Robert Grupe's AppSecNewsBits 2025-09-20

This Week's Highlights:

EPIC
- Shai-Hulud worm infects 25 npm packages, including CrowdStrike's
- Cloudflare DDoSed itself with React useEffect hook blunder
- Microsoft’s Entra ID vulnerabilities could have been catastrophic
- How weak passwords and other failings led to catastrophic breach of Ascension
- Jaguar Land Rover supply chain workers must get Covid-style support, says union
- Careless engineer stored recovery codes in plaintext, got whole org pwned
- Former FinWise employee may have accessed nearly 700K customer records
HACKING
- Target-rich environment: Why Microsoft 365 has become the biggest risk
- Children hacking their own schools for 'fun', watchdog warns
APPSEC
- NIST explains how post-quantum cryptography push overlaps with existing security guidance
- NIST Publishes SP 800-227: Recommendations for Key-Encapsulation Mechanisms
- NIST relaunches 1-to-N fingerprint biometrics matching evaluations
- NIST SP 800-63-4 Digital Identity Guidelines
- NIST injects $3 million to boost workforce development and education, as cybersecurity jobs shortfall nears 500,000
VENDORS
- Top 10 Best DAST Platforms 2025
- 12 dark web monitoring tools
LEGAL
- Two UK teens charged in connection to Scattered Spider ransomware attacks
- Scattered Spider teen cuffed after buying games and meals with extortion bitcoin

 

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Shai-Hulud worm infects 25 npm packages, including CrowdStrike's
A new cyberattack has rocked the npm ecosystem, with the Shai-Hulud worm infecting at least 187 open-source packages—including 25 from security firm CrowdStrike. The worm spreads itself by sneaking into postinstall scripts, grabbing environment variables, cloud credentials, and GitHub tokens using TruffleHog, and then uploading that sensitive info to a public GitHub repo called "Shai-Hulud." With those stolen tokens, it pushes malicious updates to every npm package managed by the affected account.
The Shai-Hulud worm emerged just days after unknown attackers launched a broad phishing campaign that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.
Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method. “Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”
[rG: This is an evolving story, with some outlets now reporting affected repositories in the hundreds. Those who fail to learn from history are doomed to repeat it. Remember Log4Shell in 2021? The lesson there was that organizations need centrally managed third-party components in a central Binary Management System that runs SCA scans daily to provide alerting, instant vulnerability risk reporting, and remediation guidance. All apps also need to be designed so that secrets are not exposed in code and credentials can be reset automatically within an hour. GenAI is only accelerating attacks on software supply chains, with npm a popular target. The days of 'good enough' vulnerability scanning just before production release passed years ago.]

 

Cloudflare DDoSed itself with React useEffect hook blunder
Cloudflare has confessed to a coding error using a React useEffect hook, notorious for being problematic if not handled carefully, that caused an outage for the platform's dashboard and many of its APIs.
The outage was on September 12, lasted for over an hour, and was triggered by a bug in the dashboard, which caused repeated, unnecessary calls to the Tenant Service API.
This API is part of the API request authorization logic and therefore affected other APIs. The core issue was a React useEffect hook with a "problematic object in its dependency array."
The useEffect hook is a function with parameters including a setup function that returns a cleanup function, and an optional list of dependencies. The setup function runs every time a dependency changes. The useEffect hook is powerful but often overused. The documentation is full of warnings about misuse and common errors, and encouragement to use other approaches where possible. Performance pitfalls with useEffect are common.

 

Microsoft’s Entra ID vulnerabilities could have been catastrophic
Vulnerabilities in Microsoft’s Entra ID (formerly Azure Active Directory) could have allowed attackers to gain global administrator access across nearly all Azure tenants. The flaws involved legacy systems—specifically Actor Tokens and the outdated Azure AD Graph API—which failed to properly validate tenant access, enabling cross-tenant impersonation. Microsoft responded swiftly, issuing a global fix within days and confirming no evidence of exploitation. [rG SSDLC: Emphasising the importance of detailed system security design reviews with threat modeling, so that security vulnerabilities can be identified proactively prior to production use.]

 

How weak passwords and other failings led to catastrophic breach of Ascension
Ascension's ransomware breach caused life-threatening disruptions at 140 hospitals and put the medical records of 5.6 million patients into the hands of the attackers.

Causes

  • Ascension did not use Managed Service Accounts (MSAs), which automatically rotate strong, random passwords.

