Robert Grupe's AppSecNewsBits 2025-09-13

September 13, 2025

In This Week's Highlights:

Epic Fails

  • Jaguar Land Rover extends shutdown after cyber attack

  • Plex suffers security incident exposing user data and urging password resets

  • Apple slips up on ChillyHell macOS malware, lets it past security . . . for 4 years

  • Microsoft: Anti-spam bug blocks links in Exchange Online, Teams

Hacking

  • Chinese Hackers Pretended to Be a Top U.S. Lawmaker During Trade Talks

  • Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack

  • US warns hidden radios may be embedded in solar-powered highway infrastructure

AppSec

  • NIST Enhances Security Controls for Improved Patching

  • What Is OSCAL? A NIST-Backed Framework for Financial Institutions

  • HHS Unveils Version 3.6 of the Security Risk Assessment Tool

  • New cybersecurity rules land for Defense Department contractors

Legal

  • Court rejects Verizon claim that selling location data without consent is legal

  • US Senator says Microsoft should be probed for 'gross cybersecurity negligence' after hospital ransomware attacks

  • Former WhatsApp Security Chief Sues Meta, Citing Major Privacy Risks
    Different

  • Flush door handles are the car industry’s latest safety problem

 

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Jaguar Land Rover extends shutdown after cyber attack
Jaguar Land Rover's (JLR) UK factories are now expected to remain closed until at least Wednesday after work was disrupted by a cyber attack August 31st.
The car plants at Halewood and Solihull and its Wolverhampton engine facility, along with production facilities in Slovakia, China and India, have been unable to operate since the company fell victim to the cyber attack. Staff who work on the production lines have been told to remain at home.
The production stoppage has had a significant impact on the company's suppliers, with some understood to have told their own staff not to come into work. As well as forcing the factories to stop building cars, it also left dealerships unable to register new cars and garages that maintain JLR vehicles unable to order the parts they needed.
A group of young hackers who have been behind other attacks on UK businesses including M&S earlier this year have also claimed responsibility for the JLR attack.

 

Plex suffers security incident exposing user data and urging password resets
In an email sent to subscribers, the popular media server company confirmed that an unauthorized third party gained access to one of its databases. The breach exposed emails, usernames, and hashed passwords.
Plex emphasized that passwords were encrypted following best practices, so attackers cannot simply read them. The company also reassured users that no credit card data was compromised, since Plex does not store that information on its servers.
Still, out of caution, it is requiring all account holders to reset their credentials.

 

Apple slips up on ChillyHell macOS malware, lets it past security . . . for 4 years 
ChillyHell, a modular macOS backdoor believed to be long dormant, has likely been infecting computers for years while flying under the radar. The malware, written in C++ and developed for Intel architectures, was originally reported by Mandiant in 2023.
But despite being documented, ChillyHell wasn't flagged as malicious. In fact, the sample uncovered by Jamf's researchers is developer-signed and passed Apple's notarization process in 2021. Despite not making it to VirusTotal until 2025, this sample has remained notarized up until now.
In addition, the notarized sample has been hosted publicly on Dropbox since 2021, indicating that it has likely been infecting victims while remaining undetected over the last four years.

 

Microsoft: Anti-spam bug blocks links in Exchange Online, Teams
The issues began impacting Exchange Online and Microsoft Teams users on September 5th, when Redmond said that admins might see alerts titled "A potentially malicious URL click was detected involving one user," even though the URLs had already been confirmed as safe.
While Microsoft engineers have partially resolved these false positive issues, they are still working to address the impact caused by more URLs being disabled by its faulty anti-spam models. Microsoft has addressed similar issues since the start of the year, resulting in emails being incorrectly tagged as spam or quarantined.
For instance, in May, Microsoft resolved another issue causing a machine learning model to incorrectly flag emails from Gmail accounts as spam in Exchange Online.
Redmond fixed another machine-learning bug that mistakenly flagged Adobe emails in Exchange Online as spam one month earlier, as well as an Exchange Online false positive that caused anti-spam systems to incorrectly quarantine some users' emails in March.
Microsoft adds malicious link warnings to Teams private chats
Microsoft will introduce these new warnings for messages containing URLs that have been flagged as spam, phishing, or malware, for all Microsoft Defender for Office 365 (MDO) and Microsoft Teams enterprise customers.
The new link protection feature will begin rolling out with a public preview for desktop, Android, web, and iOS users in September 2025 and is expected to reach general availability in November 2025, according to a recent Microsoft 365 roadmap entry.
[rG: Well, we'll see how this new functionality handles AppSecNewsBits. Historically, anti-spam agents have used 'hacking' words frequency and URLs quantity counts to rate messages as potential spam; which has incorrectly classified these emails as spam.]

