European airports are still suffering from a weekend attack on third-party system
Jaguar Land Rover still incapacitated three weeks after ransomware attack, Chrysler parent company hit by third-party hack, Everest group claims attack on BMW Group, Vegas cops bust teen suspected of casino hacks, Crypto.com denies suppressing hack news, much more
Several of Europe's biggest airports still faced disruptions today after hackers knocked out automatic check-in systems provided by Collins Aerospace, owned by RTX (formerly Raytheon), affecting dozens of flights and thousands of passengers since Friday.
A ransomware attack caused the disruptions, the EU's cybersecurity agency ENISA confirmed.
Collins said that it was working with the affected airports, including Brussels and London Heathrow, Europe's busiest airport, and was in the final stages of completing updates to help restore full functionality.
It is understood that the hackers behind the attack targeted a popular check-in software product called Muse.
Berlin airport, which was facing higher passenger numbers than usual on Monday due to the Berlin Marathon, still did not have its check-in systems restored and reported delays of over an hour for departures.
Brussels Airport was using iPads and laptops to check passengers in online. Of roughly 550 departing and arriving flights, 60 had to be cancelled on Monday, it said. Dublin Airport was experiencing "minimal impact" and had some manual processes in place. (Christoph Steitz, Klaus Lauer, Sabine Siebold, Bart Meijer, Conor Humphries, Miranda Murray / Reuters, and Joe Tidy and Tabby Wilson / BBC News)
Related: The Guardian, The Guardian, New York Times, The Standard, Hong Kong Free Press, BBC, Brussels Airport Website, Associated Press, Le Monde, Metro.co.uk, Tech Times, France 24, Daily Sabah, Business news, Travel And Tour World, Gulf News, Politico, CyberInsider, Nairametrics, The Kyiv Independent, New York Times, Al Jazeera, Financial Times, The Guardian, The i Paper, Metro.co.uk, Bloomberg, Gulf News, The Indian Express, Türkiye Today, The Sun, Euro Weekly News, Mirror, GB News, The Japan Times, Business Insider, r/cybersecurity, HackRead, Presstv, Bloomberg, IBTimes.co.uk : Technology, The Stack, Arutz Sheva News, Security News | Tech Times, Fast Company, OpIndia, hacking: security in practice, Evening Standard, UPI.com, Reddit cybersecurity, Al Mayadeen, WebProNews, CyberInsider, Devdiscourse News Desk, France 24, The Times of Israel, Boston.com, CBC, WashingtonExaminer.com, Digital Journal, Industrial Cyber, TIME, The West Australian, Times of Israel, DataBreaches.net, The European Conservative, France 24, The420CyberNews, Metro.co.uk, CBSNews


Three weeks after it was initially hit by a ransomware attack for which the group Scattered Lapsus$ Hunters took credit, JLR, the maker of the Jaguar and Land Rover brands, is still incapacitated, unable to produce at any of its factories across the UK, Slovakia, Brazil, and India, facing turmoil across its parts supply chain, and implementing significant employee layoffs.
With little hope of an imminent restart, the UK government is facing increasing calls for financial support for suppliers that fear going bust if the sudden revenue drought continues.
Officials at the Department for Business and Trade are understood to be speaking to JLR daily, while the National Cyber Security Centre has been working with the company since last Wednesday to provide support in relation to the incident.
The UK government admitted that the cyberattack against JLR was having a “significant impact” on the company and on the “wider automotive supply chain.” The concession came as unions and officials have increasingly warned that thousands of jobs in JLR’s sprawling supply chain could be lost, and some smaller companies could go bankrupt.
Reports claim JLR itself may be losing up to £50 million ($67 million) per week in the shutdown. Some firms have reportedly already laid off staff, with the Unite union claiming that workers in the JLR supply chain “are being laid off with reduced or zero pay.” Some have been told to “sign up” for government benefits, the union claims. (Jasper Jolly and Dan Milmo / The Guardian and Matt Burgess / Wired)
Related: GOV UK, The Manufacturer, Autoblog, MotorTrader, The Telegraph, Automotive News Europe, BBC News, Reuters, The Times
Automaker Stellantis, parent company to Chrysler, announced it experienced unauthorized access to a third-party service provider's platform that supports its North American customer service operations.
The company said the hack exposed only basic contact information and did not involve financial details or sensitive personal data. Stellantis did not specify how many customers were affected.
"Upon discovery, we immediately activated our incident response protocols ... and are directly informing affected customers," Stellantis said in the statement. It said it had notified authorities and urged customers to be alert to possible phishing attempts. (Surbhi Misra / Reuters)
Related: Just Auto, Stocktwits, LiveMint
The Everest ransomware group has listed German automaker BMW Group as one of its victims, claiming it stole internal files in a September 14 incident.
However, the Everest Group itself was apparently the victim of a hack (by an unknown actor) in April 2025 and subsequently took its Tor site offline. This claim of an attack on BMW could be a means for the group to become relevant again. (Günter Born / Borncity)
Related: Cyber Daily, CSO Online, GBHackers, SC Media

The Las Vegas Metropolitan Police Department (LVMPD) said that a teenage boy suspected of involvement in the 2023 cyberattacks that disrupted the two largest Las Vegas casino companies has surrendered to authorities.
The suspect, whose name has not been released due to his status as a minor, is currently being held at the Clark County Juvenile Detention Center. He faces six felony charges.
According to police, prosecutors from the Clark County District Attorney’s Office seek to transfer his case to the criminal division, where he would face the charges as an adult.
The arrest stems from a broader investigation led by the FBI’s Las Vegas Cyber Task Force, which includes LVMPD cyber investigators. In November 2024, federal prosecutors indicted four men, aged 20 to 23, in connection with similar cyber attacks, though those charges were not formally linked to the MGM and Caesars incidents.
LVMPD’s latest statement did not name MGM Resorts International or Caesars Entertainment directly, instead referring to “multiple Las Vegas casino properties” targeted between August and October 2023. The hacking group Scattered Spider is widely considered to be the threat actor behind those incidents. (Corey Levitan / Casino.org)
Related: Las Vegas Metropolitan Police Department, KTLA, KOLO, KLAS, Las Vegas Review-Journal
Crypto exchange Crypto.com has denied that it kept a 2023 data leak of user details a secret from authorities, as reported by Bloomberg in a lengthy piece on Scattered Spider's Noah Urban.
Bloomberg reported the group had phished their way into gaining access to a Crypto.com employee’s account sometime before early 2023, which exposed the personal information of some users.
Blockchain investigator ZachXBT then claimed on X that Crypto.com had “covered up a breach that impacted the personal information of your users,” adding that Crypto.com had been “breached several times.”
However, a Crypto.com spokesperson told Cointelegraph that the company made a “Notice of Data Security incident filing” in the US-based Nationwide Multistate Licensing System and in “additional reports with the relevant jurisdictional regulators.”
The spokesperson said the company “detected a phishing campaign that targeted one of our employees in 2023.”
The incident “included exposure of limited PII [Personally Identifiable Information] data affecting a very small number of individuals,” they added. “The incident was contained within hours of detection, and no customer funds were accessed or ever at risk.”
It’s unclear if Crypto.com had notified those affected by the breach or if its filings of the incident with regulators were made publicly available. (Jesse Coghlan / Cointelegraph)
Related: Cryptonews, The Block, Cointelegraph, Decrypt, BeInCrypto
Researchers at GitLab report that threat actors with ties to the Democratic People's Republic of Korea have been observed leveraging ClickFix-style lures to deliver the known malware families BeaverTail and InvisibleFerret.
The hackers exploit fake job offers within the cryptocurrency sector to deliver malware. These attacks target individuals seeking non-technical positions in the crypto industry, tricking them into running malicious commands on their devices.
The hackers convince applicants to record short video clips, claiming that they need to fix microphone or camera issues on fake websites. Once the victim follows the instructions, the malware payload is executed.
Once installed on the victim’s computer, the malware runs quietly in the background, gathering sensitive information such as login credentials and crypto wallet data. Some parts of the malware are even hidden inside password-protected files, adding another layer of complexity to identifying and neutralizing the threat. (Kelvin Munene / CoinCentral)

Security researcher Dirk-Jan Mollema, founder of Outsider Security, discovered that a critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world.
The fatal mix included undocumented tokens called “actor tokens” and a vulnerability in the Azure AD Graph API (CVE-2025-55241) that allowed the tokens to work with any organization’s Entra ID environment.
A threat actor exploiting the issue would have had access to a slew of highly sensitive data without leaving any trace in the logs on the targeted environment, except for their own actions.
Mollema discovered a token validation flaw that gave him Global Admin privileges in every Entra ID tenant.
This level of access allows full tenant compromise and opens the door to any service authenticated through Entra ID.
Mollema reported the issues to Microsoft on July 14, and the company confirmed that the problem was resolved nine days later.
On September 4, Microsoft also patched CVE-2025-55241, describing it as a critical privilege escalation vulnerability in Azure Entra. (Ionut Ilascu / Bleeping Computer)
Related: Dirkjanm.io, Beta News, Ars Technica, Dark Reading
Over the last year, there has been a marked uptick in the use of so-called “SMS blasters” by scammers, with cops in multiple countries detecting and arresting people using the equipment.
SMS blasters are small devices, which have been found in the back of criminals’ cars and sometimes backpacks, that impersonate cell phone towers and force phones to use insecure connections. They then push the scam messages, which contain links to fraudulent websites, to the connected phones.
Last week, Switzerland’s National Cybersecurity Centre issued a warning about SMS blasters. The devices are capable of sending huge volumes of scam texts indiscriminately. The Swiss agency said some blasters can send messages to all phones in a radius of 1,000 meters, while reports about an incident in Bangkok say a blaster was used to send around 100,000 SMS messages per hour.
SMS blasters act as illegitimate phone masts, often known as cell-site simulators (CSS). The blasters are not dissimilar to so-called IMSI catchers, or “Stingrays,” which law enforcement officials have used to scoop up people’s phone data. But instead of being used for surveillance, they broadcast false signals to targeted devices. (Matt Burgess / Wired)
Related: NCSC of Switzerland, Futurism
Pessimism is mounting about the chances that Congress will reauthorize a crucial cyber threat information-sharing law, the 2015 Cybersecurity Information Sharing Act (CISA 2015), before it expires at the end of this month.
Industry groups say the law is a vital tool in the fight against malicious hackers because of the legal protections it provides for organizations to share cyber threat data with the government.
But in recent weeks, multiple efforts to re-up the law have failed or been brushed aside. The House inserted a two-month extension of CISA 2015 into a continuing resolution to avert a government shutdown, but after the House passed the bill, the Senate voted against the continuing resolution last week. Negotiations about continuing to fund the federal government past the end of this month appear to be at a standstill.
The Senate Homeland Security and Governmental Affairs Committee had scheduled a markup of legislation last week introduced by Chairman Rand Paul, R-Ky., to extend the law with significant changes that drew bipartisan and industry criticism. The panel then abruptly canceled the markup.
The top Democrat on Paul’s panel, Gary Peters of Michigan, tried to get an unaltered or “clean” 10-year reauthorization of the expiring law passed on the Senate floor with a unanimous consent motion, but Paul objected without explanation, preventing it from advancing.
House Homeland Security Chairman Andrew Garbarino, R-N.Y., sought earlier this month to offer his legislation to extend and alter CISA 2015 as an amendment to the House version of the annual defense policy bill, or National Defense Authorization Act (NDAA), but the Rules Committee prohibited the amendment from receiving a vote. (A Senate intelligence policy bill had included a 10-year extension, but when senators folded the intelligence authorization bill into that chamber’s version of the NDAA, Paul objected and got it removed.)
While it’s unclear exactly how even a temporary lapse in the law might affect cyber information sharing, some have offered dire predictions about how bad it will be. In the legal community, “if you’re giving people a reason not to do something, they won’t do it,” an industry source said. (Tim Starks / CyberScoop)
Related: Homeland Security Governmental Affairs Committee, Federal News Network, The Cipher Brief, NextGov/FCW, Axios
The White House is signaling that it is considering a broader set of actions related to quantum computing along the lines of its earlier released AI Action Plan, to improve the nation’s capacity to defend against future quantum-enabled hacks and ensure the United States promotes and maintains global dominance around a key national security technology.
The new effort might also include a possible mandate for federal agencies to move up their timelines for migrating to post-quantum protections.
A key component of one or perhaps multiple executive orders is language that would accelerate the deadline for federal agencies’ post-quantum migrations from 2035 to 2030. (Derek B. Johnson / CyberScoop)
Related: NextGov/FCW
While many business sectors are still weighing the pluses and minuses of generative AI, criminal hackers are jumping in with both feet.
They have figured out how to turn the artificial intelligence programs proliferating on most computers against users to devastating effect, say cybersecurity experts who express deepening concerns about their ability to fend off cyberattacks.
Hackers can now turn AI into a kind of sorcerer’s apprentice, threat analysts say. Something as simple and innocuous as a Google Calendar invite or an Outlook email can be used to task connected AI programs with spiriting away sensitive files without tripping any security alarms.
Compounding the problem is the rapid and sometimes ill-considered pace of new AI product deployments, whether by executives eager to please investors or employees on their own initiative, even in defiance of their IT departments. (Joseph Menn / Washington Post)
which outlets and allied social media accounts have seized on the killing of conservative activist Charlie Kirk to push narratives that favor the Kremlin and aim to divide Americans and potentially ingratiate the Russians with President Donald Trump, researchers say.
News organizations such as Sputnik and the former Russia Today (now RT) have extensively covered the killing, the arrest, and the continuing political fallout, emphasizing theories shared by Trump’s most conservative allies and highlighting comments by people who said they were unmoved by Kirk’s death.
“RT was quickly taking to amplifying insensitive or cruel response to it by Americans, sometimes tagging influential conservative accounts,” said Emerson Brooking, director of strategy at the Atlantic Council’s Digital Forensic Research Lab.
Iranian figures have said Israel was behind Kirk’s death, while Chinese outlets and supporters have used bogus claims to exaggerate U.S. divisions, according to research by NewsGuard, a news site rating company. (Joseph Menn / Washington Post)
A gamer seeking financial support for cancer treatment lost $32,000 after downloading from Steam a verified game named Block Blasters that drained his cryptocurrency wallet.
Block Blasters is a 2D platformer that was available on Steam for almost two months, between July 30 and September 21. The game was safe until August 30, when a cryptodrainer component was added.
Published by developer Genesis Interactive and no longer on Steam, the retro-styled game was a free-to-play title promising fast-paced action on responsive controls, and had a few hundred ‘Very Positive’ reviews on the gaming platform.
The malicious component in the game was revealed during a live fundraiser by video game streamer RastalandTV, who was trying to raise funds for life-saving treatment against stage 4 high-grade sarcoma.
The gamer also started a GoFundMe crowdsourcing campaign to receive donations. At the time of writing, completion of the goal is at 58%. However, some members of the crypto community offered to cover the loss. Crypto influencer Alex Becker said that he sent Rastaland $32,500 to a safe wallet.
As the Latvian gamer explains, he lost more than $32,000 after downloading a verified game on Steam.
Crypto investigator ZachXBT told BleepingComputer that the attackers appear to have stolen a total of $150,000 from 261 Steam accounts.
VXUnderground security group, which has also been following the attack, reports a higher victim count of 478, and published a list of usernames, urging their owners to reset their passwords immediately.
Reportedly, these people were explicitly targeted after being identified over Twitter for managing significant cryptocurrency amounts, and were presumably sent invitations to try out the game.
There are unconfirmed reports that OSINT experts participating in the hunt identified the threat actor as an Argentinian immigrant living in Miami, Florida. (Bill Toulas / Bleeping Computer)
Related: CyberInsider

China’s public security authority has penalized Dior’s Shanghai subsidiary after finding it sent customers’ personal information to France without the required safeguards, according to official notices and state media.
The authority said the branch transferred data to the company’s headquarters in France illegally, leading to a leak in May, and did so without conducting mandated security assessments. It also said the firm failed to notify users or apply encryption as required. An administrative penalty has been imposed, although details of the sanction were not disclosed.
According to the National Cybersecurity Notification Centre, the administrative investigation revealed that Dior (Shanghai) Co., Ltd. committed several violations of China’s Personal Information Protection Law (PIPL).
The investigation found that Dior Shanghai transferred user personal information to Dior headquarters in France without undergoing a data export security assessment, establishing a standard contract for exporting personal information, or obtaining personal information protection certification. The company also failed to fully inform users about how their data would be processed overseas and did not obtain their separate consent for the transfer, as mandated by law.
Additionally, the investigation found that Dior Shanghai did not implement security measures such as encryption or de-identification for the personal information it collected. These failures resulted in a data breach in May, with users in mainland China receiving official warning text messages from Dior regarding the incident. (Jonathan Easton / Retail Systems)
Related: DAO Insights, China Skinny, Lexology, JD Supra, China Briefing
According to data disclosed by Rep. Min Byung-deok of Korea's ruling Democratic Party, despite a staggering 88.54 million cases of personal data being compromised across Korea’s public and private sectors over the past five years, the average financial penalty per leaked record stood at a mere 1,019 won ($0.73), prompting growing concerns over the country’s insufficient regulatory response.
According to the legislator, who serves on the National Assembly’s Political Affairs Committee, a total of 88.54 million records of personal information were compromised in 451 separate data breach incidents from 2021 to July 2025, based on figures from the Personal Information Protection Commission.
Among the reported incidents, 125 were subject to administrative fines totaling 87.7 billion won, while 405 incurred administrative surcharges amounting to 2.5 billion won. On average, each breach resulted in a fine of 700 million won and a surcharge of 6.17 million won.
While the per-record penalties have gradually risen -- from 41 won in 2021 to 8,302 won in 2024 -- the 2025 figure, as of July, has dropped to 2,743 won, reinforcing skepticism about the deterrent power of Korea’s current data protection framework.
Although a 2023 revision to the Information and Communications Network Act now requires companies to report hacking incidents within 24 hours, violators face a maximum surcharge of only 30 million won. (Jie Ye-eun / The Korea Herald)
Related: Chosun Biz, The Investor, Korea Bizwire
Sources say data from around 20 asset management firms in Korea were stolen earlier this month in a hacking incident on a cloud service provider conducted by the Russian-speaking ransomware gang Qilin.
Qilin claimed that the leaked data include the firms' tax-related documents, employee data and personal information of their investors.
Financial authorities said they have yet to receive any reports of credit information leaks that could lead to monetary damage. They added that they were aware of the data breach in advance and have been monitoring the situation. (Yonhap News)
Related: Tripura Times
The FBI warned that cybercriminals are impersonating its Internet Crime Complaint Center (IC3) website in what the law enforcement agency described as "possible malicious activity."
Although it didn't share any examples and didn't point to specific attacks, the FBI said that such spoofed websites could be used by attackers in financial scams or to steal the visitors' personal information.
"Threat actors create spoofed websites often by slightly altering characteristics of legitimate website domains, to gather personally identifiable information entered by a user into the site, including name, home address, phone number, email address, and banking information," the FBI said.
"For example, spoofed website domains may feature alternate spellings of words or use an alternative top-level domain to impersonate a legitimate website."
While the FBI didn't link to any domains spoofing the Crime Complaint Center website, BleepingComputer has found several examples hosted at icc3[.]live, practicinglawyer[.]net, and ic3a[.]com. (Sergiu Gatlan / Bleeping Computer)
Related: IC3, Infosecurity Magazine, The Register, Security Week
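The two spoofing patterns the FBI describes, alternate spellings and alternative top-level domains, can be checked mechanically against the legitimate ic3.gov. The following is an added example, not code from the FBI notice or BleepingComputer; the function names, category labels and distance threshold are assumptions, and it shows that string comparison flags only two of the three domains named above.

```python
"""Classify candidate domains against a protected domain (added example)."""

PROTECTED = "ic3.gov"  # the legitimate IC3 site


def refang(domain: str) -> str:
    """Turn defanged notation such as icc3[.]live back into a plain hostname."""
    plain = domain.replace("[.]", ".").replace("(.)", ".")
    return plain.strip().lower().rstrip(".")


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, TLD).

    Assumption: single-label public suffixes only; a production tool
    would consult the Public Suffix List instead.
    """
    labels = refang(domain).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable domain name: {domain!r}")
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(candidate: str, protected: str = PROTECTED,
             max_distance: int = 1) -> str:
    """Label how a candidate relates to the protected domain.

    max_distance stays at 1 because the protected label is only three
    characters long; a looser threshold would match unrelated names.
    """
    label, tld = split_domain(candidate)
    p_label, p_tld = split_domain(protected)
    if (label, tld) == (p_label, p_tld):
        return "legitimate"
    if label == p_label:
        return "tld_swap"          # same name, alternative top-level domain
    if edit_distance(label, p_label) <= max_distance:
        return "respelling"        # alternate spelling of the name
    if p_label in label:
        return "embeds_brand"      # protected name padded with extra words
    return "no_string_match"       # needs content or certificate review


def triage(domains: list[str]) -> dict[str, str]:
    """Classify every domain in a list, keyed by the input as written."""
    return {d: classify(d) for d in domains}


# The three domains named in the report, in their defanged form.
REPORTED = ["icc3[.]live", "practicinglawyer[.]net", "ic3a[.]com"]

if __name__ == "__main__":
    for name, verdict in triage(REPORTED).items():
        print(f"{name:28} {verdict}")
```

A domain such as practicinglawyer[.]net shares no string features with the protected name, so it only surfaces through page-content, certificate or referrer analysis rather than name matching.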

In a bid to slash red tape, the European Commission wants to eliminate one of its peskiest laws: a 2009 tech rule that plastered the online world with pop-ups requesting consent to cookies.
European rulemakers in 2009 revised a law called the e-Privacy Directive to require websites to get consent from users before loading cookies on their devices, unless the cookies are “strictly necessary” to provide a service. Fast forward to 2025, and the internet is full of consent banners that users have long learned to click away without thinking twice.
“Too much consent basically kills consent. People are used to giving consent for everything, so they might stop reading things in as much detail, and if consent is the default for everything, it’s no longer perceived in the same way by users,” said Peter Craddock, data lawyer with Keller and Heckman.
Cookie technology is now a focal point of the EU executive’s plans to simplify technology regulation. Officials want to present an “omnibus” text in December, scrapping burdensome requirements on digital companies. On Monday, it held a meeting with the tech industry to discuss the handling of cookies and consent banners. (Ellen O'Regan / Politico)
Related: Silicon Republic, The National Law Review, r/europeanunion, digit, Euractiv
Best Thing of the Day: Other Countries, Please Take Note
Australian Privacy Commissioner Carly Kind found that Kmart Australia breached Australians’ privacy by collecting their personal and sensitive information through a facial recognition technology (FRT) system designed to tackle refund fraud.
Worst Thing of the Day: Beware the Fake GitHub Links
Bad actors are exploiting GitHub's reputation by pretending that software is open source, when in reality it links to a compiled file or to an external site.