  • Microsoft Active Directory Kerberos permitted outdated RC4/NTLM instead of AES, which allowed attackers to exploit weak cryptographic hashing.

  • Attackers leveraged Kerberoasting to extract service tickets and perform offline password cracking.

  • Excessive privileges allowed lateral movement from a single compromised device to domain-wide access.

  • Lack of tiered asset isolation and role-based access controls.

  • No separation between legacy systems and critical infrastructure, which allowed an infected contractor laptop to reach sensitive Active Directory components.

  • Attackers remained undetected for up to three months, indicating a lack of monitoring for lateral movement, ticket requests, and anomalous behavior. Failure to implement defense-in-depth and Zero Trust: there were no layered defenses to contain the breach, and the network assumed internal trust, violating zero-trust principles.

Impacts

  • Attackers gained control of Ascension’s central identity and access management system.

  • Systems were encrypted, locking out medical personnel from critical tools and records.

  • Disruption of patient care coordination, medication tracking, and surgical procedures.

  • Weeks-long disruptions across Ascension’s healthcare network.

  • Ascension’s internal failings now under public and governmental scrutiny. [rG: It is critical for organizations to regularly evaluate their own maturity and confidence in preventing these fundamental network and implementation shortcomings.]

 

Jaguar Land Rover supply chain workers must get Covid-style support, says union
The UK's chief automotive workers' union is calling on the government to establish a Covid-esque furlough scheme for the thousands of individuals who face losing their jobs due to the cyber-related downtime at Jaguar Land Rover. Unite said it's already received reports that layoffs have begun for some workers across JLR's supply chain.
Furlough schemes were common during the earlier months of the Covid-19 pandemic, allowing companies to retain staff while the government covered up to 80 percent of their salaries, with a £2,500 ($3,395) monthly cap.
The costs for any organization experiencing extended periods of downtime are high, but for a business that produces around 1,000 cars per day, across sites in the UK, China, India, and Slovakia, the impact is devastating. JLR is likely shouldering costs between £5 million and £10 million (c $6-13 million) for every day it remains on lockdown, meaning the potential losses – so far – are in the £65 million to £130 million ($88-176 million) region.

 

Careless engineer stored recovery codes in plaintext, got whole org pwned
After breaking in via the org's SonicWall VPN, the attacker found a plaintext file containing Huntress recovery codes located on an internal security engineer's desktop. These recovery codes serve as a backup method for bypassing multi-factor authentication (MFA) and regaining account access.
Naturally, the ransomware crew used these codes to access the Huntress portal, and then they started resolving active incident reports and de-isolating hosts, even initiating uninstalls of Huntress agents. Closing the alerts allowed the attackers to remain hidden for longer, thus giving them more time to snoop around the compromised environment, and they also attempted to remove the organization's endpoint security tools.

 

Former FinWise employee may have accessed nearly 700K customer records
A US fintech biz is writing to nearly 700,000 customers because a former employee may have accessed or acquired their data after leaving the company. The incident took place on May 31, 2024, but was only detected on June 18 this year.

 

What’s Weak This Week: AppSec Fails - Critical Vulnerabilities

 

HACKING

Target-rich environment: Why Microsoft 365 has become the biggest risk
Microsoft 365 now finds itself in the crosshairs for having "won" the email and collaboration war. With over 400 million paid Office 365 seats worldwide and countless organizations relying on its integrated suite of applications, Microsoft 365 represents the ultimate target-rich environment for threat actors.
Each application — Outlook, SharePoint, Teams and OneDrive — represents a potential entry point, and their tight integration means compromising one service provides pathways to others. This creates "lateral movement opportunities." An attacker gaining access through phishing in Outlook can pivot to exfiltrate SharePoint data, manipulate OneDrive documents or join confidential Teams meetings.
Standard Microsoft 365 backups often lack the granular recovery options needed to respond to sophisticated attacks, and worse, they can actually store and preserve malicious content that becomes a future attack vector.
When scanning URLs in Microsoft 365 email backups, analysts discovered that 40% contained phishing links that had been dutifully preserved alongside legitimate business communications. Even more alarming, over 200,000 backed-up emails contained malware attachments. These findings expose a critical flaw in traditional backup approaches: Organizations are not just storing their data — they're creating permanent archives of the very threats designed to destroy them.
[rG: This is just a small partial list of Microsoft integrated applications that require Zero Trust implementation, monitoring, and incident recovery business continuity strategies.]

