Attackers are actively exploiting a critical Windows Server Update Services (WSUS) vulnerability, CVE-2025-59287, that Microsoft's regular October patch did not fully fix. Microsoft released an out-of-band fix on Thursday, and researchers detected live attacks by Friday.
Over 2,800 vulnerable servers remain exposed online, 28% of them in the United States. Security firm Huntress has tracked five active attacks so far. The flaw affects Windows Server versions dating back to 2012 and allows an unauthenticated attacker to take complete control of the server.
The risk extends beyond individual servers—attackers could potentially push malware to entire networks disguised as legitimate Microsoft updates, turning trusted update systems into distribution weapons.
Source: CyberScoop
A cyberattack on Jaguar Land Rover in late August has cost the UK economy an estimated £1.9 billion, making it potentially Britain's most expensive cyber incident ever. The hack forced JLR to shut down all factories and offices, affecting 5,000 organizations across its supply chain.
The carmaker, which produces about 1,000 vehicles daily across three UK factories, only managed a limited restart in early October and won't return to full production until January. Smaller suppliers were forced to lay off thousands of workers due to cash flow problems.
The government promised JLR a £1.5 billion loan guarantee in September to help support suppliers. The Cyber Monitoring Centre ranked this as a category 3 systemic event, with losses potentially higher if production delays continue.
Source: The Guardian
The Agenda ransomware group (also called Qilin) has infected 591 victims across 58 countries since January 2025, with the U.S. leading at 295 incidents. Trend Micro researchers discovered the group's sophisticated approach: deploying Linux ransomware on Windows systems while exploiting legitimate remote access tools to avoid detection.
The attackers use fake Google CAPTCHA pages to steal credentials, then target backup systems like Veeam to harvest more passwords and disable recovery options. Manufacturing (92 incidents), technology (68), and healthcare (61) sectors face the heaviest attacks.
Because much of the tooling is Linux-native, Windows-focused security controls may never inspect it, which makes detection considerably harder. Organizations that rely on remote access platforms or run hybrid Windows/Linux environments face the highest risk.
Source: Industrial Cyber
Cybercriminals have developed a phishing campaign that uses randomly generated Universally Unique Identifiers (UUIDs) to slip past Secure Email Gateways undetected. Discovered by Cofense researchers in February 2025, the attack hides malicious JavaScript in fake file-sharing notifications that imitate platforms such as OneDrive and DocuSign.
When a victim opens the document, the script picks one of nine bulk-registered .org domains at random and assigns the target a unique UUID so each visit can be tracked. Instead of a conventional redirect that changes the visible URL, it manipulates the DOM to replace the page content in place, rendering a login page styled with the victim's own company branding.
Because the page content is fetched from the attacker's server and assembled client-side, the phishing pages look convincingly legitimate, which significantly raises the odds that victims enter their credentials.
Source: Cybersecurity News
Medical Specialist Group (MSG) in Guernsey faces a £100,000 fine after hackers stole thousands of patient emails containing confidential health data. The breach started in August 2021 but went undetected for over three months. Criminals later used the stolen information in phishing campaigns targeting patients.
The Office of the Data Protection Authority found MSG failed to install critical security updates and missed opportunities to detect the attack. Commissioner Brent Homan said medical information requires the highest protection levels, which MSG failed to provide.
MSG must pay £75,000 within 60 days, with another £25,000 due in 14 months unless they complete an approved action plan.
Source: BBC News
Cybercriminals are rapidly adopting AI-powered tools while nation-state hackers increasingly collaborate with financially motivated groups, according to Trellix's latest threat report covering April-September 2025.
The industrial sector bore the brunt of attacks, accounting for 36.57% of all ransomware victims. Qilin emerged as the dominant ransomware group after RansomHub's collapse, responsible for 441 victim posts and showing a clear preference for industrial targets.
The report documented what it describes as the first AI-powered infostealer, LameHug, attributed to Russia's APT28. The malware uses a large language model to generate its commands dynamically at runtime, marking a shift from theoretical AI threats to operational tooling.
Geopolitical tensions drove spikes in cyber activity, particularly during Taiwan Strait military exercises in April and the Israel-Iran conflict in June. PowerShell remains the most frequently observed tool, appearing in 77.7% of ransomware campaigns.
Source: Industrial Cyber
Microsoft released an emergency patch Thursday for a critical Windows Server vulnerability that is already being exploited. The flaw, CVE-2025-59287, affects Windows Server Update Services (WSUS) and carries a CVSS score of 9.8.
The bug allows an unauthenticated attacker to execute code remotely on a vulnerable server through unsafe deserialization of untrusted data. Microsoft's initial October patch was incomplete, prompting the out-of-band fix after security firms spotted active attacks against WSUS servers exposed on TCP ports 8530 and 8531.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog Friday. Organizations that cannot patch immediately can disable the WSUS Server Role or block inbound traffic to the affected ports at the host firewall; either step also interrupts update distribution to the clients that depend on that server, so it should be treated as a stopgap until the fix is installed.
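The following PowerShell script is an added example, not code from the Dark Reading article or from Microsoft. It audits a Windows Server for exposure to CVE-2025-59287 (is the WSUS role installed, is anything listening on 8530/8531, do inbound allow rules cover those ports) and, on request, applies one of the two interim mitigations described above. It assumes an elevated session on Windows Server 2012 or later with the ServerManager, NetTCPIP and NetSecurity modules available; the rule name and the script parameter are my own choices.

```powershell
<#
Added example (not from the article or Microsoft): audit a server for
CVE-2025-59287 exposure and optionally apply an interim mitigation.
Assumes an elevated PowerShell session on Windows Server 2012+ with the
ServerManager, NetTCPIP and NetSecurity modules present.
Usage:  .\Check-Wsus.ps1                      # audit only
        .\Check-Wsus.ps1 -Action BlockPorts   # host-firewall block on 8530/8531
        .\Check-Wsus.ps1 -Action RemoveRole   # uninstall the WSUS Server Role
#>
#Requires -RunAsAdministrator
param(
    [ValidateSet('Audit', 'BlockPorts', 'RemoveRole')]
    [string]$Action = 'Audit'
)

$wsusPorts       = 8530, 8531                              # WSUS HTTP / HTTPS
$wsusPortStrings = $wsusPorts | ForEach-Object { [string]$_ }

# 1. Role check: if the WSUS Server Role is absent, this host is not affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host 'WSUS Server Role is not installed; CVE-2025-59287 does not apply here.'
    return
}
Write-Host 'WSUS Server Role is installed.'

# 2. Listener check: WSUS is hosted in IIS, so look for sockets on its ports.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $wsusPorts } |
    ForEach-Object {
        Write-Host ('Listening on {0}:{1} (PID {2})' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess)
    }

# 3. Firewall check: enabled inbound Allow rules whose port filter covers a WSUS
#    port (or "Any"). The role installer creates such rules; if the host is
#    reachable from the internet it is in the exposed population the article
#    describes. Port ranges such as "8530-8531" are not expanded here.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object {
        ($_.LocalPort -eq 'Any') -or
        (@($_.LocalPort) | Where-Object { $_ -in $wsusPortStrings })
    } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object { Write-Host ('Inbound allow rule covering WSUS ports: {0}' -f $_.DisplayName) }

switch ($Action) {
    'BlockPorts' {
        # Interim mitigation 1: block inbound TCP 8530/8531 at the host firewall.
        # Windows Firewall evaluates Block rules ahead of Allow rules, so the
        # role's own allow rules can stay in place. Caveat: legitimate clients
        # also lose access; add -RemoteAddress to scope the block if they must
        # keep working. Remove the rule once the out-of-band patch is installed.
        New-NetFirewallRule -DisplayName 'Block WSUS 8530/8531 (CVE-2025-59287 interim)' `
            -Direction Inbound -Protocol TCP -LocalPort $wsusPortStrings `
            -Action Block -Profile Any -Enabled True | Out-Null
        Write-Host 'Inbound TCP 8530/8531 blocked at the host firewall.'
    }
    'RemoveRole' {
        # Interim mitigation 2: remove the WSUS Server Role. Clients pointing at
        # this server stop receiving updates until the role is reinstated.
        Uninstall-WindowsFeature -Name UpdateServices
        Write-Host 'WSUS Server Role removed; a restart may be required.'
    }
    default {
        Write-Host 'Audit only. Rerun with -Action BlockPorts or -Action RemoveRole to mitigate.'
    }
}
```

The audit output is the part to act on: a server with the role installed, listeners on 8530/8531 and an unscoped inbound allow rule matches the exposed population counted in the reports above. The block rule is deliberately preferred over removing the role, because it is reversible with a single Remove-NetFirewallRule once the patch is confirmed installed.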
Source: Dark Reading
UK car production plummeted 27.1% in September after a devastating cyber attack shut down Jaguar Land Rover for five weeks. The attack halted all manufacturing at JLR's West Midlands and Merseyside plants from late August to early October, with zero vehicles produced during that period.
The incident is estimated to have cost £1.9 billion, which would make it the most financially damaging cyber attack in UK history. September's output was the lowest for that month since 1952, worse than during the COVID lockdowns.
While JLR has restarted production, the automotive sector remains under severe pressure. Nearly half of September's limited output was electric or hybrid vehicles, with 76% destined for export to the EU, US, and Asia.
Source: Sky News
GCHQ head Anne Keast-Butler told companies Wednesday they must prepare for inevitable cyber attacks, including keeping paper copies of crisis plans in case all systems go down. Her warning comes as "highly significant" cyber attacks jumped 50% in the past year, with security agencies now handling several new attacks weekly.
The Jaguar Land Rover hack in August exemplifies the threat, costing the UK economy an estimated £1.9bn and potentially becoming Britain's most expensive cyber attack. JLR shut down all factories and offices, with production possibly disrupted until January.
Keast-Butler urged companies to add cybersecurity experts to their boards and share attack information with government agencies through "safe spaces" that protect commercial secrets.
Source: The Guardian
Chinese threat actors exploited the ToolShell vulnerability (CVE-2025-53770) just two days after Microsoft patched it in July 2025, compromising a Middle Eastern telecom company and government agencies across Africa and South America. Symantec researchers linked the attacks to Chinese groups Glowworm and UNC5221, who deployed malware including Zingdoor and KrustyLoader.
The attackers located targets through mass scanning, then concentrated on networks of interest for espionage. They used legitimate Trend Micro and Bitdefender binaries to load and conceal their malicious payloads, a sign of mature tradecraft.
Microsoft previously identified three Chinese groups exploiting ToolShell, including Budworm and Storm-2603. The widespread targeting suggests coordinated state-sponsored activity aimed at stealing credentials and maintaining persistent access to victim networks.
Source: Industrial Cyber