Robert Grupe's AppSecNewsBits 2025-09-27

September 27, 2025

This Week's AppSec News Highlights:

Epic Fails

1. Jaguar Land Rover hack ‘has cost 30,000 cars and threatens supply chain’

2. Ransomware attack linked to museum break-in and theft of golden exhibits

3. Viral call-recording app Neon goes dark after exposing users’ phone numbers, call recordings, and transcripts

4. Collins Aerospace working on restoring software for airlines hit by cyberattack

5. ‘An attacker's playground:’ Crims exploit GoAnywhere perfect-10 bug

6. Supermicro server motherboards can be infected with unremovable malware

7. Third time's the charm? SolarWinds (again) patches critical Web Help Desk RCE

8. OnePlus ignores Android bug that exposes texts

9. Microsoft, SentinelOne, and Palo Alto Networks Withdraw from 2026 MITRE ATT&CK Evaluations

Software Supply Chain Security

1. CISA: Widespread Supply Chain Compromise Impacting npm Ecosystem

2. Npm Package Hides Malware in Steganographic QR Codes

3. GitHub moves to tighten npm security amid phishing, malware plague

4. Open Source Turmoil: RubyGems Maintainers Kicked Off GitHub

5. OpenSSF warns that open source infrastructure doesn't run on thoughts and prayers

6. Fifty Years of Open Source Software Supply-Chain Security

Hacking

1. SIM city: Feds say 100,000-card farms could have killed cell towers in NYC

2. UK chancellor Putin the blame on Russia for cyber chaos, but evidence says otherwise

AppSec

1. CISA Releases Advisory on Lessons Learned from an Incident Response Engagement

Vendors

1. Shoplifters could soon be chased down by drones

2. Kali Linux 2025.3 released with 10 new tools, Wi-Fi enhancements

Legal

1. Salesforce facing 15 lawsuits after Salesloft breach

Different

1. Why day and night are not equally 12 hours on the equinox

 

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response 

Jaguar Land Rover hack ‘has cost 30,000 cars and threatens supply chain’
The company said that production would be halted for another week until at least October 1, which increased concerns that a full return to production could be months away.
The company shut down its global plants at the end of August due to the massive attack on its systems. The company directly employs more than 30,000 people, and it is estimated that approximately 200,000 workers in the supply chain depend on work from JLR.
There has been uncertainty over the extent of the cyberattack and exactly how the company has been affected, as well as who is responsible for it.

 

Ransomware attack linked to museum break-in and theft of golden exhibits
Dozens of French museums fell victim to a ransomware attack in August 2024, and the nation’s Natural History Museum copped another attack in July 2025.
The Museum’s systems were so damaged that it reportedly cancelled an exhibition. Last week the Museum discovered that thieves had broken into its minerals display section by using an angle grinder to cut through a door, before wielding a blowtorch to open a case containing gold specimens worth about $705,000.
The heist was possible because the July cyberattack broke the Museum’s alarms and video surveillance systems.

 

Viral call-recording app Neon goes dark after exposing users’ phone numbers, call recordings, and transcripts
The viral call-recording app Neon, which paid users to share phone call data for AI training, was abruptly taken offline after a major security flaw exposed users’ phone numbers, call recordings, and transcripts to anyone with basic technical access. TechCrunch discovered the vulnerability during testing and found that Neon’s servers lacked safeguards to prevent unauthorized data access. Although the app’s founder, Alex Kiam, shut down the servers and notified users of a pause, he did not disclose the breach in his communications. It remains unclear whether the app will return or face scrutiny from Apple and Google over compliance with their developer guidelines.

 

Collins Aerospace working on restoring software for airlines hit by cyberattack
Collins Aerospace experienced a disruption on September 19 to its MUSE system, an airport platform that supports passenger check-in, baggage processing and boarding operations at several European airports. The ransomware attack knocked check-in systems offline and caused widespread travel disruptions. British police said on Wednesday they had arrested a man as part of their investigation into the incident.
Berlin airport, one of the affected sites, said it was struggling to restore its check-in and baggage handling systems, warning of further delays and cancellations on Wednesday.

 

‘An attacker's playground:’ Crims exploit GoAnywhere perfect-10 bug
Security researchers have confirmed that threat actors have exploited the maximum-severity vulnerability affecting Fortra's GoAnywhere managed file transfer (MFT), and chastised the vendor for a lack of transparency. GoAnywhere MFT is deployed by organizations in the Fortune 500, and that there were more than 20,000 instances still exposed to the internet.
Fortra disclosed it on September 18, but did not confirm whether it was actively being exploited under its "Am I Impacted?" section. This is not 'just' a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators — it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025.
Attackers trigger the pre-auth deserialization bug to achieve remote code execution (RCE) capability, then create backdoor admin accounts and web users before executing multiple follow-on payloads.