 

Children hacking their own schools for 'fun', watchdog warns
The UK Information Commissioner's Office (ICO) has issued a warning about what it calls the "worrying trend" of students hacking their own school and college IT systems for fun or as part of dares. Since 2022, the ICO has investigated 215 hacks and breaches originating from inside education settings and says 57% were carried out by children. [Mostly teenagers, with one incident where a 7-year-old was involved in a data breach and subsequently referred to the National Crime Agency's Cyber Choices programme to help them understand the seriousness of their actions.]

 

APPSEC, DEVSECOPS, DEV
NIST explains how post-quantum cryptography push overlaps with existing security guidance
The capabilities demonstrated in the project support several security objectives and controls identified in other NIST guidance documents. At the same time, responsible implementation of the demonstrated capabilities is dependent on adherence to several security objectives and controls identified in these risk framework documents.

 

 

 

NIST SP 800-63-4 Digital Identity Guidelines
The NIST framework’s 4th revision of its Digital Identity Guidelines sets out the technical requirements for “meeting digital identity assurance levels for identity proofing, authentication, and federation,” which include security and privacy requirements and an improved customer experience.

 

NIST injects $3 million to boost workforce development and education, as cybersecurity jobs shortfall nears 500,000
Currently, there are more than 514,000 unfilled cybersecurity jobs in the U.S., with only about 74 qualified workers available for every 100 positions. With the newly awarded cooperative agreements, there are now 47 RAMPS communities established across 25 states. The 2025 recipients span regions across the country, with funding amounts tailored to support their cybersecurity workforce initiatives. In Arizona, the AZ Cyber Initiative received $199,100. Bristol Community College in Southern Massachusetts was awarded $177,776. The Coding School, which serves Delaware, Maryland, and Virginia, received $200,000, while the Cyber Bytes Foundation in Stafford County, Virginia, was also awarded $200,000, among others.
[rG: And yet there are many qualified professionals who aren't being hired. Adjustments to financial and hiring practices, along with mentoring and apprenticeship programs that promote from within, can close this gap more effectively.]

 

VENDORS & PLATFORMS

Top 10 Best DAST Platforms 2025
Acunetix, Burp Suite, Rapid7 InsightAppSec, Invicti, AppCheck, Detectify, Intruder, Qualys WAS, OWASP ZAP, and HCL AppScan.

12 dark web monitoring tools
Brandefense, CrowdStrike Falcon Adversary OverWatch, CTM360 CyberBlindspot and ThreatCover, DarkOwl Vision UI, IBM X-Force Exchange, Malware Information Sharing Platform – MISP, Mandiant Digital Threat Monitoring, OpenCTI, Rapid7 Threat Command, Recorded Future Intelligence Cloud Platform, SOCRadar Advanced Dark Web Monitoring, ZeroFox Dark Web Monitoring.

 

LEGAL & REGULATORY

Two UK teens charged in connection to Scattered Spider ransomware attacks
Thalha Jubair, 19, of London, was part of Scattered Spider, the name of an English-speaking group that has breached the networks of scores of companies worldwide. After obtaining data, the group demanded that the victims pay hefty ransoms or see their confidential data published or sold. Jubair and Owen Flowers, 18, from Walsall, West Midlands, were charged by UK prosecutors in connection with last year’s cyberattack on Transport for London. The agency, which oversees London’s public transit system, faced a months-long recovery effort as a result of the breach. Flowers and other conspirators were responsible for a cyberattack on SSM Health Care and for attempting to breach Sutter Health. Jubair faces US charges of computer fraud conspiracy, computer fraud, wire fraud conspiracy, wire fraud, and money laundering conspiracy. If convicted, he faces a maximum penalty of 95 years in prison.
Scattered Spider teen cuffed after buying games and meals with extortion bitcoin
Somebody took cryptocurrency from a wallet on a server that also held ransom funds and bought gaming gift cards tied to an account in Jubair's name, as well as food-delivery gift cards, which were then used to order takeout to the apartment complex where he lived.

 

China slaps 1-hour deadline on reporting serious cyber incidents
The rules apply to a broad category of "network operators," which in China effectively means anyone who owns, manages, or provides network services, and mandate that serious incidents be reported to the relevant authorities within 60 minutes – or in the case of "particularly major" events, 30 minutes. After the dust settles, a final postmortem must be submitted within 30 days, detailing causes, lessons learned, and where the blame lies.