Losses from JLR Cyberattack Estimated at $2.5 Billion
(October 22, 2025)
The cyberattack and subsequent shutdown experienced by Jaguar Land Rover (JLR) in late August 2025 may be the "most economically damaging cyber event to hit the UK," with an estimated financial impact of £1.9 billion (about US$2.5 billion), according to the Cyber Monitoring Centre (CMC), a UK non-profit that monitors, categorizes, and reports on cyber events. The CMC rates the JLR incident as "a Category 3 systemic event on the five-point Cyber Monitoring Centre scale," an analysis ideally conducted within 30 days by a technical committee, based on the total financial losses and number of UK organizations that experienced a financial impact of at least £1,000 (US$1,332.40). In late September the UK government guaranteed a £1.5 billion (about US$2 billion) commercial bank loan to support the vulnerable JLR supply chain during shutdown. On October 7, JLR announced the gradual restoration of manufacturing operations in a phased restart.
Editor's Note
[Pescatore]
Damage estimates for widespread physical damage from storms and other natural disasters are just semi-informed guesses that don’t drive business decisions. The easy business decision is that JLR would have spent less avoiding or minimizing this event than they have already spent — not to mention future lawsuits from the 5,000 suppliers impacted to the tune of about $400K on average.
[Dukes]
The estimated cost is not surprising given that JLR was down for two months. Coupled with the ripple effect on parts suppliers, it was indeed a seismic ransomware event. Hopefully the UK government will require an after-action report on the state of cybersecurity at JLR as part of the loan arrangement. We all can learn from this unfortunate event.
[Neely]
A CMC rating of 5, their max, requires an impact of £5 billion (about US$6.7 billion) and affects more than 5% of the UK population. With the JLR incident impacting over 5,000 organizations, and estimated costs approaching $2.5 billion, this has become one of the most costly incidents in UK history. JLR is ramping up operations in a phased approach, but not providing an ETA for return to full capacity; CMC is estimating that to be January 2026. The trick for JLR, or any of us in their position, is to not be distracted by external analysis, but rather to focus on the planned recovery and remediation actions. Ensure that who you have orchestrating appropriate response or escalation is also tracking external feedback: there may be something there you missed or can leverage.
Read more in:
- cybermonitoringcentre.com: Cyber Monitoring Centre Statement on the Jaguar Land Rover Cyber Incident – October 2025
- cybermonitoringcentre.com: Event Categorisation Methodology (February 2025) (PDF)
- www.theregister.com: Jaguar Land Rover cyber-meltdown tipped to cost the UK almost £2B
- www.theguardian.com: Jaguar Land Rover hack has cost UK economy £1.9bn, experts say
- therecord.media: Jaguar Land Rover cyberattack cost $2.5 billion, says monitoring group
F5 Breach Illustrates Where Federal CDM Program Needs to Increase Visibility
(October 23, 2025)
Following F5's breach disclosure, officials at the Cybersecurity and Infrastructure Security Agency (CISA) said they faced difficulties tracking instances of F5 products throughout the civilian branch of the federal government. CISA issued an emergency directive regarding the F5 vulnerabilities, instructing agencies to identify and patch all F5 instances, after the disclosure that a nation-state actor had maintained persistent access to F5 systems. The directive also instructed the agencies to help CISA identify F5 instances on federal systems. CISA's Continuous Diagnostics and Mitigation (CDM) program, on which the government has spent billions of dollars, was intended to make this type of process simpler. One of the program's four main goals is "increasing visibility into the federal cybersecurity posture." CyberScoop spoke with several experts who offered various reasons why current CDM practices lack visibility into F5 instances and other network edge devices. Matt Hartman, former deputy executive assistant director for cybersecurity at CISA, told CyberScoop, "Today, CDM excels on traditional IT assets, like servers and workstations, but is not fully optimized for specialized systems like OT and IoT, or cloud-native resources and containerized workloads that change dynamically. The positive news is that CISA fully acknowledges these gaps and they are on the CDM deployment roadmap." Last year, CDM program manager Matt House spoke to Federal News Network about the program's efforts to expand its purview to the cloud: "We can tackle the infrastructure-as-a-service piece fairly directly as a logical, if not concrete extension of what we're doing for traditional assets. But we're largely blind right now if we try to take the tools that we have in place today and apply them to platform as a service and software as a service. It just doesn't work. It's not applicable, so we are somewhat blind there." CISA also offers Cyber Hygiene (CyHy) services, which may help identify devices that inventories frequently miss.
Editor's Note
[Pescatore]
This is a good example of a government-wide (and corporate-wide) fault that becomes a security problem. At the very top, why doesn’t the USG have the overall ability by OMB or GSA to search procurement records to find all procurements from one supplier? Next level down, why don’t agency CIOs have the capability for accurate software and SaaS inventories? If the roof leaks, patching drywall quickly does not change the problem.
[Neely]
CDM has lofty goals akin to creating a government-wide SOC with visibility into systems across the USG. Implementing it requires not only ongoing funding for staff, services, and infrastructure, but also requires culture change. Past funding has been for initial startup/limited term, leaving agencies on the hook for sustaining funding. Even so, in general, the low-hanging fruit of commodity IT has largely been solved, but branching to appliances and OT/ICS systems will include considerations about how to collect equivalent data, often from specialized systems and crossing air gaps without reductions in security.
[Dukes]
It befuddles me that they can’t seem to roll up procurement records by department and agency for a complete picture. Meanwhile, we’ve spent billions on CDM and still have a long, long way to go to gain visibility of IT products in the Federal government. If you don’t know your enterprise, how can you protect it?
Maryland Establishes a Vulnerability Disclosure Program
(October 22, 2025)
Maryland State CISO James Saunders has announced that Maryland's "Office of Security Management has launched a Statewide Vulnerability Disclosure Policy (VDP) covering every unit of government in Maryland." The program, which is being run with support from Bugcrowd, "will provide a secure and legal channel for security researchers to report potential vulnerabilities in State systems." The VDP covers "systems and services that are publicly accessible and either ... use state-managed domain names like *.maryland.gov, *.md.gov, or *.state.md.us; or are connected to the state’s secure government network, networkMaryland." While not unheard of, few non-federal government organizations run VDPs; California and New York City have VDPs, and Ohio's Secretary of State operates a VDP for that state’s election-related websites. In a separate, related announcement, Saunders has issued a "directive requir[ing] all entities of the State of Maryland to become members of the Maryland Information Sharing and Analysis Center (MD-ISAC)."
Editor's Note
[Neely]
When implementing a VDP, it's important to leverage a partner with expertise and resources to make sure you're fully prepared, not only with terms of engagement and reporting processes, but also with response capabilities, to include SLAs. Staff will need to be briefed on how to treat issues reported, including the researchers.
[Ullrich]
The topic of bug bounties comes up during my web application security class. Feedback from students has been overwhelmingly positive. I do believe a robust bug bounty program is a sign of a competent security program. Most of the objections to bug bounty programs come from leadership with insufficient subject matter expertise being afraid a bug bounty will draw attention to an ineffective security program.
[Dukes]
Vulnerability disclosure programs have proven themselves time and time again as a cost-effective way to reduce bugs in software. Often overlooked is bespoke, government-produced software. This closes that gap in Maryland. Kudos to Maryland for joining the small list of states that have such a program.
Read more in:
- statescoop.com: Maryland creates vulnerability disclosure program, expands ISAC statewide
- www.linkedin.com: James Saunders
- doit.maryland.gov: Vulnerability Disclosure Program
- doit.maryland.gov: Mandatory Enrollment in the Maryland Information Sharing and Analysis Center (MD-ISAC) BOD 25-01
- doit.maryland.gov: MD-ISAC
Researchers Find Adobe Commerce and Magento Vulnerability is Being Actively Exploited
(October 22 & 23, 2025)
Researchers at Sansec have observed threat actors actively exploiting a known vulnerability in Adobe Commerce and Magento Open Source, CVE-2025-54236, known as SessionReaper. Adobe released updates for the improper input validation vulnerability on September 9, 2025. Sansec says they recently "blocked over 250 SessionReaper exploitation attempts in the wild," and estimates that 62 percent of Magento stores are still vulnerable. Earlier this week, Assetnote/Searchlight Cyber researcher Tomais Williamson published analysis of the vulnerability and the patch Adobe released for it, determining that while Adobe has labeled the issue a “security feature bypass,” Searchlight Cyber "believe[s] that this is a critical vulnerability. In instances that use file-based session storage, remote code execution can be easily achieved by an unauthenticated user." According to the US National Institute of Standards and Technology's (NIST's) National Vulnerability Database (NVD) description, the vulnerability could be exploited "to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction."
Editor's Note
[Ullrich]
Many instances of Adobe Commerce are still vulnerable. Adobe Commerce vulnerabilities have a history of being exploited shortly after a patch is announced, and users of the product must be careful to not miss any patches.
[Neely]
CVE-2025-54236, Adobe Commerce Input Validation Flaw, CVSS score 9.1, impacts Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. Apply the hotfix, VULN-32437-2-4-X, published in September. If you have the older version of the Custom Attributes Serializable module installed, update to version 0.4.0 before applying the hotfix.
Read more in:
- sansec.io: SessionReaper attacks have started, 3 in 5 stores still vulnerable
- slcyber.io: Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236)
- www.darkreading.com: Fear the 'SessionReaper': Adobe Commerce Flaw Under Attack
- thehackernews.com: Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw
- www.helpnetsecurity.com: Critical Adobe Commerce, Magento vulnerability under attack (CVE-2025-54236)
- www.bleepingcomputer.com: Hackers exploiting critical "SessionReaper" flaw in Adobe Magento
- helpx.adobe.com: Security update available for Adobe Commerce | APSB25-88
- nvd.nist.gov: CVE-2025-54236 Detail
Cache Poisoning in BIND DNS Resolver
(October 22 & 23, 2025)
On Wednesday, October 22, the Internet Systems Consortium (ISC) released updates to the Berkeley Internet Name Domain (BIND) DNS resolver to address three vulnerabilities. Two of the vulnerabilities, CVE-2025-40778 and CVE-2025-40780, could be exploited to poison cached results and redirect users to malicious sites. CVE-2025-40778 allows cache poisoning via unsolicited resource records (RRs); ISC notes that "under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache." CVE-2025-40780 is a weak Pseudo Random Number Generator (PRNG) issue that could make it "possible for an attacker to predict the source port and query ID that BIND will use," which are the two values an off-path attacker must guess to have a forged response accepted. A third vulnerability, CVE-2025-8677, is described as "resource exhaustion via malformed DNSKEY handling ... [that] could overwhelm the server, significantly impacting performance and leading to denial of service for legitimate clients." All three of the flaws are rated high severity. Users are advised to update to the patched versions of BIND as soon as possible.
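Because CVE-2025-40780 is about the predictability of source ports and query IDs, a practitioner upgrading a resolver will usually also want to confirm that those two fields really are spread across their 16-bit range in live traffic. The check below is an added example, not ISC code and not part of the original newsletter: it takes (source_port, query_id) pairs as a caller would extract them from a packet capture of the resolver's outbound UDP/53 queries (the capture and extraction step is assumed and not shown), and flags gross failures such as sequential port allocation, a tiny value pool, or a narrow range. The two sample sets are constructed for illustration. Note the caveat: a statistically uniform-looking stream can still come from a predictable generator, which is exactly the bug ISC patched, so this test catches configuration and deployment mistakes (a fixed `query-source ... port` in named.conf, or a NAT in front of the resolver that rewrites ports sequentially), not the PRNG flaw itself; for that, apply the update.

```python
"""Sanity check of DNS resolver source-port and query-ID randomisation.

Added example, not ISC code. Input: (source_port, query_id) pairs captured
from the resolver's outbound queries. The sample sets below are constructed.
"""
import math
import random
from collections import Counter


def distinct_ratio(values):
    """Share of unique values; many repeats in a small sample suggest a tiny pool."""
    return len(set(values)) / len(values)


def sequential_fraction(values):
    """Share of consecutive pairs that increase by exactly 1 (mod 2**16)."""
    if len(values) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return hits / (len(values) - 1)


def spread_bits(values):
    """log2 of the range actually used; a 16-bit field should come close to 16."""
    return math.log2(max(values) - min(values) + 1)


def assess_field(values, min_distinct=0.9, max_sequential=0.05, min_spread=12.0):
    """Per-metric results plus a verdict for one 16-bit field (thresholds are assumptions)."""
    result = {
        "distinct_ratio": distinct_ratio(values),
        "sequential_fraction": sequential_fraction(values),
        "spread_bits": spread_bits(values),
    }
    result["weak"] = (
        result["distinct_ratio"] < min_distinct
        or result["sequential_fraction"] > max_sequential
        or result["spread_bits"] < min_spread
    )
    return result


def assess_resolver(pairs):
    """Assess ports and IDs separately; poisoning gets easier if either is guessable."""
    ports = assess_field([p for p, _ in pairs])
    ids = assess_field([q for _, q in pairs])
    return {"ports": ports, "ids": ids, "weak": ports["weak"] or ids["weak"]}


# Constructed sample 1: ephemeral ports and IDs drawn uniformly (seeded for reproducibility).
_rng = random.Random(1)
GOOD_SAMPLE = [(_rng.randrange(1024, 65536), _rng.randrange(0, 65536)) for _ in range(200)]

# Constructed sample 2: ports handed out sequentially, IDs stepping by a constant.
WEAK_SAMPLE = [(33000 + i, (4321 + 7 * i) % 65536) for i in range(200)]


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("weak", WEAK_SAMPLE)):
        verdict = assess_resolver(sample)
        print(name, "WEAK" if verdict["weak"] else "ok", verdict)
```

Run it against a few hundred real pairs rather than the constructed ones; a few dozen queries are too few for the distinct-ratio and spread metrics to mean much, and the thresholds should be tuned to the sample size.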
Editor's Note
[Ullrich]
DNS spoofing and cache poisoning is just not going away. Not the most critical vulnerability, but it should be easy to patch.
[Neely]
The attack requires specific timing and network level spoofing, and only affects cache integrity without server compromise. The vulnerability is considered important rather than critical. Even so, make sure you are on BIND 9.20.14 or higher.
Read more in:
- arstechnica.com: Cache poisoning vulnerabilities found in 2 DNS resolving apps
- www.securityweek.com: BIND Updates Address High-Severity Cache Poisoning Flaws
- kb.isc.org: BIND 9 Software Vulnerability Matrix
- kb.isc.org: CVE-2025-40778: Cache poisoning attacks with unsolicited RRs
- kb.isc.org: CVE-2025-40780: Cache poisoning due to weak PRNG
- kb.isc.org: CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling
Check Point Research: YouTube Ghost Network Distributed Malware
(October 23, 2025)
Researchers at Check Point have published their analysis of the YouTube Ghost Network, a malware distribution scheme on YouTube that has posted more than 3,000 maliciously crafted videos purporting to offer pirated software or game cheats but instead delivering infostealers, most frequently Lumma (which was disrupted earlier this year) or Rhadamanthys. Check Point defines a Ghost Network "as a collection of fake or ‘ghost’ accounts operating as a service, manipulating platform engagement mechanisms to disguise malicious activities as benign and enable large-scale malware distribution." Users are often told to disable Windows Defender before downloading the sought-after content or software, and then to download a file from Dropbox, Google Drive, or MediaFire. Google has taken down most of the offending YouTube videos.
Editor's Note
[Neely]
Threat actors are using several techniques with the endgame of enticing users to disable EDR and ignore any warning prompts — e.g., if a file is too large to scan, or giving assurances that code is fine despite warnings — to install software to meet the manufactured gain such as game cheat codes or free versions of paid software. Check Point has published IoCs for your threat hunters to get after. You need to make sure that EDR cannot be trivially disabled, that users are aware to not accept or bypass security challenges for installs without validation, and that users only install software from official sources. Assure them that for software needed to do their jobs, licenses will be funded.
[Dukes]
An example of ingenuity by evildoers and perhaps stems from the fact that we no longer buy software. What’s a bit disappointing is that it took GOOG five years to remove the malicious network.
Lanscope RCE Flaw Added to KEV Catalog
(October 20 & 23, 2025)
On Wednesday, October 22, the US Cybersecurity and Infrastructure Security Agency (CISA) added an improper verification of source of a communication channel vulnerability in Motex LANSCOPE Endpoint Manager (CVE-2025-61932) to the Known Exploited Vulnerabilities (KEV) catalog. The critical (CVSS 9.3) flaw could be exploited to execute arbitrary code. In an advisory, Motex writes that the "vulnerability exists in the client program (MR) and detection agent (DA) of the on-premise version of (Lanscope) Endpoint Manager," and acknowledges that exploitation attempts have been detected. Motex has patched the vulnerability in Lanscope Endpoint Manager On-Premise versions 9.4.7.3, 9.4.6.3, 9.4.5.4, 9.4.4.6, 9.4.3.8, 9.4.2.6, 9.4.1.5, 9.4.0.5, 9.3.3.9, and 9.3.2.7. Users are urged to update as soon as possible. JPCERT/CC has published a related alert that includes IP addresses observed as the source of communication to the backdoor and as the destination of the unauthorized outbound communication.
Editor's Note
[Neely]
CVE-2025-61932, improper request source validation, has a CVSS score of 9.8. If you're a Motex LANSCOPE site, make sure that you're grabbing the IoCs from JPCERT/CC as well as updating to the latest version. There are hints of a workaround; it turns out the identified workaround is to update urgently.
Read more in:
- www.helpnetsecurity.com: Lanscope Endpoint Manager vulnerability exploited in zero-day attacks (CVE-2025-61932)
- thehackernews.com: Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms
- www.bleepingcomputer.com: CISA warns of Lanscope Endpoint Manager flaw exploited in attacks
- www.securityweek.com: Lanscope Endpoint Manager Zero-Day Exploited in the Wild
- www.motex.co.jp: [Important Notice] Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager On-Premise Edition (CVE-2025-61932)
- www.jpcert.or.jp: Regarding the vulnerability (CVE-2025-61932) in the on-premise version of LANSCOPE Endpoint Manager where there is insufficient verification of the sender's origin in the communication channel
- nvd.nist.gov: CVE-2025-61932 Detail
TP-Link Releases Firmware Updates to Address Four Vulnerabilities in Omada Gateways
(October 21, 22, & 23, 2025)
TP-Link has released firmware updates to address four vulnerabilities in TP-Link Omada Gateways. The two advisories each describe a pair of vulnerabilities that could be exploited to achieve command injection. One of the advisories concerns CVE-2025-6541 and CVE-2025-6542, vulnerabilities that together allow "An arbitrary OS command [to] be executed on Omada gateways by the user who can log in to the web management interface or by a remote unauthenticated attacker." The second advisory concerns CVE-2025-7850, "a command injection vulnerability may be exploited after the admin's authentication on the web portal on Omada gateways," and CVE-2025-7851, an issue that could allow "an attacker [to] obtain the root shell on the underlying with the restricted conditions on Omada gateways." The flaws affect various ER, G, and FR models of Omada Gateways.
Editor's Note
[Neely]
CVE-2025-6541, CVSS score 8.6; CVE-2025-6542, CVSS score 9.3; CVE-2025-7850, CVSS score 9.; and CVE-2025-7851, CVSS score 8.7, are all flaws in your boundary/access (VPN) devices, warranting immediate action. Make sure you're getting vendor alerts on flaws on all your perimeter devices; addressing this is a top priority.
[Murray]
TP-Link offers a wide range of popular wired and wireless products. ER models, included in this release, are priced in the tens to low hundreds of dollars and are intended for the small business and home office market. Owners, operators, and users of networks in this market are often unaware of brands, models, and vulnerabilities; many of these will not be updated. Where one has only one of these devices it is often cheaper to simply replace it than to update firmware. However, the same model from a distributor's inventory may contain the vulnerability.
Indiana, Tennessee, and Texas Public Service Cyberattacks
(October 22, 2025)
Public services in three US states suffered cyberattacks from late September to mid-October 2025. Indiana's DeKalb County published a press release notifying residents of a cyberattack discovered on September 25, which disrupted county workstation logins. The county's "Emergency Management, Information Technology, ... County Commissioners, Attorney, and Auditor" informed law enforcement and cybersecurity officials, and collaborated with third-party contractors to restore computer systems and phone lines. 911 service remained operational. La Vergne, Tennessee announced on October 17 that the city took systems offline following a "network incident," engaging third-party cybersecurity experts and collaborating with law enforcement as well as the FBI and Tennessee Bureau of Investigation (TBI) to investigate. An update on October 21 announced that certain La Vergne public services would resume via "temporary paper-based procedures" while recovery is ongoing: no water billing late fees or shutoffs will occur while computer systems are down, and the city will accept only checks or money orders for water bills and property taxes; municipal court hearings have also been postponed. Kaufman County in Texas experienced a security incident on October 20, which infected some courthouse computers and prevented some employees from accessing files. A local news outlet reports that the attack appears to be ransomware. The county "notified appropriate agencies" and worked with cybersecurity experts and law enforcement to investigate. The Kaufman County Sheriff's Department and emergency services, including 911 dispatch, have not been impacted.
Editor's Note
[Neely]
The government shutdown, changes in funding to MS-ISAC, spindown of CIS support, and expiration of legislation regarding cyber intelligence sharing are complicating life for SLTT entities. Make sure you're following the latest path to reconnecting the lost threat feeds, to include partnering with peers for alternate information sources and approaches.
[Dukes]
It’s hard to tell if this is just opportunistic evil-doers using malware to attack public services of state and local communities or a direct impact of the cuts in federal cybersecurity spending. What is known is that we’ve lost centralized reporting on cyber events in the SLTT community with the lapse in funding and RIF (Reduction In Force) at CISA.
[Murray]
Municipalities rank right up there with healthcare as targets for ransomware.
Read more in:
- therecord.media: Cyber incidents in Texas, Tennessee and Indiana impacting critical government services
Former Cybersecurity Company Executive Charged with Stealing Trade Secrets and Selling Them to Russia
(October 14, 23, & 24, 2025)
The US Department of Justice (DoJ) has filed charges against a former Trenchant executive for allegedly stealing trade secrets and selling them "to a buyer based in the Russian Federation (Russia)." Peter Williams, an Australian national residing in the US, is the former "general manager of Trenchant, a specialized cybersecurity division within L3Harris, which provides hacking and surveillance tools to Western intelligence agencies." Federal prosecutors are seeking the forfeiture of Williams's home, luxury goods, and financial accounts.
Editor's Note
[Neely]
The question is, for your staff handling highly sensitive information, could you tell if they were engaged in similar activities? How often do you recheck their background? Do you know where your sensitive information is, and shouldn't be? Do you consider how it can be captured/exfiltrated, to include mobile devices and media? Many of us have been so distracted by ransomware and extortion campaigns, we may have neglected insider concerns. Double check, just to be sure.
SANS Internet Storm Center StormCast Friday, October 24, 2025
Android Infostealer; SessionReaper Exploited; BIND/unbound DNS Spoofing fix; WSUS Exploit
https://isc.sans.edu/podcastdetail/9670
Infostealer Targeting Android Devices
This infostealer, written in Python, specifically targets Android phones. It takes advantage of Termux to gain access to data and exfiltrates it via Telegram.
https://isc.sans.edu/diary
Attackers exploit recently patched Adobe Commerce Vulnerability CVE-2025-54236
Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. E-commerce security company Sansec has detected multiple exploit attempts.
https://sansec.io/research/sessionreaper-exploitation
Patch for BIND and unbound nameservers CVE-2025-40780
The Internet Systems Consortium (ISC.org), as well as the Unbound project, patched a flaw that may allow for DNS spoofing due to a weak random number generator.
https://kb.isc.org/docs/cve-2025-40780
WSUS Exploit Released CVE-2025-59287
Hawktrace released a walkthrough showing how to exploit the recently patched WSUS vulnerability.
https://hawktrace.com/blog/CVE-2025-59287
SANS Internet Storm Center StormCast Thursday, October 23, 2025
Blue Angel Software Exploit; Oracle CPU; Rust tar library vulnerability
https://isc.sans.edu/podcastdetail/9668
webctrl.cgi/Blue Angel Software Suite Exploit Attempts. Maybe CVE-2025-34033 Variant?
Our honeypots detected attacks that appear to exploit CVE-2025-34033 or a similar vulnerability in the Blue Angel Software Suite.
https://isc.sans.edu/diary
Oracle Critical Patch Update
Oracle released its quarterly critical patch update. The update includes patches for 374 vulnerabilities across all of Oracle’s products. There are nine more patches for Oracle’s e-Business Suite.
https://www.oracle.com/security-alerts
Rust TAR Library Vulnerability
A vulnerability in the popular, but no longer maintained, async-tar library could lead to arbitrary code execution.
https://edera.dev/stories/tarmageddon