; four suspects have since been arrested. Despite the impact, Co-op reported £800 million of available liquidity and no immediate funding concerns.

17-Year-Old Suspected in Vegas Casino Cyberattacks Released

🔒 A 17-year-old hacker who surrendered on charges tied to sophisticated cyber intrusions against Las Vegas casinos between August and October 2023 has been released into his parents' custody under family court supervision. Authorities link the incidents to the Scattered Spider group and the deployment of BlackCat/ALPHV ransomware that disrupted operations and exposed staff and customer data. The judge imposed strict conditions including residence at a registered parental address, prohibition on leaving Clark County, internet use limited to educational purposes, and restrictions on phones and electronics, with immediate detention for violations. Prosecutors say the suspect may still control about $1.8 million in Bitcoin and are seeking additional charges and to try him as an adult.

Co-op Reports £206m Revenue Loss After Cyberattack

🛒 The Co-op revealed a £206m revenue shortfall resulting from a “malicious” cyber-attack in April after it temporarily shut down multiple systems to contain the threat. The retailer recorded an overall six-month loss of £80m to 5 July 2025 and said sales disruption is likely to continue into H2 2025. No remediation breakdown was provided, although a one-off non-underlying cost of £20m was logged. The intrusion has been linked to Scattered Spider, and UK authorities have made several arrests related to this and similar retail attacks.

Feds Tie Scattered Spider Duo to $115M in Ransoms

🔒 U.S. prosecutors have charged 19‑year‑old Thalha Jubair as a core member of Scattered Spider, alleging the group extorted at least $115 million from victims. Jubair and an alleged co‑conspirator, 18‑year‑old Owen Flowers, appeared in London court facing accusations tied to high‑profile attacks on retailers, public transit and U.S. healthcare providers. Authorities say the complaint links Jubair to a network of SIM‑swapping, SMS phishing and ransomware operations and to cryptocurrency servers used to launder proceeds.

Experts Urge Updated Defenses Against Scattered Spider

🔐 Organizations should urgently update defenses to counter the Scattered Spider collective, experts warned at the Gartner Security & Risk Management Summit 2025. The group used social engineering, helpdesk vishing, and push notification fatigue to bypass MFA and abuse SSO, compromising accounts like Okta and stealing tokens from LastPass. Firms are advised to implement stronger identity protections, number-matching MFA, stricter password-reset procedures, and tighter third-party vendor monitoring to reduce exposure.

UK Arrests Two Teens Linked to Scattered Spider Hacks

🔒 UK law enforcement has arrested two teenagers allegedly tied to the Scattered Spider hacking group over an August 2024 cyberattack on Transport for London (TfL). Nineteen-year-old Thalha Jubair and 18-year-old Owen Flowers were detained; authorities say Jubair faces U.S. charges for dozens of intrusions, extortion and money laundering while Flowers faces additional charges linked to U.S. healthcare targets. Prosecutors allege the group extorted at least $115 million in ransoms and that law enforcement previously seized roughly $36 million in cryptocurrency tied to Jubair.

US and UK Charge Two Suspects in Scattered Spider Attacks

🔒 US and UK authorities have charged two UK-based teenagers linked to the Scattered Spider cybercrime group in connection with multiple high-profile intrusions. Thalha Jubair, 19, and Owen Flowers, 18, face US and UK charges including conspiracy to commit computer fraud, wire fraud, money laundering and offences under the UK Computer Misuse Act. Authorities allege extensive social engineering, ransomware extortion and transfers of victim cryptocurrency, with investigators attributing at least $115m in ransom payments to the group. The arrests follow a multinational probe and earlier detentions of other alleged members.

UK Arrests Teens Linked to Scattered Spider TfL Hack

🚨 Two teenagers have been arrested in the UK on suspicion of involvement in the August 2024 cyberattack against Transport for London; authorities say the suspects are believed to be members of the Scattered Spider collective. The National Crime Agency is prosecuting both on computer misuse and fraud-related charges, while U.S. prosecutors also filed charges against one suspect tied to multiple intrusions and extortion schemes. TfL reported that the breach disrupted internal systems and later confirmed customer data, including names and contact details, was compromised, causing operational disruption and financial losses.

Scattered Spider Resurfaces, Targets Financial Sector Again

🔍 Cyber threat group Scattered Spider has been linked to a new campaign targeting financial services, according to ReliaQuest. The attackers gained access by socially engineering an executive and abusing Azure AD self-service password reset, then moved laterally via Citrix and VPN to compromise VMware ESXi. They escalated privileges by resetting a Veeam service account, assigning Azure Global Administrator rights, and attempted data extraction from Snowflake and AWS. The activity contradicts the group's retirement claims and suggests regrouping or rebranding.