It's been a packed 24 hours in the cyber world! We've got major arrests, critical vulnerabilities, nation-state activity, and a deep dive into AI's evolving role in both defence and attack. Let's get into it:

Scattered Spider Takedown & TfL Attack Details

- UK law enforcement, in coordination with the US DOJ, has arrested two teens, Thalha Jubair (19) and Owen Flowers (18), linked to the notorious Scattered Spider group.
- Jubair is charged with involvement in at least 120 network intrusions, extorting over $115 million from 47 US entities, including a breach of the US federal court system.
- Investigators traced Jubair's activities through cryptocurrency transactions used for gaming gift cards and food deliveries to his apartment, highlighting operational security failures.

The Hacker News | https://thehackernews.com/2025/09/uk-arrest-two-teen-scattered-spider.html
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/19/scattered_spider_teen_cuffed/
The Record | https://therecord.media/scattered-spider-unsealed-charges-115million-extortion-breached-courts-system

Russian Airport Website Hacked

- Pulkovo Airport in St. Petersburg, Russia's second-largest air hub, reported its website was knocked offline due to a cyberattack.
- While airport operations remained unaffected, this incident follows other disruptions in Russia's aviation sector, including a system failure at KrasAvia and a major Aeroflot outage claimed by pro-Ukrainian groups.
- The attack highlights ongoing cyber warfare targeting Russian critical infrastructure since the 2022 invasion of Ukraine.

The Record | https://therecord.media/russia-pulkovo-airport-st-petersburg-website-hacked

Russian APTs Turla and Gamaredon Collaborate in Ukraine

- ESET researchers have documented the first technical evidence of collaboration between two Russian FSB-linked APTs, Gamaredon and Turla, in attacks against Ukrainian entities.
- Gamaredon's tools (PteroGraphin, PteroOdd) were observed deploying Turla's sophisticated Kazuar backdoor, with Gamaredon potentially providing initial access for Turla's targeted espionage.
- This convergence suggests a strategic alignment, likely intensified by the ongoing conflict, focusing on high-value targets within Ukraine's defence sector.

The Hacker News | https://thehackernews.com/2025/09/russian-hackers-gamaredon-and-turla.html
The Record | https://therecord.media/russian-spy-groups-turla-gamaredon-target-ukraine

Iranian UNC1549 Targets Telecoms via LinkedIn Lures

- The Iran-nexus cyber espionage group UNC1549 (aka Subtle Snail) has infiltrated 34 devices across 11 telecommunications firms in Europe, Canada, UAE, UK, and US.
- The group uses sophisticated LinkedIn job lures, posing as HR reps, to build trust and deliver the MINIBIKE backdoor via DLL side-loading from fraudulent domains.
- MINIBIKE is a modular backdoor capable of extensive reconnaissance, credential theft (including Outlook and browser data), and persistence, with C2 traffic proxied through Azure cloud services for stealth.

The Hacker News | https://thehackernews.com/2025/09/unc1549-hacks-34-devices-in-11-telecom-firms-via-linkedin-job-lures-and-minibike-malware/

Global PhaaS Surge: Lighthouse & Lucid Campaigns

- The Phishing-as-a-Service (PhaaS) platforms Lighthouse and Lucid are linked to over 17,500 phishing domains, targeting 316 brands across 74 countries.
- These Chinese-speaking threat actors (XinXin group) use advanced techniques like homoglyph attacks (e.g., Japanese Hiragana character 'ん' to mimic '/') and specific User-Agent/proxy country checks to evade detection.
- Phishing infrastructure is shifting, with a 25% increase in email-based credential harvesting, moving away from Telegram, and leveraging services like EmailJS to bypass self-hosted infrastructure.

The Hacker News | https://thehackernews.com/2025/09/17500-phishing-domains-target-316-brands-across-74-countries-in-global-phaas-surge/

Max Severity Flaw in GoAnywhere MFT (CVE-2025-10035)

- Fortra has patched a maximum-severity deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT's License Servlet, allowing potential command injection.
- This flaw is "virtually identical" to CVE-2023-0669, a zero-day exploited by the Clop ransomware gang two years ago, affecting over 100 organisations.
- While no active exploitation is confirmed yet, researchers anticipate it, urging immediate patching or ensuring the Admin Console is not publicly exposed to the internet.

CyberScoop | https://cyberscoop.com/goanywhere-file-transfer-service-vulnerability-september-2025/
Bleeping Computer | https://www.bleepingcomputer.com/news/security/fortra-warns-of-max-severity-flaw-in-goanywhere-mfts-license-servlet/
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/19/gortra_goanywhere_bug/

Ivanti EPMM Zero-Days Under Active Exploitation (CVE-2025-4427, CVE-2025-4428)

- CISA has detailed two malware strains actively exploiting Ivanti EPMM zero-days (CVE-2025-4427, authentication bypass; CVE-2025-4428, RCE) chained together.
- Exploitation was observed around May 15, 2025, following PoC publication, with suspected China-nexus espionage groups leveraging the flaws to deploy malicious Java class listeners.
- These listeners enable arbitrary code execution, data exfiltration, and persistence, delivered in segmented, Base64-encoded chunks to evade detection. Immediate patching and treating MDM systems as high-value assets are critical.

