Ticker feed
The Agenda ransomware group (also called Qilin) has infected 591 victims across 58 countries since January 2025, with the U.S. leading at 295 incidents. Trend Micro researchers discovered the group's sophisticated approach: deploying Linux ransomware on Windows systems while exploiting legitimate remote access tools to avoid detection.
The attackers use fake Google CAPTCHA pages to steal credentials, then target backup systems like Veeam to harvest more passwords and disable recovery options. Manufacturing (92 incidents), technology (68), and healthcare (61) sectors face the heaviest attacks.
This cross-platform strategy bypasses traditional Windows-focused security tools, making detection extremely difficult. Organizations using remote access platforms or hybrid Windows/Linux environments face the highest risk.
Source: Industrial Cyber
Cybercriminals have developed a new phishing campaign that uses randomly generated Universally Unique Identifiers (UUIDs) to slip past Secure Email Gateways undetected. Discovered by Cofense researchers in February 2025, the attack hides malicious JavaScript in fake file-sharing documents from platforms like OneDrive and DocuSign.
When victims click these documents, the script randomly selects from nine bulk-generated .org domains and creates a unique UUID to track each target. Instead of typical redirects that change URLs, it uses DOM manipulation to replace the page content in real time, creating personalized login pages that match the victim's company branding.
This server-driven approach makes the phishing pages look incredibly legitimate, significantly increasing the chances victims will enter their credentials.
Source: Cybersecurity News
Medical Specialist Group (MSG) in Guernsey faces a £100,000 fine after hackers stole thousands of patient emails containing confidential health data. The breach started in August 2021 but went undetected for over three months. Criminals later used the stolen information in phishing campaigns targeting patients.
The Office of the Data Protection Authority found MSG failed to install critical security updates and missed opportunities to detect the attack. Commissioner Brent Homan said medical information requires the highest protection levels, which MSG failed to provide.
MSG must pay £75,000 within 60 days, with another £25,000 due in 14 months unless they complete an approved action plan.
Source: BBC News
Cybercriminals are rapidly adopting AI-powered tools while nation-state hackers increasingly collaborate with financially motivated groups, according to Trellix's latest threat report covering April-September 2025.
The industrial sector bore the brunt of attacks, accounting for 36.57% of all ransomware victims. Qilin emerged as the dominant ransomware group after RansomHub's collapse, responsible for 441 victim posts and showing a clear preference for industrial targets.
The report documented the first AI-powered infostealer, LameHug, attributed to Russian APT28 hackers. This malware uses large language models to generate dynamic attack commands, marking a significant shift from theoretical AI threats to operational weapons.
Geopolitical tensions drove cyber activity spikes, particularly during Taiwan Strait military exercises in April and Israel-Iran conflicts in June. PowerShell remains the top attack vector, used in 77.7% of ransomware campaigns.
Source: Industrial Cyber
Microsoft released an emergency patch Thursday for a critical Windows Server vulnerability that is already being exploited in the wild. The flaw, CVE-2025-59287, affects the Windows Server Update Services (WSUS) role and carries a CVSS severity score of 9.8.
The bug allows attackers to remotely execute code on vulnerable systems through unsafe object deserialization. Microsoft's initial October patch was incomplete, prompting the emergency fix after cybersecurity firms spotted active attacks targeting exposed WSUS servers on ports 8530 and 8531.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog Friday. Organizations can temporarily protect themselves by disabling the WSUS Server Role or blocking traffic to the affected ports.
Source: Dark Reading
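The two interim workarounds named in the item above (disabling the WSUS Server Role, or blocking inbound traffic to ports 8530 and 8531) can be checked and applied from PowerShell. The script below is an added illustration written for this digest; it is not code from the Dark Reading report or from Microsoft's advisory, and the `-Apply` switch and the firewall rule name are this script's own choices. It uses only standard cmdlets from the ServerManager and NetSecurity modules that ship with Windows Server, and must run in an elevated session.

```powershell
# Added example, not from the Dark Reading item or Microsoft's advisory.
# Reports the status of the two interim workarounds for CVE-2025-59287 on a WSUS host;
# applies them only when run with the (script-defined) -Apply switch.
param([switch]$Apply)

$wsusPorts = 8530, 8531   # WSUS HTTP and HTTPS listener ports named in the item

# 1. Is the WSUS Server Role (feature name UpdateServices) installed on this host?
$role = Get-WindowsFeature -Name UpdateServices
if ($role.Installed) {
    Write-Host "WSUS Server Role is installed on $env:COMPUTERNAME"
    if ($Apply) {
        # Workaround A: remove the role until the out-of-band update is installed.
        Uninstall-WindowsFeature -Name UpdateServices -Restart:$false | Out-Null
        Write-Host "WSUS Server Role removed; a reboot may be required"
    }
} else {
    Write-Host "WSUS Server Role is not installed; no action needed"
}

# 2. Report whether the WSUS ports are currently listening on this host.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $wsusPorts -contains $_.LocalPort }
foreach ($conn in $listening) {
    Write-Host ("Port {0} is listening on {1}" -f $conn.LocalPort, $conn.LocalAddress)
}

# 3. Workaround B: an inbound host-firewall block for the WSUS ports.
$ruleName = "Block inbound WSUS 8530-8531 (CVE-2025-59287 interim)"   # name chosen here
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Firewall block rule already present: $ruleName"
} elseif ($Apply) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $wsusPorts -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule: $ruleName"
} else {
    Write-Host "No block rule present; rerun with -Apply to create it"
}
```

Both workarounds also stop legitimate WSUS clients from fetching updates, so they are a stopgap until the out-of-band patch is deployed, after which the role can be reinstalled and the rule removed with `Remove-NetFirewallRule -DisplayName $ruleName`. Blocking at the host firewall does not replace blocking at the network edge, which is where exposed WSUS servers were being found.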
UK car production plummeted 27.1% in September after a devastating cyber attack shut down Jaguar Land Rover for five weeks. The attack halted all manufacturing at JLR's West Midlands and Merseyside plants from late August to early October, with zero vehicles produced during that period.
The breach is considered the most financially damaging cyber attack in UK history, costing an estimated £1.9 billion. September's output hit the lowest level since 1952, worse than during COVID lockdowns.
While JLR has restarted production, the automotive sector remains under severe pressure. Nearly half of September's limited output was electric or hybrid vehicles, with 76% destined for export to the EU, US, and Asia.
Source: Sky News
GCHQ head Anne Keast-Butler told companies Wednesday they must prepare for inevitable cyber attacks, including keeping paper copies of crisis plans in case all systems go down. Her warning comes as "highly significant" cyber attacks jumped 50% in the past year, with security agencies now handling several new attacks weekly.
The Jaguar Land Rover hack in August exemplifies the threat, costing the UK economy an estimated £1.9bn and potentially becoming Britain's most expensive cyber attack. JLR shut down all factories and offices, with production possibly disrupted until January.
Keast-Butler urged companies to add cybersecurity experts to their boards and share attack information with government agencies through "safe spaces" that protect commercial secrets.
Source: The Guardian
Chinese threat actors exploited the ToolShell vulnerability (CVE-2025-53770) just two days after Microsoft patched it in July 2025, compromising a Middle Eastern telecom company and government agencies across Africa and South America. Symantec researchers linked the attacks to Chinese groups Glowworm and UNC5221, who deployed malware including Zingdoor and KrustyLoader.
The hackers targeted critical infrastructure through mass scanning, then focused on networks of interest for espionage. They used legitimate tools like Trend Micro and BitDefender binaries to hide their malicious payloads, demonstrating sophisticated tradecraft.
Microsoft previously identified three Chinese groups exploiting ToolShell, including Budworm and Storm-2603. The widespread targeting suggests coordinated state-sponsored activity aimed at stealing credentials and maintaining persistent access to victim networks.
Source: Industrial Cyber
The Iranian threat group MuddyWater is conducting a massive cyberespionage campaign targeting over 100 government organizations across the Middle East and North Africa. The campaign, discovered by Group-IB, began August 19 and uses phishing emails sent through a compromised mailbox accessed via NordVPN to appear legitimate.
Victims receive blurred Word documents that prompt them to enable macros, which then deploy the Phoenix backdoor version 4 through a FakeUpdate injector. The malware establishes persistence and connects to command-and-control servers for intelligence gathering. Targets include embassies, diplomatic missions, and foreign affairs ministries, supporting MuddyWater's geopolitical objectives and Iran's Ministry of Intelligence operations.
Source: Dark Reading
The September cyber attack on Jaguar Land Rover has become Britain's costliest cyber incident ever, with analysts estimating damages at £1.9 billion. The hack shut down JLR's global production for five weeks starting September 1st, affecting major UK plants in Solihull, Halewood, and Wolverhampton.
The Cyber Monitoring Centre found 5,000 businesses caught in the supply chain disruption, with full recovery not expected until January 2026. JLR will bear more than half the costs through lost earnings and recovery expenses, while thousands of suppliers and local businesses face ongoing impacts.
The attack's exact nature remains unclear. JLR is gradually restarting production but declined to comment on the damage estimates.
Source: BBC