 

What’s Weak This Week:

  • CVE-2025-5086 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability:
    Could lead to a remote code execution. Related CWE: CWE-502 

 

HACKING

Chinese Hackers Pretended to Be a Top U.S. Lawmaker During Trade Talks
Several trade groups, law firms and U.S. government agencies had all received an email appearing to be from the committee’s chairman, Rep. John Moolenaar (R., Mich.), asking for input on proposed sanctions with which the legislators were planning to target Beijing. “Your insights are essential,” the email read, asking the groups to review a draft of the legislation attached to the message. But why had the chairman sent the message from a nongovernment address?
The FBI and the Capitol Police are investigating the Moolenaar emails, and cyber analysts traced the embedded malware to a hacker group known as APT41—believed to be a contractor for Beijing’s Ministry of State Security.

 

Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack
Attackers sent a deceptive email impersonating npm support, urging Junon to update his two-factor authentication (2FA) credentials. The email threatened account lockout and linked to a fake login page that harvested credentials.
Once inside the maintainer’s account, the attackers published new versions of popular packages—like chalk, debug, and ansi-styles—with malicious code embedded in the index.js files. The injected malware acted as a browser-based interceptor, hooking into JavaScript functions (fetch, XMLHttpRequest, wallet APIs) to monitor and redirect cryptocurrency transactions to attacker-controlled wallets.
Only apps freshly installed during a ~2.5-hour window were affected, and only if they included the compromised packages directly or transitively.

 

US warns hidden radios may be embedded in solar-powered highway infrastructure
The devices, along with the electronic systems that manage rechargeable batteries, could be seeded with rogue communications components that would allow them to be remotely tampered with. Maliciously installed communications devices secreted inside them could be used to trigger surges or send rogue commands.
[rG: Or more generally, more IoT devices for hackers to exploit.]

 

APPSEC, DEVSECOPS, DEV

NIST Enhances Security Controls for Improved Patching
The overall goal is to reduce the attack window. The Security and Privacy Control catalog updates aim to mitigate risks in the software development and deployment process. In addition to technical content revisions, NIST added three main changes:

  1. Logging syntax:
    This defines an electronic format for recording security-related events to support better incident response. Defining data formats facilitates automation and helps teams reconstruct security-related incidents more quickly.

  2. Root cause analysis:
    This change specifies conducting a review to find the cause of an issue or failure with the software update, coming up with an action plan, and implementing it.

  3. Design for cyber resiliency:
    This recommendation involves designing systems for survivability — the ability to anticipate, withstand, respond to, and recover from attack while maintaining critical functions.

 

What Is OSCAL? A NIST-Backed Framework for Financial Institutions
The Open Security Controls Assessment Language (OSCAL) is a standardized, machine-readable framework developed by the National Institute of Standards and Technology (NIST) to improve the efficiency and consistency of security compliance processes.
For financial institutions, which must comply with a complex web of regulations such as the Gramm-Leach-Bliley Act, the Payment Card Information Data Security Standard (PCI DSS), the Sarbanes-Oxley (SOX) Act and emerging state-level cybersecurity mandates, OSCAL provides a universal language for assessing and reporting security controls.
Traditionally, compliance documentation has been handled manually with word processors and spreadsheets — a process prone to human error, delays and data silos. OSCAL replaces these outdated methods with structured, machine-readable formats that streamline workflows and enable automation.