The Hacker News | https://thehackernews.com/2025/09/cisa-warns-of-two-malware-strains.html
Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-deployed-in-ivanti-epmm-attacks/
The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/19/cisa_ivanti_bugs_exploited/

Critical Entra ID Flaw (CVE-2025-55241) Could Grant Global Admin Access

- A researcher discovered a critical flaw (CVE-2025-55241) in Microsoft Entra ID that could have allowed access to almost every tenant worldwide via undocumented "Actor tokens."
- The vulnerability in the legacy Azure Active Directory Graph API failed to validate originating tenants, enabling cross-tenant authentication as any user, including Global Admins, without logging.
- Microsoft has swiftly mitigated the issue, confirming no abuse was detected, but the potential impact underscores the severity of identity-related vulnerabilities in cloud environments.

The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/19/microsoft_entra_id_bug/

ChatGPT "ShadowLeak" Bug Exfiltrated Gmail Secrets

- OpenAI patched a critical "ShadowLeak" flaw in ChatGPT's Deep Research assistant that allowed attackers to steal Gmail secrets with a single, maliciously crafted email.
- The attack hid instructions in white-on-white text or CSS within an email, which the AI agent would dutifully follow when summarising the inbox, exfiltrating sensitive data to an attacker-controlled server.
- This server-side execution bypasses traditional security controls, highlighting new risks with AI agents accessing private data and the need for robust input sanitisation and agent access controls.

The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/19/openai_shadowleak_bug/

China's GoLaxy AI Persona Army for Information Warfare

- Leaked documents from Chinese company GoLaxy reveal a chilling new approach to information warfare: an army of AI personas designed for intimate, surgical persuasion.
- These aren't crude bots but highly realistic, adaptable digital identities, crafted using scraped social data and generative AI (DeepSeek) to build psychological profiles and shape narratives.
- The documents show dossiers on 2,000 American public figures and thousands of influencers, with operations already active in Hong Kong and Taiwan, signalling a new frontier in cognitive warfare.

The Record | https://therecord.media/golaxy-china-artificial-intelligence-papers

FBI Warns of Fake Crime Reporting Portals

- The FBI has issued a warning about cybercriminals impersonating its Internet Crime Complaint Center (IC3) website to conduct financial scams and steal personal information.
- These spoofed sites often use slightly altered domains (e.g., icc3[.]live) and may even display legitimate-looking warnings to trick victims.
- The FBI advises users to always manually type www.ic3.gov, avoid clicking sponsored search results, and never share personal info or send money to individuals claiming to be from the FBI or IC3.

Bleeping Computer | https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-fbi-crime-complaint-portals-used-for-cybercrime/

ChatGPT Can Now Solve CAPTCHAs with Prompt Engineering

- Researchers have demonstrated that ChatGPT-4o can be tricked into solving complex, image-based CAPTCHAs by using cleverly worded prompts and "staged consent."
- This bypasses the chatbot's policy prohibitions, raising serious questions about the long-term reliability of CAPTCHAs as a human-proving security mechanism against increasingly capable AI systems.
- The technique involved initially "training" the LLM on "fake" CAPTCHAs in one chat, then transferring that context to an agent chat to solve real ones, highlighting the evolving threat of prompt injection.

The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/19/how_to_trick_chatgpt_agents/

Future of CVE Program in Limbo Amidst CISA Debate

- The future governance of the globally critical CVE Program is being debated, with CISA asserting its leadership role following a recent funding scare.
- CISA released documents outlining its vision for a CISA-led, vendor-neutral program, arguing against privatisation due to potential conflicts of interest and national security risks.
- However, CVE Program board members have formed the CVE Foundation, advocating for a globally supported, collaborative model with CISA as one of many contributors, questioning CISA's historical role and financial transparency.

The Record | https://therecord.media/cve-program-future-limbo-cisa

MI6 Launches Dark Web Portal "Silent Courier" for Spy Recruitment

- The UK's Secret Intelligence Service (MI6) has launched "Silent Courier," an upgraded dark web portal on the Tor network, to securely recruit foreign informants globally.
- The initiative aims to attract individuals with sensitive information on global instability or hostile intelligence activity, providing anonymous direct contact with MI6.
- Instructions are available in eight languages via YouTube, advising potential sources on secure access methods, including using clean devices and VPNs where Tor is blocked.

The Register | https://go.theregister.com/feed/www.theregister.com/2025/09/19/mi6_darkweb_portal_upgrade/
The Record | https://therecord.media/mi6-darkweb-portal-recruit-foreign-spies

Automating Alert Triage with AI Agents and Confluence SOPs

- Tines has released a pre-built workflow that automates security alert triage by leveraging AI agents and Confluence SOPs, aiming to reduce MTTR and analyst fatigue.
- The workflow uses AI to classify alerts, automatically retrieves relevant SOPs from Confluence, creates structured case records, and orchestrates remediation actions across various security tools.
- This solution integrates with platforms like CrowdStrike, AbuseIPDB, Okta, and Slack, providing consistent handling of alerts and automated notifications to on-call teams.

The Hacker News | https://thehackernews.com/2025/09/how-to-automate-alert-triage-with-ai.html