Alright team, it's been a pretty packed 24 hours in the cyber world! We've got a flurry of supply chain breaches, some critical zero-days, new nation-state malware, and a few reminders about basic security hygiene. Let's dive in:
Recent Cyber Attacks & Breaches
- Luxury car manufacturer JLR has confirmed a cyber incident "severely disrupted" its global IT systems, impacting both production and retail operations.
- The company proactively shut down systems to contain the impact; no evidence of customer data theft has been reported yet, but the shutdown caused significant operational downtime.
- This follows a trend of UK companies facing cyber incidents, highlighting the need for robust incident response and resilience planning.
The Record | https://therecord.media/jaguar-land-rover-disruption-cyber-incident
Bleeping Computer | https://www.bleepingcomputer.com/news/security/jaguar-land-rover-says-cyberattack-severely-disrupted-production/
Pennsylvania AG Office Ransomware Attack
- The Office of the Pennsylvania Attorney General confirmed a ransomware attack caused a two-week service outage, with the office refusing to pay the ransom.
- While systems are being restored, the incident led to court extensions for cases, though criminal prosecutions are not expected to be impacted.
- This marks the third ransomware attack on a Pennsylvania state entity, underscoring the persistent threat to government services and the importance of robust backups and recovery plans.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/pennsylvania-ag-office-says-ransomware-attack-behind-recent-outage/
The Record | https://therecord.media/pennsylvania-attorney-general-office-ransomware-attack-recovery
Salesloft Drift Supply Chain Attacks Continue
- Palo Alto Networks, Zscaler, and Cloudflare are the latest victims in the ongoing Salesloft Drift supply chain attacks, where stolen OAuth tokens from Drift's Salesforce integration led to data exfiltration.
- Attackers gained access to Salesforce instances, primarily exfiltrating customer business contact information, company attributes, and basic support case details, with Cloudflare specifically warning about potential exposure of API tokens and sensitive info shared in support tickets.
- Organisations using Drift integrations should immediately revoke and rotate all associated OAuth tokens and API keys, and meticulously audit Salesforce login histories and API access logs from early August for suspicious activity.
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/02/stolen_oauth_tokens_expose_palo/
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/02/zscaler_customer_data_drift_compromise/
Bleeping Computer | https://www.bleepingcomputer.com/news/security/cloudflare-hit-by-data-breach-in-salesloft-drift-supply-chain-attack/
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/02/cloudflare_salesloft_drift_breach/
Europe Blames Russia for GPS Jamming
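As an added example that is not part of the original digest, the following Python sketch applies the audit step above to a Salesforce LoginHistory CSV export: it flags logins by the Drift connected app from source IPs the app never used before early August. The connected-app label, user IDs and IP addresses are constructed assumptions.

```python
"""Flag a connected app logging in from previously unseen IPs (Salesforce LoginHistory).

Added example, not from the original post. Assumes a CSV export with the LoginHistory
fields LoginTime, UserId, SourceIp, Application, Status; app name, user IDs and IPs are constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export: two pre-August baseline logins, then the audit window.
SAMPLE_CSV = """LoginTime,UserId,SourceIp,Application,Status
2025-07-10T08:02:11.000Z,005A1,203.0.113.10,Salesloft Drift,Success
2025-07-24T09:15:42.000Z,005A1,203.0.113.10,Salesloft Drift,Success
2025-08-09T02:41:05.000Z,005A1,198.51.100.77,Salesloft Drift,Success
2025-08-09T02:43:19.000Z,005A1,198.51.100.77,Salesloft Drift,Success
2025-08-12T14:20:00.000Z,005B2,203.0.113.10,Salesloft Drift,Success
2025-08-15T11:05:30.000Z,005B2,192.0.2.55,Browser,Success
"""

AUDIT_START = datetime(2025, 8, 1, tzinfo=timezone.utc)  # "from early August"
APP_NAME = "Salesloft Drift"  # assumed connected-app label in the export


def find_new_source_ips(csv_text, app_name=APP_NAME, audit_start=AUDIT_START):
    """Return {ip: login_count} for successful `app_name` logins in the audit
    window whose source IP never appeared for that app before the window.

    A stolen integration token is still presented as the connected app, so the
    tell is the app authenticating from infrastructure it has not used before.
    """
    baseline_ips, audit_rows = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Application"] != app_name or row["Status"] != "Success":
            continue  # other apps and failed attempts are out of scope here
        # LoginTime is ISO 8601 with a trailing Z, which fromisoformat needs as +00:00
        when = datetime.fromisoformat(row["LoginTime"].replace("Z", "+00:00"))
        if when < audit_start:
            baseline_ips.add(row["SourceIp"])
        else:
            audit_rows.append(row)
    findings = {}
    for row in audit_rows:
        if row["SourceIp"] not in baseline_ips:
            findings[row["SourceIp"]] = findings.get(row["SourceIp"], 0) + 1
    return findings


if __name__ == "__main__":
    for ip, count in find_new_source_ips(SAMPLE_CSV).items():
        print(f"review: {APP_NAME} logged in {count}x from previously unseen IP {ip}")
```

A real export is larger and the baseline should span several months; the same comparison can be run per UserId to catch the app acting for accounts it never served before.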
- A plane carrying European Commission president Ursula von der Leyen was forced to use manual navigation after GPS jamming, which Bulgarian authorities and the EC attribute to Russia.
- This incident highlights a growing trend of GPS interference, particularly on Europe's Eastern flank, impacting air, maritime, and transport economies.
- The EU is working on an action plan to mitigate future attacks, including increasing low Earth orbit satellites and enhancing interference detection, but these are long-term solutions.
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/02/eu_gps_jamming_russia_response/
New Threat Research
Lazarus Group Expands Malware Arsenal
- North Korea's Lazarus Group is deploying three new cross-platform RATs (PondRAT, ThemeForestRAT, and RemotePE) in social engineering campaigns targeting the DeFi sector.
- The attack chain involves impersonating employees, using fake meeting sites, and deploying a loader (PerfhLoader) for initial access, potentially leveraging a Chrome zero-day.
- PondRAT is a basic RAT for file operations and shellcode, ThemeForestRAT offers more functionality and stealth, while RemotePE is a sophisticated RAT reserved for high-value targets, showcasing the group's evolving tradecraft.
The Hacker News | https://thehackernews.com/2025/09/lazarus-group-expands-malware-arsenal.html
Ukrainian Network FDN3 Launches Brute-Force Campaigns
- A Ukrainian IP network, FDN3 (AS211736), along with associated networks (VAIZ-AS, ERISHENNYA-ASN, TK-NET), has been flagged for massive brute-force and password spraying attacks on SSL VPN and RDP devices.
- These networks frequently exchange IPv4 prefixes to evade blocklisting and are linked to bulletproof hosting services, including those associated with Ecatel's owners and Russian company Alex Host LLC.
- The activity, peaking in July 2025, highlights the use of such infrastructure by RaaS groups for initial access, urging defenders to secure RDP and SSL VPN endpoints against common credential attacks.
The Hacker News | https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.html
Vulnerabilities & Exploitation
WhatsApp & Apple Zero-Day Under Attack
- WhatsApp and Apple have patched a zero-day vulnerability (CVE-2025-55177 in WhatsApp, CVE-2025-43300 in Apple OS) believed to be used in highly targeted, sophisticated attacks.
- The WhatsApp flaw involved "incomplete authorization of linked device synchronization messages," which could trigger content processing from arbitrary URLs.
- Apple's CVE-2025-43300 was an "out-of-bounds write issue" affecting iOS, iPadOS, and macOS, with both companies confirming active exploitation against specific individuals. Update your devices immediately!
The Record | https://therecord.media/whatsapp-apple-zero-day-targeted-attacks
Frostbyte10 Bugs in Copeland Controllers
- Ten vulnerabilities, dubbed Frostbyte10, have been discovered in Copeland E2 and E3 controllers, used in thousands of refrigeration systems at major grocery chains and cold storage facilities.
- Three critical bugs could allow unauthenticated remote code execution with root privileges, potentially enabling manipulation of temperatures, food spoilage, and supply chain disruption.
- Copeland has issued firmware updates (E3 version 2.31F01) to fix these flaws, and CISA is urging immediate patching, especially for E2 controllers which are end-of-life.
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/02/frostbyte10_copeland_controller_bugs/
Exposed Ollama Servers Pose AI Risk
- Cisco Talos researchers found over 1,100 Ollama servers, used for running large language models locally, exposed to the public internet, with 20% actively hosting models susceptible to unauthorised access.
- These exposed servers could be exploited for resource exhaustion, denial of service, lateral movement, or even unauthorised model uploads and configuration manipulation.
- The findings highlight a widespread neglect of fundamental security practices in AI system deployments, urging better access control, authentication, and network isolation.
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/02/exposed_ollama_servers_insecure_research/
Data Privacy
Disney Fined $10M for Children's Data Collection
- Disney has agreed to pay $10 million to settle FTC allegations that it unlawfully collected personal data from children watching YouTube videos without parental consent.
- The company allegedly failed to label a "significant number" of its YouTube videos as "Made for Kids," allowing targeted advertising based on collected data, violating the COPPA Rule.
- The settlement mandates changes to Disney's video designation practices and pushes YouTube to implement age assurance technologies, reinforcing the importance of child online privacy.
The Record | https://therecord.media/disney-settles-with-ftc-millions/
Regulatory & Oversight
Commercial Surveillanceware Industry Thrives Amidst Weak Oversight
- The commercial surveillanceware industry is experiencing significant growth and rising prices, with vendors charging millions for hacking services, despite government protestations and sanctions.
- Governments and companies are widely abusing these tools, targeting activists, journalists, and political figures, and there's evidence of surveillanceware techniques bleeding into criminal malware.
- The lack of effective political and regulatory safeguards, coupled with vendors' adeptness at covering tracks through corporate renamings and shell firms, leaves targets more exposed than ever.
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/02/commercial_surveillanceware_safe/
Government Staffing & Programs
Nicholas Andersen Appointed CISA Cybersecurity EAD
- Nicholas Andersen has been appointed as the Executive Assistant Director for Cybersecurity at CISA, a key leadership role focused on protecting federal civilian agency networks and critical infrastructure.
- Andersen, a veteran of the first Trump administration, previously served at the Department of Energy and most recently as President and COO of Invictus International Consulting.
- His appointment comes amidst significant changes at CISA, including job cuts and funding reductions, with Andersen previously advocating for streamlining the agency.
CyberScoop | https://cyberscoop.com/cisa-nicholas-andersen-executive-assistant-director-of-cybersecurity/
The Record | https://therecord.media/andersen-leadership-cisa-role
Moscow Hires Former School System Hackers
- Moscow authorities have reportedly hired "three or four young people" who previously successfully hacked the capital's digital education platform, Moscow Electronic School (MES).
- These individuals are now working on the educational platform and other city services, a move that is not unprecedented in Russia, where the FSB has also appointed former hackers.
- This practice raises questions about the ethics and implications of governments recruiting individuals with a history of cybercrime, potentially normalising such activities.
The Record | https://therecord.media/moscow-hires-hackers-breached-education/
Everything Else
Varonis Acquires AI Email Security Firm SlashNext
- Varonis has acquired SlashNext, an AI-driven email security company, for up to $150 million, integrating its data-centric security with SlashNext's phishing and social engineering detection.
- SlashNext's technology uses predictive AI models, computer vision, and natural language processing to block threats across email and collaboration platforms like Slack and Microsoft Teams.
- This acquisition reflects the increasing role of AI in both cyber attacks and defence, aiming to enhance real-time data threat detection and incident response capabilities.
CyberScoop | https://cyberscoop.com/varonis-slashnext-acquisition-ai-email-security/
Google Debunks Widespread Gmail Password Reset Rumours
- Google has clarified that it did not issue a broad warning for all 2.5 billion Gmail users to reset their passwords, debunking widely reported misinformation.
- The company stated that claims of a major Gmail security issue are "entirely false" and that Gmail's security defences block over 99.9% of phishing and malware attacks.
- This incident highlights the prevalence of unverified cybersecurity stories and the importance of relying on official sources for accurate information.
Bleeping Computer | https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-billion-gmail-users-to-reset-passwords/
#CyberSecurity #ThreatIntelligence #Ransomware #SupplyChainAttack #ZeroDay #Vulnerability #APT #LazarusGroup #DataBreach #InfoSec #AI #DataPrivacy #GovernmentCyber #GPSJamming #IncidentResponse