Daily Brief


Total articles found: 11760


2025-09-15 10:14:50 theregister CYBERCRIME Jaguar Land Rover Cyberattack Spurs Calls for Government Job Support
Jaguar Land Rover's supply chain faces significant layoffs following a cyberattack, prompting calls for government intervention to protect affected workers. The UK's automotive union urges a Covid-style furlough scheme to safeguard jobs within JLR's extensive supplier network, which supports over 100,000 positions. Direct JLR employees are less vulnerable to layoffs compared to those at external suppliers, who are experiencing heightened job insecurity. The cyberattack has halted JLR's global assembly lines since September 2, with daily losses estimated between £5 million and £10 million. The financial impact of the ongoing downtime could reach £130 million, severely affecting JLR's operations across the UK, China, India, and Slovakia. JLR is collaborating with cybersecurity experts to restore its systems safely, acknowledging data compromise and ongoing disruptions. The situation highlights the critical need for robust cybersecurity measures and contingency plans to mitigate operational and economic risks.
2025-09-15 08:07:56 theregister MISCELLANEOUS UK Lords Scrutinize Ofcom's Child-Protection Measures Under Online Safety Act
The House of Lords is assessing Ofcom's new child-protection measures under the Online Safety Act, focusing on their effectiveness and potential compliance challenges. Ofcom's amendments propose stricter age-assurance rules and limitations on livestreaming to enhance child safety, raising concerns about privacy and operational burdens. The measures include using hash-matching technology to identify illegal content and deploying automated tools to detect harmful activities like grooming and self-harm. Critics argue the Online Safety Act risks infringing on free speech, with "legal but harmful" content rules potentially leading to censorship and undermining encryption. Privacy advocates warn that stringent age verification could involve collecting sensitive biometric data, posing risks of misuse and privacy violations. Some platforms express concerns over the financial and operational impact of compliance, with smaller sites potentially blocking UK users or shutting down. The Lords' inquiry aims to determine if Ofcom's proposals will genuinely enhance safety or result in increased costs and reduced digital freedoms.
2025-09-15 07:14:15 thehackernews MALWARE AI-Powered Villager Tool Raises Concerns Over Potential Misuse
The AI-powered Villager penetration testing tool, linked to Cyberspike, has seen nearly 11,000 downloads on PyPI, raising concerns about its potential misuse by cybercriminals. Villager automates testing workflows and integrates with tools like Kali Linux and LangChain, simplifying complex attack processes and lowering the skill threshold for malicious actors. The tool's ability to create and destroy isolated containers within 24 hours complicates detection and forensic analysis, posing challenges for cybersecurity teams. Villager's integration with known hacktools like AsyncRAT and Mimikatz in a turnkey framework suggests it could be repurposed for malicious operations. The tool's task-based architecture allows AI to dynamically orchestrate tools, marking a shift in cyber attack methodologies and increasing the speed of exploitation attempts. Cyberspike's emergence in 2023 and its association with a China-based company raise questions about the origins and intentions behind the tool's development. Organizations must remain vigilant as AI-driven attack tools like Villager could significantly increase the burden on detection and response capabilities.
2025-09-15 05:49:43 thehackernews MALWARE Chinese-Speaking Users Targeted by Sophisticated Malware Campaigns
Fortinet FortiGuard Labs identified a campaign using SEO poisoning and fake software sites to distribute malware targeting Chinese-speaking users. Malware families like HiddenGh0st and Winos, variants of Gh0st RAT, are deployed through trojanized installers mimicking popular software. Attackers manipulate search rankings and use lookalike domains to deceive users into downloading malicious payloads. The malware employs anti-analysis techniques, including DLL sideloading and TypeLib COM hijacking, to evade detection and establish persistence. Zscaler ThreatLabz discovered a separate campaign distributing kkRAT, which shares code with Gh0st RAT and uses GitHub Pages for malware hosting. kkRAT employs encryption and clipboard manipulation to replace cryptocurrency addresses, posing significant financial risks to victims. Both campaigns exploit the trust associated with legitimate platforms and use advanced techniques to bypass security measures and antivirus software. Organizations are advised to educate users on recognizing phishing sites and verify software sources to mitigate such threats.
2025-09-15 02:38:49 theregister CYBERCRIME Cybercriminals Relocate Scam Operations Amid Southeast Asia Crackdown
UNODC reports cyber-scam operations shifting to Timor-Leste, exploiting its limited experience in handling such activities. Criminal networks linked to offshore gambling and triad organizations are suspected of operating in newly identified scam centers. Increased law enforcement pressure in Southeast Asia prompts organized crime groups to seek new jurisdictions for scam operations. Recent U.S. Treasury sanctions target scam centers in Myanmar and Cambodia, linked to local armed groups and Chinese criminal actors. Sanctions block U.S. entities from engaging with designated individuals and entities, aiming to disrupt global scam networks. The relocation of scam centers reflects adaptive tactics by cybercriminals to evade regulatory actions and continue targeting victims worldwide.
