Content 

01. News Bites
  • U.S. DoJ along with other authorities Seize 4 domains supporting cyber crime crypting services in global operation
  • FBI: Play ransomware breached 900 victims, including critical organisations.

  • CISA adds ConnectWise bug exploited in attacks to known exploited vulnerabilities catalog – tracked as CVE-2025-3935

  • Cartier, Victoria’s Secret & North Face hit with cyber-attack, Cartier customers personal information exposed.

  • Interlock Ransomware gang behind Kettering Health Data breach, gang claims alleged 941GB of Data.


02. Conclusion

Quick News Bites

U.S. DoJ along with other authorities Seize 4 domains supporting cyber crime crypting services in global operation


The U.S. Department of Justice, in partnership with Dutch and Finnish authorities, seized four domains and their associated server, which facilitated crypting services, on 27th May 2025. These are AvCheck[.]net, Cryptor[.]biz, Cryptor[.]live, and Crypt[.]guru, all of which now display a seizure notice.
Other countries that participated in the effort include France, Germany, Denmark, Portugal, and Ukraine. The seizures are part of a multinational law enforcement operation that has taken down online cybercrime services which offered cyber criminals the means to keep their malicious software undetected by security software.
Agent Douglas Williams of the FBI Houston Field Office, which conducted the investigation, made the following statement: “By leveraging counter antivirus services, malicious actors refine their weapons against the world’s toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims’ systems. As part of a decisive international operation, FBI Houston helped cripple a global cyber syndicate, seize their most lethal tools, and neutralize the threat they posed to millions around the world.”
Over the past few years multinational authorities, including the UK, have worked together to take down cyber criminal operations, most notably the LockBit 2.0 and Black Basta ransomware groups, along with hidden servers which host botnets and other cyber crime services.

 

FBI: Play ransomware breached 900 victims, including critical organisations.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) have released a joint advisory to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as January 2025.
An update dated 4th June 2025 on the CISA advisories website notes that, as of May, approximately 900 organisations had been breached by the Play ransomware actors.
The update also states that the group recompiles its malware for every attack, making it more difficult for security software to detect and block. Additionally, some victims were contacted by the group with threats that their stolen data would be leaked online if they did not pay the ransom.
CISA has updated its advisory with new tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organisations protect against the group and to support effective threat hunting by cyber security teams.
As noted by CISA, the Play ransomware group was among the most active ransomware groups in 2024. The group is presumed to be closed, designed to “guarantee the secrecy of deals,” according to a statement on its data leak website. Play ransomware actors employ a double extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions; rather, victims are instructed to contact the threat actors via email.

 

CISA adds ConnectWise bug exploited in attacks to known exploited vulnerabilities catalog – tracked as CVE-2025-3935

CISA is alerting U.S. federal agencies that hackers are exploiting a recently patched ScreenConnect vulnerability that could allow remote code execution on the server.

This follows the recent suspected state-sponsored breach of ConnectWise's own environment, which impacted a limited number of ScreenConnect customers.

ConnectWise's latest advisory, released on 28th May 2025, states: “ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers.” ConnectWise is working with a cybersecurity firm that is conducting the investigation.

ConnectWise had released a patch for on-premise ScreenConnect customers for the vulnerability tracked as CVE-2025-3935, which could be exploited for a ViewState code injection attack. ConnectWise notes that “According to Microsoft, ASP.NET Web Forms utilize ViewState to maintain page and control state, storing data in a hidden field encoded with Base64.” This means that an attacker with privileged access who had compromised the machine keys could trigger remote code execution on the server through a malicious ViewState payload.

ConnectWise has since reached out to all customers affected by the breach, and CISA has added the vulnerability to its known exploited vulnerabilities catalog.
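The ViewState mechanism described above only holds up while the machine key stays secret: the hidden field carries a MAC computed with that key, so whoever holds the key can produce a field the server trusts. The following Python example is added here to illustrate that dependency and the configuration checks a defender would run; it is not code from ConnectWise, Microsoft or Integrity360. It uses a simplified Base64 payload-plus-HMAC-SHA256 field rather than ASP.NET's real ViewState serialisation, the demo key and the two web.config fragments are constructed, and the `audit_machine_key` function and its severity labels are assumptions of this example (the `machineKey`, `pages`, `validationKey`, `validation` and `enableViewStateMac` names are real ASP.NET settings).

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes


def sign_state(state: bytes, validation_key: bytes) -> str:
    """Encode a hidden field as Base64(state || HMAC-SHA256(key, state)).
    Simplified stand-in for a MAC-validated ViewState field: the real
    ASP.NET format differs, but the trust model is the same."""
    tag = hmac.new(validation_key, state, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def verify_state(field: str, validation_key: bytes) -> Optional[bytes]:
    """Return the state bytes if the MAC checks out, else None.
    A server must refuse to deserialise anything that fails this check."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    return state if hmac.compare_digest(tag, expected) else None


def tamper(field: str) -> str:
    """Flip one bit of the payload without knowing the key (demo only):
    shows that a keyless modification is rejected by verify_state."""
    raw = bytearray(base64.b64decode(field))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


WEAK_ALGOS = {"MD5", "SHA1"}


def audit_machine_key(web_config_xml: str) -> list[tuple[str, str]]:
    """Inspect the <system.web> settings that decide whether a leaked or weak
    machine key turns ViewState into a code-execution vector.
    Returns (severity, message) pairs; the severities are this example's own."""
    root = ET.fromstring(web_config_xml)
    findings = []
    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("high", "enableViewStateMac=false: ViewState accepted without an integrity check"))
    mk = root.find("system.web/machineKey")
    if mk is not None:
        algo = mk.get("validation", "HMACSHA256").upper()
        if algo in WEAK_ALGOS:
            findings.append(("medium", f"validation={algo}: use HMACSHA256 or stronger"))
        if not mk.get("validationKey", "AutoGenerate").startswith("AutoGenerate"):
            findings.append(("info", "static validationKey: rotate it if key exposure is suspected"))
    return findings


# Constructed web.config fragments; the key values are placeholders, not real keys.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="CONSTRUCTED_PLACEHOLDER_KEY" decryptionKey="CONSTRUCTED_PLACEHOLDER_KEY"
                validation="SHA1" decryption="3DES" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="CONSTRUCTED_PLACEHOLDER_KEY" decryptionKey="CONSTRUCTED_PLACEHOLDER_KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    key = b"\x00" * 32  # constructed demo key; a real validationKey is a long random hex string
    field = sign_state(b'{"page":"dashboard"}', key)
    print("valid field   :", verify_state(field, key))
    print("tampered field:", verify_state(tamper(field), key))
    print("wrong key     :", verify_state(field, b"\x01" * 32))
    for severity, message in audit_machine_key(WEAK_WEB_CONFIG):
        print(severity, message)
```

The point the audit makes is that a static key is normal (web farms need it) but becomes the whole security boundary once the server is compromised, which is why rotating machine keys belongs in the response to an incident like the one above, alongside applying the patch.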

 

Cartier, Victoria’s Secret & North Face hit with cyber-attack, Cartier customers personal information exposed

Following the increase in retailer-based cyber-attacks, Cartier, Victoria’s Secret and North Face have all revealed that they too have been subjected to cyber-attacks. This comes a week after German sportswear giant Adidas revealed that it had been breached and some of its customer data exposed through the compromise of a customer service provider.

Luxury fashion brand Cartier has warned its customers of a data breach which exposed customers’ personal information after its systems were compromised. A social media post on X (formerly Twitter) showing the email sent to customers about the breach mentions that “limited client information” had been obtained by the threat actors, and that this did not include passwords, credit card details or other banking information. The email also urges customers to remain vigilant about unsolicited communications they may receive following the breach.

"Given the nature of the data, we recommend that you remain alert for any unsolicited communications or any other suspicious correspondence," the company added.

Cartier says it has informed law enforcement about the incident and is working with an external cyber security company to remediate the breach.

North Face has also warned its customers that their personal information was stolen in a credential stuffing attack targeting the company’s website in April. It told customers: “On April 23, 2025, we discovered unusual activity involving our website, thenorthface.com, which we investigated immediately. Following a careful and prompt investigation, we concluded that an attacker had launched a small-scale credential stuffing attack against our Website on April 23, 2025.”

North Face has also communicated that, based on its investigation, the threat actors obtained email addresses and passwords and may have accessed information stored in users’ website accounts, such as shipping address, first and last name, date of birth and telephone number.

These attacks follow a pattern of rising threats against global retailers, linked to the DragonForce ransomware operation and Scattered Spider threat actors, who have targeted retailers across the UK including Harrods, Co-op, and Marks & Spencer.
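Credential stuffing of the kind North Face describes leaves a recognisable trace in authentication logs: one source trying many different accounts in a short window, with a high failure rate and the occasional success on an account whose password was reused. The Python example below is added here to show that detection logic; it is not code from North Face or Integrity360. The log format, the sample lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds (five distinct accounts in five minutes, 80% failures) are all constructed for the example and would be tuned to a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed log format: "<ISO timestamp> ip=<addr> user=<account> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one login event; lines that do not match the format are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(
    lines,
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> dict:
    """Return {source_ip: summary} for sources whose login attempts within a
    sliding time window span many distinct accounts and are mostly failures.
    Unlike a simple per-account lockout counter, this keys on the source, so a
    few attempts per account across hundreds of accounts is still visible."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            if len(users) >= min_distinct_users and fails / len(win) >= min_fail_ratio:
                # Keep the latest (largest) flagged window for this source.
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # Accounts the source ever logged into: takeover candidates to
                    # reset and notify, as North Face did for affected customers.
                    "accounts_logged_in": sorted(
                        {e["user"] for e in evs if e["result"] == "OK"}
                    ),
                }
    return alerts


# Constructed sample log: one stuffing source, one normal user who mistyped a
# password once, and one source that stays below the thresholds.
SAMPLE_LOG = """\
2025-04-23T10:00:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2025-04-23T10:00:20Z ip=198.51.100.7 user=alice@example.com result=OK
2025-04-23T10:01:00Z ip=203.0.113.5 user=u1@example.com result=FAIL
2025-04-23T10:01:05Z ip=203.0.113.5 user=u2@example.com result=FAIL
2025-04-23T10:01:10Z ip=203.0.113.5 user=u3@example.com result=FAIL
2025-04-23T10:01:15Z ip=203.0.113.5 user=bob@example.com result=OK
2025-04-23T10:01:20Z ip=203.0.113.5 user=u4@example.com result=FAIL
2025-04-23T10:01:25Z ip=203.0.113.5 user=u5@example.com result=FAIL
2025-04-23T10:01:30Z ip=203.0.113.5 user=u6@example.com result=FAIL
2025-04-23T10:02:00Z ip=192.0.2.9 user=carol@example.com result=FAIL
2025-04-23T10:02:10Z ip=192.0.2.9 user=dave@example.com result=FAIL
2025-04-23T10:02:20Z ip=192.0.2.9 user=carol@example.com result=OK
"""

if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

In production the same logic would run over the identity provider's or web server's authentication logs, and the `accounts_logged_in` list is the set to force a password reset on, since a success from a stuffing source means that password is already known to the attacker.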

 

Interlock Ransomware gang behind Kettering Health Data breach, gang claims alleged 941GB of Data

The non-profit organisation Kettering Health, which operates 14 medical centres in Ohio, was forced to cancel and reschedule all patient procedures following a cyberattack which caused a system-wide outage. The outage began on 20th May 2025 at 10:37, and 13 minutes later the organisation confirmed that it was experiencing a cyber attack resulting from unauthorised access to its network. CEO Mike Gentry released a statement on 23rd May 2025 saying: “Patient appointments where IT applications are a necessary part of care plans are being rescheduled. In healthcare, these events often range from 10 to 20 days in duration.”
Two weeks on from the incident, the Interlock ransomware gang has claimed responsibility for the cyber attack on the Kettering Health network, publishing samples of data it allegedly stole from the breached systems. The group claims to have stolen 941 GB of data, including over 20,000 folders containing 732,489 documents with sensitive information.
The allegedly stolen data includes bank statements, payroll records and patient records, including patients’ passports.
Since the incident Kettering Health has brought the core components of its Epic electronic health record (EHR) system back online, which marks a significant step forward in its system-wide restoration.
Interlock is a relatively new ransomware gang, first observed in September 2024, known for double extortion campaigns and big game hunting, meaning it targets high-earning organisations across industries. So far in 2025 Interlock has claimed 29 victims on its data leak website.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.