Threat Actor’s Dark Patterns: Cui Bono?

6–11–2025 (Wednesday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Wednesday, June 11, 2025, and we’ve got some dark patterns emerging from the threat actor space that we should cover for situational awareness.

Cui Bono?

CBS News has an update on their story from April 2024 about the “Scattered Spider” group of attackers - now famous / infamous for hacking MGM. The part that stands out - and merits attention from 60 Minutes - is that these groups include young, Western (read: US, UK) males collaborating with Russian groups to carry out these attacks, combining the technical capabilities of the Russian attackers with the Western cultural fluency needed to attack help desks.

At the same time, Google is publishing a report that similar mechanics are being used by another related group, called TheCom, targeting Salesforce data. These attackers are “impersonating IT personnel to break into companies’ Salesforce tools, using the access for data theft and extortion.”

We’ve seen this take down the UK retailers we covered a few weeks back - namely Coop and Marks & Spencer - and now the trend has made it to the United States.

Last week, Victoria’s Secret had to delay their earnings call due to a cybersecurity incident, and today we saw an 8-K filing (notice to the SEC of a material impact due to a cyber incident) from United Natural Foods - a distributor for grocery stores here in the US, which coincidentally also had its earnings call today.

So what?

Well, we’re seeing some patterns emerge here. First pattern is the continued use of softer areas of entry to gain compromise - namely attacking the help desks and using social engineering to gain legitimate access.

That’s one key difference here - these hackers aren’t breaking in, they’re logging in, after compromising a human to grant them access.

Second key difference is that they’re timing their attacks to exert maximum leverage against their victims (e.g. just before the earnings calls).

But there’s also a real human impact. The UNFI breach is leading to bare shelves at stores across the country, including here where we are. Tried to buy burgers for the end-of-year school BBQ and Costco was out; the Chefs Store only had a few left. Bought what we could and were glad to be able to.

Given all this - what should you do? A few things:

  1. Review your authentication policies for remote support, including password resets and phone or authentication changes, and focus especially on how elevated accounts (e.g. admins) are handled.

  2. Harden authentication for third-party systems (e.g. Salesforce), and conduct an account review to ensure the accounts present are still required.

  3. Review your ransomware preparedness: IR plan, backups, monitored Endpoint Detection and Response, etc. You won’t be able to get it all done if you’ve got significant gaps, but make sure the things you do have are in place in a way that’s going to help you when you need them.

I know this show is mostly focused on the middle market - but we’re facing the same threats as these larger players, and should use the time we have now to make the security investments we’ll need. Threat actors and exploits almost always move down market, so make the most of this advanced warning.

Fundraising

From a fundraising perspective, this was an absolutely massive week, totaling more than $43B in newly committed capital, led by a blockbuster announcement by Thoma Bravo, which raised $34.4b for a trio of new funds:

  • $24.3b for its 16th flagship buyout fund;

  • $8.1b for its fifth midmarket fund; and

  • €1.8b for its first Europe-focused fund.

Not to be outdone, Neuberger Berman raised more than $4b for its second GP-led secondaries fund. Carlyle AlpInvest raised $4.1b for its ninth co-investment fund. Both, obviously, very big players in the space and significant funding amounts in their own right.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.cbsnews.com/news/cybersecurity-ransomware-young-western-hackers-work-with-russians-60-minutes-transcript-2025-06-01/

https://www.bloomberg.com/news/articles/2025-06-04/google-warns-hackers-stealing-salesforce-data-from-companies

https://www.bleepingcomputer.com/news/security/victorias-secret-delays-earnings-release-after-security-incident/

https://www.sec.gov/ix?doc=/Archives/edgar/data/1020859/000102085925000021/unfi-20250605.htm
