CVE-2023-51767: a bogus CVE in OpenSSH

https://seclists.org/oss-sec/2025/q3/175

Interesting (and civil!) discussion on #Rowhammer
oss-sec: CVE-2023-51767: a bogus CVE in OpenSSH

New Phoenix Attack bypasses Rowhammer Defenses in DDR5 Memory.

A team of researchers in the Computer Security Group [COMSEC] at ETH Zurich University in Switzerland and Google created a new DDR5 Rowhammer attack they call Phoenix, which can flip bits in memory chips to enable malicious activity.

https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf

#phoenix #rowhammer #ddr5 #memory #attack #it #security #privacy #engineer #media #tech #news

Security Week 2539: an effective Rowhammer attack on DDR5 memory modules

Researchers from the Swiss Federal Institute of Technology in Zurich have published a scientific paper in which they demonstrated an effective Rowhammer-type attack on DDR5 memory modules. The Rowhammer attack was first proposed in 2014. Back then the researchers exploited the physical properties of DRAM chips: it turned out that the value in a particular cell can be changed by repeatedly accessing neighboring rows of cells. At that time the research was conducted on DDR3 memory modules, but it later became clear that the attack is also relevant for DDR4. Since Rowhammer attacks exploit fundamental principles of how memory chips work, special countermeasures were developed. A technology known as Target Row Refresh forcibly refreshes the contents of cells if it notices repeated accesses to neighboring rows, which makes carrying out the attack considerably harder. As a result, DDR5 memory modules were considered protected against Rowhammer from the moment they went on sale in 2020 right up until 2024, when another ETH Zurich study showed that it was possible to force a change of value in the cells. But that attack was actually successful against only one of the ten memory modules studied. The new Phoenix attack worked on all 15 modules tested, and in addition the researchers showed several variants of practical attacks using this vulnerability.

https://habr.com/ru/companies/kaspersky/articles/949356/

#иб #rowhammer #phoenix #ddr5

@lunkw1ll presented our paper with the title "Epistemology of Rowhammer Attacks: Threats to Rowhammer Research Validity" at #ESORICS25. The problem that we see there is the lack of real-world #Rowhammer attacks, which contradicts the number of Rowhammer publications from academia. For more info, you will find a pre-print of our paper here: https://florian.adamsky.it/research/publications/2025/2025-Epistemology_of_Rowhammer_Attacks_preprint.pdf
The first one is titled "Epistemology of Rowhammer Attacks: Threats to Rowhammer Research Validity," in which we analyze 32 offensive Rowhammer research papers and found six threats to the validity and relevance of #Rowhammer research results, and give multiple examples. The second one is titled "Verifying DRAM Addressing in Software," in which we show a novel method to reliably verify DRAM addressing functions and function components entirely in software.
I am packing for my trip tomorrow to Toulouse for 30th European Symposium on Research in Computer Security (#ESORICS25). We are presenting two papers there about our #Rowhammer research—another great collaboration with @lavados and his team.
New Phoenix attack bypasses Rowhammer defenses in DDR5 memory

Academic researchers have devised a new variant of Rowhammer attacks that bypass the latest protection mechanisms on DDR5 memory chips from SK Hynix.

BleepingComputer

It's been a packed 24 hours in the cyber world, with major disruptions to phishing operations, nation-state actors leveraging AI, significant breaches impacting critical infrastructure and financial services, and a notable resentencing in a high-profile cybercrime case. Let's dive in:

Recent Cyber Attacks and Breaches 🚨

- UK telco Colt Technology Services is still reeling from an August cyberattack, with recovery efforts now expected to stretch into late November. The Warlock ransomware group is claiming responsibility, and the incident is suspected to have originated from SharePoint exploits.
- The Jaguar Land Rover (JLR) cyberattack continues to send "shockwaves" through the UK automotive supply chain, with supplier Autins reporting a 55% share price drop and production halts. This highlights the significant economic security implications of attacks on critical industrial players.
- Venture capital firm Insight Partners has begun notifying over 12,000 individuals about a ransomware breach that occurred in October, with servers encrypted in January. The attack, initiated via a sophisticated social engineering campaign, led to the exfiltration of sensitive personal, banking, and tax information.
- SonicWall has warned customers to reset credentials after a security breach of its MySonicWall.com platform exposed firewall configuration backup files. Threat actors used brute-force attacks to access these files, which contain encrypted passwords and other data that could significantly aid firewall exploitation.
- The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Salesloft Drift OAuth tokens. This extensive data theft, linked to the "Scattered Lapsus$ Hunters" collective, involved scanning source code for secrets and exfiltrating sensitive customer support ticket data.

💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/uk_telco_colts_cyberattack_recovery/
🗞️ The Record | https://therecord.media/jlr-cyber-shockwave-auto-sector
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/vc-giant-insight-partners-warns-thousands-after-ransomware-breach/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-reset-credentials-after-MySonicWall-breach/
🤫 CyberScoop | https://cyberscoop.com/sonicwall-cyberattack-customer-firewall-configurations/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/

Threat Actor Activity and AI in Cybercrime 🕵️

- Microsoft and Cloudflare have successfully disrupted RaccoonO365, a major Phishing-as-a-Service (PhaaS) operation, by seizing 338 domains and associated infrastructure. The financially motivated group, tracked as Storm-2246, stole over 5,000 Microsoft 365 credentials from 94 countries, often preceding malware and ransomware attacks.
- The notorious Scattered Spider group has resurfaced, shifting its focus to the financial sector despite recent claims of "going dark" alongside other cybercrime groups. ReliaQuest observed a targeted intrusion against a US banking organisation, where initial access was gained via social engineering and Azure AD self-service password reset, followed by lateral movement and credential dumping.
- North Korean Kimsuky hackers (APT43) are leveraging OpenAI's ChatGPT to generate deepfake military ID cards for phishing campaigns targeting South Korean defence institutions. This demonstrates a growing trend of nation-state actors using generative AI to create highly convincing forgeries and enhance social engineering tactics.
- The RevengeHotels group is also employing AI to boost its attacks on hotels, primarily in Brazil and Latin America, using phishing emails to deliver the VenomRAT remote access trojan. The use of large language models has enabled the hackers to produce cleaner, more structured malicious code, making their payment card data theft campaigns more effective.

