Cybersecurity News | Daily Recap [20 Sep 2025]

Daily Recap: Researchers expose MalTerminal and ShadowLeak, highlighting growing LLM abuse and zero-click data exfiltration risks in AI-enabled threats. The report also covers state-backed operations, ransomware trends, and notable breaches involving Jaguar Land Rover, ShinyHunters, and MrBeast, underscoring the widening attack surface across AI, OT, and consumer ecosystems. #MalTerminal #ShadowLeak #Turla #Gamaredon #UNC1549 #Lapsus$Hunters #JaguarLandRover #ShinyHunters #MrBeast

AI & Influence

  • Researchers uncovered MalTerminal, a GPT‑4-powered proof-of-concept malware enabling ransomware and reverse shells, highlighting rising LLM misuse in attacks – MalTerminal
  • A zero-click prompt-injection flaw dubbed ShadowLeak in OpenAI ChatGPT’s Deep Research can exfiltrate sensitive Gmail data without user interaction – ShadowLeak
  • Reporting exposes China’s use of AI persona armies by GoLaxy for influence and deception campaigns, raising strategic and trust concerns – GoLaxy Papers
  • CrowdStrike launched an Agentic Security platform and acquired Pangea for $260M to harden AI security, while Microsoft rolls out AI features such as Gaming Copilot across Windows 11, signaling both accelerating AI adoption and the need for matching defensive investment – AI Security, Gaming Copilot

Malware Campaigns & Infra

  • Attackers use SEO-poisoned GitHub repos and fake podcast pages to distribute macOS stealers like Atomic infostealer and AMOS Stealer to target developers and crypto influencers – Atomic Repos, AMOS Phish
  • The REM Proxy network, powered by SystemBC, leverages ~1,500 compromised VPS hosts daily across 80 C2 servers to provide proxy services for criminal operations and ransomware gangs – SystemBC REM

Vulnerabilities & Patches

  • Fortra patched a max‑severity deserialization/command-injection flaw (CVE‑2025‑10035) in GoAnywhere MFT; apply updates immediately to mitigate the remote code execution risk – GoAnywhere MFT, GoAnywhere Patch, GoAnywhere Advisory
  • Schneider Electric warned that its Saitel RTUs are vulnerable to OS command injection; firmware updates and mitigations are available from CISA – Schneider Saitel
  • CISA analyzed malware kits used to exploit Ivanti EPMM (CVE‑2025‑4427/4428), linking intrusions to advanced actors who gained remote control and exfiltrated data before patches were applied – Ivanti EPMM, Ivanti Analysis

Ransomware & Major Incidents

  • A sustained cyberattack attributed to Lapsus$ Hunters has forced Jaguar Land Rover to halt production since Sept 1, threatening supply‑chain impacts for ~200,000 workers and prompting national response efforts – JLR Crisis
  • Ransomware and extortion remain prolific: the DOJ says Scattered Spider extorted ~$115 million and breached U.S. courts, Qilin claims a Spartanburg County compromise, and analysts warn many strains still evade defenses – Extortion Figures, Spartanburg Hack, Ransomware Trend

State-backed & Targeted Ops

  • Researchers report collaboration between Russian groups Turla and Gamaredon in fresh intrusions on Ukraine, signaling coordinated espionage against sensitive targets – Turla/Gamaredon, Turla/Gamaredon
  • Iran‑linked UNC1549 (aka Subtle Snail) used LinkedIn job lures and the MINIBIKE backdoor to compromise 34 devices across 11 European telecom firms for long‑term espionage and data theft – UNC1549 Campaign

Scams, Privacy & Breaches

  • The FBI warned of spoofed IC3 portals used by criminals to phish for victim data; users should access the real site directly and beware impersonation scams – FBI Spoofs
  • Consolidated breach reporting highlights ~600k hit by healthcare exposures and high‑profile data thefts like ShinyHunters’ Salesforce database theft, stressing continued data protection gaps – Major Breaches
  • A watchdog found MrBeast improperly collected children’s data without parental consent under COPPA, prompting remediation and privacy reviews – MrBeast COPPA

Policy & Programs

  • The future of the CVE Program is disputed as CISA and board members debate whether CISA should retain control or transition to a more transparent, vendor‑neutral nonprofit model – CVE Future

Cybersecurity News | Daily Recap – hendryadrian.com