Cybercriminals are increasingly attacking industrial control systems (ICS) using malicious JavaScript and fake vendor websites. In Q2 2025, 6.49% of ICS computers blocked these web-based threats, making them the top danger to industrial networks.

Attackers send phishing emails with links to cloned vendor portals. When workers click these links, malicious scripts automatically download and create backdoors into critical systems. The criminals then steal credentials and can directly control programmable logic controllers and SCADA systems.

Several attacks caused real damage—one altered chemical processing temperatures, triggering emergency shutdowns. Another disabled safety systems after stealing privileged accounts through fake support portals. Africa and Southeast Asia saw the most attacks, while Northern Europe faced fewer attempts.

Source: Cybersecurity News

A cyberattack on Friday night disrupted check-in and boarding systems at major European airports including Brussels, Berlin's Brandenburg, and London's Heathrow on Saturday. The attack targeted Collins Aerospace's MUSE software, forcing airports to resort to manual check-in processes.

Brussels Airport saw nine flight cancellations and 15 delays of over an hour, though the overall impact remained limited. Passengers faced longer waits as staff had to write baggage tags by hand at understaffed counters.

Experts called the attack "very clever" since it hit multiple airports simultaneously through a single system provider. The aviation industry's reliance on shared digital platforms makes it an attractive target for cybercriminals, with the attack's motive still unclear.

Source: Security Week

Security researcher "Ynwarcs" has published proof-of-concept exploit code for CVE-2024-38063, a critical zero-click vulnerability affecting all Windows systems with IPv6 enabled. Originally discovered by XiaoWei of Kunlun Lab, this remote code execution flaw targets Windows 10, Windows 11, and Windows Server without requiring any user interaction.

The exploit code is now available on GitHub for researchers to study, but this also increases the risk of malicious actors exploiting the vulnerability. Microsoft is urging users to install the latest security updates immediately to protect against potential attacks. Organizations should prioritize patching and monitor for unusual IPv6 packet activity.

Source: Dark Reading

A devastating cyberattack has crippled Jaguar Land Rover for three weeks, forcing the closure of all factories in the UK, Slovakia, Brazil, and India. The hack, discovered in late August, has left Britain's largest automotive employer unable to produce vehicles, potentially costing hundreds of millions of pounds.

The attack exposed vulnerabilities in JLR's interconnected "smart factory" systems, managed by outsourcing giant Tata Consultancy Services under an £800m contract. When hackers breached the network, JLR couldn't isolate affected systems and was forced to shut down everything.

The crisis threatens JLR's entire supply chain of 700+ companies across the West Midlands. Workers remain furloughed with no clear restart date, while suppliers face potential bankruptcy. The government is providing daily support and considering financial aid for struggling suppliers as the automotive industry braces for a prolonged shutdown.

Source: The Guardian

Researchers at Radware discovered a clever attack called "ShadowLeak" that allowed hackers to steal emails from ChatGPT users completely undetected. The attack worked by embedding hidden malicious code in normal-looking emails using tiny or white text. When victims asked ChatGPT to summarize their emails, the AI would read the hidden code and secretly send email contents to attacker-controlled servers.

The attack left zero traces on company networks since everything happened through OpenAI's infrastructure. Researchers found ChatGPT followed malicious instructions about half the time, with success rates improving when attackers added urgency like "HR compliance checks." OpenAI quietly fixed the vulnerability in August after Radware reported it in June, though the exact solution remains unclear.

Source: Dark Reading

A high court judge has overturned the Home Office's decision to prioritize US extradition over Portugal's request for Diogo Santos Coelho, a 25-year-old Portuguese man with autism facing cybercrime charges.

Coelho, who ran the hacking forum RaidForums, was allegedly groomed online from age 14 and exploited by adults. He faces up to 52 years in US prison but has been assessed as high suicide risk and wants to face justice in Portugal, his home country, where he has family support.

Justice Linden ruled that former Home Secretary James Cleverly failed to properly consider Coelho's mental health, autism diagnosis, victim status under modern slavery laws, and family connections. The current Home Secretary must now reconsider the decision, allowing Coelho to argue why Portugal should take priority.

Source: The Guardian

UK authorities arrested two alleged Scattered Spider hackers: Thalha Jubair, 19, from East London, and Owen Flowers, 18, from West Midlands. Both face UK charges for attacking Transport for London's systems.

Jubair also faces US charges for allegedly orchestrating over 120 cyberattacks worldwide, including 47 against American organizations. Prosecutors say his group used social engineering to steal data and demand ransoms, collecting more than $115 million between May 2022 and September 2025. Jubair controlled wallets containing $36 million in cryptocurrency and faces up to 95 years in prison.

The arrests come as Scattered Spider announced its retirement, though cybersecurity experts remain skeptical and report continued activity targeting financial institutions.

Source: Security Week

SonicWall disclosed a data breach on September 17 where attackers accessed cloud backup files for customer firewalls through brute force attacks targeting their API service. The breach affected fewer than 5% of SonicWall's firewall install base, exposing encrypted credentials and configuration files that could help attackers exploit the related firewalls.

The security vendor immediately disabled the backup feature and launched an investigation with third-party experts. Impacted customers using MySonicWall.com cloud backups are advised to check their accounts, verify if their serial numbers are listed, and rotate all passwords and multi-factor authentication credentials stored in their firewalls.

This marks another security challenge for SonicWall, which has become a frequent target for cybercriminals attacking network edge devices.

Source: Dark Reading

A data breach in New York City's affordable housing lottery program exposed personal information for about 38,000 applicants, including names, incomes, phone numbers, and in some cases Social Security numbers. The breach occurred between May and July when applications became publicly searchable online due to a "system misconfiguration" by Reside New York, a company that reviews applications for the city.

City Council Housing Committee Chair Pierina Sanchez demanded answers after CBS News New York uncovered the breach. Reside CEO Martin Joseph blamed a third-party company called LogicFold for the mistake and says the portal was fixed immediately after being notified.

No identity theft or fraud has been reported so far. The city assures applicants that Housing Connect remains safe, and affected individuals are being offered credit monitoring services.

Source: CBS News New York

A devastating supply chain attack called Shai-Hulud infected over 180 NPM packages starting September 14, compromising 40+ developer accounts and publishing 700+ malicious versions. The self-replicating worm steals secrets, dumps them on public GitHub repositories, and spreads by hijacking NPM tokens to infect more packages.

High-profile targets included @ctrl/tinycolor (2 million weekly downloads) and CrowdStrike packages. The malware harvests GitHub, AWS, and Google Cloud credentials, then creates public repos labeled 'Shai-Hulud Migration' to expose stolen secrets.

Security firms call it one of the most severe JavaScript supply-chain attacks ever. The worm targets Linux and macOS systems while skipping Windows machines. Though many credentials were quickly revoked, dozens of GitHub tokens remain active, keeping the campaign alive.

Source: Security Week