University College London Hospitals (UCLH) NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust have been hit by cyber attacks that compromised staff information. The breach stemmed from a vulnerability in Ivanti Endpoint Manager Mobile (EPMM)—a tool used to manage employee mobile devices. Ivanti patched the flaw on May 15, shortly after its discovery.
UCLH, with assistance from NHS England cybersecurity experts, confirmed no evidence of patient data exposure. The compromised system reportedly contained details like mobile numbers and IMEI codes, but no passwords or clinical records.
Sky News, which broke the story, cited security analysts at EclecticIQ, who uncovered additional global victims spanning the UK, Scandinavia, the US, Germany, Ireland, South Korea, and Japan. The attacks originated from a China-based IP address, though official attribution remains unclear.
This incident adds to a growing list of NHS-related breaches. In June 2024, a ransomware attack on Synnovis, a pathology and blood-testing provider, disrupted thousands of procedures across London hospitals, and in November 2024 Wirral University Teaching Hospital NHS Foundation Trust faced a major cyber security incident of its own.
Cybersecurity experts, including Dray Agha from Huntress, stressed the urgent need for stronger vendor risk management. “This breach, linked to third-party software, underscores the importance of securing the entire healthcare supply chain,” Agha noted. He emphasized the need for constant patching, vendor coordination, and rapid response strategies.
In response to escalating threats, the NHS recently introduced a cybersecurity charter that sets stricter requirements for suppliers. These include using multi-factor authentication, maintaining immutable backups, applying timely patches, and 24/7 threat monitoring—steps aimed at reinforcing digital resilience across all NHS-connected vendors.
Stay ahead of emerging cybersecurity threats. For the latest insights and updates on cloud security, follow SOC News.
News Source: ITPro.com
Threat actors are increasingly leveraging a variety of top-level domains (TLDs) to carry out phishing campaigns, with the .li extension (the Liechtenstein country-code TLD) emerging as the most malicious. A recent analysis reveals that 57.22% of all observed .li domains are flagged as harmful, making it the highest-risk TLD currently in circulation.
According to cybersecurity firm ANY.RUN, domains like .es, .sbs, .dev, .cfd, and .ru frequently appear in phishing attacks, often mimicking login portals or delivering fake documents to steal user credentials. These domains are central to evolving phishing methods that bypass traditional detection systems, prompting a renewed call for tighter domain monitoring within Security Operations Centers (SOCs).
.li Domains Act as Redirectors, Not Just Payload Hosts
While .li domains rank highest in terms of malicious activity, researchers emphasize that many don't host malware directly. Instead, they serve as redirectors, guiding victims through multi-step attack chains to final phishing or malware destinations. Techniques such as PHP header() calls (a server-side HTTP 3xx with a Location header), JavaScript's location.replace() (a client-side hop that leaves no entry in browser history), and HTML meta-refresh tags are commonly used to execute seamless redirections while masking the final destination from URL-based filters that only inspect the first link.
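As an added example (not code from ANY.RUN or from this article), the following Python script shows how a sandbox or triage tool can pull the next hop out of a captured HTTP response for each of the three techniques above, and walk a whole chain offline. The captured responses, hostnames and paths are constructed for the example.

```python
"""Pull the next redirect hop out of a captured HTTP response, offline.

Covers the three redirect techniques named in the text:
  1. server-side 3xx + Location header (what PHP header('Location: ...') emits)
  2. HTML <meta http-equiv="refresh" content="0;url=..."> tags
  3. JavaScript location.replace()/assign()/href assignments
Captured responses below are constructed for this example; hosts are invented.
"""
import re
from html import unescape
from urllib.parse import urljoin

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
# name="value" | name='value' | name=bare
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
JS_REDIRECT_RE = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location"""
    r"""(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def _tag_attrs(tag):
    """Map lower-cased attribute names to values for one HTML start tag."""
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(tag):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def _meta_refresh_target(body):
    """Return the URL from a <meta http-equiv="refresh"> tag, whatever the attribute order."""
    for tag in META_TAG_RE.findall(body):
        attrs = _tag_attrs(tag)
        if attrs.get("http-equiv", "").strip().lower() != "refresh":
            continue
        # content looks like "0;url=https://..." or "0; URL='https://...'".
        # Unescape first: an &amp; in the URL would otherwise split on ';'.
        content = unescape(attrs.get("content", ""))
        _, _, rest = content.partition(";")
        rest = rest.strip()
        if rest.lower().startswith("url="):
            return rest[4:].strip().strip("'\"")
    return None


def next_hop(status, headers, body, current_url):
    """Return (technique, absolute_next_url), or None when the response is terminal."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return "http-location", urljoin(current_url, hdrs["location"])
    target = _meta_refresh_target(body)
    if target:
        return "meta-refresh", urljoin(current_url, target)
    match = JS_REDIRECT_RE.search(body)
    if match:
        return "js-location", urljoin(current_url, match.group(1))
    return None


def follow_chain(start_url, captured, max_hops=10):
    """Walk captured responses from start_url; returns [(technique, url), ...]."""
    chain = [("start", start_url)]
    url = start_url
    for _ in range(max_hops):
        if url not in captured:
            break  # hop not captured; a live sandbox would fetch it here
        hop = next_hop(*captured[url], url)
        if hop is None or hop[1] in {u for _, u in chain}:
            break  # terminal page, or a redirect loop
        chain.append(hop)
        url = hop[1]
    return chain


# Constructed captures keyed by URL: (status, headers, body).
CAPTURED = {
    "https://invoice-view.example.li/open?id=7": (302, {"Location": "/r/2"}, ""),
    "https://invoice-view.example.li/r/2": (200, {}, (
        '<html><head><meta content="0; URL=https://docs-portal.example.sbs/view?c=1&amp;t=1"'
        ' http-equiv="refresh"></head></html>')),
    "https://docs-portal.example.sbs/view?c=1&t=1": (200, {}, (
        '<script>setTimeout(function(){ '
        'location.replace("https://m365-signin.example.cfd/auth?s=1"); }, 400);</script>')),
    "https://m365-signin.example.cfd/auth?s=1": (200, {}, "<form method=post>...</form>"),
}

if __name__ == "__main__":
    for technique, url in follow_chain("https://invoice-view.example.li/open?id=7", CAPTURED):
        print(f"{technique:14} {url}")
```

The three extractors are deliberately tolerant (attribute order, quoting, relative targets) because redirector pages are built to look unremarkable to a scanner; the loop guard and hop cap keep a malicious chain from spinning a triage job forever.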
Cheap Domains Fuel Mass-Scale Phishing
Low-cost TLDs like .sbs, .cfd, and .icu are driving large-scale phishing operations. With domain registration costs as low as $1.54, attackers can easily purchase vast numbers of throwaway domains. Historical data from the Cybercrime Information Center shows 11,224 phishing domains registered under .sbs and 5,558 under .cfd. The .icu extension, promoted as “I see you,” also remains a preferred vector, linked to 3,171 malicious sites.
Cloudflare Services Targeted by Sophisticated Phishing Kits
Legitimate hosting services, including Cloudflare’s Pages.dev and Workers.dev, are being misused to host phishing pages that exploit the provider’s trusted reputation. Phishing incidents on Pages.dev surged by 198% between 2023 and 2024, jumping from 460 to 1,370 reported cases.
Among the most notable threats is the Tycoon 2FA phishing kit. This tool uses evasion methods such as browser fingerprinting, CAPTCHA gates that block automated crawlers, and command-and-control domains spread across TLDs including .ru, .es, .su, .com, .net, and .org so that no single takedown breaks the kit. Many attacks begin with compromised Amazon SES accounts used to send the lure and pass through multi-stage redirect chains before the page that captures user credentials.
Call for Enhanced Monitoring and Sandbox Analysis
Experts stress the importance of real-time domain analysis using interactive sandbox environments to uncover indicators of compromise (IOCs). Implementing robust TLD monitoring protocols will help organizations strengthen their defenses and stay ahead of these increasingly sophisticated phishing operations.
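To make the monitoring recommendation concrete, here is an added example (not code from ANY.RUN or from this article) that runs over constructed proxy log lines and flags destinations that use one of the TLDs named in this piece, or an attacker-controlled subdomain under the trusted hosting suffixes discussed above. The log format, hostnames and allowlist are assumptions for the example.

```python
"""Flag proxy-log requests whose destination uses a watched TLD or an abused hosting suffix.

Log lines, hostnames and the allowlist below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# TLDs the ANY.RUN analysis discussed on this page names as frequent in phishing chains.
WATCH_TLDS = {"li", "es", "sbs", "dev", "cfd", "ru", "icu", "su"}
# Trusted hosting suffixes abused via attacker-controlled subdomains.
ABUSED_HOSTING_SUFFIXES = ("pages.dev", "workers.dev")
# Assumed allowlist (constructed): business hosts that legitimately sit on a watched TLD.
ALLOWLIST = {"corp.example.dev"}

# Assumed log format (constructed): "<ts> <src_ip> <method> <url> <status>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def hostname_of(url):
    """Lower-cased hostname of a URL; CONNECT targets arrive as bare host:port."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def classify_host(host):
    """Return a reason string when the host warrants a look, else None.

    Caveat: the TLD here is just the last label. Multi-label public suffixes
    (co.uk, com.br) need the Public Suffix List for a correct split.
    """
    if not host or host in ALLOWLIST:
        return None
    if host.replace(".", "").isdigit() or ":" in host:
        return None  # IP literal: no TLD to score
    for suffix in ABUSED_HOSTING_SUFFIXES:
        if host.endswith("." + suffix):
            return f"abused-hosting:{suffix}"
    tld = host.rsplit(".", 1)[-1]
    if tld in WATCH_TLDS:
        return f"watch-tld:{tld}"
    return None


def scan_log(lines):
    """Parse log lines; return [(src_ip, host, reason), ...] for flagged requests."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; worth counting separately in production
        host = hostname_of(m["url"])
        reason = classify_host(host)
        if reason:
            hits.append((m["src"], host, reason))
    return hits


def hits_by_source(hits):
    """Group flagged hosts per client; several in a row from one client suggests a redirect chain."""
    grouped = defaultdict(list)
    for src, host, reason in hits:
        grouped[src].append((host, reason))
    return dict(grouped)


# Constructed sample log: one client walking a .li -> .sbs -> pages.dev chain, plus benign noise.
SAMPLE_LOG = """\
2025-05-20T09:12:01Z 10.1.4.22 GET https://invoice-view.example.li/open?id=7 302
2025-05-20T09:12:02Z 10.1.4.22 GET https://docs-portal.example.sbs/view 200
2025-05-20T09:12:03Z 10.1.4.22 GET https://m365-signin.pages.dev/login 200
2025-05-20T09:13:10Z 10.1.4.23 GET https://corp.example.dev/api/health 200
2025-05-20T09:13:11Z 10.1.4.23 GET https://www.example.com/ 200
2025-05-20T09:14:00Z 10.1.4.24 GET https://update.example.co.uk/ 200
2025-05-20T09:14:05Z 10.1.4.25 CONNECT 203.0.113.9:443 200
""".splitlines()

if __name__ == "__main__":
    for src, flagged in hits_by_source(scan_log(SAMPLE_LOG)).items():
        print(src)
        for host, reason in flagged:
            print(f"  {host:32} {reason}")
```

The allowlist matters: .dev in particular is a legitimate TLD for plenty of engineering teams, so a bare TLD match produces noise unless known-good hosts are excluded, and the abused-hosting check runs before the TLD check so that a phishing page on pages.dev is reported for what it is rather than as a generic .dev hit.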
News Source: CybersecurityNews.com