Weekly Cyber Briefing 11.08.2025
Taxpayers of the Canadian city of Hamilton, Ontario, are responsible for covering the entire costs of an CAD 18.3 million (GBP 10 million) ransomware attack after the city’s insurance provider denied its claim.
Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.
Taxpayers of the Canadian city of Hamilton, Ontario, are responsible for covering the entire costs of an CAD 18.3 million (GBP 10 million) ransomware attack after the city’s insurance provider denied its claim. The insurer refused to reimburse CAD 5 million (GBP 2.7 million) of the costs on the grounds that multi-factor authentication had not been fully implemented at the time of the attack.
[Researcher: Lester Lim, S-RM]
Why do we think the insurer didn’t pay out? There are two possible reasons:
The attack began with an exploited internet-facing server and missing MFA, impacting 80% of the network. Containment was achieved within two days, with critical services maintained throughout. Attempts to destroy backups failed, and most systems were restored directly from available backups.
Authorities have not linked the incident to any criminal group or malware variant, nor disclosed details of remote access use or lateral movement. These details are likely withheld due to the ongoing investigation. Key lessons from the known facts include:
And finally, the transparency of the incident is wholly refreshing and undoubtably helped the public perception of Hamilton City. Their thorough PR: updates, include costs, enhancements with more details really dwell on customer-focus and improvements, not cyber. By turning the messaging of the incident away from cyber tooling and technical speak, into an issue of service, they’ve made it more relatable and engaging for the people they serve.
Google, Pandora, KLM, and Air France have all confirmed data breaches resulting from a series of attacks on third party customer databases. At present, only Google has confirmed Salesforce as the source of its breach. The cyber criminal group ShinyHunter is suspected to be responsible for these attacks.
[Researcher: Lena Krummeich S-RM]
The attack appears to impersonate IT to trick internal staff into installing a fake version of Data Loader (a legitimate SalesForce) app, with which they gain the ability to access, query, and systematically exfiltrate sensitive information. Other common tactics include using Mullvad VPN services for accessing victim networks and the deployment of Okta phishing panels.
If this comes up, we recommend:
mullvad.exe or OpenVPN/WireGuard clients running
TUN/TAP interfaces being created
Large .csv/.json/.xml file uploads to cloud shares (OneDrive, Dropbox).
Non-standard versions of Data Loader (or similar exfiltration tools like DBeaver, Jitterbit, Boomi).
api.mullvad.net, mullvad.net, or WireGuard config endpoints.API calls to Bulk, QueryAll, or Retrieve with more than typical volume or frequency.
login.salesforce.com but not matching known user behavior.Salesforce-Specific Controls:
View All Data, Modify All Data, API Enabled from unnecessary users.
Blogs & Opinions 07.08.2025
How to cut waste, save costs and salvage cybersecurity’s reputation
Features 05.08.2025
North Korean IT workers are laying down virtual roots in the West.
Weekly Cyber Briefing 04.08.2025
At least 400 organisations are reported to have fallen victim to a zero-day vulnerability in Microsoft SharePoint, including US government departments and described as one of the most rapid transitions from proof-of-concept to mass exploitation.