News Stories
Jaguar Land Rover Cyberattack Severely Disrupts Production, Systems Taken Offline
Jaguar Land Rover halted operations after a cyberattack disabled its production systems, forcing shutdowns at multiple facilities. The attackers targeted backend servers controlling assembly-line processes, disrupting vehicle output and parts distribution. Security teams isolated compromised systems and initiated forensic analysis to identify lateral movement paths and persistence mechanisms. The company confirmed customer and supplier data were unaffected but has yet to disclose attacker attribution or method of intrusion.
GPS Jamming Attack Forces Ursula von der Leyen’s Plane to Land Without Navigation
European Commission President Ursula von der Leyen’s aircraft was forced to land after GPS jamming rendered navigation systems unreliable. Investigators linked the disruption to sophisticated electronic warfare activity likely from Russian sources. The jamming disabled satellite feeds, forcing reliance on manual navigation protocols. Flight logs confirmed persistent spoofing signals along the aircraft’s route, prompting aviation authorities to issue advisories on GNSS resilience and fallback navigation procedures for state and commercial aircraft.
Embassy Breach Alert: Iranian Hackers Exploit 100 Email Accounts via Phishing
Iranian state-aligned hackers compromised more than 100 diplomatic email accounts through credential phishing. Attackers used spear-phishing lures containing malicious links that redirected victims to spoofed login portals. Once credentials were harvested, the group leveraged MFA bypass techniques and created persistence by registering malicious OAuth applications. Investigators reported exfiltration of sensitive communications and attachments, indicating long-term espionage objectives. Alerts were circulated to affected embassies across Europe and the Middle East for remediation.
Santa Fe County Website Hack Likely Based on Old Source Code
Santa Fe County confirmed its website compromise stemmed from vulnerabilities in legacy source code. Hackers injected malicious scripts into public-facing pages, redirecting visitors to credential harvesting portals. Analysis showed attackers exploited outdated PHP libraries and insecure API endpoints that had not been patched for years. The intrusion disrupted service portals but did not expose resident data. Officials are conducting codebase audits and transitioning legacy modules to supported, hardened platforms to prevent recurrence.
Salesforce Supply Chain Breach Hits Palo Alto Networks Customers
Palo Alto Networks disclosed exposure of customer data after attackers breached its Salesforce environment through compromised Salesloft tokens. Malicious actors escalated access to CRM datasets, retrieving customer contact records and business engagement details. The attack was part of a wider supply chain campaign targeting Salesforce integrations. The company has rotated affected credentials, disabled exposed integrations, and notified impacted customers while working with Salesforce and law enforcement on coordinated investigation and containment.
Evertec Confirms $130M Fraud Attempt in Sinqia Pix Cyberattack
Payment processor Evertec reported a $130 million attempted fraud stemming from a cyberattack on Sinqia’s Pix payment system. Hackers exploited transaction authorization workflows by injecting fraudulent payment requests into real-time processing channels. Fraud detection systems flagged anomalies, halting disbursements before funds were transferred. Forensic teams traced the intrusion to compromised privileged accounts within middleware servers. Authorities are investigating the cross-border operation, highlighting weaknesses in Brazil’s instant payment ecosystem exploited by sophisticated financial cybercriminals.
Cloudflare Confirms Salesforce Breach in Growing Supply Chain Attack
Cloudflare joined the list of Salesforce breach victims, disclosing unauthorized access to its CRM instance. Attackers leveraged OAuth tokens through consent-grant manipulation, accessed limited objects, and attempted data export via bulk API calls. Cloudflare invalidated tokens, enforced IP allowlisting, and applied session policies to restrict external access. The company is tightening app-scoped permissions and expanding anomaly detection for bulk queries to verify containment and map the access timeline.
TamperedChef Infostealer Delivered Through Fraudulent PDF Editor Ads
Malvertising campaigns promoted fake PDF editors, distributing trojanized installers that sideloaded TamperedChef via DLL hijacking. The infostealer disabled AMSI, harvested browser cookies and saved credentials, and exfiltrated session tokens to C2 infrastructure over DNS-over-HTTPS channels. Distribution used ad tracking templates to evade platform detection. Recommended mitigations include application allowlisting, blocking unsigned installers, and enforcing enterprise browser policies to protect against deceptive ad-driven infection chains.
Amazon Disrupts Midnight Blizzard Campaign Targeting Microsoft 365
Amazon disrupted infrastructure supporting the Midnight Blizzard campaign that targeted Microsoft 365 with OAuth app abuse and device-code phishing. Attackers used residential proxies for token replay and brokered refresh tokens for persistence. Amazon, in coordination with providers, dismantled phishing middleware and proxy endpoints, interrupting token validation flows. Recommended controls include revoking risky OAuth grants, enforcing phishing-resistant MFA, and monitoring abnormal device-code requests and cross-tenant token use.
