Weekly Cyber Reports

This Week in Cyber 4th April 2025

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 3rd April, 2025

Analyst Insight

This week in cyber, we have seen articles relating to the ongoing challenges in data protection, illustrated by an NHS supplier facing a hefty £3 million fine for a 2022 breach that exposed the personal data of nearly 80,000 people, highlighting the importance of keeping customer data secure. Meanwhile, a legacy Microsoft Stream domain was hijacked to promote a scam casino, disrupting organisations' SharePoint services. Security researchers observed coordinated scanning against Palo Alto PAN-OS GlobalProtect portals, and over 1,500 PostgreSQL servers have been targeted by threat actors to deliver cryptomining payloads. Lastly, Royal Mail is investigating a major 140GB data leak affecting a third-party software supplier.


NHS Software Supplier Fined £3m by ICO After Data Breach

This week The Advanced Computer Software Group, a software supplier for the NHS, was fined £3 million by the Information Commissioner's Office (ICO) for a data breach in August 2022. The breach exposed the personal data of 79,404 people, including phone numbers and medical records, through a customer's account. The regulator stated that the supplier had inadequate security measures in place before the incident. Advanced confirmed in 2022 that the incident impacting its software was a ransomware attack; no threat actor was identified.


Legacy Microsoft Stream Domain Hijacked to Promote Scam Casino

A legacy domain for Microsoft Stream, “microsoftstream[.]com”, was hijacked to display a spam page for an online casino impersonating the Amazon homepage. First reported by BleepingComputer, the hijack affected any content still embedded from the legacy domain, so the spam page appeared on organisations' SharePoint sites. Microsoft had warned organisations to migrate their Microsoft Stream videos to the new platform by April 2024. The domain has since been shut down, preventing the spam page from appearing in SharePoint.


24,000 Unique IPs Actively Targeting Palo Alto PAN-OS GlobalProtect Portals

Security researchers at GreyNoise have observed 24,000 unique IP addresses attempting to access Palo Alto PAN-OS GlobalProtect portals over the last 30 days. The pattern indicates a coordinated attempt to test network defences and find exposed or vulnerable systems, possibly as a precursor to targeted attacks. The surge started on March 17, 2025, steadily building to a peak of almost 20,000 unique IPs per day before tapering off on March 26th. “Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” said Bob Rudis, VP of Data Science at GreyNoise.


Fileless Cryptominer Campaign Compromises Over 1.5k PostgreSQL Servers

Security researchers at Wiz Threat Research have discovered a campaign targeting PostgreSQL instances with fileless cryptominer payloads. The threat actor, tracked as JINX-0126, exploits PostgreSQL servers configured with weak credentials to gain initial access. Once the threat actor has access, an XMRig-C3 payload is deployed, allowing the threat actor to mine cryptocurrency on the target system. The campaign has likely claimed over 1,500 victims to date.
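Because the entry vector here is password-based authentication exposed to anyone who can reach the server, a quick defensive check is to audit pg_hba.conf for rules that skip passwords or expose password auth to the whole internet. The script below is an added example, not from the report or from Wiz; the pg_hba.conf content is constructed, and it assumes CIDR-form ADDRESS fields (the separate-netmask form is not parsed).

```python
import ipaddress

# Constructed example pg_hba.conf (not from any real deployment).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       all                      peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       postgres  0.0.0.0/0      trust
host    all       all       0.0.0.0/0      md5
hostssl all       app       10.0.0.0/8     scram-sha-256
"""

PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}

def parse_hba(text):
    """Parse pg_hba.conf into rule dicts; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":   # local  DATABASE USER METHOD
            rules.append({"type": "local", "db": f[1], "user": f[2], "addr": None, "method": f[3]})
        else:                 # host*  DATABASE USER ADDRESS METHOD (CIDR form assumed)
            rules.append({"type": f[0], "db": f[1], "user": f[2], "addr": f[3], "method": f[4]})
    return rules

def is_wide_open(addr):
    """True when the ADDRESS field admits every client ('all', 0.0.0.0/0, ::/0)."""
    if addr == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:        # samehost/samenet/hostname: not world-facing by itself
        return False

def audit_hba(text):
    """Return (rule, reason) pairs for rules a credential-guessing campaign could abuse."""
    findings = []
    for r in parse_hba(text):
        if r["method"] == "trust":
            findings.append((r, "trust: no password required at all"))
        elif r["method"] == "password":
            findings.append((r, "password: cleartext password on the wire"))
        elif r["method"] in PASSWORD_METHODS and r["type"] != "local" and is_wide_open(r["addr"]):
            findings.append((r, "password auth reachable from any address: weak passwords will be guessed"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit_hba(SAMPLE_HBA):
        print(f"{rule['type']} {rule['db']} {rule['user']} {rule['addr']} {rule['method']}: {reason}")
```

On the constructed file this reports the `trust` rule for the postgres superuser and the `md5` rule open to 0.0.0.0/0; the loopback and 10.0.0.0/8 scram-sha-256 rules pass.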


Royal Mail Investigates Data Leak Claims

Royal Mail is currently investigating claims of a significant data breach after a threat actor leaked over 144GB of data allegedly stolen from the company's systems, sharing a sample of the compromised data on BreachForums. The leaked data reportedly includes personal information, confidential documents, and internal communications. The breach impacted Spectos, a software supplier for Royal Mail. Royal Mail has assured customers that its operations remain unaffected.
