May 06, 2025 Cyber Threat Intelligence Briefing

May 6, 2025

This week’s briefing covers:

00:00 - Intro and Situational Awareness

UK Defence Contractors Warn Staff Against Chinese EVs
UK defence firms, including Lockheed Martin and Thales, have advised staff against connecting mobile phones to Chinese-made electric vehicles (EVs) due to concerns over potential espionage and data theft. These vehicles, equipped with cameras, microphones, and internet connectivity, could be exploited by hostile states to collect sensitive information.

Public POC Released for Two Older SonicWall Vulnerabilities
watchTowr has released a technical breakdown of two critical vulnerabilities in SonicWall's SMA100 appliance. These vulnerabilities can be chained to gain administrative control over the appliance, and have already been used in attacks. Update SonicWall devices to avoid active exploitation.

02:45 [CAMPAIGN] Attacks on UK Retail by KTA243 (Scattered Spider)
Key Takeaways

  • UK retailers Marks and Spencer, the Co-operative Group and Harrods have suffered cyber security incidents.
  • The incident at Marks and Spencer is thought by some sources to be a ransomware attack performed by KTA243 (AKA Scattered Spider).
  • The incident has impacted Marks and Spencer’s website sales, in-store purchasing and distribution centres.
  • Some sources believe that the incident might have been ongoing since as early as February, with claims of the exfiltration of Marks and Spencer's NTDS.dit file.
  • DRAGONFORCE is the ransomware suspected to have been used to encrypt VMware ESXi virtual machines.

10:54 [VULNERABILITY] AirBorne — Critical Vulnerabilities Discovered in Apple AirPlay Protocol and SDK
Oligo Security Research has disclosed a major set of vulnerabilities in Apple's AirPlay Protocol and SDK, now collectively referred to as AirBorne. These flaws impact not only native Apple devices but also a wide range of third-party products that integrate AirPlay functionality.
Investigations continue into the threat group behind the backdoor.

13:40 [RANSOMWARE ROUNDUP] DRAGONFORCE (KTA276)'s New Cartel Model
Key Takeaways

  • DragonForce rebrands as a “ransomware cartel”, moving beyond traditional RaaS.
  • Offers white-label services: affiliates use DragonForce tools but operate under their own brand.
  • Provides infrastructure: includes negotiation platforms, stolen data storage, and 24/7 monitoring.
  • Charges a flat 20% commission on ransom payments, lower than typical RaaS models.
  • Appeals to less technical cybercriminals—reduces barrier to entry.
  • Claims to follow a “moral compass” by avoiding certain healthcare targets (e.g., cancer patients).

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats