Summaries of Cybersecurity News Worth Your Attention this Week – 2025-09-22

From this weeks cybersecurity news summary we learn that cyberattacks definitely impact our every day lives – like yesterday when quite a few airports in Europe had disruptions because airport software was attacked. Or the fact that the UK Jaguar factory is still closed and losing 5million a day because of an attack that started end of August.

Speaking of attackers, from pop culture, we often get portraid of a criminal as a ugly-scary and hairy guy in a cellar somewhere, but no, latest arrest included a 18 and 19 year olds supposedly demanding hundreds of millions of ransomware.

And be careful with LinkedIn job offers, these turned out pretty badly for 11! telecom companies last week.

P.S. Scroll to the end if you want to subscribe and get this summary to your inbox every monday 🙂

1. Cyberattack on Collins Aerospace Software Disrupts Check-In at Major European Airports

A cyberattack on Collins Aerospace’s MUSE check-in software caused flight delays, cancellations, and diversions at major European airports including Heathrow, Brussels, and Berlin on September 20, 2025. The incident highlighted vulnerabilities in airport digital infrastructure and caused operational disruptions mitigated only by manual check-in processes.lans.

Key Details

• The disruption affected electronic check-in and baggage drop systems
• 29 flights were canceled by mid-morning, with Brussels airport asking airlines to reduce departing flights the following day to ease queues.
• RTX, parent company of Collins Aerospace, confirmed a “cyber-related disruption” but did not disclose attacker identity or attack type.
• Past ransom attacks on Collins Aerospace were reported in 2023, underscoring persistent threat risks to aviation software providers.

Next Steps

• Develop and test manual process backups for critical processes

Read more at Reuters.

2. Actor Token Flaw in Azure AD Graph API Allowed Cross-Tenant Global Admin Takeover

A validation error in Azure AD Graph API combined with undocumented “actor tokens” could let an attacker impersonate any user—including Global Administrators—in any Entra ID tenant without logging or revocation controls. 

Key Details

• CVE-2025-55241 tracked a privilege-escalation flaw in Azure AD Graph API’s token validation.
• “Actor tokens” issued by a legacy Access Control Service are unsigned, non-revocable for 24 hours, bypass conditional access, and generate no logs.
• An attacker only needs the public tenant ID and a victim’s netID (brute-forcible or via B2B guest) to craft a cross-tenant token.
• Microsoft deprecated Azure AD Graph API but many services still rely on it; patch blocked actor-token requests for Graph.

Next Steps

• Audit and retire any remaining Azure AD Graph integrations.
• Enforce tenant-origin validation on all internal token issuance.
• Enable and review resource-provider logs for unusual service-to-service token use.

Read more at BleepingComputer

3. Zero-Click “ShadowLeak” Attack Enables Undetectable Data Exfiltration via ChatGPT Email Integrations

Researchers at Radware uncovered "ShadowLeak," a zero-click prompt injection vulnerability in ChatGPT’s Deep Research agent that lets attackers embed hidden HTML prompts within emails. When users request email summaries, the AI executes malicious commands and exfiltrates sensitive data to attacker-controlled servers without touching enterprise networks or triggering alerts. OpenAI patched the flaw in August, but ShadowLeak highlights persistent risks in agentic AI connectors and reinforces the need for enhanced governance, sanitization, and monitoring controls.

Key Details

• Hidden HTML (tiny fonts/white-on-white text) instructs the AI to send PII to attacker URLs.
• Data exfiltration occurs on OpenAI’s cloud servers, evading local logs, EDR, and secure web gateways.
• Basic malicious prompts succeeded ~50% of the time; framing with urgency increased response rates significantly.
• ShadowLeak was reported to OpenAI on June 18; the issue was fixed by early August and marked resolved Sept 3.

Next Steps

• Review applications that employees are allowed to connect to AI agents.
• Educate employees on the risks that come with the use of AI agents.

Read more at Dark Reading, The Record, CSO Online

4. Microsoft and Cloudflare Seize 338 Domains to Disrupt RaccoonO365 Phishing Service

Microsoft’s Digital Crimes Unit, backed by a U.S. court order, seized 338 websites linked to RaccoonO365, a subscription-based phishing-as-a-service that has harvested over 5,000 Microsoft 365 credentials across 94 countries since mid-2024. The takedown, conducted with Cloudflare, targets a platform responsible for large-scale tax-themed and healthcare phishing campaigns that put patient safety and organizational security at risk.

Key Details

• Storm-2246 gang offered annual subscriptions (~$600) allowing up to 9,000 targeted emails per day.
• Phishing kits mimic Microsoft branding and bypass email filters and MFA prompts via CAPTCHA and cookie-capture techniques.
• Tax-season campaign struck over 2,300 U.S. organizations; at least 20 U.S. healthcare entities were later hit with malware or ransomware.
• DCU investigators identified Nigerian national Joshua Ogundipe as the architect—his crypto payments (~$100K) traced through an operational security slip.

Read more at Dark Reading, Cloudflare Blog

5. Self-Replicating “Shai-hulud” Worm Infects Hundreds of npm Packages

A newly discovered worm, dubbed Shai-hulud, has autonomously spread through hundreds of npm packages since mid-September, hijacking developer credentials to inject malicious code and further propagate itself. 

It steals NPM, GitHub and cloud tokens using TruffleHog to harvest secrets and even makes private repositories public for additional reconnaissance. 

Key Details

• First spotted Sept. 15 in the “rxnt-authentication” package; ReversingLabs estimates ~700 repos compromised.
• Once installed, bundle.js runs a postinstall script that harvests NPM_TOKEN, GITHUB_TOKEN, AWS/GCP keys via TruffleHog.
• Worm uses stolen NPM credentials to publish trojanized versions of all packages a developer maintains.
• Also copies private GitHub repos to public “shai-hulud” migrations, exposing hard-coded secrets and source code.

