Chinese threat actors exploited the ToolShell vulnerability (CVE-2025-53770) just two days after Microsoft patched it in July 2025, compromising a Middle Eastern telecom company and government agencies across Africa and South America. Symantec researchers linked the attacks to Chinese groups Glowworm and UNC5221, who deployed malware including Zingdoor and KrustyLoader.
The hackers targeted critical infrastructure through mass scanning, then focused on networks of interest for espionage. They used legitimate tools like Trend Micro and BitDefender binaries to hide their malicious payloads, demonstrating sophisticated tradecraft.
Microsoft previously identified three Chinese groups exploiting ToolShell, including Budworm and Storm-2603. The widespread targeting suggests coordinated state-sponsored activity aimed at stealing credentials and maintaining persistent access to victim networks.
Source: Industrial Cyber
The Iranian threat group MuddyWater is conducting a massive cyberespionage campaign targeting over 100 government organizations across the Middle East and North Africa. The campaign, discovered by Group-IB, began August 19 and uses phishing emails sent through a compromised mailbox accessed via NordVPN to appear legitimate.
Victims receive blurred Word documents that prompt them to enable macros, which then deploy the Phoenix backdoor version 4 through a FakeUpdate injector. The malware establishes persistence and connects to command-and-control servers for intelligence gathering. Targets include embassies, diplomatic missions, and foreign affairs ministries, supporting MuddyWater's geopolitical objectives and Iran's Ministry of Intelligence operations.
Source: Dark Reading
The September cyber attack on Jaguar Land Rover has become Britain's costliest cyber incident ever, with analysts estimating damages at £1.9 billion. The hack shut down JLR's global production for five weeks starting September 1st, affecting major UK plants in Solihull, Halewood, and Wolverhampton.
The Cyber Monitoring Centre found 5,000 businesses caught in the supply chain disruption, with full recovery not expected until January 2026. JLR will bear more than half the costs through lost earnings and recovery expenses, while thousands of suppliers and local businesses face ongoing impacts.
The attack's exact nature remains unclear. JLR is gradually restarting production but declined to comment on the damage estimates.
Source: BBC
Ransomware attacks on critical infrastructure exploded in 2025, with 4,701 incidents recorded through September—a 34% jump from 2024. Half of these attacks hit vital sectors like manufacturing, healthcare, energy, and finance. The U.S. bore the brunt with 21% of global incidents.
Manufacturing took the biggest hit, seeing attacks surge 61% as criminals targeted companies like Jaguar Land Rover and Bridgestone. Just five ransomware groups were responsible for 25% of all incidents, showing how organized these criminal operations have become.
Experts warn ransomware has evolved from a business nuisance into a national security threat, capable of paralyzing supply chains and undermining public trust in critical services.
Source: Industrial Cyber
A sophisticated cyber espionage campaign dubbed "PassiveNeuron" is targeting government, industrial, and financial organizations across Asia, Africa, and Latin America. The attackers deploy two custom malware tools—Neursite and NeuralExecutor—specifically designed to compromise Windows servers.
Kaspersky researchers discovered the campaign in June 2024, with new infections observed through August 2025. The malware focuses on Microsoft SQL Server software, likely exploiting vulnerabilities or brute-forcing database credentials for initial access.
While early clues pointed to Russian actors, researchers now attribute the campaign to Chinese-speaking threat groups with "low confidence," citing similarities to previous EastWind operations and the use of GitHub for command-and-control communications. Organizations should prioritize server security and patch SQL injection vulnerabilities.
Source: Dark Reading
Aussie Fluid Power, an Australian hydraulic equipment supplier, confirmed a cyberattack after ransomware group Anubis claimed responsibility last week. The breach compromised employee, customer, and supplier information through unauthorized access to company IT systems.
The company has engaged forensic experts and reported the incident to the Australian Cyber Security Centre while strengthening security protocols. They're contacting affected stakeholders and apologizing for the breach.
This attack highlights the manufacturing sector's vulnerability, with ransomware incidents surging 87% against industrial organizations. Manufacturing faced a 71% rise in cyberattacks in 2024, with 79% carried out by cybercriminals.
Source: Industrial Cyber
AT&T customers affected by two major data breaches have until December 18, 2025, to claim their share of a $177 million settlement. The 2019 breach exposed personal data including Social Security numbers for 73 million customers, while the 2024 Snowflake hack accessed phone records for 109 million users.
Customers who can prove documented losses can receive up to $5,000 for the 2019 breach or $2,500 for the 2024 incident. Those without proof still get cash payments based on which data was compromised. You need a Class Member ID from Kroll's notification email to file a claim, or call 833-890-4930 if you didn't receive one.
Source: CNET
Chinese cyber group Salt Typhoon exploited a Citrix NetScaler Gateway vulnerability to infiltrate a European telecommunications company in July 2025. The hackers used advanced techniques including DLL sideloading and deployed SNAPPYBEE backdoor malware, hiding malicious code within legitimate antivirus software from Norton and other vendors.
Salt Typhoon, active since 2019, has targeted critical infrastructure across 80+ countries including telecommunications, energy, and government systems. The group used SoftEther VPN to mask their location and established communication with command-and-control servers.
Darktrace researchers identified the attack through behavioral anomalies, emphasizing that traditional signature-based detection isn't enough against sophisticated state-sponsored groups that blend into normal network operations.
Source: Infosecurity Magazine
A researcher has released working exploit code for CVE-2025-59287, a critical Windows Server Update Services vulnerability that lets attackers execute code remotely without authentication. The flaw affects all Windows Server versions from 2012 to 2025 and scores 9.8 out of 10 for severity.
The bug stems from unsafe data handling in WSUS's cookie processing system. Attackers can send malicious requests to port 8530, triggering code execution with full system privileges. Microsoft warns the vulnerability is "wormable," meaning it could spread across networks automatically.
With public exploit code now available on GitHub, unpatched WSUS servers face immediate risk. Organizations should apply Microsoft's October 2025 security updates immediately and restrict network access to WSUS servers until patching is complete.
Source: Cyber Security News
Renault UK suffered a cyber attack through a third-party data provider, exposing customer names, addresses, birth dates, phone numbers, and vehicle details. The car manufacturer emphasized that no financial information or passwords were compromised in what they called an "isolated incident."
Unlike Jaguar Land Rover's recent attack that shut down UK production, Renault's manufacturing operations remain unaffected since their own systems weren't breached. The company is contacting affected customers and has notified authorities, though they won't reveal how many people were impacted.
This marks another major automotive cyber attack following JLR's August breach, highlighting the growing threat to car companies' data security.
Source: Sky News