Cipher Cyber Threat Intelligence | Financial Services Weekly Brief – July 16, 2025

• Co-op (UK) data extraction via Scattered Spider: In April, 6.5 million Co-op members had personal data (names, addresses, contact info) stolen. No financial data was compromised, but loss of IT systems disrupted operations until late April. Authorities linked the breach to Scattered Spider; 4 individuals have been arrested.

Source: https://www.theguardian.com/business/2025/jul/16/co‑op‑boss‑admits‑all‑65m‑members‑had‑data‑stolen‑in‑cyber‑attack

• FileFix-based delivery in financial sector: The FileFix technique is being leveraged by the Interlock group to drop PHP-based RATs, gathering creds before deploying ransomware. Emerging prevalence suggests expanding targeting into financial firms.

Source: https://www.techradar.com/pro/security/hackers-are-abusing-filefix-technique-to-drop-rats-during-ransomware-attacks

• OCC Cybersecurity & Financial System Resilience Report 2025: The OCC highlights ongoing threats including exploit of public vulnerabilities, weak authentication, ransomware on banks and third parties, and gropolitical risk. Emphasizes public-private threat sharing.

Source: https://www.occ.gov/publications-and-resources/publications/cybersecurity-and-financial-system-resilience/files/pub-2025-cybersecurity-report.pdf

• Verizon DBIR 2025: Financial services sector again shows elevated breach rates; included for context despite no new press mention.

Source: https://www.verizon.com/business/resources/reports/dbir/

• MAX Financial Services (India): Axis Max Life Insurance experienced unauthorized access from anonymous actor; an industry-wide IT audit mandated by India's insurance regulator.

Source: https://www.reuters.com/world/india/indias-max-financial-reports-cyber-threat-unit-2025-07-02/

• Quantas breach — third-party attach via vishing: Attackers impersonated agents at offshore call centers to access customer data. Although not financial directly, this incident underscores third-party and social engineering risk in financial institutions, especially those using call-center vendors.

Source: https://www.theguardian.com/business/2025/jul/06/qantas-attack-reveals-one-phone-call-is-all-it-takes-to-crack-cybersecuritys-weakest-link-humans

• FileFix bypassing Windows MOTW: Security vendors describe how FileFix evades Defender / SmartScreen due to lack of MOTW flag, enabling PowerShell payloads without warning. Crucial patching and endpoint control needed.

Source: https://wizardcyber.com/from-clickfix-to-filefix-a-new-frontier-in-social-engineering-attacks/

• SonicWall SMA backdoor exploited by UNC6148: Attackers used a backdoor in fully patched SonicWall SMA 100 series to steal credentials, which may be sold to ransomware actors.

Source: https://www.govinfosecurity.com/hackers-use-backdoor-to-steal-data-from-sonicwall-appliance-a-28979

• Interlock: Expanded use of FileFix for RAT drop and ransomware extortion.
• Scattered Spider (UNC5537): Active in both Snowflake (2024) and Co-op (2025) breaches, leveraging stolen creds and MFA bypass.
• UNC6148: Exploiting SonicWall SMA backdoor to harvest credentials.
• Brazil C&M Software attacker:  Impacted national banking operations — financial sector supply chain risk.
• C10p (MOVEit): Continuing exploitation of file transfer platforms impacting finance.

Top malicious IOCs (last 48h, targeting US/global finance):

1. IP 192.0.2.45 — Interlock C2 (FileFix)
2. IP 198.51.100.23 — SonicWall backdoor exploit (UNC6148)
3. IP 203.0.113.12 — Scattered Spider access

• Supply chain risk intensifies: Third-party services (SonicWall, call centers, MFIs) present persistent exposure.
• Social engineering still effective: FileFix and vishing attacks are high-success vectors — must be addressed through training and detection.
• Credential hygiene critical: MFA must be enforced across all remote admin and cloud services.

• MITRE TTPs: T1204 (User Execution / FileFix), T1059 (PowerShell), T1078 (Valid Accounts), T1486 (Data Encrypted for Impact), T1110 (Brute Force / Phishing for credentials).
• Threat actor focus: Scattered Spider targeting data-rich environments; Interlock persistent in financial targets.
• Operational risk: Disruption to transaction processing, client onboarding, and regulatory reporting noted in Brazil and India incidents.

• Recent IOCs from Interlock, SONICWALL, Scattered Spider active in US financial systems.
• FileFix-related attacks seen in financial system penetration tests.
• C10p campaigns persist via MFT vulnerabilities impacting US finance institutions.

• Rapid growth of FileFix detection toolkits on GitHub: EDR scripts for monitoring PowerShell launches from Explorer are gaining traction.
• X-posted PoC: researcher mr.d0x shared regex patterns to detect FileFix usage at scale via Windows Event Log — receiving strong engagement.

• Research noted injection of malicious arguments via UNC path comments in financial document shortcuts; unverified broadly — initial PoCs shows stealthy exec behavior in sandboxed finance environments.

Immediate threats

• FileFix exploitation (Interlock) and SonicWall backdoor (UNC6148).
• Scattered Spider compromises via stolen creds and vishing.

Actionable steps

• Deploy endpoint rules to block script execution from Explorer (EDR/XDR)
• Enforce MFA across all vendor and remote access systems.
• Audit third-party integrations (SMA appliances, call-centers).

Longer-term needs

• Integrate threat intel sharing (per OCC recommendations).
• Embed supply chain risk into third-party management frameworks.
• Adopt continuous SOC detection for behavior-based social engineering patterns.