📰 The Hacker News | https://thehackernews.com/2025/09/raccoono365-phishing-network-shut-down.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/microsoft-and-cloudflare-disrupt-massive-raccoono365-phishing-service/
📰 The Hacker News | https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html
💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/scattered_spider_bank_attack/
🗞️ The Record | https://therecord.media/north-korea-kimsuky-hackers-phishing-fake-military-ids-chatgpt
🗞️ The Record | https://therecord.media/hackers-payment-data-guests-steal

New Vulnerability: DDR5 Rowhammer ⚠️

- Researchers from Google and ETH Zurich have discovered a new class of Rowhammer vulnerability, dubbed "Phoenix" (CVE-2025-6202), affecting DDR5 memory modules. This attack, while computationally expensive, can corrupt data in adjacent memory cells, posing a risk to data integrity and potentially enabling privilege escalation.
- The vulnerability stems from repeatedly accessing specific rows of memory cells, which can degrade data in neighbouring cells, a known issue that DDR5 was thought to be more resistant to without additional refresh management commands.
- While AMD has released a BIOS update to protect systems using its processors, the discovery highlights the ongoing challenge of securing modern memory architectures and the need for system builders to implement robust defences like JEDEC's Per-Row Activation Counting (PRAC).

💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/ddr5_dram_rowhammer/

Legal and Regulatory Developments ⚖️

- The founder of BreachForums, Conor Brian Fitzpatrick (Pompompurin), has been resentenced to three years in prison for his role in running the cybercrime forum and possessing child sexual abuse material (CSAM). This follows an appeals court vacating his initial lenient sentence of 17 days time served.
- Fitzpatrick pleaded guilty to access device conspiracy, access device solicitation, and possession of CSAM, and has agreed to forfeit over 100 domain names, electronic devices, and cryptocurrency. The resentencing underscores the severity of his crimes, which involved facilitating the sale of over 14 billion individual records.

📰 The Hacker News | https://thehackernews.com/2025/09/doj-resentences-breachforums-founder-to.html
💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/breachforums_founder_prison/

Data Privacy Win Against Big Tech 🔒

- A California federal judge has rejected Meta's attempt to overturn a jury verdict finding the tech giant liable for illegally obtaining sensitive reproductive health data from millions of women via the Flo period tracking app. The ruling confirms Meta directly acquired user communication content in real-time without proper consent.
- The judge's unusually harsh wording called Meta's attempt to nullify the verdict "improper," reinforcing the significance of this case as one of the first major verdicts on how big tech handles sensitive health data. This could pave the way for further litigation and increased scrutiny of data collection practices.

🗞️ The Record | https://therecord.media/judge-rejects-meta-attempt-overturn-flo-privacy-lawsuit

Linux Arm64 and UEFI Secure Boot 🐧

- The adoption of UEFI Secure Boot for Linux on Arm64 devices presents a more fragmented landscape compared to x86, primarily due to the diversity of Arm chip manufacturers and their firmware implementations. While the UEFI specification is architecture-independent, its practical application varies significantly.
- Many Arm devices rely on the u-boot bootloader, which offers UEFI compliance but requires users to create and deploy their own certificates and keys, unlike the x86 world where Microsoft-signed shims are common.
- While some Linux distributions like Debian, Ubuntu, and SUSE offer out-of-the-box Secure Boot support on Arm with Microsoft keys, others like Fedora and RHEL require manual certificate deployment or disabling Secure Boot initially, highlighting ongoing integration challenges.

💻 The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/17/uefi_secure_boot_for_linux/

#CyberSecurity #ThreatIntelligence #Ransomware #Phishing #AI #NationState #APT #Vulnerability #Rowhammer #DDR5 #DataBreach #IncidentResponse #Cybercrime #Legal #DataPrivacy #Linux #UEFI #InfoSec

UK telco Colt’s recovery from August cyberattack pushes into November

Pentesters confirm key system is safe but core products remain unavailable

The Register
Security researchers have developed a #Rowhammer attack called "Phoenix" that bypasses all DDR5 protection measures. Root access on desktop systems can be obtained in just 109 seconds. #DDR5 #Cybersecurity https://winfuture.de/news,153658.html?utm_source=Mastodon&utm_medium=ManualStatus&utm_campaign=SocialMedia
DDR5 attack: Rowhammer variant bypasses all protection measures

With a new Rowhammer attack, Phoenix, researchers broke through all DDR5 protection measures. In just 109 seconds attackers gain root access on standard desktop systems. SK Hynix modules from 2021 to 2024 were tested.

WinFuture.de

Who has two thumbs and said percussive ram attacks wouldn't go anywhere??

👍🏻 This guy! 👎🏻

https://thehackernews.com/2025/09/phoenix-rowhammer-attack-bypasses.html

#rowhammer #ddr5

Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds

Phoenix RowHammer bypasses DDR5 defenses in 109s, enabling root access and RSA key attacks.

The Hacker News