Zscaler Data Breach Exposes Customer Information After Salesloft, Drift Compromise
Attackers leveraged compromised Salesloft and Drift accounts to pivot into Zscaler’s Salesforce workflows, extracting contact records and case metadata. The incident used MFA fatigue and SIM-swap attempts to seize tokens and query APIs. Zscaler invalidated affected tokens, suspended integrations, and issued notifications. Mitigations include tenant allowlists for SaaS apps, scoped OAuth permissions, and enhanced audit logging to correlate cross-platform activity.
Hackers Threaten Google with Data Leak Unless It Fires Threat Intelligence Employees
A threat group published extortion demands asserting possession of internal Google datasets and demanded dismissals of specific security staff. The group circulated proof packs on underground channels. Preliminary analysis suggests data provenance from aggregated third-party leaks and OSINT rather than an internal exfiltration. Google enhanced insider-risk monitoring, validated DLP coverage, and coordinated with law enforcement while investigating claimed proofs and monitoring for further dissemination.
SK Telecom Hit with Record US$96.9 Million Fine After Data Breach Exposes 23 Million Users
Regulators fined SK Telecom US$96.9M after attackers exploited IDOR and weak session validation in a legacy self-service portal to extract subscriber data. Automated enumeration and credential-stuffing enabled mass data retrieval. The ruling cited delayed patching and insufficient monitoring. SK Telecom is decommissioning legacy endpoints, rolling out FIDO2-based authentication, and deploying behavioral anomaly detection on customer-facing systems.
Hackers Leak Sensitive Healthcare Data of 433,000 U.S. Doctors
A dataset containing 433,000 physicians’ records appeared on criminal marketplaces after attackers abused an exposed SFTP/API endpoint tied to a healthcare vendor. The breach involved automated scraping and packaging for sale. Exposed elements included licensure details, addresses, and SSNs. Recommended responses include rotating the affected transfer keys, enforcing key-based authentication and IP allowlists for file-transfer services, and auditing partner connections.
Tea App Data Breach Exposes Sensitive Images
The Tea app leak occurred via publicly accessible object storage paths lacking authorization checks, allowing direct access to uploaded images and metadata. The operator has implemented signed URLs with short TTLs, tightened bucket policies, and enabled server-side encryption. Engineers are adding token-based access middleware and rate-limiting to prevent bulk scraping and are conducting log-based investigations to determine prior access.
NCSC Warns of Malware Campaign Using Fake PDF Editors
The NCSC advisory describes a campaign distributing loaders through counterfeit PDF editor sites and ads. Payloads use DLL search-order hijacking, persist via scheduled tasks, and pull modules for credential theft. The advisory recommends application allowlisting, DNS filtering for distribution domains, and disabling script interpreters where possible to reduce attack surface.
TransUnion Data Breach Exposes Personal Information of 4.4 Million
TransUnion reported a breach affecting 4.4 million records after attackers accessed an internet-facing service via compromised third-party integrations. The incident involved data exfiltration, archive compression to obfuscate transfer, and log tampering to hide activity. TransUnion disabled implicated integrations, rotated keys, rebuilt impacted systems, and engaged external forensic teams while notifying regulators and affected individuals.
Brokewell Android Malware Spread Through Fake TradingView Ads
Brokewell distribution leveraged Meta ads to push sideloaded APKs impersonating TradingView. The malware requests Accessibility and notification-listener privileges to perform overlay-based credential theft, intercept OTPs, and exfiltrate wallet data. Communications used WebSocket beacons to C2. Enterprises should restrict sideloading, enforce Play Protect, and apply MDM policies blocking high-risk permissions.
SentinelOne Forecasts Growth in AI-Driven Cybersecurity
SentinelOne forecasts expansion in autonomous detection and model-driven response, promoting integration of endpoint, identity, and cloud telemetry. Roadmaps emphasize agentless cloud monitoring, AI-assisted triage, and measurable reductions in dwell time, with demand strongest in the finance and government sectors for consolidated detection platforms.
U.S. and Allies Expose Salt Typhoon Cyber Espionage Network
Authorities published technical findings on “Salt Typhoon,” documenting spear-phishing, living-off-the-land tactics, webshell deployment, and cloud identity abuse targeting critical infrastructure and defense suppliers. The report included IoCs, recommended hardening steps (phishing-resistant MFA, OAuth monitoring, edge appliance patching), and YARA rules for detection.
