What to look out for today
Three themes worth flagging to staff and suppliers today:
- Data-theft extortion (even without ransomware): organisations are being pressured to pay to stop stolen files being leaked.
- Malicious browser extensions and developer packages: attackers are publishing (and sometimes sneaking into) popular ecosystems to steal credentials and data.
- “Hidden” weaknesses in embedded devices: common components used inside cameras and other hardware may carry unpatched issues that are hard for end users to see or fix quickly.
Why this matters to smaller businesses
- Extortion risk isn’t just “we got encrypted” anymore: even if your systems keep running, stolen HR/finance/customer files can still trigger payment pressure, GDPR concerns, and reputational damage.
- Charities, schools, and professional services are attractive targets: you often hold sensitive personal data and can’t tolerate disruption.
- Supply-chain risk is real for SMEs: a single staff member installing a browser extension, or a supplier using compromised code packages, can create a foothold.
- IoT/embedded kit is everywhere: CCTV, access control, industrial controllers, and even specialist devices can become a backdoor if firmware is outdated or unsupported.
Warning signs
- Emails/calls claiming: “We have your files; pay to stop publication”, sometimes including screenshots or samples.
- Sudden account lockouts or unusual multi-factor authentication prompts staff didn’t initiate.
- Staff reporting a new browser extension “to help with PDF/AI/CRM/email” or requests to install developer tools they don’t normally use.
- Unusual outbound traffic from devices that aren’t PCs (e.g., CCTV recorder, access control box) or repeated login attempts to device admin pages.
- Supplier messages that feel urgent around access: “We need you to add this plugin / run this installer / approve this new app connection.”
How attackers may exploit the situation
- Extortion-only operations: attackers steal data (often via stolen credentials) and threaten to leak it, even if they never deploy ransomware.
- Malicious packages/extensions: attackers publish lookalike tools or compromise maintainer accounts so the “trusted” download becomes the trap.
- Embedded device blind spots: weaknesses in widely used device components can persist because firmware updates are slow, unclear, or not applied—leaving devices exposed for long periods.
What to do today
- Remind staff: don’t install browser extensions or “quick helper” software without approval (especially anything promising AI, productivity, document conversion, or account recovery).
- Check your most sensitive data stores: confirm who has access to shared drives, SharePoint/Google Drive folders, HR/payroll exports, and finance documents.
- Review MFA and admin access: ensure MFA is on for email, cloud storage, and admin accounts; remove old admin accounts and shared logins.
- Validate backups and recovery: make sure you can restore key file shares and cloud data, and that backup access is protected separately from everyday logins.
- Take an IoT inventory: list CCTV/NVRs, door entry systems, printers, NAS boxes and any “appliance” on your network; identify who supports each device and when it was last updated.
Ask your IT provider
- What monitoring do we have for data theft indicators (unusual downloads, mass file access, suspicious logins) in Microsoft 365/Google and file storage?
- Do we have an approved extensions/software list, and can we block unapproved browser extensions where possible?
- How do we manage firmware updates for CCTV/NVRs, door access, printers and other embedded devices—and which are currently out of support?
- If we receive an extortion email claiming they stole data, what is our incident process (preservation of evidence, account resets, comms, legal/regulatory triage)?
Patch watch - only one short paragraph, and only if relevant
One story highlights security issues in a common filesystem component used inside many embedded devices. For SMEs, the practical takeaway isn’t chasing technical details—it's ensuring you know which devices you run, who patches them, and whether they’re still supported. If your CCTV/access control/other appliances rarely receive updates, treat them as higher-risk and segregate them on the network where possible.
One action today
Send a same-day staff note: “Do not install browser extensions or ‘helper’ apps without approval; report any extortion emails or unexpected MFA prompts immediately.”
Related Actions On Cyber resource
Actions On Cyber: SME Phishing & Supplier Change Verification Checklist (payment/access requests)
Sources
- U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case (The Hacker News)
- North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign (The Hacker News)
- Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.