2025-09-14 23:55:12 theregister CYBERCRIME Ransomware Gangs Announce Retirement Amid Law Enforcement Pressure
Fifteen ransomware groups, including Scattered Spider and Lapsus$, declared their retirement, claiming to have achieved their objectives beyond extortion. The announcement was made on Breachforums, with the groups stating they will cease operations and enjoy their accumulated wealth. Recent attacks by these groups targeted high-profile companies such as Jaguar and Marks & Spencer, leading to significant operational disruptions. Some members have been arrested, and the groups express intentions to use their skills to retaliate against law enforcement actions. Cybersecurity experts anticipate these groups may rebrand and resume activities under new identities to evade detection. The situation underscores the ongoing challenges in combating ransomware, as criminal actors adapt to law enforcement measures.
2025-09-14 21:59:58 bleepingcomputer DATA BREACH FBI Alerts on Salesforce Data Theft by UNC6040 and UNC6395
The FBI issued a FLASH alert on cybercriminal groups UNC6040 and UNC6395 targeting Salesforce environments for data theft and extortion. UNC6040 uses social engineering and vishing to trick employees into connecting malicious OAuth apps to Salesforce accounts, leading to mass data exfiltration. High-profile companies like Google, Adidas, and Cisco were impacted, with attackers targeting "Accounts" and "Contacts" database tables. UNC6395 exploited stolen Salesloft Drift OAuth tokens to access Salesforce support case information, extracting sensitive credentials and authentication tokens. Salesloft and Salesforce collaborated to revoke compromised tokens and required customer reauthentication to mitigate further breaches. The attacks, linked to groups like ShinyHunters and Scattered Lapsus$, highlight vulnerabilities in OAuth token security and the need for robust authentication practices. Threat actors claimed access to sensitive FBI and Google systems, posing significant risks if proven true, though official confirmation is pending.
2025-09-14 14:26:40 bleepingcomputer CYBERCRIME VoidProxy Phishing Service Targets Microsoft 365 and Google Accounts
Okta Threat Intelligence researchers uncovered VoidProxy, a phishing-as-a-service platform targeting Microsoft 365 and Google accounts, including those using third-party SSO providers like Okta. The service employs adversary-in-the-middle tactics to capture credentials, MFA codes, and session cookies in real time, posing a significant threat to account security. Attack initiation involves emails from compromised accounts at services like Constant Contact, using shortened links to redirect victims to phishing sites. Malicious sites utilize disposable domains and Cloudflare protection to obscure IP addresses, enhancing their evasiveness and perceived legitimacy. Phishing targets are presented with fake login pages mimicking Microsoft or Google, while federated accounts face additional phishing stages impersonating SSO flows. VoidProxy's proxy server intercepts and duplicates session cookies, making them accessible to attackers via the platform's admin panel. Okta recommends measures such as restricting sensitive app access to managed devices, enforcing risk-based controls, and using IP session binding to mitigate risks. Users employing phishing-resistant authentication methods like Okta FastPass were shielded from VoidProxy's attack sequence and received alerts about potential threats.
2025-09-14 13:06:04 theregister DATA BREACH Inadequate Data Destruction Poses Significant Financial and Legal Risks
Companies face potential multi-million dollar fines and lawsuits if data on decommissioned devices is not adequately erased before disposal. Morgan Stanley incurred $155 million in total liabilities due to improper disposal of hard drives containing sensitive customer information. The incident involved a third-party vendor selling unwiped devices, highlighting the importance of vendor oversight and accountability. Proper data sanitization requires adherence to guidelines such as NIST 800-88, which recommends methods based on data sensitivity and risk. Organizations can opt for third-party sanitization services, which offer verification and certification, or utilize software solutions for in-house data erasure. Ensuring data destruction compliance is critical, as regulations like HIPAA and the FTC Disposal Rule impose strict requirements on handling personal information. Asset recovery programs from OEMs like Dell and HP provide environmentally responsible options that can offset costs through equipment resale.
2025-09-13 14:04:57 bleepingcomputer MALWARE WhiteCobra Targets VSCode Users with Malicious Crypto-Stealing Extensions
WhiteCobra has infiltrated the Visual Studio Marketplace and Open VSX registry with 24 malicious extensions, targeting VSCode, Cursor, and Windsurf users. The extensions appear legitimate, boasting professional design and inflated download counts, making them difficult to distinguish from genuine products. WhiteCobra's campaign includes a wallet-draining mechanism that starts by executing a seemingly benign file, which then triggers a secondary script. The malicious payloads are platform-specific, deploying LummaStealer malware on Windows and an unknown malware family on macOS. WhiteCobra previously executed a $500,000 crypto-theft using a fake Cursor editor extension, indicating a well-organized and persistent threat. Koi Security emphasizes the need for improved verification mechanisms on extension platforms to prevent such malicious activities. Users are advised to scrutinize extensions for impersonation attempts and rely on known, reputable projects to mitigate risks.