Next Steps

• Audit npm account activity for “Shai-Hulud Migration” branches and repos.

Read more at Dark Reading

6. HybridPetya Malware Combines Petya and NotPetya Traits to Bypass UEFI Secure Boot

Researchers at ESET have uncovered HybridPetya, a new ransomware strain that installs malicious UEFI bootkits to bypass Secure Boot and encrypt the NTFS Master File Table on affected systems.  While no active deployments have been observed, its ability to persist in firmware and leverage CVE-2024-7344 highlights a growing class of hard-to-detect bootkits.

Key Details

• Installs payloads to the EFI System Partition and encrypts the MFT, crippling file access.
• Exploits Howyar Reloader UEFI vulnerability (CVE-2024-7344) to load unsigned code.
• Blends NotPetya’s destructive wiper behavior with Petya’s recoverable encryption.
• Maintains persistence through firmware, surviving OS reinstalls and disk wipes.

Read more at DarkReading

7. Jaguar Land Rover extends production halt to September 24 amid cyberattack

Jaguar Land Rover (JLR) today announced that its global manufacturing operations will remain suspended until at least Wednesday, September 24, as its forensic investigation into an end-of-August cyberattack continues. The initial attack was disclosed September 2nd. It has been estimated that Jaguar might be losing around £5 million a day due to these disruptions. 

Key Details

• Threat actors confirmed data theft and deployment of ransomware on SAP servers.
• Group calling itself “Scattered Lapsus$ Hunters” posted internal screenshots.
• Approx. 39,000 JLR employees and thousands of suppliers remain idle.

Read more at Bleeping Computer

8. CISA Reports Dual Malware Toolkits Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428

Two distinct Java-based malware sets were discovered on an organization’s Ivanti Endpoint Manager Mobile servers after threat actors chained an authentication bypass (CVE-2025-4427) with a remote code execution flaw (CVE-2025-4428). Each toolkit drops a loader (web-install.jar) and malicious listener classes in /tmp, reconstructs payloads via Base64-encoded HTTP GET requests, and injects backdoors for arbitrary code execution, persistence, and data exfiltration.

Key Details

• Exploitation began around May 15, 2025, immediately after a public PoC for the two zero-days.
• Set 1 includes web-install.jar, ReflectUtil.class and SecurityHandlerWanListener.class; Set 2 pairs web-install.jar with WebAndroidAppInstaller.class.
• Malware delivered in segmented, Base64-encoded chunks via the /mifs/rs/api/v2 endpoint using HTTP GET requests.
• Listeners decode/decrypt payloads with hard-coded AES keys, dynamically load classes, and intercept HTTP requests to maintain persistence and exfiltrate data.

Next Steps

• Upgrade Ivanti EPMM to the latest patched release
• Treat MDM infrastructure as high-value assets and tighten access controls.

Read more at CISA, The Hacker News, Bleeping Computer

9. UK Arrests Two Teens in Scattered Spider-Linked TfL Cyberattack

Two UK teenagers—19-year-old Thalha Jubair and 18-year-old Owen Flowers have been arrested by the National Crime Agency for their alleged roles in the August 2024 Transport for London breach, accused of conspiring under the Computer Misuse Act to disrupt critical transport services and extort millions.  In parallel, US prosecutors unsealed charges against Jubair for orchestrating at least 120 network intrusions and extorting 47 US organizations, with ransom payments exceeding $115 million.

Key Details

• The TfL attack disabled customer log-ins and third-party APIs, costing TfL an estimated £30 million and exposing ~5,000 Oyster account records.
• Flowers also faces UK charges for conspiring to breach SSM Health and Sutter Health networks; Jubair is charged under RIPA for refusing to surrender device PINs.
• The US DOJ alleges Jubair led 120 intrusions from May 2022–Sept 2025, extorting 47 US entities for at least $115 million in ransom.
• Law enforcement seized ~$36 million in cryptocurrency from Jubair-controlled wallets, though he diverted ~$8.4 million during the seizure.

Next Steps

• Review and tighten anti-phishing and social engineering defenses.
• Enforce strong multi-factor authentication on all critical systems.
• Coordinate with UK NCA and US DOJ on cross-border intelligence sharing.

Read more at The Hacker News, US Department of Justice

10. Iran-Linked UNC1549 Uses LinkedIn Job Lures and MINIBIKE Malware to Infiltrate 11 Telecom Firms

UNC1549 (aka Subtle Snail) posed as HR recruiters on LinkedIn to compromise 34 devices at 11 telecommunications organizations across five countries. Victims who clicked fake interview links downloaded a ZIP that sideloaded a customized MINIBIKE backdoor via malicious DLLs, enabling long-term persistence, data theft, and stealthy C2 over Azure cloud services.  

Key Details

• Campaign spanned Canada, France, UAE, UK and US, compromising 34 endpoints in telecoms and related sectors.
• MINIBIKE backdoor loaded via DLL side-loading supports 12 modular C2 commands and auto-persists in Windows Registry.
• Browser-stealer leverages Chrome-App-Bound-Encryption-Decryption tool to bypass Google’s app-bound encryption and exfiltrate stored passwords.
• Operators proxy C2 through legitimate Azure cloud services and VPS infrastructure to evade detection.

Things to consider when looking for a job on Linkedin:

• Validate recruiter profiles and interview domains used on LinkedIn.
• Verify job ad on company website
• Avoid weird attachments like ZIP or EXE attachments

Read more at The Hacker News

Subscribe

Subscribe to receive weekly cybersecurity news summary to your inbox every Monday.