Threat Analysis: Cyber News for Small Business

The Small Business Cyber Security Guy

Threat Analysis is the daily cyber security briefing for people who are tired of corporate fog, vendor panic, and security theatre dressed up as strategy. Hosted by Mauven MacLeod, it cuts through the noise around cyber threats, ransomware, data breaches, regulation, supply chain risk, and the latest bright idea from people who think a dashboard is the same thing as resilience. Every weekday, Mauven looks at what happened, why it matters, who should be paying attention, and what small and medium sized businesses should do before the mess arrives with a press statement and a very expensive consultant. This is not fear mongering. It is not a product pitch. It is not another cosy chat about awareness while the back door is hanging off its hinges. It is sharp, practical threat analysis with a dry edge, a raised eyebrow, and very little patience for nonsense. You will get clear context, useful actions, and the occasional reminder that cyber security is not magic. It is governance, discipline, evidence, and doing the basics before reality applies a boot to the backside. Threat Analysis is part of The Small Business Cyber Security Guy network.

  1. 16h ago

    Device Code Phishing, Avalon Ransomware, and the NetNut Botnet Takedown

    This briefing examines three significant threats to UK small and medium businesses in July 2026. First, Cisco Talos’s analysis of ARToken, a phishing-as-a-service platform exploiting Microsoft 365 device code authentication flows to bypass multi-factor authentication. The technique, productised for affiliate use, requires immediate Conditional Access policy review. Second, Blackpoint Cyber’s documentation of Avalon, a multi-stage ransomware framework using spoofed legal documents, Proton Drive hosting, and memory-only execution to evade detection. Third, the NetNut botnet takedown by Google and the FBI, involving two million compromised residential devices used as proxy infrastructure. The operational implications extend beyond the headline: unpatched IoT devices and routers continue to provide access via vulnerabilities from 2017 and 2018. Each attack is designed to appear normal within legitimate business operations. The briefing provides three concrete actions: restrict device code authentication in Entra ID, establish verification procedures for password-protected archives, and audit firmware on internet-facing devices. These measures address the gap between assumed and actual security control effectiveness in small business environments.

    Chapters

    Introduction: Mauven introduces three threat items for 3rd July 2026, prioritised by risk to UK SMBs. Two are active attack campaigns with direct exposure; one is a law enforcement action with under-reported operational implications.
    ARToken M365 Phishing Platform: Analysis of ARToken, a phishing-as-a-service platform exploiting Microsoft device code authentication flows. The technique does not break MFA so much as sidestep it: the victim completes a genuine Microsoft sign-in, MFA included, and the attacker collects the resulting tokens. Direct mitigation requires restricting device code flows through Conditional Access policies in Entra ID.
    Call to Action: Listener engagement prompt encouraging follows and sharing.
    Avalon Ransomware Framework: Blackpoint Cyber’s analysis of Avalon, a multi-stage attack framework using spoofed legal documents hosted on Proton Drive, password-protected ISO archives, and memory-only execution. Targets professional services with plausible social engineering. Requires staff training, behavioural endpoint detection, and ISO mounting restrictions.
    The NetNut Botnet Takedown: Google and FBI action against the NetNut residential proxy botnet, involving two million compromised devices. Discusses how compromised devices provide cover for credential stuffing and fraud, and notes active propagation of similar botnets via vulnerabilities from 2017 and 2018. Emphasises firmware updates and credential hygiene on internet-facing devices.
    Broader Pattern Note: All three threats share a common characteristic: they are designed to appear normal within legitimate business operations. The security gap lies between assumed and actual control effectiveness, and it is closed through visibility rather than additional tools.
    Outro: Closing summary with a practical question for IT providers regarding Conditional Access policies. Sign-off and production credit.

    Links

    https://blog.talosintelligence.com/artoken-phishing-as-a-service/
    https://www.blackpointcyber.com/resources/blog/avalon-a-new-ransomware-framework/
    https://www.theregister.com/2026/07/02/google_fbi_netnut_botnet/
    https://www.ncsc.gov.uk/collection/device-security-guidance
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17215
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8007

    15 min
  2. 2d ago

    Ransomware Group Defeats Endpoint Protection and Microsoft 365 Phishing Threat

    The Gentlemen ransomware group has emerged as a top-ten global threat actor by deploying zero-day driver exploits to disable endpoint security tools before launching encryption attacks. Using a vulnerable Kontron driver and the Bring Your Own Vulnerable Driver technique, the group neutralises detection systems silently, often gaining hours of undetected access through compromised VPN and firewall appliances. Meanwhile, the ARToken phishing-as-a-service platform automates Microsoft 365 account takeover through device code phishing and Primary Refresh Token persistence. Standard multi-factor authentication does not prevent these attacks, because the OAuth flows involved are legitimate: the victim completes a real Microsoft sign-in, MFA included, and the attacker collects the resulting tokens. The platform includes automated email and SharePoint exfiltration, plus integrated business email compromise tooling that industrialises payment redirection fraud. UK small businesses using Microsoft 365 face direct exposure, particularly in professional services, accountancy, and financial sectors where client data and payment processes rely on email systems. The NCSC has published guidance on restricting device code flow and monitoring for these attacks, yet implementation remains inconsistent even in critical national infrastructure environments.

    Chapters

    Introduction: Overview of two urgent threat developments: a ransomware group defeating endpoint security and an automated Microsoft 365 phishing platform bypassing multi-factor authentication.
    The Gentlemen Ransomware Group and Zero-Day Driver Exploits: Analysis of The Gentlemen’s rise to top-ten threat status through Bring Your Own Vulnerable Driver techniques, their use of a Kontron driver zero-day to disable endpoint protection, and their systematic approach to network reconnaissance and ransomware deployment.
    Call to Action: Encouragement to share the briefing and subscribe for daily updates.
    ARToken: Automated Microsoft 365 Account Takeover: Detailed examination of the ARToken phishing-as-a-service platform, its device code phishing methodology, Primary Refresh Token persistence, automated data exfiltration, and integrated business email compromise workflows that bypass standard MFA.
    NCSC Penetration Testing Findings: Brief discussion of persistent security gaps identified in critical national infrastructure, including default credentials, insufficient segmentation, and poor patch management.
    Closing Recommendations: Summary of immediate actions: enable tamper protection, verify monitoring procedures, restrict device code flow in Microsoft 365, and implement out-of-band payment verification.

    Links

    https://securelist.com/the-gentlemen-ransomware-group/
    https://expel.com/blog/
    https://www.ncsc.gov.uk/guidance/bring-your-own-vulnerable-driver
    https://blog.talosintelligence.com/artoken-phishing-as-a-service/
    https://www.ncsc.gov.uk/guidance/device-code-flow
    https://www.ncsc.gov.uk/blog-post/pen-testing-critical-national-infrastructure

    14 min
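Both of the briefings above recommend restricting device code flow through Conditional Access in Entra ID, and the first closes with a question for IT providers about whether such a policy exists. The script below is an added example, not code from the podcast, from Microsoft or from the NCSC guidance linked above. It audits an exported list of Conditional Access policies in the shape Microsoft Graph returns from /identity/conditionalAccess/policies and reports whether any enabled policy actually blocks device code flow for all users and all applications, as opposed to a report-only pilot or a policy scoped to one group. The field names (state, conditions.authenticationFlows.transferMethods, conditions.users, conditions.applications, grantControls.builtInControls) follow the Graph documentation; the sample policies, group identifiers and break-glass account identifier are constructed for the example and do not come from any real tenant.

```python
# Added example: audit exported Entra ID Conditional Access policies for a
# tenant-wide block on device code flow. Policy objects follow the Microsoft
# Graph conditionalAccessPolicy shape; every sample object below is constructed.
import json
from dataclasses import dataclass, field

DEVICE_CODE_FLOW = "deviceCodeFlow"
REPORT_ONLY = "enabledForReportingButNotEnforced"


@dataclass
class Finding:
    policy: str
    status: str  # blocks | report_only | partial | disabled | not_applicable
    gaps: list = field(default_factory=list)   # reasons the block is not effective
    notes: list = field(default_factory=list)  # exclusions worth a second look


def transfer_methods(policy: dict) -> set:
    # Graph serialises this flags enum as a comma-separated string,
    # e.g. "deviceCodeFlow,authenticationTransfer".
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}


def evaluate_policy(policy: dict) -> Finding:
    name = policy.get("displayName", "<unnamed>")
    if DEVICE_CODE_FLOW not in transfer_methods(policy):
        return Finding(name, "not_applicable")
    state = policy.get("state")
    if state == "disabled":
        return Finding(name, "disabled", ["policy is disabled"])

    conds = policy.get("conditions") or {}
    users = conds.get("users") or {}
    apps = conds.get("applications") or {}
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    gaps, notes = [], []
    if state == REPORT_ONLY:
        gaps.append("report-only mode: sign-ins are logged, not blocked")
    if users.get("includeUsers") != ["All"]:
        gaps.append(f"scoped to includeUsers={users.get('includeUsers')} rather than All")
    if apps.get("includeApplications") != ["All"]:
        gaps.append(f"scoped to includeApplications={apps.get('includeApplications')} rather than All")
    if "block" not in controls:
        gaps.append(f"grant control is {controls or 'none'}, not block")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            notes.append(f"{key} exempts {len(users[key])} principal(s); confirm break-glass only")

    status = "blocks" if not gaps else ("report_only" if state == REPORT_ONLY else "partial")
    return Finding(name, status, gaps, notes)


def device_code_blocked(policies: list) -> tuple:
    # True only if at least one enabled policy blocks device code flow tenant-wide.
    findings = [evaluate_policy(p) for p in policies]
    return any(f.status == "blocks" for f in findings), findings


# Constructed sample export: a tenant that "has a policy for that" but is not protected.
SAMPLE_EXPORT = json.loads("""
[
 {"displayName": "Require MFA for all users", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "Block device code flow (pilot)", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]},
                 "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
 {"displayName": "Block device code flow - IT only", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["it-staff-group-id"]},
                 "applications": {"includeApplications": ["All"]},
                 "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
  "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]
""")

# Corrected policy: enabled, tenant-wide, block, with one constructed break-glass
# account exempted so an administrator lockout stays recoverable.
FIXED_POLICY = {
    "displayName": "Block device code flow", "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-account-id"]},
                   "applications": {"includeApplications": ["All"]},
                   "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

if __name__ == "__main__":
    for export in (SAMPLE_EXPORT, SAMPLE_EXPORT + [FIXED_POLICY]):
        ok, findings = device_code_blocked(export)
        print("device code flow blocked tenant-wide:", ok)
        for f in findings:
            if f.status != "not_applicable":
                print(f"  {f.policy}: {f.status}; " + "; ".join(f.gaps + f.notes))
```

Run it against the policy export your IT provider can pull from Graph Explorer or the Entra admin centre. The sample tenant reports False: the only device code policies are a report-only pilot and one scoped to a single group, which is exactly the distance between an assumed control and an effective one. Appending the corrected policy flips the result to True, with the break-glass exclusion surfaced as a note rather than a gap so it can be checked rather than hidden.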
  3. 3d ago

    Windows Defender Flaw Hits Commodity Ransomware; RMM Tools Under Attack

    Two critical threats demand immediate attention from UK small businesses today. First, the BlueHammer vulnerability in Microsoft Defender has transitioned from targeted zero-day attacks to commodity ransomware operations, a shift that dramatically expands the pool of threat actors capable of exploiting it. CISA’s addition of BlueHammer to its Known Exploited Vulnerabilities catalogue confirms active exploitation in the wild, with the flaw enabling attackers to escalate privileges to SYSTEM level and deploy ransomware across entire networks. Second, Blackpoint Cyber has documented an active intrusion chain exploiting CVE-2026-48558, an authentication bypass in SimpleHelp remote monitoring and management software. This attack vector is particularly concerning because it targets the tools IT providers use to manage client systems, turning the trust relationship between businesses and their managed service providers into an attack surface. The operational implication is clear: attackers are systematically exploiting the privileged access that IT management tools provide, bypassing direct targeting in favour of supply chain compromise. Patches exist for both vulnerabilities. The gap between availability and deployment is where ransomware operators live. UK SMBs should contact their IT providers today to confirm patching status and ask specific questions about RMM tool security. This briefing provides actionable guidance on exactly what to ask and why it matters.

    Chapters

    Introduction: Mauven introduces today’s two threat stories: the BlueHammer vulnerability in Windows Defender crossing into commodity ransomware operations, and an attack targeting remote management tools used by IT providers.
    BlueHammer: From Zero-Day to Ransomware Commodity: Analysis of CISA’s KEV addition for BlueHammer, a privilege escalation flaw in Microsoft Defender now exploited in commodity ransomware operations. Covers the transition from targeted attacks to volume-based campaigns, the operational playbook of ransomware-as-a-service groups, and the practical patching actions UK SMBs must take immediately.
    CTA: Brief call to action encouraging listeners to follow the show and share it with business owners and operations managers who need actionable threat intelligence.
    SimpleHelp RMM: The Attack That Comes Through Your IT Provider: Detailed examination of CVE-2026-48558, an authentication bypass in SimpleHelp remote monitoring and management software. Explains how attackers exploit RMM tools to gain technician-level access to managed client systems, the malware deployed (TaskWeaver and Djinn Stealer), and the supply chain risk this represents for UK SMBs.
    What UK SMBs Should Do Today: Direct, actionable guidance for UK small businesses: specific questions to ask IT providers about BlueHammer patching, SimpleHelp vulnerability status, RMM access log reviews, and incident disclosure processes.
    Outro: Closing summary emphasising the gap between patch availability and deployment, urging businesses to actively verify patching status with their IT providers rather than assume it has been handled.

    Links

    https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    https://securelist.com/gentlemen-raas-h1-2026/
    https://www.blackpoint.io/blog/simplehelp-rmm-exploitation-cve-2026-48558

    13 min
  4. 4d ago

    Oracle EBS Exploitation and DriveSurge Campaign Active in the Wild

    Oracle E-Business Suite vulnerability CVE-2026-46817 is under active exploitation, confirmed by threat intelligence firm Defused. The recent breach of Nissan’s Oracle PeopleSoft instance underscores the broader risk to Oracle’s enterprise portfolio. UK small businesses face exposure through supply chain relationships with payroll bureaus, accountancy firms, and manufacturers running Oracle systems. Meanwhile, newly documented threat actor DriveSurge operates a pay-per-install initial access broker model, compromising legitimate websites to deliver malware through fake browser updates and ClickFix social engineering. The campaign bypasses email security controls entirely, infecting users through normal web browsing. Additional concerns include active exploitation of Langflow (CVE-2026-55255) and the Miasma Mini Shai-Hulud supply chain campaign now targeting Backstage npm packages. Today’s briefing provides specific, actionable steps: verify Oracle patch status with suppliers, implement web filtering against zTDS infrastructure, brief staff on fake browser update prompts, and audit dependencies in development pipelines. These are email-and-call actions, not budget-heavy projects.

    Chapters

    Introduction: Mauven opens with two active threat stories: exploitation of Oracle E-Business Suite and a drive-by attack campaign bypassing email controls through compromised websites. Both pose immediate risks to UK small businesses through supply chain and web browsing vectors.
    Oracle EBS Active Exploitation: CVE-2026-46817 in Oracle E-Business Suite is under confirmed exploitation. Nissan’s PeopleSoft breach demonstrates sustained threat actor attention to Oracle’s enterprise platforms. UK small businesses face exposure through payroll bureaus, accountancy firms, and manufacturers. Practical steps include verifying patch status directly with suppliers and documenting responses in writing.
    Mid-Roll Call to Action: Brief listener prompt to follow the show and share the briefing with relevant contacts.
    DriveSurge Drive-By Campaign: DriveSurge, a newly documented initial access broker, compromises legitimate websites to deliver malware via fake browser updates and ClickFix prompts. The campaign uses zTDS traffic distribution and bypasses standard email security. Recommended defences include web filtering against zTDS infrastructure and staff briefing on fake update prompts.
    Langflow and Miasma Mini Shai-Hulud Updates: CVE-2026-55255 in Langflow is under active exploitation, with the lower-scored CVE-2026-33017 seeing wider use because it is easier to exploit. The Miasma Mini Shai-Hulud campaign now targets Backstage npm packages. Organisations using AI frameworks or modern CI/CD pipelines should audit patch status and dependencies.
    Closing Summary: Mauven summarises practical actions in order of urgency: verify Oracle patch status with suppliers, brief staff on fake browser updates, confirm web filtering covers zTDS, and audit development dependencies. All actions require communication and follow-up, not significant budget.

    Links

    https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    https://www.ncsc.gov.uk/collection/supply-chain-security
    https://www.oracle.com/security-alerts/cpujun2026.html
    https://silentpush.com/blog/drivesurge-campaign
    https://sysdig.com/blog/langflow-cve-exploitation
    https://socket.dev/blog/miasma-mini-shai-hulud-backstage

    14 min
  5. Jun 26

    Understanding Mini Shai-Hulud and Cisco's Zero-Day Vulnerabilities

    In today’s episode of Threat Analysis, Mauven MacLeod delves into two significant cybersecurity threats impacting UK small and medium businesses. The Mini Shai-Hulud supply chain attack targets the development community by exploiting npm packages, risking developers’ credentials and threatening software integrity. Microsoft emphasises the importance of rigorous dependency audits to prevent malicious exploitation. Additionally, a zero-day vulnerability, CVE-2026-20245, in Cisco’s Catalyst SD-WAN Manager is discussed. It allows attackers to escalate privileges through default passwords, compromising network security. The necessity of proactive cybersecurity measures, including multi-factor authentication and robust monitoring systems, is highlighted to safeguard businesses from these threats.

    Chapters

    Intro: Mauven introduces the episode, highlighting critical threats for UK businesses.
    Mini Shai-Hulud Supply Chain Attack: Discusses how Mini Shai-Hulud uses npm packages to access developer credentials, emphasising the need for vigilant software audits.
    CTA: Encourages listeners to follow the show for updates and share with peers.
    CVE-2026-20245: Cisco’s Zero-Day: Explores the Cisco vulnerability, stressing the dangers of default passwords and the importance of intrusion detection systems.
    Outro: Reiterates the importance of proactive cybersecurity measures and invites listeners to return for future episodes.

    Links

    https://www.microsoft.com/security/blog
    https://www.cisco.com/security/advisories
    https://blog.npmjs.org

    6 min
  6. Jun 25

    Emerging Cyber Threats to UK SMEs

    In this episode of Threat Analysis, Mauven MacLeod dives into two pressing cybersecurity threats affecting UK small and medium businesses. The first is the Mistic backdoor, linked to the notorious Woodgnat, which relies on sideloading: a legitimate application is made to load malicious code, so the activity appears to come from trusted software. The risks include data leaks and financial loss. Mauven discusses the importance of a robust security posture and offers practical advice on staying protected. The second threat is the widespread FortiBleed campaign targeting Fortinet FortiGate devices through credential stuffing and password spraying. The campaign highlights weaknesses in legacy systems and underscores the need for up-to-date device management and strong authentication. Listeners are encouraged to assess and fortify their cybersecurity defences actively. The episode closes with a reminder: awareness is key, but proactive measures are essential to safeguarding your business.

    Chapters

    Intro: Mauven introduces today’s cybersecurity topics, focusing on threats to UK businesses.
    Mistic Backdoor Unveiled: Discussion on the Mistic backdoor’s impact, sideloading techniques, and security recommendations.
    CTA: Listeners are encouraged to follow the podcast and share it with others.
    FortiGate Under Siege: Analysis of the FortiBleed campaign targeting Fortinet devices, with tips to enhance network security.
    Outro: Recap of the threats discussed and a call to take proactive security measures.

    Links

    https://arcticwolf.com/resources/blogs
    https://www.fortiguardlabs.com
    https://www.ncsc.gov.uk

    5 min
  7. Jun 24

    Understanding the Mistic Backdoor Threat to UK SMBs

    In this episode of Threat Analysis, Mauven MacLeod explores the emerging threat landscape for UK small and medium businesses, focusing on the Mistic backdoor. This malware, linked to the ransomware access broker KongTuke, poses significant risks to crucial sectors such as insurance, education, IT, and professional services. The discussion highlights how Mistic operates stealthily within compromised systems, bypassing many traditional security measures and exacerbating vulnerabilities in supply chains. Additionally, the episode delves into broader cybersecurity concerns, including the critical vulnerability CVE-2026-20230 in Cisco Unified Communications Manager and privacy issues arising from London’s use of live facial recognition technology. Mauven provides actionable steps for SMBs to strengthen their defences, emphasising the importance of robust vendor audits, advanced threat detection, and well-prepared incident response plans, aligning with guidance from the National Cyber Security Centre.

    Chapters

    Intro: Mauven introduces the focus on the Mistic backdoor and its relevance to UK SMBs.
    Mistic Backdoor Threat: Exploration of the Mistic backdoor’s tactics, connection to KongTuke, and its impact on key sectors.
    The Broader Context: Discussion on Cisco’s vulnerability and the implications of facial recognition technology in London.
    What Should You Do?: Actionable cybersecurity measures for SMBs, including vendor audits and threat detection enhancements.
    CTA: Encouragement to follow the show and share it with others needing the briefing.
    Outro: Summary of today’s insights and the importance of proactive cybersecurity strategies.

    Links

    https://www.bleepingcomputer.com
    https://theregister.com

    7 min
  8. Jun 23

    Klue Supply Chain Breach and AI Cybersecurity Warnings

    In this episode of Threat Analysis, Mauven MacLeod explores a pressing supply chain attack that targets Salesforce environments through Klue’s backend systems. The breach, executed by the Icarus threat group, highlights the exposure created by OAuth tokens held by third-party integrations and the implications for UK small businesses. Mauven discusses the importance of reviewing security practices to prevent data exposure. The episode also features a warning from the Five Eyes alliance about the risks associated with AI in cybersecurity. As AI technology evolves, safeguarding against its misuse becomes crucial. Tune in for essential insights and strategies to navigate these challenges.

    Chapters

    Intro: Mauven introduces the focus on a crucial supply chain attack and AI-related cybersecurity threats.
    Klue Supply Chain Attack Hits Salesforce Environments: Details the Icarus group’s attack on Klue, its impact on Salesforce, and the importance of OAuth token security.
    CTA: Encourages listeners to follow the show for regular updates on cybersecurity threats.
    Five Eyes Warn of AI Escalating Cybersecurity Threats: Highlights the Five Eyes alliance’s warning on AI exacerbating cybersecurity threats and the need for robust oversight.
    Outro: Concludes with the interconnected nature of modern business threats and the importance of enhanced security measures.

    Links

    https://www.salesforce.com/news/stories/understanding-oauth-security/
    https://www.techradar.com/news/lastpass-breach-what-you-need-to-know
    https://www.cisa.gov/news/five-eyes-cybersecurity

    2 min