2025-09-13 09:09:18 thehackernews DATA BREACH FBI Warns of Salesforce Data Breaches by UNC6040 and UNC6395
The FBI issued a flash alert about UNC6040 and UNC6395, cybercriminal groups targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens in the Salesloft Drift application, linked to a GitHub breach from March to June 2025. Salesloft has responded by isolating Drift infrastructure, taking the AI chatbot offline, and enhancing security with multi-factor authentication and GitHub hardening. UNC6040, active since October 2024, uses vishing to gain access to Salesforce instances, employing modified Salesforce Data Loader and custom scripts for data exfiltration. Extortion activities by UNC6040 are linked to another cluster, UNC6240, claiming to be ShinyHunters, which may escalate tactics by launching a data leak site. ShinyHunters, Scattered Spider, and LAPSUS$ have reportedly consolidated efforts but announced a temporary shutdown, likely to avoid law enforcement scrutiny. Despite the group's claims of going dark, experts caution that such pauses are often temporary, and organizations should remain vigilant against potential data resurfacing and persistent threats.
2025-09-12 23:09:54 theregister MALWARE HybridPetya Ransomware Exploits UEFI Vulnerability in New Bootkit Threat
ESET researchers have uncovered HybridPetya, a new ransomware strain capable of bypassing UEFI Secure Boot, exploiting a patched vulnerability (CVE-2024-7344) in unrevoked Windows systems. HybridPetya combines features of the infamous Petya and NotPetya, encrypting the Master File Table on NTFS partitions and displaying a fake Windows "CHKDSK" message during the encryption process. The ransomware remains a proof-of-concept with no current evidence of active deployment in the wild, but its technical capabilities pose a potential future threat. Unlike NotPetya, HybridPetya functions as true ransomware, allowing decryption of files upon payment, rather than simply wiping data. The bootkit works by installing a malicious EFI application, responsible for encryption, on the EFI System Partition, compromising modern UEFI-based systems. Microsoft's revocation of the vulnerability in the dbx on updated machines mitigates the immediate risk, though vigilance is advised for unpatched systems. This discovery adds to a growing list of Secure Boot bypasses, including BlackLotus and Bootkitty, emphasizing the need for ongoing monitoring and patch management.
2025-09-12 19:30:30 theregister VULNERABILITIES Samsung and Apple Address Critical Vulnerabilities in Targeted Attacks
Samsung patched a critical Android vulnerability (CVE-2025-21043) that allowed remote code execution, affecting devices running Android OS versions 13 through 16. The flaw, found in the image processing library libimagecodec.quram.so, was exploited in the wild before the patch, potentially impacting apps like WhatsApp. Meta and WhatsApp's security teams reported the vulnerability to Samsung, indicating a possible link to a similar Apple OS-level flaw (CVE-2025-43300). Apple's vulnerability, also an out-of-bounds write issue, was patched on August 20, addressing a sophisticated attack vector targeting specific users. Amnesty International's Security Lab is investigating these attacks, suggesting involvement of a commercial surveillanceware vendor targeting civil society individuals. The incidents underline the critical need for timely vulnerability management and cross-platform collaboration in addressing emerging threats. While Samsung and Meta have not disclosed specific attackers, the nature of the attacks points to highly targeted campaigns, raising concerns over digital privacy.
2025-09-12 17:26:29 bleepingcomputer MALWARE New HybridPetya Ransomware Bypasses UEFI Secure Boot Protection
HybridPetya, a new ransomware strain, can bypass UEFI Secure Boot to install malicious applications, posing a significant threat to system security. Inspired by Petya/NotPetya, HybridPetya encrypts systems, demanding a $1,000 Bitcoin ransom for decryption, simulating previous destructive attacks. ESET researchers discovered HybridPetya on VirusTotal, noting its potential as a research project or early-stage cybercrime tool. The ransomware exploits CVE-2024-7344, a vulnerability in Microsoft-signed applications, allowing bootkit deployment even with Secure Boot active. HybridPetya installs into the EFI System Partition, replacing critical boot files and using a Salsa20 key for encryption, similar to NotPetya tactics. Microsoft addressed CVE-2024-7344 in the January 2025 Patch Tuesday update, emphasizing the importance of timely security updates for protection. Indicators of compromise for HybridPetya are available on GitHub, aiding in defense against this emerging threat. Maintaining offline backups remains a crucial strategy for ransomware defense, ensuring data recovery without ransom payment.
2025-09-12 17:18:05 theregister VULNERABILITIES CISA Seeks Greater Control Over CVE Program Amid Governance Debate
CISA has released a vision document aiming to take a dominant role in the future of the Common Vulnerabilities and Exposures (CVE) program, a global standard for vulnerability identification. Earlier this year, the CVE program faced potential shutdown when CISA nearly allowed MITRE's contract to expire, later extending it through March 2026. The CVE Foundation, formed by board members, advocates for transitioning the program to a nonprofit entity with international coordination and diverse funding, opposing CISA's control. Nicholas Andersen, CISA's Executive Assistant Director for Cybersecurity, asserts that a government-led system is essential for national cyber defense, dismissing privatization due to potential conflicts of interest. The vision document suggests CISA seeks to correct past missteps and establish long-term stewardship, emphasizing the need for government oversight over alternative governance models. MITRE, the nonprofit managing CVE since 1999, remains committed to supporting CISA and its partners, despite the current governance challenges. The ongoing debate over CVE's governance highlights the complexities of balancing national security interests with the need for transparent and diversified management.