MITRE ATT&CK SME Edition ● Live

MITRE-Lite Threat Dashboard

The full MITRE ATT&CK framework covers thousands of attack techniques used by nation-states and sophisticated criminal groups. This dashboard cuts it down to the techniques that are actually being used against UK SMEs and financial services firms — right now — in plain English.

█ Last updated: 23 June 2026  ·  Week 26 / 2026

NCSC feed: current CISA KEV: current Actor profiles: weekly review

Refreshed every Monday. Next update: 30 June 2026.

Active Threat Actors Targeting UK Financial Services

7
Active Threat Actor Groups
Confirmed targeting UK fin. services SMEs
14
Techniques in Active Use
From SME-relevant ATT&CK subset
1
New Techniques This Week
Credential stuffing at scale — Fortinet/FortiGate perimeter devices
1
CISA KEV Entries
SME-relevant — Cisco Catalyst SD-WAN file overwrite vulnerability
What is MITRE ATT&CK? It's a publicly-maintained library of every known attack technique used by criminal groups and state-sponsored hackers — think of it as a documented playbook of everything attackers try. This dashboard filters it down to the techniques that realistically threaten businesses like yours: small financial services firms, insurance brokers, and professional services companies in the UK.
Actor / Group Origin Primary Method Active Techniques (ATT&CK IDs) SME Risk
Scattered Spider
aka UNC3944, Octo Tempest
CYBERCRIME SIM-swapping and social engineering to bypass MFA; targets IT helpdesks to gain access. T1078 T1566.001 T1621 HIGH
ALPHV / BlackCat
Ransomware-as-a-Service group
CYBERCRIME Ransomware deployment following stolen credentials and VPN exploitation. Known to target professional services firms. T1486 T1190 T1657 HIGH
APT29 / Cozy Bear
SVR, Russian Foreign Intelligence
RUSSIA / STATE Spearphishing and supply chain compromise. Primarily targets government and finance. Sophisticated, long-dwell operations. T1566.002 T1195 T1071.001 MEDIUM
APT40 / BRONZE MOHAWK
Chinese MSS-linked group
CHINA / STATE Exploitation of internet-facing services and VPNs. Actively targeting financial data and intellectual property. T1190 T1133 T1041 MEDIUM
MuddyWater
STATIC KITTEN, Iranian MOIS
IRAN / STATE Phishing and exploitation of web frameworks (Laravel, Zimbra). Targeting professional services and finance for espionage. T1566.001 T1190 T1059 MEDIUM
LockBit 3.0 Affiliates
Ransomware-as-a-Service network
CYBERCRIME Access brokers sell network entry to affiliates who then deploy LockBit ransomware. SMEs frequently targeted as easier entry points. T1486 T1078 T1083 HIGH
TA4903 (BEC Specialists)
Business Email Compromise group
CYBERCRIME Impersonation of senior staff, solicitors, and payment processors to redirect bank transfers. Primary threat vector for insurance brokers. T1566.002 T1534 T1078 HIGH

How Much of This Does GET-IT Cover?

9
Techniques Covered
GET-IT stack addresses these directly
64%
Coverage Rate
Of the 14 active techniques this week — unchanged
5
Uncovered Techniques
Honest gap — not covered by current stack
Partial
Exfiltration Coverage
Monitoring detects data movement; cannot always block it
We show you the gaps honestly. No security provider covers everything. The 5 uncovered techniques below include areas where mitigations depend on human behaviour (staff training) or third-party dependencies (your cloud provider, your line-of-business software vendor). We flag them so you know what to ask about — and so you can factor them into cyber insurance conversations.

Coverage by Tactic

Initial Access
75% 3 of 4 techs
Execution
80% 4 of 5 techs
Persistence
67% 2 of 3 techs
Lateral Movement
50% 1 of 2 techs
Exfiltration
33% 1 of 3 techs
Impact
100% 3 of 3 techs
Exfiltration gap — what this means for your insurance: If an attacker reaches your data and moves it slowly out via legitimate cloud services (Microsoft OneDrive, SharePoint, or email), detection requires behavioural monitoring that goes beyond standard endpoint protection. Many cyber insurance policies include data exfiltration in their coverage — but only where you can demonstrate attempted prevention. Speak to us if this concerns you.

Techniques in Use Against UK SMEs This Week

T1566.001 · T1566.002
Phishing — Email & Link-based
Attackers send fake emails pretending to be HMRC, your bank, a solicitor, or a trusted supplier. The email contains a malicious attachment or a link to a fake login page designed to steal your password.
T1190
Exploit Public-Facing Application
Attackers search for unpatched software on your internet-facing systems — VPNs, firewalls, web apps — and exploit known security holes to get in. This is the entry point for many ransomware campaigns. This week: Palo Alto PAN-OS VPN bypass (CVE-2026-0257) confirmed actively exploited.
T1078
Valid Accounts (Stolen Credentials)
An attacker who has obtained a username and password (from a previous breach, phishing, or the dark web) simply logs in using legitimate credentials. No hacking required — they look like a real user.
T1059
Command-Line Scripting (PowerShell / cmd)
Once inside, attackers use built-in Windows tools (PowerShell, command prompt) to run malicious commands without installing suspicious software. This makes them harder to detect because they're using your own tools against you.
T1621
MFA Fatigue Attack
An attacker who has your password sends dozens of multi-factor authentication (MFA) push notifications to your phone, hoping you'll accidentally approve one — or approve it just to make the alerts stop. This bypasses MFA entirely.
T1598.003
Messaging App Targeting (Spearphishing via Service)
Attackers harvest WhatsApp, Signal, and LinkedIn accounts of senior staff to build social engineering profiles — then impersonate trusted contacts to extract credentials or authorise fraudulent payments. NCSC issued a specific warning this week.
T1133
External Remote Services (VPN Abuse)
Attackers exploit or abuse your VPN, remote desktop (RDP), or remote access tools to maintain persistent access — often long after the initial breach is discovered. They effectively install a back door.
T1534
Internal Spearphishing
Having compromised one email account, attackers use it to send convincing phishing emails to other staff internally. A message appearing to come from your MD or finance director asking to approve an urgent payment.
T1041 · T1567
Data Exfiltration via Cloud Services
Attackers copy your files out through legitimate cloud services — SharePoint, OneDrive, Dropbox, Google Drive — because this traffic looks normal to most security tools. Data is gone before anyone notices.
T1486
Data Encryption for Ransom
The final step in most ransomware attacks — all your files are encrypted and you're locked out of your own systems. A ransom demand follows. UK SMEs paid an average of £47,000 per incident in 2025, with recovery taking 3–4 weeks.
T1657
Financial Theft (Business Email Compromise)
An attacker with access to a business email account monitors payment conversations and intercepts at the right moment — substituting their own bank account details. The #1 financial loss vector for UK insurance brokers and professional services firms.

