All news in category "Incidents and Data Breaches"
Tue, September 23, 2025
Jaguar Land Rover Extends Production Pause After Cyberattack
🚗 Jaguar Land Rover has extended a production shutdown until Wednesday 1 October 2025 after a major cyber incident that halted its Solihull, Halewood and Wolverhampton plants. The company said teams are working with cybersecurity specialists, the NCSC and law enforcement while it investigates, and warned the outage has already cost an estimated £120m in profits and £1.7bn in revenue. Unions have called for government-backed support for suppliers facing bankruptcy amid cascading supply-chain risk.
Tue, September 23, 2025
BadIIS SEO-Poisoning Campaign Targets Vietnam Servers
🔍 Palo Alto Networks Unit 42 is tracking an SEO poisoning campaign dubbed Operation Rewrite that employs a native IIS implant called BadIIS. The module inspects User-Agent strings, identifies search engine crawlers, and fetches poisoned content from a remote C2 to inject keywords and links so compromised sites artificially rank for targeted queries. Unit 42 observed multiple tooling variants — lightweight ASP.NET handlers, a managed .NET IIS module, and an all‑in‑one PHP script — and reports a focus on East and Southeast Asia, particularly Vietnam.
Mon, September 22, 2025
Ransomware Attack Disrupts Check-in at Major EU Airports
🛫 Over the weekend several major European airports experienced check-in and boarding disruptions after a ransomware attack on the external vendor Collins Aerospace. Attackers targeted the MUSE multi-airline check-in system, forcing manual processing of thousands of passengers and causing delays and cancellations to more than 100 flights. Airports affected included Heathrow, Brussels and Berlin Brandenburg, with only minor impact reported in Cork and Dublin. Authorities and the vendor are investigating while restoration efforts continue.
Mon, September 22, 2025
AAPB Fixes IDOR Bug That Exposed Restricted Media Files
🔒 A vulnerability in the American Archive of Public Broadcasting allowed protected and private media to be downloaded for years by abusing an IDOR flaw. A simple Tampermonkey script could alter media ID parameters in background fetch/XHR calls and bypass access controls, returning content instead of a '403 Forbidden'. The issue was reported to AAPB, confirmed by a spokesperson, and patched within 48 hours, but the full scope of prior access remains unknown.
Mon, September 22, 2025
Stellantis: Customer Contact Data Stolen in Salesforce Hack
🔒 Stellantis confirmed unauthorized access to a third-party platform supporting its North American customer service operations, and said attackers stole customer contact information. The company stated the compromised system did not contain financial or other sensitive personal data and that it activated incident response procedures and notified authorities. Reports link the incident to a broader wave of Salesforce-related intrusions claimed by ShinyHunters, and customers are being urged to watch for phishing attempts.
Mon, September 22, 2025
Experts Urge Updated Defenses Against Scattered Spider
🔐 Organizations should urgently update defenses to counter the Scattered Spider collective, experts warned at the Gartner Security & Risk Management Summit 2025. The group used social engineering, helpdesk vishing, and push notification fatigue to bypass MFA and abuse SSO, compromising accounts like Okta and stealing tokens from LastPass. Firms are advised to implement stronger identity protections, number-matching MFA, stricter password-reset procedures, and tighter third-party vendor monitoring to reduce exposure.
Mon, September 22, 2025
ComicForm and SectorJ149 Deploy FormBook via Phishing
🔒 Security researchers at F6 disclosed a phishing campaign by a previously undocumented group dubbed ComicForm that has been active since at least April 2025, targeting organizations in Belarus, Kazakhstan, and Russia. The attackers use RAR archives containing Windows executables masquerading as PDFs to deploy an obfuscated .NET loader and a chain of DLLs culminating in the FormBook stealer. The malware creates scheduled tasks and adds Microsoft Defender exclusions, while some phishing sites mimic domestic document services and capture credentials by posting them to attacker-controlled domains.
Mon, September 22, 2025
Fake macOS apps on GitHub spread Atomic (AMOS) malware
⚠️ LastPass warns of a macOS campaign that uses fraudulent GitHub repositories to impersonate popular apps and trick users into running Terminal commands. The fake installers deliver the Atomic (AMOS) info‑stealer via a ClickFix workflow: a curl command decodes a base64 URL and downloads an install.sh payload to /tmp. Attackers rely on SEO and many disposable accounts to evade takedowns and boost search rankings. Users should only install macOS software from official vendor sites and avoid pasting unknown commands into Terminal.
Mon, September 22, 2025
European airports disrupted after Collins MUSE cyberattack
✈️ Collins Aerospace's MUSE check-in platform suffered a cyber-related outage late Friday, forcing airlines and major European airports to revert to manual processes including handwritten tickets, paper boarding passes, laptops and iPads. Brussels was hardest hit with dozens of cancellations; Heathrow and Brandenburg reported delays while operators isolated affected systems. Collins says the disruption is limited to electronic check-in and baggage drop and that manual operations are in place while it works to restore a secure version. Passengers were urged to check flight status and arrive earlier than usual.
Mon, September 22, 2025
SonicWall Advisory After MySonicWall Cloud Backup Incident
🔐 SonicWall released an advisory after identifying unauthorized access to a subset of customer cloud backup preference files stored via the MySonicWall portal. SonicWall’s investigation indicates a threat actor used brute force methods against MySonicWall.com to retrieve preference files that, while containing encrypted credentials, included other device-specific data that could enable access to SonicWall firewall devices. CISA urges customers to log into their accounts to verify exposures and to follow the advisory’s containment and remediation steps immediately.
