Vercara’s Open-Source Intelligence (OSINT) Report – April 25 – May 1, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Ransomware Groups Evolve ‘Cartel’-like Business Models

(TLP: CLEAR) Recent intelligence reporting has highlighted that, amidst global law enforcement efforts to dismantle ransomware operations, hacker groups like DragonForce and Anubis have evolved their operational strategies, adopting innovative affiliate models to sustain their malicious activities and expand their operational scope. DragonForce, originally a ransomware-as-a-service (RaaS) provider, has restructured itself into what it calls a “cartel,” implementing a distributed affiliate branding model that empowers its partners to develop their own ransomware brands while relying on DragonForce’s robust infrastructure. Security investigators have indicated that this new infrastructure provides a suite of tools for administration, encryption, ransom negotiations, and a Tor-based leak site, enabling both novice and seasoned cybercriminals to operate without the burden of managing their own backend systems. Security investigators state that while this approach enhances flexibility, broadens the affiliate network, and boosts potential profits, it introduces a notable vulnerability: a compromise of one affiliate could potentially expose the shared infrastructure, endangering the entire network. Anubis on the other hand has introduced a sophisticated three-tiered extortion framework that caters to a diverse array of cybercriminals by offering varied operational models. Affiliates can opt for a conventional RaaS approach involving file encryption, a data ransom strategy that focuses on exposing sensitive information to the public, or an “accesses monetization” service designed to exploit already-breached victims. Each model comes with distinct revenue-sharing structures and levels of engagement, making Anubis an attractive platform for a wide spectrum of threat actors. 
Additionally, to heighten pressure on ransomware victims, Anubis employs a particularly aggressive tactic, threatening to report data breaches to regulatory authorities such as the UK’s Information Commissioner’s Office (ICO), the U.S. Department of Health and Human Services (HHS), and the European Data Protection Board, thereby leveraging legal consequences to coerce payment. 

(TLP: CLEAR) Comments: The rise of ransomware affiliate models, exemplified by DragonForce’s cartel-style branding and Anubis’s multi-tiered extortion strategies, marks a pivotal evolution in the ransomware ecosystem, rendering attacks more accessible, scalable, and challenging to trace. By reducing technical barriers and providing diverse monetization avenues, these models draw in a wider pool of cybercriminals, driving a surge in ransomware incidents worldwide. Furthermore, the decentralized nature of these operations hinders law enforcement efforts, as their modular structure mitigates the impact of takedowns and facilitates rapid recovery or rebranding. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed. An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware. The deployed anti-malware solution(s):   

  • Detects all known types of malware.   
  • Removes, blocks, or contains all known types of malware.  

Any system components that are not at risk for malware are evaluated periodically to include the following:   

  • A documented list of all system components not at risk for malware.   
  • Identification and evaluation of evolving malware threats for those system components.   
  • Confirmation whether such system components continue to not require anti-malware protection.  

The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”

Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment. Every device inside of the CDE should have malware protection that is updated, monitored, and actions taken when an infection is detected.  

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices, inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations. 
Source: https://www.techradar.com/pro/security/dragonforce-ransomware-group-evolves-new-cartel-business-model 

Inside the Marks & Spencer Cyber-attack Chaos 

(TLP: CLEAR) In late April 2025, the British retailer Marks & Spencer (M&S) fell victim to a devastating cyberattack that disrupted various aspects of its daily operations. The attack led to the suspension of online orders, disruptions in contactless payments, and issues with order collections. Additionally, in-store operations were equally affected, with contactless payments disrupted, order collections halted, and gift card usage rendered nonfunctional, leaving customers frustrated and shelves empty due to stock shortages. M&S’s supply chain took a hit as well, with deliveries of packaged food items to Ocado, a co-owned entity, paused, further compounding the operational chaos. To prevent additional compromise, M&S took precautionary measures and removed various systems offline, which further exacerbated the disruptions by halting recruitment efforts, pulling all job postings from its website, and instructing around 200 warehouse workers to stay home. Furthermore, according to intelligence reporting, the attack was attributed to the notorious hacking group Scattered Spider, a hacking group known for its English-speaking members, which conducts convincing social engineering attacks, such as impersonating employees to gain unauthorized access. The group has previously targeted major organizations, including MGM Resorts and Caesars Entertainment. 

(TLP: CLEAR) Comments: The cascading effects of the M&S cyberattack highlight the vulnerability of even large enterprises to sophisticated threat actors like Scattered Spider, whose ability to combine social engineering with ransomware deployment poses a significant risk to operational continuity and financial stability. The incident underscores the need for robust cybersecurity measures, including enhanced employee training to combat social engineering, stronger network segmentation to limit lateral movement, and proactive monitoring to detect early signs of compromise, such as the initial breach that occurred months before the ransomware deployment.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Using a combination of agent-based and network-based detection, such as with a Protective DNS Solution, provides overlapping protection for conventional IT assets such as laptops, desktops, and some servers but also for non-standard IT assets such as IoT devices and some servers that cannot run anti-malware software.  

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:  

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.  
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.  
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.  
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.   

Source: https://www.theguardian.com/business/2025/may/03/inside-the-marks-and-spencer-cyber-attack-chaos   

Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis

(TLP: CLEAR) In 2024, the Google Threat Intelligence Group documented 75 zero-day vulnerabilities actively exploited in the wild, highlighting a modest increase in such incidents despite a minor dip from the prior year’s figures, as detailed in their annual report on zero-day trends. A notable trend emerged with a pronounced shift toward targeting enterprise-specific technologies, including security software, networking appliances, and cloud infrastructure, which comprised 44% of all zero-day exploits, a rise from 37% in 2023. These enterprise solutions, targeted by threat actors for their centralized control over expansive IT environments and the limited visibility provided by conventional Endpoint Detection and Response tools, which often struggle to monitor such systems effectively, have become prime targets. In contrast, attacks on traditional end-user platforms like web browsers and mobile devices saw a decline, a shift attributed to robust vendor-driven security enhancements and increasingly challenging exploitation conditions. Operating systems, however, particularly Microsoft Windows, continued to be a staple target due to their ubiquitous presence across global systems. Further investigation has identified the perpetrators behind these zero-day exploits were predominantly state-sponsored groups focused on cyber espionage, with actors from the People’s Republic of China (PRC) and North Korea at the forefront. PRC-affiliated groups concentrated exclusively on enterprise security and networking devices, leveraging their strategic importance to infiltrate high-value targets, while North Korean actors pursued a dual agenda of espionage and financial gain, targeting vulnerabilities in both Chrome and Windows systems. Commercial surveillance vendors also emerged as significant players, supplying exploit capabilities to both governmental and private clients, with several attacks necessitating physical access to mobile devices for execution. 
Meanwhile, non-state actors driven by financial motives, such as the FIN11 group, exploited zero-days to facilitate extortion and data theft, frequently using file transfer software as an attack vector. The exploits typically aimed for remote code execution or privilege escalation, exploiting vulnerabilities like use-after-free errors, command injections, and cross-site scripting flaws, often delivered through sophisticated methods such as exploit chains, malicious advertisements, or watering-hole attacks designed to compromise specific user groups.  

(TLP: CLEAR) Comments: Threat actors have honed their TTPs (tactics, techniques, and procedures) in discovering and leveraging zero-day vulnerabilities, allowing them to circumvent traditional security defenses and secure unauthorized, often stealthy access to vital systems, networks, and confidential data. In enterprise environments, the targeting of security or networking appliances creates a dangerous entry point, enabling attackers to orchestrate widespread intrusions, move laterally across systems, exfiltrate sensitive information, and disrupt operations. The escalating participation of state-sponsored groups and commercial surveillance vendors amplifies the danger, particularly for targeted espionage and geopolitical tensions, as these actors exploit zero-days to advance strategic objectives. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency (CISA), Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.  
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.  
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.  
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
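As an added illustration of the entropy heuristic the CISA guidance mentions for DGA detection (example code written for this report, not code from CISA, Vercara or UltraDDR): the scorer below computes the Shannon entropy of the second-level label of each queried name in a few constructed DNS log lines and flags labels that are both long and high-entropy. The log format, the thresholds, and the simplified label extraction are assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Constructed sample DNS query log lines ("<client_ip> <qname>"), not real telemetry.
# The .test names are invented to look like DGA output; the others are benign.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.org
10.0.0.7 q7x9k2mz4vb8wn1pjd.test
10.0.0.7 f3hd8sk2lq9zxm4wt1.test
10.0.0.9 docs.python.org
10.0.0.9 cdn.shop-example.net
"""

ENTROPY_THRESHOLD = 3.5   # bits per character; assumed value tuned for this sample
MIN_LABEL_LENGTH = 12     # short labels can reach high entropy by chance, so require length too


@dataclass
class Verdict:
    client: str
    qname: str
    label: str
    entropy: float
    flagged: bool


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str) -> str:
    """Label directly left of the TLD (the part a DGA typically generates).
    Simplification: no Public Suffix List, so 'example.co.uk' would yield 'co'."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_query(client: str, qname: str) -> Verdict:
    label = registrable_label(qname)
    ent = shannon_entropy(label)
    flagged = len(label) >= MIN_LABEL_LENGTH and ent >= ENTROPY_THRESHOLD
    return Verdict(client, qname, label, ent, flagged)


def scan_log(log_text: str) -> list[Verdict]:
    verdicts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines instead of crashing the scan
        verdicts.append(score_query(parts[0], parts[1]))
    return verdicts


def flagged_domains(log_text: str) -> list[str]:
    """Query names whose second-level label looks DGA-generated."""
    return [v.qname for v in scan_log(log_text) if v.flagged]


if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        print(f"{'DGA?' if v.flagged else 'ok  '} {v.entropy:.2f} {v.qname}")
```

Note that `shop-example` is as long as the invented labels but scores well under the threshold, which is why a length check alone is not enough; real deployments pair this heuristic with the feed-based lookups described above.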

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 
Source: https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends 

Pro-Russia Hacktivists Target Dutch Public Orgs with DDoS Attacks 

(TLP: CLEAR) In early May 2025, a wave of coordinated distributed denial-of-service (DDoS) attacks targeted both Romanian and Dutch public and private sector organizations, revealing a calculated escalation of cyber aggression by the pro-Russian hacktivist group NoName057(16), driven by geopolitical tensions over military support for Ukraine. On May 4, 2025, during Romania’s presidential election rerun, the Romanian National Directorate for Cyber Security reported that NoName057(16) launched DDoS attacks against several state websites, including those of the Ministry of Foreign Affairs and the Constitutional Court. The attacks, which overwhelmed servers with excessive traffic to render them inaccessible, were a direct response to Romania’s continued support for Ukraine, particularly following its agreement on June 20, 2024, to supply a Patriot missile system, a move that had already sparked earlier DDoS campaigns against Romanian entities. Despite the disruptions, all affected Romanian websites were swiftly restored, though the timing of the attack on election day suggests an intent to destabilize democratic processes and amplify political interference concerns. Simultaneously, between April 30 and May 1, 2025, NoName057(16) unleashed a barrage of DDoS attacks on over 50 Dutch organizations, marking the largest such assault on the Netherlands in two years, as reported by the National Cyber Security Centre (NCSC) under the Dutch Ministry of Justice. The attacks disrupted services across multiple provinces, including Groningen, Noord-Holland, Zeeland, Drenthe, Overijssel, and Noord-Brabant, as well as cities like Apeldoorn, Breda, Nijmegen, and Tilburg, targeting both public entities and private companies. The NCSC noted that while these attacks caused network access issues and service disruptions, they did not involve data breaches or system compromises, focusing instead on operational disruption.

(TLP: CLEAR) Comments: This dual-front assault on Romania and the Netherlands highlights NoName057(16)’s continued focus on symbolic, high-visibility disruptions to maximize media attention and political impact, rather than pursuing data theft or long-term compromise. The group’s choice of targets, government and election-related websites in Romania, and a broad swath of public and private entities in the Netherlands, demonstrates an intent to exploit geopolitical flashpoints, such as Romania’s election and the Netherlands’ military aid commitments, to sow chaos and challenge Western solidarity with Ukraine. Organizations in both nations must prioritize robust DDoS mitigation strategies, such as AI-driven traffic filtering and resilient system architectures, while also preparing for potential escalations, as NoName057(16)’s actions could inspire further hacktivist or state-aligned campaigns amid the intensifying Russia-Ukraine conflict. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer internet circuit and mitigation service are high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.”

(TLP: CLEAR) Vercara: Vercara’s DDoS mitigation solution, UltraDDoS Protect, provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and more than 15 Tbps of DDoS mitigation capacity to maintain customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that constantly updates the mitigation devices provides protection against emerging attack vectors and common attack sources.
Source: https://www.bleepingcomputer.com/news/security/pro-russia-hacktivists-bombard-dutch-public-orgs-with-ddos-attacks/ 

About Vercara. The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond. To learn more about Vercara solutions, please contact us.