Senator Wyden Demands Independent Cybersecurity Review of Federal Courts
Senator Wyden requested an independent audit of federal court cybersecurity after incidents exposed filings and sealed records via legacy case-management systems. The call cites inadequate patching, weak segmentation, and insufficient vendor oversight; it requests a remediation roadmap, mandatory MFA for privileged access, and transparent reporting to Congress.
FEMA Fires 24 Staff After DHS Cybersecurity Audit Uncovers Major Failures
A DHS audit uncovered shared admin credentials, disabled logging, and unpatched internet-exposed services at FEMA, prompting termination of 24 staff. FEMA launched centralized identity management, SIEM onboarding across systems, and mandatory change-control measures. External pen testing and procurement changes requiring hardened defaults are in progress to validate remediation.
Maryland’s Paratransit Ransomware Strike: Cyberattack Disrupts Disabled Transit Services
Ransomware encrypted scheduling databases for Maryland’s paratransit service, disabling dispatch and booking portals. Attackers exploited an unpatched remote access vector to elevate privileges and deploy encryption, forcing manual operations. Response included domain controller rebuilds, offline backup restores, and coordination with state cyber units; passenger safety and alternative communication channels were prioritized during recovery.
Critical SharePoint Zero-Day Exploited: Immediate Steps Against CVE-2025-53770 Vulnerability
Active exploitation of CVE-2025-53770 enables pre-auth deserialization leading to remote code execution on SharePoint servers. Attackers use crafted requests to drop webshells and pivot laterally. Advised mitigations include blocking vulnerable API paths, applying vendor workarounds, hunting for anomalous child processes spawned by w3wp.exe, and auditing farm solutions and OAuth app registrations to limit post-exploitation movement.
Podcasts
Cato Networks Acquires Aim Security to Bolster AI Defense in SASE
This episode covers Cato Networks’ acquisition of Aim Security to strengthen AI-driven detection and automated playbooks within SASE. Discussion includes edge latency considerations for model inference, tenant isolation during model training, and defenses against adversarial prompt injection for embedded assistants.
Tidal Cyber Secures $10M to Advance Threat-Informed Defense
Analysts discuss how Tidal Cyber will expand ATT&CK-aligned control validation, telemetry normalization, and automated evidence capture. The episode details API connectors to SIEM/SOAR, exporting coverage gaps to remediation workflows, and scaling community-driven detection engineering.
Disney Fined $10M for COPPA Violations Over Mislabeling Kids Content on YouTube
The podcast reviews COPPA violations tied to metadata mislabeling and identifier use in child-directed content, covering platform classifier limits, remediation steps (retagging, disabling personalized ads), and implications for cross-platform governance.
Google Patches 111 Android Flaws in September 2025, Including Two Zero-Days Under Attack
Experts break down exploited zero-days and other critical Android bugs, covering privilege-escalation chains, sandbox escapes, and mitigation strategies like SELinux hardening, ASB patch deployment, and OEM update coordination.
Google Warns of Sitecore Zero-Day: ViewState Deserialization Under Fire
This episode explains active exploitation of ViewState deserialization in Sitecore, examining gadget chains enabling pre-auth remote code execution, and recommended mitigations such as enforcing ViewState MAC and rotating validation keys.
Brokewell Malware Targets Android Users via Fake TradingView Ads on Meta
Researchers discuss distribution via ads, sideloading risks, and Brokewell’s abuse of Accessibility Services to harvest credentials and intercept OTPs, plus indicators for mobile gateways and MDM detection.
Von der Leyen and Shapps Flights Hit by Suspected Russian Electronic Warfare
Analysts detail GNSS jamming/spoofing patterns, signal anomalies, and aircraft fallback to inertial and ATC vectors, with discussion on spectrum monitoring and aviation PNT resilience measures.
Salesforce and Google Workspace Compromised in Largest SaaS Breach
The panel analyzes consent-phishing flows that capture OAuth tokens and enable API-driven exfiltration across Salesforce and Google Workspace tenants, focusing on app governance gaps and bulk-query detection.
Blogs
Agentic AI Steals Spotlight at Black Hat 2025 with Real-Time Threat Response
Black Hat coverage demonstrated agentic AI orchestrating EDR, identity, and network tooling to automate investigation and containment actions. Demos highlighted provenance tracking, guardrails against prompt injection, and rollback mechanisms. Implementations emphasized least-privilege API keys, human-in-the-loop approvals, and auditing to map model-driven actions to ATT&CK techniques and SOC playbooks.