Mon, September 22, 2025
Leaked Documents Reveal Business of Chinese Surveillance
🔍 Leaked documents reveal how Chinese companies build and sell censorship, surveillance, and propaganda systems, showing that firms such as Geedge work with universities, tailor offerings to different government clients, and even reuse competitors’ infrastructure. The account draws clear parallels with Western vendors that began as academic projects and commercialized via government contracts. These disclosures complicate the image of a purely top-down Great Firewall, highlighting corporate incentives and market dynamics behind tools of control.
Mon, September 22, 2025
Oversized SVG Files Deliver AsyncRAT Across Latin America
🛡️ A recent campaign in Latin America leverages oversized SVG image attachments to deliver AsyncRAT by embedding the entire malicious payload inside the XML. Victims receive convincing, urgent emails impersonating judicial services, and interacting with the >10MB SVG loads a fake portal that triggers a password-protected ZIP download containing an executable and a DLL-sideloaded payload. ESET telemetry highlights a spike in activity, notably affecting Colombia, while attackers appear to use AI to generate unique, randomized SVGs to evade detection.
Mon, September 22, 2025
Cyberattack Disrupts Passenger Processing at Major Airports
🛫 According to Tagesschau, IT service provider Collins Aerospace was hit by a cyberattack on the evening of 19 September, disrupting passenger processing at Berlin (BER), Brussels, Dublin and London Heathrow. Security experts said the incident targeted the multi-tenant environment of the ARINC system that supports check-in, boarding and baggage handling. Affected airports reported partial delays and cancellations while Collins worked to restore services.
Mon, September 22, 2025
FBI Warns of Threat Actors Spoofing IC3 Reporting Website
⚠️ The FBI has issued a public service announcement warning that threat actors are creating spoofed versions of the IC3 cybercrime reporting site to steal personally identifiable information and facilitate fraud. The agency advises typing www.ic3.gov directly, avoiding sponsored search results and mismatched URLs, and never paying anyone claiming to be IC3 staff. Victims should report impersonation attempts to the legitimate IC3 portal and provide full details.
Mon, September 22, 2025
Verified Steam Game Drains Streamer's Crypto Donations
🔴 A gamer seeking funds for stage 4 sarcoma lost roughly $32,000 after downloading a verified Steam title, Block Blasters, which had a cryptodrainer component added on August 30. The free-to-play game, published by Genesis Interactive and available on Steam from July 30 to September 21, had positive reviews before turning malicious during a live fundraiser by streamer RastalandTV. Investigators identified batch droppers, a Python backdoor and a StealC payload; victims are advised to reset Steam passwords and move digital assets to new wallets.
Mon, September 22, 2025
Third-day airport chaos after supplier cyber-attack
✈️ A suspected cyber-attack on a third-party supplier's check-in platform caused widespread flight cancellations and delays at several European airports, including Heathrow, Brussels, Berlin and Dublin. RTX's Muse software, used for check-in, boarding-pass validation and baggage tagging, was reported as the target, forcing some airlines to revert to pen-and-paper processes. Airports posted notices saying recovery work is ongoing and urging passengers to confirm flight status and use online check-in where possible.
Sun, September 21, 2025
DPRK Hackers Use ClickFix to Deliver BeaverTail Malware
🛡️ GitLab Threat Intelligence observed DPRK-linked operators using ClickFix-style hiring lures to deliver the JavaScript stealer BeaverTail and its Python backdoor InvisibleFerret. The late-May 2025 wave targeted marketing and cryptocurrency trader roles via a fake Vercel-hosted hiring site that tricks victims into running OS-specific commands. Attackers deployed compiled BeaverTail binaries (pkg/PyInstaller) and used a password-protected archive to stage Python dependencies, suggesting tactical refinement and expanded targeting.
Sat, September 20, 2025
Canada Shuts Down TradeOgre Exchange, Seizes Crypto
🔒 The Royal Canadian Mounted Police have dismantled the TradeOgre cryptocurrency exchange and seized more than $40 million in assets believed linked to criminal activity. The small, privacy-focused platform — which supported Monero and did not enforce Know Your Customer (KYC) checks — was taken offline after an investigation by the RCMP’s Money Laundering Investigative Team. Authorities say the exchange failed to register with FINTRAC and cautioned not all seized funds have been confirmed as criminal proceeds.
Sat, September 20, 2025
LastPass Alerts: Fake GitHub Repos Deliver macOS Infostealer
🛡️ LastPass warns of a widespread campaign leveraging fake GitHub repositories and SEO-poisoned search results to distribute an Atomic-infostealer targeting macOS users. The malicious pages impersonate popular tools such as LastPass, 1Password, and Dropbox, and redirect victims to pages that instruct them to run Terminal commands. Those commands fetch and execute a multi-stage dropper that deploys the Atomic Stealer. Users should verify official vendor pages and avoid running untrusted commands in Terminal.
Fri, September 19, 2025
Iran-linked UNC1549 Compromises 34 Devices in Telecoms
🔒 PRODAFT links a recruitment-themed espionage campaign to an Iran-affiliated cluster tracked as Subtle Snail and attributed to UNC1549 (aka TA455), reporting infiltration of 34 devices across 11 telecommunications organizations in Canada, France, the UAE, the UK and the US. Operators posed as HR recruiters on LinkedIn and delivered a ZIP-based dropper that uses DLL side-loading to install the modular backdoor MINIBIKE, which harvests credentials, browser data, screenshots, keystrokes and system details. MINIBIKE communicates with C2 infrastructure proxied through Azure services, employs anti-analysis measures and achieves persistence via registry modifications to enable long-term access and data exfiltration.