Svoboda Cybersecurity Brief September 18, 2025
JLR Cyberattack Disrupts UK Automotive Supply Chain
A cyberattack on Jaguar Land Rover (JLR) has halted production since September 1, 2025, severely impacting supplier Autins, whose share price plummeted 55%. The attack, claimed by Scattered Spider/ShinyHunters, has raised concerns that over 100,000 jobs are at risk and triggered calls for UK government intervention.
Source: DataBreaches
ShinyHunters Claims Theft of 1.5 Billion Salesforce Records
The ShinyHunters group (also tracked as UNC6040/UNC6395) breached 760 companies via compromised Salesloft Drift OAuth tokens, exfiltrating Account, Contact, and Case data. The attackers used TruffleHog to scan Salesloft’s GitHub for secrets, escalating access to victims like Google, Cloudflare, and Palo Alto Networks.
Source: BleepingComputer
Shai-Hulud Worm Infects 187 npm Packages in Supply Chain Attack
A self-propagating worm compromised 187 npm packages, including @ctrl/tinycolor (2M+ weekly downloads), stealing GitHub tokens, AWS keys, and cloud credentials. The malware publishes secrets to public GitHub repos labeled “Shai-Hulud Migration” and leverages compromised accounts to propagate further.
Impact: Exposes sensitive credentials and opens backdoors via auto-updating malicious packages.
Mitigation: Audit dependencies, revoke exposed tokens, and pin package versions.
Source: SecurityWeek
RaccoonO365 Phishing Service Seized by Microsoft and Cloudflare
Microsoft and Cloudflare disrupted RaccoonO365, a PhaaS operation, seizing 338 domains and freezing $100K in crypto. The group used Cloudflare Turnstile CAPTCHAs to evade detection and stole 5,000+ Microsoft 365 credentials, targeting healthcare and financial sectors.
Source: The Hacker News
Chinese TA415 Targets US Policy Experts via VS Code Tunnels
TA415 (APT41) impersonated US officials in spear-phishing attacks, deploying a Python loader (WhirlCoil) to establish Visual Studio Code remote tunnels. The campaign targeted entities focused on US-China trade policy, leveraging cloud services like Zoho and Dropbox for payload delivery.
Source: The Hacker News
SonicWall Warns Customers After Firewall Backup Breach
SonicWall disclosed a breach exposing firewall backup files containing encrypted passwords and API keys for 5% of devices. Attackers brute-forced the cloud backup API, potentially easing exploitation of SonicWall appliances.
Impact: Exposed credentials could enable lateral movement.
Mitigation: Reset credentials, disable WAN access, and patch CVE-2024-40766 (SSLVPN flaw).
Source: BleepingComputer
BreachForums Founder Resentenced to 3 Years Prison
Conor Fitzpatrick (“Pompompurin”) received a 3-year sentence for operating BreachForums, a marketplace trading 14B+ stolen records, and possessing CSAM. The forum peaked at 330,000 members before seizures and relaunches.
Source: The Hacker News
VC Giant Insight Partners Hit by Ransomware Attack
Insight Partners notified 12,657 individuals of a social engineering attack that led to data theft and ransomware deployment (not claimed by any group). Attackers exfiltrated banking, tax, and employee data before encrypting servers in January 2025.
Source: BleepingComputer
Pixie Dust Wi-Fi Attack Still Affects Modern Routers
NetRise found 20 router models (including TP-Link) remain vulnerable to the 2014 Pixie Dust attack, allowing WPS PIN extraction in seconds. Half of tested devices are still supported but unpatched.
Impact: Unauthorized network access via low-entropy WPS implementations.
Mitigation: Disable WPS or upgrade firmware.
Source: SecurityWeek
Scattered Spider Continues Attacks Despite “Retirement” Claims
Scattered Spider targeted a US bank via Azure AD password resets, contradicting its “retirement” announcement. The group dumped VMware ESXi credentials and attempted Snowflake/AWS data exfiltration.
Source: The Hacker News