Daily Brief
Find articles below; see 'Details' for the generated summaries
Total articles found: 11759
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-22 21:29:55 | bleepingcomputer | CYBERCRIME | Ransomware Attack Disrupts Major European Airports' Operations | A ransomware attack over the weekend hit the check-in and boarding systems of several major European airports, including London Heathrow, Brussels and Berlin Brandenburg, causing significant operational disruption.
The attack targeted Collins Aerospace's MUSE software, which multiple airlines share for check-in and boarding, and led to more than 100 flight delays or cancellations.
Irish airports such as Cork and Dublin saw only minor impact, while the other affected airports advised passengers to check their flight status before travelling because disruption was ongoing.
The European Union Agency for Cybersecurity (ENISA) confirmed that the outage was caused by ransomware, and Collins Aerospace is working to restore the affected systems.
The UK's National Cyber Security Centre is working with Collins Aerospace, the affected airports and law enforcement to understand the incident.
The incident underscores the need for robust cybersecurity in aviation; the NCSC urges organisations to make use of its free guidance and tools. | Details |
| 2025-09-22 20:35:03 | bleepingcomputer | VULNERABILITIES | American Archive Fixes Long-Standing Media Access Vulnerability | The American Archive of Public Broadcasting (AAPB) has patched a flaw that let anyone download restricted media, which had been exploited since at least 2021.
The security researcher who reported the flaw confirmed that it was fixed within 48 hours of notification.
The flaw was an insecure direct object reference (IDOR): changing the media ID parameter in a download request returned the file, because the server never checked whether the caller was allowed to access that particular item.
The method had circulated in Discord communities before the fix, and protected content was leaked as a result.
The incident underscores the challenges archives face in balancing public access with securing sensitive content.
AAPB, a collaboration between the WGBH Educational Foundation and the Library of Congress, says it is committed to preserving and securing its archival materials.
This incident follows a previous breach involving PBS employee contact information, indicating ongoing security challenges in media archives. | Details |
| 2025-09-22 18:22:16 | theregister | CYBERCRIME | Teen Arrested for Alleged Role in Las Vegas Casino Hacks | A teenager has been arrested in Las Vegas, accused of taking part in the 2023 casino network intrusions attributed to the Scattered Spider cybercrime group.
The Las Vegas Cyber Task Force, involving local police and the FBI, led the investigation into casino attacks occurring between August and October 2023.
The teen is charged with using personal information for harm, extortion and unlawful acts regarding computers; prosecutors are seeking to try him as an adult.
This arrest follows the detention of two UK teens linked to Scattered Spider, who are accused of attacking Transport for London in August 2024.
The FBI has linked Scattered Spider to more than 120 intrusions and at least $115 million in ransom payments, a measure of how far the group's operations reach.
The recent arrests are part of broader efforts to dismantle the cybercrime group responsible for significant financial and operational damage.
The Las Vegas casino attacks underscore the vulnerability of high-profile targets to sophisticated cybercriminal activities by organized groups. | Details |
| 2025-09-22 18:04:23 | bleepingcomputer | DATA BREACH | Stellantis Data Breach Involves Salesforce Platform, Affecting Millions | Stellantis confirmed a data breach impacting North American customers, linked to unauthorized access via a third-party service provider's platform.
The attackers took customer contact information; Stellantis says no financial or other sensitive personal data was involved.
Stellantis promptly activated incident response protocols, initiated an investigation, and notified authorities and affected customers.
The breach is part of a wave of Salesforce data thefts claimed by the ShinyHunters extortion group against high-profile companies.
ShinyHunters claims to have taken more than 18 million Salesforce records from Stellantis; across the campaign the group has used stolen OAuth tokens to pull data out of victims' Salesforce environments.
The FBI has issued a FLASH alert with indicators of compromise, warning organisations about this threat to Salesforce environments.
Stellantis advises customers to remain vigilant against phishing attempts and avoid engaging with suspicious communications. | Details |
| 2025-09-22 17:10:25 | bleepingcomputer | VULNERABILITIES | New EDR-Freeze Tool Exploits Windows Error Reporting for Evasion | Security researcher TwoSevenOneThree has released EDR-Freeze, a tool that abuses Windows Error Reporting (WER) to suspend security software without needing a vulnerable driver.
It relies on the MiniDumpWriteDump API, which suspends a target process's threads while a dump is written: the tool has WerFaultSecure.exe, a WER component that runs as a protected process, start a dump of the security agent and then keeps the agent in that suspended state.
Unlike BYOVD attacks, EDR-Freeze runs entirely in user mode using legitimate, signed Windows components, which makes it stealthier and harder to detect.
The tool wins a race against WerFaultSecure.exe, suspending it while the target's threads are still frozen; the researcher tested it on Windows 11 24H2 against the Windows Defender process.
Defenders can monitor for WerFaultSecure.exe being launched with the process ID of a sensitive process on its command line; the researcher also suggests that Microsoft harden the component against this misuse.
Because it abuses intended behaviour, the technique is considered a design flaw rather than a vulnerability, which has prompted discussion of possible hardening.
BleepingComputer has contacted Microsoft for guidance on defending against the technique and is awaiting a response. | Details |
| 2025-09-22 15:57:12 | bleepingcomputer | VULNERABILITIES | Mozilla Introduces Rollback Feature for Firefox Extensions | Mozilla now lets Firefox extension developers roll back to a previous version of their add-on, so a release that ships a critical bug can be withdrawn quickly.
When a developer rolls back, users with automatic updates enabled receive the earlier version within about 24 hours.
The "Rollback to a previous version" option is available from the Developer Hub or the Add-on Submission API, provided the extension has at least two approved versions.
This capability applies to extensions distributed on addons.mozilla.org, while self-distributed extensions can revert to any approved version.
Mozilla's ongoing security measures include blocking malicious extensions, with recent efforts removing hundreds of scam crypto wallet extensions.
The introduction of this rollback feature represents Mozilla's commitment to maintaining the integrity and security of its extension ecosystem.
Extension developers are encouraged to leverage this feature to maintain user trust and ensure a smooth user experience. | Details |
| 2025-09-22 15:47:11 | thehackernews | CYBERCRIME | ComicForm and SectorJ149 Hackers Launch Formbook Malware Attacks | A new hacking group, ComicForm, has targeted organizations in Belarus, Kazakhstan, and Russia since April 2025, focusing on sectors like industrial, financial, and biotechnology.
The attack starts with a phishing email whose subject line is crafted to get the recipient to open a disguised Windows executable; running it deploys the Formbook information stealer.
The phishing emails are sent from domains registered in Russia, Belarus, and Kazakhstan, using Russian or English language to broaden their target reach.
ComicForm's infrastructure analysis revealed phishing attempts against a Kazakh company and a Belarusian bank, aiming to steal credentials via fake login pages.
SectorJ149, a pro-Russian group, has targeted South Korean sectors such as manufacturing and energy, using spear-phishing emails to deploy malware like Lumma Stealer and Remcos RAT.
SectorJ149's emails carry Visual Basic Scripts that run PowerShell commands to download and execute the malware; its recent targeting suggests a shift from financial crime toward hacktivist motives.
The incidents highlight the persistent threat of phishing campaigns and the need for robust email security measures to protect against credential theft and malware infections. | Details |
| 2025-09-22 15:37:25 | bleepingcomputer | MALWARE | Fake Password Managers Target Mac Users with AMOS Malware | LastPass alerts users to a campaign targeting macOS users with fake password managers, delivering the Atomic (AMOS) info-stealing malware.
The malware is distributed through fraudulent GitHub repositories, using SEO tactics to appear in Google and Bing search results.
AMOS is sold as malware-as-a-service for around $1,000 per month and now includes a backdoor that gives operators persistent access to infected Macs.
Attackers impersonate over 100 software products, including 1Password, Dropbox, and Adobe After Effects, to deceive users.
The campaign uses the ClickFix technique: the user is instructed to paste a command into the macOS Terminal, which fetches and runs the malware.
LastPass actively monitors and reports fake repositories to GitHub, though attackers can rapidly create new ones.
Users are advised to download software only from official vendor websites to avoid falling victim to such attacks. | Details |
| 2025-09-22 14:04:57 | bleepingcomputer | MISCELLANEOUS | Shift in Phishing Tactics: Beyond Email to Diverse Channels | Cyber attackers are expanding phishing tactics beyond email, utilizing social media, instant messaging, and search engine ads to reach targets, complicating detection and response efforts.
The decentralization of modern work environments has increased exposure to phishing, with employees accessing multiple communication platforms on corporate devices.
Non-email phishing incidents often go unreported, as traditional email security tools do not capture these attacks, leaving organizations reliant on user reports.
Advanced phishing kits employ obfuscation techniques, bypassing web proxies and other detection methods, making technical controls less effective.
Attackers exploit the overlap between personal and corporate accounts, as in the 2023 Okta support-system breach, where a service account credential saved into an employee's personal Google account on a company laptop was later compromised.
Recent campaigns include LinkedIn spear-phishing targeting executives and Google Search malvertising, both utilizing sophisticated evasion and targeting strategies.
The article recommends browser-level controls, such as Push Security's, that can detect and block phishing across all of these channels in real time as attacks appear. | Details |
| 2025-09-22 13:17:29 | theregister | CYBERCRIME | Ransomware Attack Disrupts Major European Airport Operations | The European Union Agency for Cybersecurity confirmed a ransomware attack affecting airport operations across Europe, including London Heathrow, Berlin Brandenburg, Brussels, Dublin, and Cork.
Collins Aerospace, a U.S.-based company providing critical check-in software, is at the center of the disruption, impacting traveler processing systems at multiple airports.
Airports have fallen back to manual check-in and boarding and are urging travellers to use self-service check-in and bag drop where available to limit delays.
Heathrow said its contingency plans kept flights close to normal despite the attack.
Brussels Airport was hit hardest, cancelling nearly half of its flights on Monday, while Heathrow reported only minimal cancellations and delays.
Airlines and airport authorities are actively working with Collins Aerospace to resolve the issue, though a timeline for full recovery remains uncertain.
This incident underscores the vulnerability of critical infrastructure to cyberattacks and the importance of robust cybersecurity measures and contingency planning. | Details |
| 2025-09-22 11:58:20 | thehackernews | VULNERABILITIES | Google Addresses Actively Exploited Chrome Zero-Day Vulnerability | Google has released updates for Chrome to fix four vulnerabilities, including CVE-2025-10585, which is being actively exploited in the wild.
The zero-day flaw, CVE-2025-10585, is a type confusion issue found in the V8 JavaScript and WebAssembly engine.
This marks the sixth zero-day vulnerability in Chrome exploited or demonstrated as a proof-of-concept in 2025.
Google has not disclosed specific details on the exploitation methods or the threat actors involved.
Users and administrators should update Chrome promptly, since the flaw was already under attack when the fix shipped.
Other Chromium-based browsers, such as Edge, Brave, Opera and Vivaldi, share the V8 engine and should apply the corresponding fix as it becomes available.
Exploitation that precedes the patch is the reason zero-days need a faster response than routine patch cycles allow. | Details |
| 2025-09-22 11:34:39 | theregister | DATA BREACH | Stellantis Data Breach Exposes Customer Information via Third-Party Vendor | Stellantis, owner of brands like Chrysler and Jeep, reported a data breach through a third-party vendor, affecting its North American customer service operations.
The breach exposed customer names and email addresses, but Stellantis confirmed no financial or sensitive information was compromised.
Upon discovering the breach, Stellantis activated incident response protocols, notified law enforcement, and began informing affected customers to watch for phishing attempts.
Stellantis has not said how many people are affected or named the vendor involved.
This incident coincides with broader industry challenges, as Jaguar Land Rover faces a major cyberattack disrupting global production and retail systems.
The JLR attack, reportedly linked to ransomware, has led to halted production, supplier issues, and workforce impacts, highlighting vulnerabilities in supply chain logistics.
The automotive sector's reliance on extensive supply chains and just-in-time logistics underscores the importance of robust cybersecurity measures and contingency planning. | Details |
| 2025-09-22 11:01:13 | thehackernews | VULNERABILITIES | Addressing Risks of Non-Human Identities in Modern Enterprises | Enterprises face growing challenges from non-human identities (NHIs), including service accounts and AI agents, which often operate with broad permissions and lack oversight.
NHIs can outnumber human users significantly, creating potential security blind spots due to their automatic creation and lack of clear ownership.
AI agents, unlike traditional machine identities, act autonomously, accessing sensitive data and APIs without adequate guardrails or lifecycle management.
Security teams are urged to adopt a proactive governance approach, treating NHIs as critical identities requiring comprehensive inventory and management.
Implementing an identity security fabric can consolidate identity management, reducing blind spots and enhancing response capabilities across diverse environments.
Prioritizing risk-based privilege management and automating lifecycle processes can mitigate the risks associated with over-permissioned and orphaned NHIs.
Organizations are encouraged to integrate modern identity platforms to manage NHIs effectively, ensuring robust security controls and minimizing the attack surface. | Details |
| 2025-09-22 09:35:46 | bleepingcomputer | CYBERCRIME | Steam Game Scam Drains $150,000 from Cryptocurrency Wallets | A verified game on Steam, Block Blasters, was used to steal more than $150,000 in cryptocurrency from somewhere between 261 and 478 victims.
The scammers picked out people who were known on X (Twitter) to hold significant amounts of cryptocurrency and invited them to download the game.
The game was initially clean, but an update on August 30 added a crypto-drainer component that compromised players' wallets and accounts.
Victims included a Latvian gamer raising money for cancer treatment, who lost $32,000 during a live fundraising stream.
Analysis of the update found a batch script and a Python backdoor that collect Steam login details and upload them to a command-and-control server.
The attackers' operational security slipped: the code exposed their Telegram bot code and API tokens.
Valve, the company behind Steam, has yet to respond to inquiries regarding the incident and potential preventive measures.
Users are advised to reset Steam passwords and transfer digital assets to new wallets if they downloaded Block Blasters. | Details |
| 2025-09-22 08:26:01 | theregister | MISCELLANEOUS | Lloyds Banking Group Balances AI Innovation with Robust Data Security | Lloyds Banking Group is integrating AI technologies while ensuring the protection of its 28 million customers' data, emphasizing security over rapid deployment of new models.
The bank has banned developers from using AI model hosting platforms like Hugging Face to prevent potential cybersecurity threats from malicious models.
Lloyds is actively implementing over 100 AI use-cases, including chatbots and document processing, to enhance both customer service and internal operations.
Microsoft Copilot and Google Gemini are the bank's main AI platforms, supporting its digital transformation and operational efficiency efforts.
Despite the cautious approach to certain AI platforms, Lloyds remains committed to exploring AI's potential to reshape the banking experience.
A recent paper by Lloyds reports that 60% of financial institutions have seen productivity improvements due to AI, highlighting its growing importance in the sector.
The bank's strategic approach to AI adoption reflects a balance between innovation and security, ensuring customer trust and data integrity. | Details |
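The American Archive entry above describes an insecure direct object reference: a download endpoint that returns whatever media ID the client names. The following Python is an added example, not code from AAPB or from the article, showing the vulnerable pattern beside the fixed one over a constructed three-item catalogue. The item names, the `User`/`Media` types and the `staff` role are assumptions made for the illustration.

```python
"""Insecure direct object reference (IDOR) on a media download endpoint:
the vulnerable handler returns whatever ID the request names, the fixed
one resolves the object and then authorises the caller against it."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised for both 'no such item' and 'not allowed' so IDs can't be probed."""


@dataclass(frozen=True)
class Media:
    media_id: int
    title: str
    restricted: bool  # True: only staff may download


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed catalogue (assumed data). Sequential IDs make guessing cheap,
# but the bug is the missing authorisation check, not the ID format.
CATALOGUE = {
    1001: Media(1001, "public-interview", restricted=False),
    1002: Media(1002, "restricted-broadcast", restricted=True),
    1003: Media(1003, "restricted-outtakes", restricted=True),
}


def fetch_media_vulnerable(user, media_id):
    """Vulnerable: the caller's identity is never consulted."""
    return CATALOGUE.get(media_id)


def can_download(user, media):
    """Object-level rule: unrestricted items are public, restricted need staff."""
    return not media.restricted or "staff" in user.roles


def fetch_media_fixed(user, media_id):
    """Fixed: look the object up, then check the caller's rights on that object."""
    media = CATALOGUE.get(media_id)
    if media is None or not can_download(user, media):
        raise Forbidden(f"media {media_id} not available")
    return media


def enumerate_ids(user, handler, start, count):
    """What an attacker does: sweep the ID space and keep whatever comes back."""
    found = []
    for mid in range(start, start + count):
        try:
            media = handler(user, mid)
        except Forbidden:
            continue
        if media is not None:
            found.append(media.media_id)
    return found


if __name__ == "__main__":
    anon = User("anon")
    print("vulnerable:", enumerate_ids(anon, fetch_media_vulnerable, 1000, 10))
    print("fixed:     ", enumerate_ids(anon, fetch_media_fixed, 1000, 10))
```

The fixed handler resolves the object first and authorises the caller against it, and it returns the same error for "does not exist" and "not allowed" so that sweeping the ID space does not even reveal which IDs are real. Switching to random identifiers only slows guessing; the authorisation check is the fix.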
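The EDR-Freeze entry above suggests watching WER for the identifiers of sensitive processes. The Python below is an added detection sketch, not the researcher's tool or anything from BleepingComputer, that flags WerFaultSecure.exe or WerFault.exe launches whose command line names the PID of a security agent. The process-creation records and the process snapshot are constructed, the `/pid` and `-p` argument forms are assumed, and the parent-based severity rule is a heuristic of this example.

```python
"""Added detection example: flag WerFaultSecure.exe / WerFault.exe launches
whose command line points at the PID of a security agent (the EDR-Freeze
pattern). Record layout and argument forms are assumptions for this example."""
import re

# Image names treated as sensitive. MsMpEng.exe is the Defender engine the
# article's test targeted; add your own EDR agent binaries here.
SENSITIVE_IMAGES = {"msmpeng.exe", "mssense.exe", "nissrv.exe"}
WER_IMAGES = {"werfaultsecure.exe", "werfault.exe"}
# Assumed argument forms: WerFaultSecure "/pid <n>", WerFault "-p <n>".
PID_ARGS = re.compile(r"(?:/pid|-p)\s+(\d+)", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sensitive_pids(process_snapshot):
    """process_snapshot: {pid: image_path} as it stood when the event fired."""
    return {pid for pid, img in process_snapshot.items()
            if basename(img) in SENSITIVE_IMAGES}


def referenced_pids(cmdline):
    """Every PID the WER command line points at."""
    return {int(n) for n in PID_ARGS.findall(cmdline)}


def detect(events, process_snapshot):
    """events: process-creation records with pid, image, cmdline, parent_image.
    Returns one alert per WER launch aimed at a sensitive PID."""
    targets = sensitive_pids(process_snapshot)
    alerts = []
    for ev in events:
        if basename(ev["image"]) not in WER_IMAGES:
            continue
        hit = referenced_pids(ev["cmdline"]) & targets
        if not hit:
            continue
        # Genuine crash reports are spawned by the WER service host (svchost);
        # any other parent launching WER against a security agent is suspect.
        parent = basename(ev["parent_image"])
        severity = "medium" if parent == "svchost.exe" else "high"
        alerts.append({"pid": ev["pid"], "targets": sorted(hit), "severity": severity})
    return alerts


# Constructed sample data (assumed paths and PIDs).
SNAPSHOT = {
    3320: r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
    4104: r"C:\Windows\System32\svchost.exe",
    5120: r"C:\Windows\System32\notepad.exe",
}
EVENTS = [
    # a crashing notepad reported normally: not a sensitive target, no alert
    {"pid": 6001, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": "WerFault.exe -u -p 5120 -s 1234",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    # WerFaultSecure aimed at the Defender engine from an unrelated parent: high
    {"pid": 6002, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "cmdline": "WerFaultSecure.exe /h /pid 3320 /tid 3344 /file 100 /encfile 104 /cancel 108 /type 268310",
     "parent_image": r"C:\Users\dev\Downloads\tool.exe"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS, SNAPSHOT):
        print(alert)
```

Feed it Sysmon event ID 1 or equivalent process-creation telemetry joined to a process list taken at the same time. A genuine crash of a security agent will also match, which is why the parent image only adjusts severity rather than suppressing the alert; the agent being frozen is the condition you want to know about either way.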