San Mateo, CA, September 22, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
Scattered Spider hits banks after ‘retirement’ claim
Researchers at ReliaQuest tied a new wave of attacks on financial firms to Scattered Spider, contradicting the group’s retirement claims and instead indicating a shift toward banking targets. The firm says “Scattered Spider gained initial access by socially engineering an executive’s account and resetting their password via Azure Active Directory Self-Service Password Management. From there, they accessed sensitive IT and security documents, moved laterally through the Citrix environment and VPN, and compromised VMware ESXi infrastructure to dump credentials and further infiltrate the network.” Analysts caution the group’s farewell may be a strategic retreat rather than a true disbanding. “The recent claim that Scattered Spider is retiring should be taken with a significant degree of skepticism,” Karl Sigler, security research manager of SpiderLabs Threat Intelligence at Trustwave, a LevelBlue Company, said. “Rather than a true disbanding, this announcement likely signals a strategic move to distance the group from increasing law enforcement pressure.” Read more.
1 in 3 Android and half of iOS apps leak data
The 2025 Zimperium Global Mobile Threat Report warns that insecure APIs in mobile apps are exposing sensitive data at scale, with one in three Android apps and over half of iOS apps leaking information. Nearly half of all apps also contain hardcoded secrets such as API keys, which anyone who unpacks and reverse-engineers the app can extract and misuse. Client-side weaknesses, rooted or jailbroken devices, and the absence of certificate (SSL) pinning further widen the attack surface, leaving finance and travel apps particularly exposed. Experts stressed that API protection must start within the app, combining hardening, obfuscation, secure storage, and methods to validate that traffic comes from a genuine, untampered client. “Today, we are facing a concerning reality: many enterprise mobile apps still lack basic protections such as code obfuscation, secure storage, and updated third-party libraries,” said Vishrut Iyengar, senior solutions manager at Black Duck. Read more.
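The hardcoded-secret problem the report describes is easy to check for yourself once an app is unpacked (apktool output, decompiled Java/Kotlin, a JS bundle or a plist). The scanner below is an added example written for this page, not Zimperium's or any vendor's tooling: it matches well-known key formats by their public prefixes, catches generic `key = "..."` assignments, and uses Shannon entropy to drop placeholders such as `changeme`. The sample input is constructed, the AWS value is Amazon's documented example key, and the 3.5-bit entropy threshold is an assumption to tune per code base.

```python
"""Heuristic scan for hardcoded secrets in extracted mobile-app artifacts.

Added example for this page (not Zimperium's or any vendor's code).
Point scan() at the text files you get from unpacking an app; every
input below is constructed for illustration.
"""
import math
import re
from collections import Counter

# Structured key formats carry a public, fixed prefix, so a match is a
# strong signal on its own. The generic rule catches name/value
# assignments and is entropy-filtered to drop obvious placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*[\"']([^\"']{16,})[\"']"
    ),
}
ENTROPY_RULES = {"generic_assignment"}
MIN_ENTROPY = 3.5  # bits per character; assumption, tune per code base

# Constructed sample: a strings.xml fragment plus a decompiled Java fragment.
# The AKIA value is Amazon's published example key, not a live credential.
SAMPLE = """\
<!-- constructed strings.xml fragment, not from any real app -->
<string name="maps_key">AIzaSyD4fakeFAKEfakeFAKEfakeFAKEfakeFAK</string>
<string name="support_email">help@example.com</string>
// constructed decompiled Java fragment
static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
private String password = "changemechangeme";
private String api_key = "9f8c2b7e1a4d6c3b5e7f9a1c2d4e6b8a";
"""


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; ~4.0 for random hex, ~2-3 for words."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep just enough of a value to locate it; never log whole secrets."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text: str, min_entropy: float = MIN_ENTROPY):
    """Return [(line_no, rule, value, entropy)] for each probable secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # the generic rule captures the value in group 2; the
                # prefix rules match the whole key
                value = match.group(2) if match.lastindex else match.group(0)
                entropy = shannon_entropy(value)
                if rule in ENTROPY_RULES and entropy < min_entropy:
                    continue  # low entropy: placeholder or hint, not a key
                findings.append((line_no, rule, value, round(entropy, 2)))
    return findings


if __name__ == "__main__":
    for line_no, rule, value, entropy in scan(SAMPLE):
        print(f"line {line_no}: {rule} {redact(value)} (H={entropy})")
```

Running the block on the constructed sample reports the Google key, the AWS key ID and the hex `api_key`, and silently skips the `changemechangeme` password because its entropy is well under the threshold. In a real review, treat every hit as a finding to rotate, not just to remove: a key that shipped in a public store build should be assumed copied.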
Microsoft seizes 338 domains in phishing crackdown
Microsoft’s Digital Crimes Unit seized 338 domains tied to RaccoonO365, a phishing service used to steal more than 5,000 Microsoft credentials since mid-2024. The group responsible, tracked as Storm-2246, sold phishing kits to over 850 buyers on Telegram, enabling attacks against 2,300 U.S. organizations and at least 20 healthcare providers. Microsoft accused Nigerian programmer Joshua Ogundipe of running the service, which facilitated hundreds of millions of malicious emails. Working with Cloudflare and Chainalysis, Microsoft traced cryptocurrency payments exceeding $100,000 to Ogundipe. Officials warned the case highlights legal gaps that allow cybercriminals to operate across borders, with Steven Masada, assistant general counsel at Microsoft’s DCU, saying, “Today’s patchwork of international laws remains a major obstacle and cybercriminals exploit these gaps. Governments must work together to align their cybercrime laws, speed up cross-border prosecutions and close the loopholes that let criminals operate with impunity.” Read more.
WatchGuard patches critical Firebox firewall flaw
WatchGuard has issued patches for CVE-2025-9242, a critical remote code execution flaw in Firebox firewalls caused by an out-of-bounds write in the Fireware OS IKEv2 VPN code. The bug affects Fireware OS 11.x, 12.x, and 2025.1, and has been fixed in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1. The flaw is reachable on appliances configured for IKEv2 mobile user VPN or a branch office VPN with a dynamic gateway peer, and an appliance can remain vulnerable even after those configurations are deleted if a branch office VPN to a static gateway peer is still configured. Impacted models include T15, T20–T85, M-series appliances, Firebox Cloud, NV5, FireboxV, and the new T115–T185 line. WatchGuard provided a temporary workaround for admins unable to patch immediately. No active exploitation has been reported yet, though ransomware actors have recently targeted similar firewall vulnerabilities. Read more.
OpenAI and Anthropic partner with U.S. and U.K. on AI safety
OpenAI and Anthropic said they partnered with U.S. and U.K. government research bodies, giving access to models, classifiers, training data, and prototypes so independent experts could probe resilience and uncover vulnerabilities. OpenAI said work with NIST and the U.K. AI Security Institute revealed two flaws that, combined with context poisoning, enabled remote takeover of agents at about a 50 percent success rate and spurred expanded red teaming of GPT-5 and its agent safeguards. Anthropic reported prompt injection attacks and a universal jailbreak that prompted a redesign of its safeguard architecture. “Governments bring unique capabilities to this work, particularly deep expertise in national security areas like cybersecurity, intelligence analysis, and threat modeling that enables them to evaluate specific attack vectors and defense mechanisms when paired with their machine learning expertise,” Anthropic said in a blog post. Read more.
38M installs tied to massive SlopAds fraud scheme
Researchers have uncovered SlopAds, a large-scale ad and click fraud scheme involving 224 Android apps with 38 million downloads across 228 countries and territories. HUMAN’s Satori Threat Intelligence and Research Team reports that the “apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks.” The fraud was triggered only on installs that originated from the operators’ own ad clicks; apps installed any other way behaved normally, which kept them under the radar of store review and user reports. “From developing and publishing apps that only commit fraud under certain circumstances to adding layer upon layer of obfuscation, SlopAds reinforces the notion that threats to the digital advertising ecosystem are only growing in sophistication,” HUMAN researchers said. Google has removed all offending apps. Read more.
FBI warns Salesforce users of ShinyHunters’ activity
The FBI has issued an advisory warning Salesforce customers about UNC6040 (linked to ShinyHunters) and UNC6395, two threat groups that are abusing the platform for data theft and extortion. Since October 2024, UNC6040 has run vishing campaigns in which actors impersonate IT support staff to trick call center employees into granting access or revealing credentials, sometimes persuading them to authorize a malicious connected app that then exfiltrates data. Some victims later received extortion demands allegedly from ShinyHunters. UNC6395, meanwhile, used OAuth tokens stolen from Salesloft’s Drift integration to compromise hundreds of Salesforce environments before Salesforce revoked the tokens in August. The FBI recommends phishing-resistant MFA, call center training, access restrictions such as IP allow-listing and least-privilege permission sets, and monitoring of third-party integrations and connected apps. Read more.
Jaguar Land Rover extends shutdown after cyberattack
Jaguar Land Rover has extended its production shutdown until September 24 following a cyberattack that forced it offline at the end of August, stating that it has “taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time.” The company, owned by Tata Motors and employing nearly 39,000 people, confirmed that attackers stole data and significantly disrupted operations, prompting a halt to global production. While JLR has not attributed the breach, a group calling itself Scattered Lapsus$ Hunters claimed responsibility, posting screenshots of JLR’s SAP system and alleging ransomware deployment. The group says it is linked to Scattered Spider, Lapsus$, and ShinyHunters, and has recently targeted Salesforce customers and claimed stolen data from Google, Cloudflare, Palo Alto Networks, and others. Read more.
Apple CarPlay exploit still threatens most cars
Although a patch for Apple CarPlay was released almost half a year ago, few vendors and no car manufacturers are known to have applied fixes for CVE-2025-24132. This buffer overflow in the AirPlay SDK can give an attacker root-level remote code execution on the head unit without user interaction. Researchers say attackers can reach CarPlay via USB, Wi-Fi with weak or default passwords, or Bluetooth, and then abuse Apple’s iAP2 protocol and the AirPlay SDK to seize control. “Our testing found that a significant number of systems rely on Just Works Bluetooth pairing, and many older and third-party head units use default or predictable Wi-Fi passwords,” reports Oligo Security researcher Uri Katz. “Newer vehicles are improving, but legacy systems (which stay on the road for years) often ship with minimal pairing protections — this is an issue for many other IoT devices today as well.” Oligo Security withheld technical details until after Apple shipped its fix on March 31 and the coordinated disclosure on April 29. According to Katz, vehicles are slow to be patched because there is no standardized process for pushing SDK fixes from Apple through head-unit suppliers to car makers and, finally, to vehicles on the road. Read more.
Windows update breaks SMBv1 file shares
Microsoft has confirmed that its September 2025 Windows security updates are breaking connections to Server Message Block (SMB) v1 shares across both client (Windows 11 24H2/23H2/22H2, Windows 10 22H2/21H2) and server (Windows Server 2025, 2022) platforms. The issue occurs when connecting to SMBv1 shares over NetBIOS over TCP/IP (NetBT), which uses TCP port 139, and failures are reported if either the client or the server has the update installed. As a temporary workaround, Microsoft advises allowing traffic on TCP port 445, so that connections bypass NetBT and use direct-hosted SMB over TCP instead. SMBv1, deprecated since 2014, has long been flagged as insecure, and its weaknesses were exploited in major malware outbreaks such as WannaCry and NotPetya. Microsoft has for years urged network admins to remove SMBv1 support entirely, which is the durable fix: a share that still needs SMBv1 is the real problem, not the broken NetBT path. Read more.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
