
University College London Hospitals (UCLH) NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust have been hit by cyber attacks that compromised staff information. The breach stemmed from a vulnerability in Ivanti Endpoint Manager Mobile (EPMM)—a tool used to manage employee mobile devices. Ivanti patched the flaw on May 15, shortly after its discovery.

UCLH, with assistance from NHS England cybersecurity experts, confirmed no evidence of patient data exposure. The compromised system reportedly contained details like mobile numbers and IMEI codes, but no passwords or clinical records.

Sky News, which broke the story, cited security analysts at EclecticIQ, who uncovered additional global victims spanning the UK, Scandinavia, the US, Germany, Ireland, South Korea, and Japan. The attacks originated from a China-based IP address, though official attribution remains unclear.

This incident adds to a growing list of NHS-related breaches. In June 2024, a ransomware attack on Synnovis, a blood testing provider, disrupted thousands of procedures across London hospitals, and in November 2024 Wirral University Teaching Hospital NHS Foundation Trust also faced a major cybersecurity incident.

Cybersecurity experts, including Dray Agha from Huntress, stressed the urgent need for stronger vendor risk management. “This breach, linked to third-party software, underscores the importance of securing the entire healthcare supply chain,” Agha noted. He emphasized the need for constant patching, vendor coordination, and rapid response strategies.

In response to escalating threats, the NHS recently introduced a cybersecurity charter that sets stricter requirements for suppliers. These include using multi-factor authentication, maintaining immutable backups, applying timely patches, and 24/7 threat monitoring—steps aimed at reinforcing digital resilience across all NHS-connected vendors.

Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.

News Source: ITPro.com

Threat actors are increasingly leveraging a variety of top-level domains (TLDs) to carry out phishing campaigns, with the .li extension (Liechtenstein's country-code TLD) emerging as the most malicious. A recent analysis reveals that 57.22% of the .li domains observed in the study were flagged as harmful, making it the highest-risk TLD currently in circulation.

According to cybersecurity firm ANY.RUN, domains like .es, .sbs, .dev, .cfd, and .ru frequently appear in phishing attacks, often mimicking login portals or delivering fake documents to steal user credentials. These domains are central to evolving phishing methods that bypass traditional detection systems, prompting a renewed call for tighter domain monitoring within Security Operations Centers (SOCs).

.li Domains Act as Redirectors, Not Just Payload Hosts
While .li domains rank highest in terms of malicious activity, researchers emphasize that many don’t host malware directly. Instead, they serve as redirectors—guiding victims through multi-step attack chains to final phishing or malware destinations. Techniques such as PHP header() calls, JavaScript’s location.replace(), and HTML meta-refresh tags are commonly used to execute seamless redirections while masking the threat.

Cheap Domains Fuel Mass-Scale Phishing
Low-cost TLDs like .sbs, .cfd, and .icu are driving large-scale phishing operations. With domain registration costs as low as $1.54, attackers can easily purchase vast numbers of throwaway domains. Historical data from the Cybercrime Information Center shows 11,224 phishing domains registered under .sbs and 5,558 under .cfd. The .icu extension, promoted as “I see you,” also remains a preferred vector, linked to 3,171 malicious sites.
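The redirect techniques described above (an HTTP Location header, an HTML meta-refresh tag, and JavaScript location.replace()/href assignment) are what a SOC analyst has to unwind to reach the final phishing page, and the cheap TLDs listed here are the hops they usually pass through. The following Python script is an added example, not code from the original report or from ANY.RUN; it follows a redirect chain offline against constructed responses (the hostnames docs-share.li, files-login.sbs and secure-mail.cfd are invented, not real infrastructure) and reports each hop's TLD against the risky-TLD set named in the article. The fetch function is pluggable, so a real HTTP client can be substituted inside a sandbox.

```python
import re
from urllib.parse import urljoin, urlsplit

# TLDs called out in the article as frequently abused (used only for flagging hops).
RISKY_TLDS = {"li", "es", "sbs", "dev", "cfd", "ru", "icu", "su"}

# Constructed sample responses: url -> (status, headers, body). Hostnames are hypothetical.
SAMPLE_RESPONSES = {
    "https://docs-share.li/view?id=42": (
        302, {"Location": "https://files-login.sbs/step2"}, ""),
    "https://files-login.sbs/step2": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0; url=https://secure-mail.cfd/auth">'
        "</head></html>"),
    "https://secure-mail.cfd/auth": (
        200, {"Content-Type": "text/html"},
        '<html><body><script>window.location.replace("/login.html");</script></body></html>'),
    "https://secure-mail.cfd/login.html": (
        200, {"Content-Type": "text/html"},
        "<form action='/post'><input name='user'><input name='pass' type='password'></form>"),
}

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
META_REFRESH = re.compile(r"""http-equiv\s*=\s*["']?refresh""", re.I)
REFRESH_URL = re.compile(r"""content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*["']?([^"'>\s]+)""", re.I)
# window.location.replace("..."), location.href = '...', location = "...", location.assign("...")
JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?"""
    r"""\s*(?:=|\()\s*["']([^"']+)["']""", re.I)


def meta_refresh_target(body):
    """Return the URL from a <meta http-equiv=refresh> tag, regardless of attribute order."""
    for tag in META_TAG.findall(body):
        if META_REFRESH.search(tag):
            m = REFRESH_URL.search(tag)
            if m:
                return m.group(1)
    return None


def next_hop(url, status, headers, body):
    """Return the URL this response sends the browser to, or None for a final page."""
    location = headers.get("Location")
    if 300 <= status < 400 and location:          # server-side redirect (e.g. PHP header())
        return urljoin(url, location)
    target = meta_refresh_target(body)             # HTML meta-refresh
    if target:
        return urljoin(url, target)
    m = JS_REDIRECT.search(body)                   # JavaScript location.replace()/href
    if m:
        return urljoin(url, m.group(1))
    return None


def follow_chain(start, fetch, max_hops=10):
    """Follow redirects using fetch(url) -> (status, headers, body); returns the ordered hops.

    Stops on a final page, a loop, or max_hops, so a malicious chain cannot spin forever.
    """
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain


def tld(url):
    """Public suffix of the hostname (last label); empty string if there is none."""
    host = (urlsplit(url).hostname or "").lower()
    return host.rsplit(".", 1)[-1] if "." in host else ""


def flag_hops(chain):
    """[(url, tld, is_risky), ...] for the report or an IOC list."""
    return [(hop, tld(hop), tld(hop) in RISKY_TLDS) for hop in chain]


def offline_fetch(url):
    """Stand-in for an HTTP client; serves the constructed responses above."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for hop, suffix, risky in flag_hops(follow_chain("https://docs-share.li/view?id=42", offline_fetch)):
        print(f"{'RISKY' if risky else '     '} .{suffix:<4} {hop}")
```

Each hop in the chain is a separate indicator worth recording: the .li entry point, the .sbs intermediary and the .cfd credential page are typically registered and rotated independently, so blocking only the final host leaves the redirector free to point somewhere new.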

Cloudflare Services Targeted by Sophisticated Phishing Kits
Legitimate hosting services, including Cloudflare’s Pages.dev and Workers.dev, are being misused to host phishing pages that exploit the provider’s trusted reputation. Phishing incidents on Pages.dev surged by 198% between 2023 and 2024, jumping from 460 to 1,370 reported cases.

Among the most notable threats is the Tycoon 2FA phishing kit. It uses evasion methods such as browser fingerprinting, CAPTCHA gates, and command-and-control domains spread across TLDs like .ru, .es, .su, .com, .net, and .org. Many attacks begin with hijacked Amazon SES accounts and pass through intricate redirect chains before capturing user credentials.

Call for Enhanced Monitoring and Sandbox Analysis
Experts stress the importance of real-time domain analysis using interactive sandbox environments to uncover indicators of compromise (IOCs). Implementing robust TLD monitoring protocols will help organizations strengthen their defenses and stay ahead of these increasingly sophisticated phishing operations.


News Source: CybersecurityNews.com

On Demand Webinar

Microsoft Defender XDR: The Solution to Modern Cyberattacks


Watch this webinar to learn how Microsoft Defender XDR can supercharge your SecOps team with a unified experience and automatic disruption of advanced cyberattacks.

In this webinar, we will:

Featured Speakers:

Kim Kischel, Director of Product Marketing, Cybersecurity

Scott Woodgate, Senior Director, Microsoft Security Business