Current Risk Status for UK Financial Services SMEs

█ THREAT LEVEL: HIGH

NCSC-Confirmed Active Campaign — Fortinet Firewalls and VPN Gateways

NCSC issued a specific alert on 18 June 2026 following the global FortiBleed credential harvesting campaign targeting Fortinet FortiGate firewalls and SSL VPN gateways. An estimated 73,932 Fortinet instances across 194 countries have had administrator credentials exposed — many of which remain valid. This is an active, ongoing campaign using credential stuffing, hash cracking, and automated scanning rather than a new zero-day vulnerability. Organisations using Fortinet perimeter equipment should treat this as a priority action item this week, not a scheduled maintenance task. RAG status raised to HIGH for this edition.

► Highest Severity Active Technique — Week 26 / 2026

Credential Stuffing / Valid Account Abuse (T1078) — FortiBleed: 73,932 Fortinet Instances Compromised

NCSC issued a formal alert on 18 June 2026 confirming active global targeting of Fortinet FortiGate firewalls and SSL VPN gateways. The "FortiBleed" dataset contains administrator credentials for approximately 73,932 Fortinet instances across 194 countries — with security researchers estimating this represents roughly half of all internet-facing FortiGate devices discoverable via Shodan. Critically, many of these credentials are believed to remain valid. The attack method is not a new zero-day: attackers are using credential stuffing from prior breach databases, infostealer logs, and interception of SSL VPN authentication hashes from active sessions — which are then cracked offline using GPU clusters. Fortinet migrated to PBKDF2 password hashing in newer FortiOS releases, but documentation confirms that existing passwords retain the older SHA-256 format until users log in post-upgrade or explicitly reset credentials. This means patched systems are not necessarily safe if passwords have not been rotated. The NCSC CEO separately confirmed this week that hostile states are linked to three-quarters of cyber attacks affecting UK critical systems — and that Russian state activity against UK targets is increasing. The Cisco Catalyst SD-WAN directory traversal vulnerability (CVE-2026-20262) added to CISA KEV this week provides a secondary attack vector for network infrastructure compromise.

🔒
█ Ransomware Activity Indicator

ACTIVE — LockBit 3.0 Affiliates and ALPHV/BlackCat Successors Operational

Both ransomware-as-a-service ecosystems remain active with affiliate networks continuing to acquire access from initial access brokers. UK professional services firms make up approximately 18% of confirmed UK ransomware victims in Q1 2026 (NCSC data). Offline backups, patching cadence, and tested recovery plans are the three most effective mitigations at this level.

Live Source Summary

■ NCSC UK Alerts
3
Three NCSC advisories this week. Key alert: formal NCSC warning on global targeting of Fortinet firewalls and VPN gateways (18 June 2026). NCSC CEO confirmed hostile states linked to three-quarters of attacks on UK critical systems. Vibe coding / AI-assisted development guidance also published.
Latest: 18 June 2026  →  NCSC Fortinet Alert →
■ CISA KEV Entries (SME-Relevant)
1
Cisco Catalyst SD-WAN Manager directory traversal (CVE-2026-20262) — authenticated remote attacker can create or overwrite any file on the filesystem. Supporting entries: Splunk Enterprise, Joomla Content Editor, LiteSpeed cPanel Plugin.
Latest: 18 June 2026  →  View CISA KEV →
■ Top Sector Affected This Week
Finance & Professional Services
FortiBleed affects organisations across all sectors including finance and professional services. Named victims include major enterprises and public sector entities across 194 countries. Credential reuse into AD/RADIUS/VPN makes lateral movement a primary post-compromise risk for regulated firms.
No new FCA items this week  →  FCA ScamSmart →
Full Advisory Detail
For full advisory detail, vulnerability write-ups, and CISA KEV entries see the Threat Advisory page →
Has Your Email Been Breached?
Check whether your business email appears in known breach databases — Free check →

Does Your Security Stack Cover These Techniques?

64% coverage of active techniques is a starting point. If you'd like to understand exactly where your gaps are — and what it would cost to close them — book a resilience scan.

Book a Resilience Scan →

Intelligence sourced from NCSC UK, the CISA Known Exploited Vulnerabilities Catalog, FCA ScamSmart, and the MITRE ATT&CK framework (licensed under CC BY 4.0). Technique descriptions are plain-English interpretations for SME audiences and are not verbatim reproductions of MITRE documentation. Coverage assessments reflect the GET-IT stack as configured for a typical SME client — actual coverage depends on your specific environment. This dashboard is updated weekly; data may not reflect events in the 24–48 hours prior to the last refresh date. GET-IT Solutions Ltd is not responsible for inaccuracies in third-party source data.