 

HHS Unveils Version 3.6 of the Security Risk Assessment Tool: What Covered Entities and Business Associates Need to Know
Anyone who has wrestled with the HIPAA Security Rule’s risk‐analysis requirement knows that the government’s free Security Risk Assessment (“SRA”) Tool can be a practical starting point—particularly for resource-constrained practices that cannot justify a commercial governance-risk-and-compliance platform.
Developed jointly by the Office for Civil Rights (“OCR”) and the Assistant Secretary for Technology Policy (“ASTP”), the SRA Tool walks the user through the core elements of a 45 C.F.R. § 164.308(a)(1)(ii)(A) risk analysis, prompting self-assessment questions on everything from facility access controls to encryption of data in transit.
The output—customized reports that catalogue vulnerabilities, likelihoods, impacts, and recommended remediation—can be invaluable if (or, more accurately, when) OCR knocks on the door.

 

New cybersecurity rules land for Defense Department contractors
The Pentagon finalized new cybersecurity rules requiring all defense contractors to comply with the Cybersecurity Maturity Model Certification (CMMC) by November 9. Vendors seeking contracts with the Pentagon under CMMC have to demonstrate clear evidence that they have conformed to cybersecurity standards set forth in the program, which was made official in October of last year. CMMC only applies to contractors working with information about federal contracts and controlled unclassified information.

 

LEGAL & REGULATORY

Court rejects Verizon claim that selling location data without consent is legal
The U.S. Court of Appeals for the 2nd Circuit upheld a $46.9 million fine against Verizon for selling customer location data without consent, rejecting the company’s claim that such data isn’t protected under federal law. Verizon had outsourced consent verification to third-party aggregators, which led to unauthorized law enforcement access.
The court ruled that device-location data qualifies as protected customer information under the Communications Act. This decision contrasts with a 5th Circuit ruling favoring AT&T, increasing the likelihood of Supreme Court review.

 

US Senator says Microsoft should be probed for 'gross cybersecurity negligence' after hospital ransomware attacks
Senator Ron Wyden has urged the FTC to investigate Microsoft for “gross cybersecurity negligence” following ransomware attacks on Ascension Healthcare. The breach reportedly began when a contractor clicked a malicious link via Bing, exploiting insecure default settings in Microsoft software. Attackers used an outdated encryption method (RC4) and a technique called Kerberoasting to gain privileged access. W
yden argues Microsoft’s failure to patch vulnerabilities and warn customers poses a national security risk.

 

Former WhatsApp Security Chief Sues Meta, Citing Major Privacy Risks
Attaullah Baig, former head of security for WhatsApp, filed a lawsuit against Meta, claiming the company ignored serious security and privacy vulnerabilities affecting billions of users. Thousands of Meta and WhatsApp employees could access sensitive user data — including profile pictures, contact lists, and location details — without proper oversight. He also claims the company turned a blind eye to large-scale account hacking, which he says reached more than 100,000 accounts a day. Baig repeatedly warned senior leaders, including Meta CEO Mark Zuckerberg, about the risks. Instead of addressing his concerns, the company allegedly retaliated by issuing negative performance reviews and ultimately fired him in February. 

 

And Now For Something Completely Different …

Flush door handles are the car industry’s latest safety problem
Chinese authorities have been concerned about retractable door handles for some time now and are reportedly close to banning them from 2027.
The electric vehicle manufacturer chose not to use conventional door locks in its cars, preferring to use IP-based electronic controls. While the front seat occupants have always had a physical latch that can open the door, it took some years for the automaker to add emergency releases for the rear doors, and even now that it has, many rear-seat Tesla passengers will be unaware of where to find or how to operate the emergency release.
A power failure also affects first responders' ability to rescue occupants, and Hull's article details a number of tragic fatal crashes where the occupants of a crashed Tesla were unable to escape the smoke and flames of their burning cars.
Flush-fit door handles fail far more often during side impacts than regular handles, delaying egress or rescue time after a crash. During heavy rain, flush-fit door handles have short-circuited, trapping people in their cars. Consumers have even reported an increase in finger injuries as they get trapped or pinched.