JLR cyberattack is the most economically damaging in UK history
CISA warns of Oracle E-Business Suite flaw, Spyware developer was targeted by spyware, Salt Typhoon attacked a European telco, TikTok could be sharing your data with the US government, UN Cybercrime Convention slated for weekend signoff, UK won't probe Afghan data breach, much more
Experts at the UK nonprofit Cyber Monitoring Centre (CMC) say the cyberattack on Jaguar Land Rover (JLR) will cost an estimated £1.9bn (around $2.5 billion), making it the most economically damaging cyber event in UK history.
The CMC analyzed the continuing fallout from the hack, which halted the carmaker's production from 1 September for five weeks and caused widespread delays across JLR's supply chain.
According to the CMC, 5,000 businesses have been affected in total, and full recovery will not be reached until January 2026. It has classified the JLR incident as a Category 3 event, a significant one on a scale where Category 5 is the most severe.
Ciaran Martin, chair of the CMC's technical committee, said: "With a cost of nearly £2bn, this incident looks to have been by some distance the single most financially damaging cyber event ever to hit the UK.
"That should make us all pause and think. Every organization needs to identify the networks that matter to them, and how to protect them better, and then plan for how they'd cope if the network gets disrupted." (Joe Tidy / BBC News)
Related: Financial Times, CMC, Reuters, The Independent, GB News, The Guardian, The Telegraph, inkl, Digit

The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that an Oracle E-Business Suite flaw tracked as CVE-2025-61884 is being exploited in attacks, adding it to its Known Exploited Vulnerabilities catalog.
CVE-2025-61884 is an unauthenticated server-side request forgery (SSRF) vulnerability in the Oracle Configurator runtime component, which was linked to a leaked exploit used in July attacks.
CISA is now requiring federal agencies to patch the security vulnerability by November 10, 2025.
Oracle disclosed the flaw on October 11, giving it a 7.5 severity rating and warning that it was easily exploitable and could be used to gain "unauthorized access to critical data or complete access to all Oracle Configurator accessible data."
However, Oracle has not disclosed that the vulnerability was previously exploited, despite BleepingComputer confirming that the update blocks the exploit leaked by ShinyHunters and the Scattered Lapsus$ extortion group. (Lawrence Abrams / Bleeping Computer)
Related: CISA, Techzine, CRN, Security Week, SC Media, TechInformed, Security Affairs
A developer, "Jay Gibson," who until recently built surveillance technologies for Trenchant, a maker of hacking tools for Western governments, may be the first documented case of someone who builds exploits and spyware being targeted with spyware.
At Trenchant, Gibson worked on developing iOS zero-days, that is, finding vulnerabilities unknown to the vendor of the affected hardware or software, such as Apple, and developing tools capable of exploiting them.
“I have mixed feelings of how pathetic this is, and then extreme fear because once things hit this level, you never know what’s going to happen,” he told TechCrunch.
But the ex-Trenchant employee may not be the only exploit developer targeted with spyware. According to three sources who have direct knowledge of these cases, there have been other spyware and exploit developers in the last few months who have received notifications from Apple alerting them that they were targeted with spyware.
Without a full forensic analysis of Gibson’s phone, ideally one where investigators found traces of the spyware and who made it, it’s impossible to know why he was targeted or who targeted him.
But Gibson told TechCrunch that he believes the threat notification he received from Apple is connected to the circumstances of his departure from Trenchant, where he claims the company designated him as a scapegoat for a damaging leak of internal tools. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Researchers at Darktrace report that China's Salt Typhoon gang appears to have successfully attacked a European telecommunications firm.
In the intrusion, the suspected spies exploited a buggy Citrix NetScaler Gateway appliance in the first week of July 2025 to gain access to the telecom's network, according to the AI-powered security shop's research team.
While Darktrace doesn't say which flaw(s) the suspected Chinese snoops abused to break in, Citrix had a busy summer patching security holes in its NetScaler Gateway products that had already been found and exploited by attackers.
After compromising the Citrix NetScaler appliance, the Salt Typhoon miscreants pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client's Machine Creation Services (MCS) subnet. "Initial access activities in the intrusion originated from an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation from the outset," Darktrace's threat hunters said.
"Based on overlaps in TTPs, staging patterns, infrastructure, and malware, Darktrace assesses with moderate confidence that the observed activity was consistent with Salt Typhoon/Earth Estries (AKA GhostEmperor/UNC2286)," the researchers wrote. (Jessica Lyons / The Register)
Related: Darktrace, HackRead, WebProNews, gbhackers, Infosecurity Magazine, Help Net Security, Computing, TechRadar, Security Affairs, Industrial Cyber
Earlier this year, TikTok quietly changed its policies about when and how it would share data with governments, making it easier for the company to share users’ personal information with governments and “regulatory authorities.”
As the company negotiated terms with the Trump Administration that would allow its app to continue operating in the US, it added language to its policies that covered data sharing not just with law enforcement, but also with “regulatory authorities, where relevant,” and weakened promises to inform users about government requests for their private data.
The Stored Communications Act limits the kinds of information that tech companies can disclose about their users’ communications without a court order, but DHS and ICE have nonetheless begun demanding data — including, in at least one case, “usernames, phone numbers, IP addresses, and other identifying information” — from platforms. The demands have come in the form of administrative subpoenas, which an ICE or DHS agent signs, but not a judge. Administrative subpoenas don’t carry the same legal burden as judicial ones, and companies can’t face legal consequences for ignoring them unless a judge orders them to comply. They also generally cannot prevent companies from communicating with users about requests for their information.
Historically, tech giants have tried to make sure their users have an opportunity to challenge demands for their private information in court. And in recent months, people challenging ICE subpoenas have had some success. Both Facebook and Instagram recently received subpoenas from ICE demanding information about the people behind anonymous accounts tracking and reporting on ICE agents’ identities and movements. The apps’ parent company, Meta, notified the users behind the accounts, and in at least one case, the firm shared a redacted copy of a subpoena with a user. Both users then successfully challenged their subpoenas before judges, who told Meta not to hand over their data to the government without a court order. (In a previous life, I held content policy positions at Facebook and Spotify.)
One of the recent changes to TikTok’s policies, though, could make it harder for some people to challenge ICE subpoenas seeking their data. The change eliminates the company's promise to give notice to users before it turns over their data to the government. Without notice, a person whose data is being requested doesn’t have a chance to contest the subpoena.
Until April 25, 2025, TikTok’s website said, “It is our policy to notify TikTok users before disclosing their data to law enforcement.” But now, the company says only that it will tell users about requests for their data “where required by law,” rather than as a matter of policy. The new policy also says the company will tell people if it discloses their data, rather than before it discloses their data — a difference with stark consequences for anyone hoping to challenge and prevent a disclosure before it occurs. (Emily Baker-White / Forbes)
Related: r/chicago, r/technology, Slashdot
A landmark UN cybercrime convention aimed at curbing offenses that cost the global economy trillions of dollars annually is set to be signed by representatives from dozens of states in Hanoi this weekend, despite criticism over human rights risks.
The convention, which would come into force after 40 states ratify it, is an unprecedented move that the United Nations expects will make responses to cybercrime quicker and more effective.
Activists, major technology companies, and the UN High Commissioner for Human Rights have warned about possible abuses from its vague language on crime, with some saying it would facilitate rather than combat illegal activities.
The list of signatories has not been released, though the European Union and Canada are set to sign the pact, which they said included safeguards to protect human rights. The US State Department declined to say whether a US representative will attend the signing ceremony. (Francesco Guarascio / Reuters)
Related: United Nations Office on Drugs and Crime
The UK's data protection regulator declined to launch an investigation into a leak at the Ministry of Defence (MoD) that put the lives of thousands of Afghans connected with the British Armed Forces at risk.
The MoD was responsible for the accidental data breach, which took place in February 2022 and is likely to have cost more than £850 million. The breach only became public in July this year, after a government superinjunction imposed in August 2023 was lifted.
According to a report [PDF] from the National Audit Office (NAO), the MoD first became aware of the data breach in August 2023 when personal details of ten individuals from the dataset were posted to Facebook.
Speaking to MPs this week, Information Commissioner John Edwards, who oversees government data protection, said his office decided not to launch an investigation into the historic leak after meeting with MoD officials.
"During those sessions – because of the classification – no notes could be taken, so when my colleague made the decision to take no further action, and he informed me of that, we didn't document it immediately. It was only after the superinjunction was lifted that we recorded a formal decision and put that into the system," he said.
Appearing before the House of Commons Science, Innovation and Technology Committee, Edwards denied that the superinjunction prevented note-taking or an investigation. "It's just that information systems make it quite difficult to store classified material and to make a meaningful decision."
He said that after the superinjunction was lifted, the Information Commissioner's Office (ICO) – a non-departmental government body under the Department for Science, Innovation and Technology (DSIT) – reviewed the information available and decided there was no reason to impugn that original decision. (Lindsay Clark / The Register)
Related: Arab News, Independent
The Korean government unveiled a sweeping set of cybersecurity measures aimed at preventing hacking and data leaks, following a string of major breaches at telecommunications and financial firms.
Though the plan underscores national urgency, it is already drawing concern from industry officials who say it shifts too much responsibility — and risk — onto the private sector.
Led by the National Security Office, the initiative brings together key ministries, including the Ministry of Science and ICT, to overhaul critical IT systems that serve the public. It also includes efforts to foster cybersecurity talent and strengthen domestic defense capabilities.
The government described the plan as an immediate action roadmap, promising to release a long-term national security strategy later this year.
“Relevant ministries will closely monitor the implementation of these measures to ensure their effectiveness,” Science Minister Bae Kyung-hoon said during a briefing. “The government will remain fully committed to building a resilient information security framework that supports Korea’s rise as a global AI leader.” (Jo He-rim / The Korea Herald)
Related: The Investor, Yonhap News Agency, KoreaJoongAng Daily
Researchers at Symantec report that hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunication service providers, and finance organizations.
The security flaw affects on-premises SharePoint servers and was disclosed as an actively exploited zero-day on July 20, after multiple hacking groups tied to China leveraged it in widespread attacks. Microsoft released emergency updates the following day.
The issue is a bypass for CVE-2025-49706 and CVE-2025-49704, two flaws that Viettel Cyber Security researchers had demonstrated at the Pwn2Own Berlin hacking competition in May, and can be leveraged remotely without authentication for code execution and full access to the file system.
Microsoft previously said that ToolShell was exploited by three Chinese threat groups, Budworm/Linen Typhoon, Sheathminer/Violet Typhoon, and Storm-2603/Warlock ransomware.
Symantec says that ToolShell was used to compromise various organizations in the Middle East, South America, the US, and Africa, and the campaigns leveraged malware typically associated with the Salt Typhoon Chinese hackers.
Symantec says that its findings indicate that the ToolShell vulnerability was exploited by a larger set of Chinese threat actors than was previously known. (Bill Toulas / Bleeping Computer)
Related: Symantec
On the first day of Pwn2Own Ireland 2025, security researchers exploited 34 unique zero-days and collected $522,500 in cash awards.
The highlight of the day was Bongeun Koo and Evangelos Daravigkas of Team DDOS chaining eight zero-day flaws to hack the QNAP QHora-322 router via the WAN interface and gain access to a QNAP TS-453E NAS device. For this successful attempt, they won $100,000 and are now in second place on the Master of Pwn leaderboard with 8 points.
Synacktiv Team, Sina Kheirkhah of the Summoning Team, the DEVCORE Team, and Stephen Fewer of Rapid7 have also earned $40,000 each after gaining root on the Synology BeeStation Plus, the Synology DiskStation DS925+, the QNAP TS-453E, and the Home Assistant Green, respectively.
STARLabs, Team PetoWorks, Team ANHTUD, and Ierae researchers hacked the Canon imageCLASS MF654Cdw multifunction laser printer four times, while STARLabs also hacked the Sonos Era 300 smart speaker to earn $50,000, and Team ANHTUD exploited the Philips Hue Bridge to collect $40,000 in cash.
Sina Kheirkhah and McCaulay Hudson of the Summoning Team have used an exploit chain combining two zero-days to gain root on a Synology ActiveProtect Appliance DP320 and win another $50,000.
Summoning Team won a total of $102,500 during the first day of the competition and is at the top of the Master of Pwn leaderboard with 11.5 points. (Sergiu Gatlan / Bleeping Computer)
Related: Zero Day Initiative, Security Week

ExtraHop's 2025 Global Threat Landscape Report finds that the average ransomware payment has increased to $3.6m this year, up from $2.5m in 2024, a 44% surge despite a decline in the overall number of attacks.
The report surveyed 1,800 IT and security leaders across seven countries, who reported an average of five to six ransomware incidents over the past year, down roughly 25% from 2024.
While the number of attacks dropped, the damage intensified. Seventy percent of affected organizations paid the ransom, and payouts in critical sectors were significantly higher than average. Healthcare and government agencies faced the most significant financial burdens, both with payouts of nearly $7.5m, while finance averaged $3.8m per incident.
The report attributes this escalation to increasingly disciplined adversaries. Groups such as RansomHub, LockBit, and DarkSide continue to dominate, refining their methods to maximize leverage.
“The combination of sophisticated attackers and a broader attack surface is a dangerous one,” ExtraHop wrote. (Alessandro Mascellino / Infosecurity Magazine)
Heywood Healthcare, a North Central Massachusetts nonprofit healthcare system with two community hospitals, has taken its IT network offline and is diverting ambulance patients as it continues to respond to a cyberattack that hit last week.
Heywood said it is continuing to care for inpatients at its 134-bed Heywood Hospital in Gardner, Massachusetts, and its 25-bed critical access community hospital, Athol Hospital, in nearby Athol. But the hospitals are not accepting emergency care patients transported by ambulance. Radiology and laboratory services are also affected.
The local ambulance service, Central Massachusetts Emergency Medical Systems Corp. in Holden, Massachusetts, advised the community on its Facebook page over the weekend that because the Heywood and Athol hospitals' CAT scan imaging services "will be down until further notice," ambulances should transport stroke patients "to the next nearest primary stroke service hospital per state primary stroke service list." (Marianne Kolbasuk McGee / DataBreachToday)
Related: The Cyber Express, Athol Daily News, The HIPAA Daily Journal
Verisure reported a cyber incident to police after it discovered a data breach at a subsidiary, just over a week after the Swedish security services provider debuted on the Stockholm stock exchange.
A spokesperson for the company said it recently detected unauthorized third-party access to data related to Alert Alarm—a business it previously acquired in Sweden that operates using a separate IT system from the main Verisure network.
The breach concerns data stored with Alert Alarm’s external billing partner in Sweden, it said.
“Based on a comprehensive review of the system’s logs, our findings show that the affected data was limited to names, addresses, email addresses, and social security numbers of approximately 35,000 current and former Alert Alarm customers in Sweden,” the spokesperson said. (Dominic Chopping / The Wall Street Journal)
Related: SC Media, The Record
OpenAI introduced ChatGPT Atlas, a Mac-only web browser with a variety of ChatGPT-enabled features, including an experimental "agent mode" in which ChatGPT navigates and interacts with the page for you, accompanied by a sparkle overlay effect.
The security and privacy risks involved still feel insurmountable, and it is hard to see trusting any of these products until security researchers have given them an extensive beating.
In particular, OpenAI should explain the steps Atlas takes to avoid prompt injection attacks. Right now, the primary defense appears to be expecting the user to carefully watch what the agent mode is doing at all times. (Simon Willison's Weblog)
Related: AppleInsider, New York Times, Brave, 9to5Mac, Business Standard, Pittsburgh Post-Gazette, SiliconANGLE, Opera Newsroom, Livemint, Wired, BetterOffline, Hacker News: Newest, The Mac Observer, Tech-Economic Times, CyberInsider, The Tech Portal, Pixel Envy, Digital Information World, Axios, The Straits Times, MakeUseOf, Techstrong.ai, Digit, COINOTAG NEWS, The Indian Express, The Hans India, Forbes, Hindustan Times

Hundreds of public figures, including Nobel Prize-winning scientists, former military leaders, artists, and British royalty, signed a statement calling for a ban on work that could lead to computer superintelligence, a yet-to-be-reached stage of artificial intelligence that they said could one day pose a threat to humanity.
The statement proposes “a prohibition on the development of superintelligence” until there is both “broad scientific consensus that it will be done safely and controllably” and “strong public buy-in.”
Organized by AI researchers concerned about the fast pace of technological advances, the statement had more than 800 signatures from a diverse group of people. The signers include Nobel laureate and AI researcher Geoffrey Hinton, former Joint Chiefs of Staff Chairman Mike Mullen, rapper Will.i.am, former Trump White House aide Steve Bannon, and U.K. Prince Harry and his wife, Meghan Markle.
The statement adds to a growing list of calls for an AI slowdown at a time when AI is threatening to remake large swaths of the economy and culture. OpenAI, Google, Meta, and other tech companies are pouring billions of dollars into new AI models and the data centers that power them, while businesses of all kinds are looking for ways to add AI features to a broad range of products and services. (David Ingram / NBC News)
Related: Future of Life Institute, Financial Times, The Guardian, CNBC, The Economic Times, Transformer, Bloomberg Law, Bloomberg, Times of India, Axios, TIME, Futurism, CyberGuy, Mercury News
The New York State Department of Financial Services (DFS), New York’s financial watchdog, issued new guidance on cybersecurity risks connected to third-party service providers.
The guidance comes as organizations become increasingly dependent on such providers, and cyberattacks involving third-party entities continue to grow.
“While third-party service providers have driven innovation and enabled significant efficiencies in our financial system, regulated entities are still ultimately accountable for protecting consumers and managing risk,” Kaitlin Asrow, acting superintendent of the NYDFS, said in a news release.
“To ensure the safe and secure operation of financial services and the protection of nonpublic information, entities must establish and maintain appropriate internal risk management controls when using third-party service providers.”
According to the release, the guidance does not impose new requirements or obligations on DFS-regulated entities but is designed to clarify requirements under DFS’s cybersecurity regulation and share best practices that entities should think about implementing. (PYMNTS)
Related: Department of Financial Services
During a legislative session held by Nevada’s interim finance committee last week, the state’s top technology official provided updates on the ransomware attack that disabled the state’s executive branch last August, including a hint of what may have caused the incident, what recovery will cost, and new work unfolding in the event’s fallout.
The committee ended that session advancing some of the new work planned, approving more than $300,000 in funding for two new cybersecurity initiatives, including an expansion of the state’s technical threat analysis program and greater support for an ongoing project to create a statewide security operations center. According to a state document, the former would be funded with $150,000 in federal funding the state is receiving through the State and Local Cybersecurity Grant Program. (Colin Wood / StateScoop)
Related: Nevada Legislature, Carson Now, The Nevada Independent
LA Metro signage may have been hijacked by online activists earlier this week, as the boards typically meant to display wait times and other messages instead displayed a threatening message.
Photos showed one of the digital reader boards at a bus stop at 6th Street and Vermont Avenue displaying a message that read “EMERGENCY WARNING. LEAVE IMMEDIATELY. RISK OF SUICIDE BOMB.”
The message was signed with a social media handle that some outlets have reported belongs to a Turkish hacker group called Mutarrif Siberislam, which may also be responsible for hijacking public announcement systems at multiple airports in North America.
LA Metro officials said the digital signage boards at several bus stops were commandeered. The violent messages could be traced to a third-party content management system called Papercast, which it said was “compromised.” (Travis Schlepp / KTLA)
Related: r/LAMetro

TP-Link is warning of two command injection vulnerabilities in Omada gateway devices that could be exploited to execute arbitrary OS commands.
Omada gateways are marketed as full-stack solutions (router, firewall, VPN gateway) for small and medium-sized businesses and are increasingly popular.
Although the two security issues lead to the same result when triggered, only one of them, identified as CVE-2025-6542 with a critical severity rating of 9.3, can be exploited by a remote attacker without authentication.
The second flaw, tracked as CVE-2025-6541, received a lower severity score of 8.6 because it can be exploited only by an attacker who can log in to the web management interface.
“An arbitrary OS command may be executed on Omada gateways by the user who can log in to the web management interface or by a remote unauthenticated attacker,” reads TP-Link's advisory.
“Attackers may execute arbitrary commands on the device’s underlying operating system,” the company adds. (Bill Toulas / Bleeping Computer)
Related: TP-Link
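The TP-Link advisory above describes the vulnerability class (OS command injection reachable from a gateway's web management interface) without giving the code. The following is an added example, not TP-Link's or Omada's code, that shows the pattern behind that class and its hardened form. The ping diagnostic handler, the parameter name, and the attacker input are constructed assumptions; the demo substitutes `echo` for `ping` so it runs offline without network access.

```python
"""OS command injection in a gateway diagnostic handler: vulnerable vs hardened.

Added illustration; the handler, argument names and payload are assumptions,
not code from any vendor's firmware.
"""
import ipaddress
import re
import subprocess

# Constructed attacker input: a valid-looking host followed by a second command.
PAYLOAD = "8.8.8.8; echo INJECTED"


def vulnerable_run(host: str, tool: str = "ping -c 1") -> str:
    """Vulnerable pattern: user input is concatenated into a shell command line.

    With shell=True the string goes through /bin/sh, so ';', '|', '$(...)' and
    backticks in `host` are parsed as shell syntax, not as part of the address.
    """
    cmd = f"{tool} {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_run(host: str, tool: tuple[str, ...] = ("ping", "-c", "1")) -> str:
    """First layer: pass an argv list, never a shell string.

    No shell is involved, so the whole of `host` reaches the program as one
    argument; shell metacharacters lose their meaning.
    """
    return subprocess.run([*tool, host], shell=False,
                          capture_output=True, text=True).stdout


# Allow-list for a target: an IP literal or a plain DNS name (no leading '-',
# so the value can never be mistaken for an option flag by the tool).
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def validate_target(host: str) -> bool:
    """Return True only for an IPv4/IPv6 literal or a hostname-shaped string."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(host) is not None


def hardened_run(host: str, tool: tuple[str, ...] = ("ping", "-c", "1")) -> str:
    """Second layer: validate against an allow-list, then use argv form.

    Validation rejects the payload outright; argv form means that even a value
    slipping past validation cannot start a second command.
    """
    if not validate_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return argv_run(host, tool)


if __name__ == "__main__":
    # 'echo' stands in for 'ping' so the demonstration is offline and harmless.
    print("vulnerable:", repr(vulnerable_run(PAYLOAD, "echo")))   # two lines: injected command ran
    print("argv only :", repr(argv_run(PAYLOAD, ("echo",))))      # one line: payload echoed literally
    try:
        hardened_run(PAYLOAD, ("echo",))
    except ValueError as exc:
        print("hardened  :", exc)                                 # rejected before execution
```

The two layers are deliberately independent: the argv form removes the shell from the path, and the allow-list keeps a hostile value from ever reaching the tool, including as an option flag. Neither alone is a substitute for the other.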
Security specialists at Edera discovered and disclosed a high-severity vulnerability in early, since-abandoned code for an open-source async tar archive library for the Rust programming language.
They warn that exploitation, which can lead to remote code execution, could have significant impact because the code has been widely forked and there is little visibility into where it is used.
“Given its presence in critical, widely-deployed tools like the uv package manager, the potential impact on build systems and production environments across many companies is substantial,” Alex Zenla, chief technology officer and co-founder at Edera, said.
The boundary-parsing vulnerability — CVE-2025-62518, which has a CVSS rating of 8.1 — affects the async-tar Rust library and its many forks and downstream users, including tokio-tar, astral-tokio-tar, krata-tokio-tar, the Python package manager uv, testcontainers, and wasmCloud. The most popular fork, tokio-tar, has more than 5 million downloads on crates.io and is no longer maintained, according to Edera.
Edera discovered the vulnerability during a development push on its internal platforms on Aug. 21. The cybersecurity company created patches the next day and worked to get the fixes into as many active forks and open-source projects as possible before it publicly disclosed the defect. (Matt Kapko / CyberScoop)
Veeam Software, owned by private equity firm Insight Partners, agreed to buy Securiti AI for about $1.73 billion in cash and stock, adding software that helps secure corporate data used in artificial intelligence applications.
The deal is expected to close in the first week of December and add to profit in the second half of 2026. (Dina Bass / Bloomberg)
Related: Channelweb, Blocks and Files, SiliconANGLE, Reuters, Pulse 2.0, Blocks and Files, Help Net Security, Business Wire, CyberScoop, Biz Journals
Dataminr, a New York-based company specializing in real-time threat intelligence, announced plans to acquire ThreatConnect, a cybersecurity threat intelligence provider, for $290 million.
The acquisition will combine Dataminr’s AI-powered analysis of public data with ThreatConnect’s internal threat management capabilities, creating what the companies describe as “Client-Tailored intelligence” that adapts to individual customer needs.
The merged technology would analyze both external public information and internal client data to provide context-specific threat assessments. (Greg Otto / CyberScoop)
Related: CRN, Dataminr, New York Times, Help Net Security, SiliconANGLE
Best Thing of the Day: Always Be Prepared
Scouting America and Scouts BSA launched two new merit badges on AI and cybersecurity.
Worst Thing of the Day: Cyber Agency on the Verge of a Nervous Breakdown
While companies scramble to respond to a major nation-state cyberattack, the threat-sharing apparatus of CISA, the top US cybersecurity agency, has gone silent on providing guidance.
Closing Thought
