UK's NCSC warns of Russian-aligned hacktivist groups
UK and China enter a forum to discuss cyberattacks, Makina Finance lost $4.2m in an exploit, Ingram Micro report ransomware attack affecting 42k, Minnesota DHS breach affected 304k, SK Telecom appeals $91m fine, NexShield malvertising campaign crashes browsers, much more
Please, please, please upgrade your Metacurity subscription today.
Metacurity is one of the few independent media outlets delivering a daily round-up of the critical infosec developments you should know. For years, we have worked to scan thousands of sources to deliver you summarized and aggregated news to help you keep your organizations secure.
We value all of our readers, but the paid subscribers help us keep plugging away at our mission of ending infosec news overload. Please, please help keep Metacurity alive with a paid subscription. Thank you!
If you can't afford a paid subscription right now, please consider donating whatever you can. Thanks.
The UK government is warning of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the country in disruptive denial-of-service (DDoS) attacks.
The attacks are aimed at taking websites offline and disabling services, the UK's National Cyber Security Centre (NCSC) says in an alert today. Despite lacking sophistication, a DDoS attack can cause high costs for a targeted organization.
"Although DoS attacks are typically low in sophistication, a successful attack can disrupt entire systems, costing organisations significant time, money, and operational resilience by having to analyse, defend against, and recover from them," the cyber agency notes.
The NCSC refers to a particular DDoS threat actor, the infamous NoName057(16), known as a pro-Russian hacktivist group that has been active since March 2022.
The actor is operating the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community.
An international law enforcement operation dubbed "Operation Eastwood" disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers.
However, with the main operators of the group out of reach, believed to be residing in Russia, the cybercriminals were able to return to action, as corroborated by the NCSC’s latest bulletin. (Bill Toulas / Bleeping Computer)
Related: NCSC, NCSC, Industrial Cyber, Security Affairs, ITPro, Infosecurity Magazine, The Register, Digit
Sources say British and Chinese security officials established a forum, the Cyber Dialogue, to discuss cyberattacks following a spate of hacking accusations that soured relations between the two countries.
The deal is designed to improve communication, allow private discussion of deterrence measures, and help prevent escalation, the sources said. This means that for the first time, there is a single mechanism for the UK and China to discuss cyber incidents at a senior level, whereas previously lines of communication were often difficult to set up, they added.
The move comes at a sensitive time for UK-China relations ahead of an imminent decision by the UK government on approving China’s request for a new super-embassy in the capital, due by Jan. 20. Prime Minister Keir Starmer is then due to meet President Xi Jinping in Beijing at the end of the month. (Alex Wickham / Bloomberg)
Makina Finance, a non-custodial DeFi execution platform, has been hit by a major exploit that resulted in losses of roughly 1,299 ETH, valued at around $4.2 million.
The attack drained a key CurveStable pool, which triggered concerns about fund safety.
According to blockchain security firm PeckShieldAlert, Makina Finance’s DUSD/USDC CurveStable pool was drained through an exploit. The attack targeted the non-custodial DeFi execution engine and led to losses of roughly 1,299 ETH, worth about $4.13 million at the time.
After draining the pool, the attacker quickly converted the stolen tokens into ETH, which offers higher liquidity and easier movement across wallets and the Ethereum network.
There has been no confirmation from Makina Finance about user impact, recovery efforts, or planned security fixes. (Rizwan Ansari / Coinpedia)
Related: The Block, Forklog, Yellow, Coinspeaker
Information technology giant Ingram Micro has revealed that a ransomware attack on its systems in July 2025 led to a data breach affecting over 42,000 individuals.
In data breach notification letters filed with Maine's Attorney General and sent to those affected by the incident, the company said the attackers stole documents containing a wide range of personal information, including Social Security numbers.
"On July 3, 2025, we detected a cybersecurity incident involving some of our internal systems. We quickly launched an investigation into the nature and scope of the issue. Based on our investigation, we determined that an unauthorized third party took certain files from some of our internal file repositories between July 2 and 3, 2025," the IT giant revealed.
"The affected files include employment and job applicant records that contain personal information such as name, contact information, date of birth, government-issued identification numbers (for example, Social Security, driver's license, and passport numbers), and certain employment-related information (such as work-related evaluations)."
While Ingram Micro has yet to link the breach to a specific threat group, it confirmed that the attackers deployed ransomware on its systems after BleepingComputer first reported on July 5 that the SafePay ransomware gang was behind the attack.
The cybercrime group also claimed responsibility three weeks later, adding the tech giant to its dark web leak portal and stating that it had stolen 3.5TB of documents. (Sergiu Gatlan / Bleeping Computer)
Related: Maine Attorney General, Cyber Daily, Cybersecurity Insiders, Security Week, Computing, Security Affairs, Techzine

A breach in a Minnesota Department of Human Services system allowed inappropriate access to the private data of nearly 304,000 people.
The department said in a statement that its Office of Inspector General has been monitoring billing information to identify whether the data was used to commit fraud.
The breach comes as federal prosecutors have been examining allegations of widespread fraud in numerous state social services programs, which have landed Minnesota in the national spotlight.
For nearly a month starting in late August, a user affiliated with a licensed health care provider accessed data in the state MnCHOICES system without authorization, the notification letter states. Counties, tribes, and others use the MnCHOICES system to do assessments and planning for Minnesotans who need long-term services and supports.
The user accessed people’s names, sex, date of birth, phone number, address, Medicaid ID, and the last four digits of their social security number. They got additional data for 1,206 people, including demographic information, such as their ethnicity, birth record, physical traits, education, income, and benefits.
The user who got the data was authorized to access limited information in the MnCHOICES system but “accessed more data than was reasonably necessary to perform work assignments,” the state’s letter says. The user hasn’t had access to the system since Oct. 30.
The state asked people affected by the breach to review their health care statements and credit reports and flag anything suspicious. (Jessie Van Berkel / The Minnesota Star Tribune)
Related: Red Lake Nation News, The Daily Gazette
Korea's SK Telecom (SKT) filed an administrative lawsuit challenging the record-breaking 134.8 billion won ($91 million) fine imposed on the telecommunications company over a massive data breach last year.
The telecommunications company filed a complaint with the Seoul Administrative Court a day before the 90-day deadline to appeal the decision made by the Personal Information Protection Commission (PIPC).
The privacy watchdog reported Aug. 28 that the personal data of 23.2 million subscribers was leaked, including phone numbers, SIM authentication keys, and subscriber identification numbers. Twenty-five different types of data were leaked, according to the PIPC.
The PIPC imposed the record 134.79 billion won fine, citing SKT's negligence in protecting consumer data, higher than the 100 billion won fine imposed on Google and Meta in 2022. It is the highest fine imposed since the committee was formed in 2020.
SKT said its 1.2 trillion won package, intended to compensate consumers and invest in security, alongside the absence of reported financial incidents, should be accounted for when calculating the fine.
SKT offered to replace SIM cards for all its subscribers, discounted monthly bills, and provided 50 gigabytes of free data until the end of 2025.
"We are seeking a detailed judicial review of whether the PIPC's penalty is appropriate," the telecommunications company said. (Cho Yong-Jun / Korea JoongAng Daily)
Related: Total Telecom, Mobile World Live, Tech in Asia, Yonhap News
Researchers at Huntress report that a malvertising campaign is using a fake ad-blocking Chrome and Edge extension named NexShield that intentionally crashes the browser in preparation for ClickFix attacks.
Huntress spotted the attacks earlier this month; they delivered a new Python-based remote access tool called ModeloRAT into corporate environments.
The NexShield extension, which has been removed from the Chrome Web Store, was promoted as a privacy-first, high-performance, lightweight ad blocker created by Raymond Hill, the original developer of the legitimate uBlock Origin ad blocker with more than 14 million users.
Huntress says that NexShield creates a denial-of-service (DoS) condition in the browser by creating 'chrome.runtime' port connections in an infinite loop and exhausting its memory resources.
This results in frozen tabs, elevated CPU usage in the Chrome process, increased RAM usage, and general browser unresponsiveness. Eventually, Chrome/Edge hangs or crashes, forcing a kill via the Windows Task Manager.
Because of this, Huntress refers to these attacks as a variant of ClickFix that they named 'CrashFix'. (Bill Toulas / Bleeping Computer)
Related: Huntress, Help Net Security, CyberPress, GBHackers, Cyber Security News, Security Week

In order to emphasize the insecurity of Net-NTLMv1, security researchers at Mandiant have made it dramatically easier to break into systems protected by the ancient Microsoft authentication protocol.
Mandiant published what security professionals call a rainbow table: essentially a massive lookup dictionary that matches encrypted password hashes to their original plaintext values. NTLMv1 makes such tables particularly effective because its limited keyspace dramatically reduces the number of possible password combinations.
Rainbow tables targeting NTLMv1 aren’t new. They’ve existed for roughly twenty years. What makes Mandiant’s release significant is accessibility. Previous versions demanded expensive hardware or required uploading sensitive data to third-party services. This one runs on a $600 consumer PC and lives on Google Cloud.
“By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1,” the company stated. “While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys.” (Alius Noreika / Technology.org)
Related: Google Cloud, CSO Online, Ars Technica
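The practical follow-up to the Mandiant release is finding where NTLMv1 is still accepted on your own network. The following is an added example, not code from Mandiant or from any of the linked articles: it scans Windows Security logon events (ID 4624) exported as JSON lines and reports the accounts and source hosts still authenticating with NTLMv1 or LM, using the event's "Package Name (NTLM only)" field. The sample events, host names and IP addresses are constructed for the example; the JSON field names follow the event's EventData element names, which is an assumption about how your SIEM exports them.

```python
import json
from collections import Counter

# Constructed sample: Windows Security events exported as JSON lines.
# LmPackageName carries "NTLM V1", "NTLM V2" or "LM" for NTLM logons
# and "-" when another package (for example Kerberos) was used.
SAMPLE_EVENTS = """
{"EventID": 4624, "Computer": "FS01.corp.example", "TargetUserName": "alice", "IpAddress": "10.0.0.21", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"}
{"EventID": 4624, "Computer": "FS01.corp.example", "TargetUserName": "bob", "IpAddress": "10.0.0.33", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"}
{"EventID": 4624, "Computer": "DC01.corp.example", "TargetUserName": "alice", "IpAddress": "10.0.0.21", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"}
{"EventID": 4624, "Computer": "PRINT01.corp.example", "TargetUserName": "svc_scan", "IpAddress": "10.0.0.90", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"}
{"EventID": 4625, "Computer": "FS01.corp.example", "TargetUserName": "carol", "IpAddress": "10.0.0.50", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"}
"""

# Package names that indicate a legacy response the rainbow tables target.
WEAK_PACKAGES = {"NTLM V1", "LM"}

def find_weak_ntlm_logons(jsonl_text):
    """Return the successful logons (event 4624) that used NTLMv1 or LM,
    each as a (computer, account, source_ip) tuple in log order."""
    hits = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue  # failed logons (4625) are a separate question
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos and other packages carry no NTLM response
        if ev.get("LmPackageName", "-").upper() in WEAK_PACKAGES:
            hits.append((ev["Computer"], ev["TargetUserName"], ev["IpAddress"]))
    return hits

def summarize_by_source(hits):
    """Count weak logons per source IP so the noisiest legacy clients can be
    prioritised for reconfiguration before NTLMv1 is refused domain-wide."""
    return Counter(ip for _, _, ip in hits)

if __name__ == "__main__":
    weak = find_weak_ntlm_logons(SAMPLE_EVENTS)
    for computer, account, ip in weak:
        print(f"NTLMv1/LM logon: {account} from {ip} to {computer}")
    print(summarize_by_source(weak))
```

Run it against a real export once NTLM auditing is enabled; an empty result over a full audit window is the evidence you want before turning NTLMv1 off on servers.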
Best Thing of the Day: Those Green Eyeshades Really Help
Accountants and auditors can serve as a surprising first line of defense against cyberattacks.
Worst Thing of the Day: Can't Imagine How the Math Works Out for Giant Corporations
Researchers at Imperva report that 1 out of 50 employees could be a malicious insider.
Closing Thought
