UK cops bust man allegedly linked to Collins Aerospace attack

Hackers breached US agency via unpatched GeoServer, GitHub implements new defenses after supply chain attacks, Boyd casino operator hit by cyberattack, Inc claims PA Atty General attack, UK used AI to find £500m in fraud, Cloudflare stopped 22.2 Tbps attack, much more


Editorial note: Metacurity included an item in yesterday's edition that, based on Secret Service messaging and news outlets' reporting, suggested the Secret Service had uncovered and dismantled a dangerous cell phone technology network capable of knocking out cell service in the New York region. In fact, as experts have subsequently revealed, what the authorities dismantled was what is known as an ordinary SIM farm, a common technology setup used by scammers in Asia and elsewhere to transmit mass phone calls and texts. I will have more to say on how things got so garbled in tomorrow's Metacurity.




British police said a man had been arrested as part of an investigation into a ransomware attack against Collins Aerospace, owned by RTX, which knocked check-in systems at airports offline and caused widespread travel disruption across Europe.

The National Crime Agency said in a statement that the man, in his 40s, was arrested on Tuesday on suspicion of offences under the Computer Misuse Act and had since been released on conditional bail.

"Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing," NCA Deputy Director Paul Foster said.

It remained unclear which criminal group was behind last week's hack. An NCA spokesperson declined to provide further details.

It's unclear which cybercriminals were behind the attack, but according to researchers at Cyfirma, they had already infiltrated Collins Aerospace by the end of 2024. Cyfirma considers Alixsec, Scattered Spider, and the Rhysida ransomware group as plausible actors behind the incident. (James Pearson and Muvija M / Reuters and Günter Born / BornCity)

Related: BBC News, CNN, The Independent, Planet Radio, Telegraph, London Evening Standard

CISA revealed in an advisory that attackers breached the network of an unnamed US federal civilian executive branch (FCEB) agency last year after compromising an unpatched GeoServer instance.

The security bug (tracked as CVE-2024-36401) is a critical remote code execution (RCE) vulnerability patched on June 18, 2024. CISA added the flaw to its catalog of actively exploited vulnerabilities roughly one month later, after multiple security researchers shared proof-of-concept exploits online demonstrating how to gain code execution on exposed servers.

While the cybersecurity agency did not provide any details on how the flaws were being exploited in the wild, threat monitoring service Shadowserver observed CVE-2024-36401 attacks starting on July 9, 2024, while OSINT search engine ZoomEye was tracking over 16,000 GeoServer servers that were exposed online.

Two days after the first attacks were detected, threat actors gained access to a US federal agency's GeoServer server and compromised another one roughly two weeks later. In the next stage of the attack, they moved laterally through the agency's network, breaching a web server and an SQL server.

"On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation," CISA said.

"Once inside the organization's network, the cyber threat actors primarily relied on brute force techniques [T1110] to obtain passwords for lateral movement and privilege escalation. They also accessed service accounts by exploiting their associated services."

The threat actors remained undetected for three weeks until the federal agency's Endpoint Detection and Response (EDR) tool alerted its Security Operations Center (SOC) to the breach, flagging a file as suspected malware on the SQL Server on July 31, 2024.

CISA urges network defenders to expedite patching of critical vulnerabilities (especially those added to its Known Exploited Vulnerabilities catalog), ensure security operations centers continuously monitor EDR alerts for suspicious network activity, and strengthen their incident response plans. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, Infosecurity Magazine

On the heels of the Shai-Hulud attack, a self-replicating worm that infiltrated the npm ecosystem via compromised maintainer accounts by injecting malicious post-install scripts into popular JavaScript packages, GitHub announced it is implementing a set of defenses against supply chain attacks on the platform.

Among the defenses are two-factor authentication for local publishing, granulated tokens that will have a limited lifetime of seven days, expanded and encouraged adoption of trusted publishing, and removal of the option to bypass 2FA for local publishing, among other new defenses.
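As an added example (not code from GitHub, npm, or the article), here is a Python audit that walks a `node_modules` tree and lists every install-time lifecycle script, the hook the Shai-Hulud worm abused; the package manifests it builds are constructed samples, not real packages.

```python
"""Audit npm package manifests for install-time lifecycle scripts."""
import json
import os
import tempfile

# npm runs these hooks automatically for every dependency during `npm install`;
# Shai-Hulud planted its payload in postinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(manifest: dict) -> dict:
    """Return {hook: command} for each install-time script in a package.json dict."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_tree(root: str) -> list:
    """Walk root and return (package name, hook, command) for every install hook found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        name = manifest.get("name", os.path.relpath(dirpath, root))
        for hook, cmd in find_install_hooks(manifest).items():
            findings.append((name, hook, cmd))
    return findings


def build_sample_tree() -> str:
    """Create a tiny constructed node_modules tree in a temp dir (hypothetical packages)."""
    root = tempfile.mkdtemp()
    samples = {
        "plain-lib": {"name": "plain-lib", "version": "1.0.0"},
        "suspicious-pkg": {"name": "suspicious-pkg", "version": "2.1.0",
                           "scripts": {"postinstall": "node bundle.js"}},
        "native-addon": {"name": "native-addon", "version": "0.3.0",
                         "scripts": {"install": "node-gyp rebuild", "test": "jest"}},
    }
    for pkg, manifest in samples.items():
        pkg_dir = os.path.join(root, "node_modules", pkg)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for name, hook, cmd in sorted(audit_tree(build_sample_tree())):
        print(f"{name}: {hook} -> {cmd!r}")  # review each hit; a native build step is expected, an unexplained script is not
```

Setting `ignore-scripts=true` in `.npmrc` stops npm from running these hooks at all, at the cost of breaking packages that legitimately compile native code on install.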

Ruby Central also announced tighter governance of the RubyGems package manager to improve its supply-chain protections.

This ecosystem also suffered from similar problems recently, such as a campaign with 60 malicious Ruby gems that were downloaded 275,000 times, and another one typosquatting the Fastlane project for Telegram. (Bill Toulas / Bleeping Computer)

Related: GitHub, Ruby Central, Dark Reading, Help Net Security, eSecurity Planet, The Register, r/cybersecurity

In a filing with the SEC, US gaming and casino operator Boyd Gaming Corporation disclosed it suffered a breach after threat actors gained access to its systems and stole data, including employee information and data belonging to a limited number of other individuals.

Boyd Gaming disclosed that it recently suffered a cyberattack in which attackers gained access to its systems. 

The company states that it worked with external cybersecurity experts to respond to the attack and notified law enforcement.

However, the threat actors were able to steal data from the company's systems, which includes information about employees and individuals. (Lawrence Abrams / Bleeping Computer)

Related: SEC, NewsNet5, CyberInsider, ReadWrite, KTNV, GuruFocus, CDC Gaming, Casino.org

Ransomware gang Inc took credit for an August 2025 data breach at the Pennsylvania Attorney General’s office.

At the end of last month, the PA AG announced it suffered a ransomware attack on August 11 that prevented staff access to archived emails, files, and internal systems. The office said at the time that staff were unable to access litigation data. A judge suspended civil trial litigation and some criminal matters until mid-September.

Inc on September 20, 2025, claimed responsibility for the attack and said it stole 5.7 TB of data. To prove its claim, Inc posted sample images of what it says are documents stolen from the Attorney General’s office.

The Pennsylvania Attorney General has not verified Inc’s claim. It did say that it refused to pay a ransom demand. The AG says it has notified a few individuals that their information might have been compromised in the breach. (Paul Bischoff / Comparitech)

Related: Inquirer, Philly Voice, HackRead, Pennsylvania Attorney General

Inc listing PA Attorney General on its website. Source: Comparitech.

A new artificial intelligence tool designed to crack down on fraud has helped the UK government recover almost £500m over the last year, the BBC can reveal.

More than a third of the money clawed back related to fraudulent activity during the Covid-19 pandemic, with other cash being recouped from unlawful council tax claims and illegal subletting of social housing.

The government will announce later that a new AI tool, which has helped to identify the fraud, will now be licensed to other countries, including the US and Australia. Civil liberties campaigners have previously criticized the Labour government for its use of AI in trying to counter fraud.

The Cabinet Office says the £480m recovered in the 12 months from April 2024 is the largest sum ever reclaimed by government anti-fraud teams in a single year. The savings have been made by cross-referencing information held by different government departments, as well as using a new AI tool.

Ministers say the savings will now be used to recruit nurses, teachers, and police officers. Of the total sum recovered, £186m was related to Covid fraud. (Jack Fenwick / BBC News)

Related: GOV.uk, Euronews, Tech Digest

Cloudflare has mitigated a distributed denial-of-service (DDoS) attack that peaked at a record-breaking 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps).

The incident lasted 40 seconds and is by far the largest ever mitigated.

Despite the short assault period, the volume of traffic directed at the victim was enormous, roughly equivalent to streaming one million 4K videos simultaneously.

The packet rate of 10.6 Bpps can be translated to roughly 1.3 web page refreshes per second from every person on the planet. (Bill Toulas / Bleeping Computer)

Related: Security Affairs

Diagram of the record-breaking attack. Source: Cloudflare

Security researcher TwoSevenOneThree (Zero Salarium) found a new method and proof-of-concept tool called EDR-Freeze that demonstrates how evading security solutions is possible from user mode with Microsoft's Windows Error Reporting (WER) system.

Existing EDR disabling methods operate based on the “Bring Your Own Vulnerable Driver” (BYOVD) technique, where attackers take a legitimate but vulnerable kernel driver and exploit it for privilege escalation.

Key drawbacks in the BYOVD attacks include the need to smuggle the driver to the target system, bypass execution protections, and wipe kernel-level artifacts that could expose the operation.

EDR-Freeze is described as a much stealthier method that requires no kernel driver, works entirely from the user mode, and leverages legitimate Windows components that are present by default in the operating system. (Bill Toulas / Bleeping Computer)

Related: Zero Salarium, SC Media, Techzine

Social media app TikTok has been collecting sensitive information from hundreds of thousands of Canadians under 13 years old, a joint investigation by privacy authorities found.

The investigation, launched by the federal privacy commissioner and his counterparts in Quebec, British Columbia, and Alberta, looked into the video app's privacy practices as they relate to younger users and whether "valid and meaningful" consent is being obtained for the collection, use, and disclosure of personal information.

TikTok's terms of service prohibit users under the age of 13 (14 in Quebec) from using the platform.

However, "as a result of TikTok's inadequate age-assurance measures, the company collected the personal information of a large number of Canadian children, including information that the offices consider to be sensitive," said the report.

It also found TikTok failed to adequately explain its collection and use of biometric information, such as facial and voice data, in the context of its video, image, and audio analysis. (Catharine Tunney / CBC News)

Related: Reuters, BBC News, Globe and Mail, MobileSyrup, Associated Press, One America News Network, Vancouver Sun, Global News, Office of the Privacy Commissioner of Canada, Hacker News (ycombinator), r/technology

In a case that has riveted public attention in Greece, four people, two Israelis and two Greeks, are being tried today at the Athens Criminal Court for the "violation of telephone communication secrecy" and face a maximum five-year prison sentence.

Their trial, initially scheduled for March, was postponed by six months.

Three of the defendants are former executives of the Greek company Intellexa, which marketed the Predator spyware in Greece. Predator allows hackers to access messages, photos, and even remotely activate the microphone or camera of the infected device.

In 2023, Intellexa was added to a list of companies banned in the United States as a threat to national security, alongside Cytrox, which developed Predator in North Macedonia.

One of the main victims of the scandal, Greek financial journalist Thanassis Koukakis, told AFP it was "a true violation of the rule of law".

The case, uncovered by Koukakis in early 2022, rattled the conservative government of Kyriakos Mitsotakis, leading to resignations by the head of Greece's EYP National Intelligence Service as well as the prime minister’s top aide and nephew.

Koukakis has filed a civil lawsuit in the trial after being placed under surveillance by EYP with the spyware. (AFP)

Related: ekathimerini, Greek City Times, Neos Kosmos, BBC News

Researchers at the Atlantic Council’s Digital Forensic Research Lab say a Russian group sanctioned by the European Union and wanted by the US government is behind an influence operation known as REST Media targeting upcoming elections in Moldova.

REST Media is an online news outlet launched in June whose posts have quickly amassed millions of views on social media, and it is actually the work of Rybar, a known Russian disinformation outfit connected to other documented influence campaigns against Western countries and Russian foes like Ukraine.

REST’s content, spread through its website and social media sites like Telegram, X, and TikTok, often hammered Moldova’s pro-EU party, the Party of Action and Solidarity, with claims of electoral corruption, vote selling, and other forms of misconduct. The site also sought to explicitly cast Moldova’s anti-disinformation efforts as a form of government censorship.

The new research demonstrates that REST “is more than just another clone in Russia’s information operations ecosystem," according to DFR Lab.

“It provides granular detail on how actors, such as Rybar, adapt, regenerate, and cloak themselves to continue their efforts to influence,” the authors wrote. “From shared FTP configurations to sloppy metadata, the evidence points to REST being part of a broader strategy to outlast sanctions through proxy brands and technical obfuscation.” (Derek B. Johnson / CyberScoop)

Related: DFR Lab

An image on the REST website contains an embedded file path referencing Rybar. (Source: REST/archive, Jimpl.com)

A survey of cybersecurity bosses conducted by Gartner has shown that 62 percent reported attacks on their staff using AI over the last year, either by the use of prompt injection attacks or faking out their systems using phony audio or video generated by AI.

The most common attack vector is deepfake audio calls against staff, with 44 percent of businesses reporting at least one instance of this happening, six percent of which resulted in business interruption, financial loss, or intellectual property loss. Those loss rates drop to two percent when an audio screening service is used.

For video deepfakes, the figure was slightly lower, 36 percent, but still five percent of those also caused a serious problem. (Iain Thomson / The Register)

Related: Gartner, Infosecurity Magazine

Source: Gartner

Best Thing of the Day: Good News for Uvalde's School Children

Uvalde Consolidated Independent School District (UCISD) has restored most critical systems, including internet, phones, and HVAC access control, following a recent ransomware attack.

Worst Thing of the Day: Here's Your Brain on Workslop

Company employees are using AI tools to create "workslop," which is low-effort, passable-looking work that ends up creating more work for their coworkers.

Closing Thought

h/t to https://infosec.exchange/@beyondmachines1