 

Supermicro server motherboards can be infected with unremovable malware
Vulnerabilities can be exploited to install firmware similar to ILObleed, an implant discovered in 2021 that infected HP Enterprise servers with wiper firmware that permanently destroyed data stored on hard drives. Even after administrators reinstalled the operating system, swapped out hard drives, or took other common disinfection steps, ILObleed would remain intact and reactivate the disk-wiping attack. The exploit the attackers used in that campaign had been patched by HP four years earlier but wasn’t installed in the compromised devices.
CVE-2024-10237, a high-severity vulnerability that enabled attackers to reflash firmware that runs while a machine is booting still vulnerable after incomplete January patch.

 

Third time's the charm? SolarWinds (again) patches critical Web Help Desk RCE
SolarWinds is a name that needs no introduction in IT and cybersecurity circles. The infamous 2020 supply chain attack, attributed to Russia's Foreign Intelligence Service (SVR), allowed months-long access into multiple Western government agencies and left a lasting mark on the industry.
In 2024, the software vendor twice tried to patch the newer unauthenticated remote deserialization vulnerability. And now, here we are with yet another patch (CVE-2025-26399) addressing the very same flaw, an unauthenticated, AJAXproxy deserialization remote code execution (RCE) bug in its Web Help Desk ticketing and asset management software.

 

OnePlus ignores Android bug that exposes texts
The vulnerability operates silently — users receive no alerts when their SMS or MMS data is accessed or transmitted elsewhere. Exploitation requires zero user interaction.
Tracked as CVE-2025-10184 with 8.2 severity rating. The issue stems from the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection.
Multiple versions of OxygenOS contain this security flaw. Since OxygenOS 11 devices remain unaffected in their tests, researchers believe the vulnerability was introduced with OxygenOS 12, released on December 7, 2021.
Although Rapid7 only used OnePlus phones in its tests, it believes the issue extends to additional OEMs, given that the vulnerable component is within Android itself.
Rapid7 said OnePlus has not responded to numerous attempts to work with it on remediating the issue, the first of which was made on May 1.

 

Microsoft, SentinelOne, and Palo Alto Networks Withdraw from 2026 MITRE ATT&CK Evaluations
The MITRE ATT&CK Evaluations are widely regarded as a crucial industry benchmark, providing transparent and objective assessments of security product capabilities against simulated real-world attack scenarios. For years, strong performance in these evaluations has been a key marketing and validation tool for vendors. However, all three are citing a strategic reallocation of resources toward internal innovation and customer-focused initiatives.

 

What’s Weak This Week:

  • CVE-2025-20333 Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability:
    allows for remote code execution. This vulnerability could be chained with CVE-2025-20362. Related CWE: CWE-120

  • CVE-2025-20362 Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability:
    missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333. Related CWE: CWE-862

  • CVE-2025-10585 Google Chromium V8 Type Confusion Vulnerability:
    type confusion vulnerability in the V8 JavaScript and WebAssembly engine. Related CWE: CWE-843

SOFTWARE SUPPLY CHAIN

CISA: Widespread Supply Chain Compromise Impacting npm Ecosystem
A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages. After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials. The cyber actor then targeted GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. CISA urges organizations to implement the following recommendations to detect and remediate this compromise:

  • Conduct a dependency review of all software leveraging the npm package ecosystem.

    • Check for package-lock.json or yarn.lock files to identify affected packages, including those nested in dependency trees.

  • Search for cached versions of affected dependencies in artifact repositories and dependency management tools.

  • Pin npm package dependency versions to known safe releases produced prior to Sept. 16, 2025.

  • Immediately rotate all developer credentials.

  • Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms like GitHub and npm.

  • Monitor for anomalous network behavior.

  • Block outbound connections to webhook[.]site domains.

  • Monitor firewall logs for connections to suspicious domains.

  • Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and auditing repository webhooks and secrets.

  • Enable branch protection rules, GitHub Secret Scanning alerts, and Dependabot security updates.

 

Npm Package Hides Malware in Steganographic QR Codes
Researchers discovered the malicious package, called "fezbox," on the npm. The package is supposed to be a "JavaScript/TypeScript utility library of common helper functions, organized by feature modules so you can import only what you need." Instead, the package hides a payload that it executes from within a QR code that could steal username and password credentials from Web cookies within the browser. It also included other layers of obsfucation, demonstrating how threat actors continue to improve their obfuscation techniques.

 

GitHub moves to tighten npm security amid phishing, malware plague
GitHub, which owns the npm registry for JavaScript packages, says it is tightening security in response to recent attacks.
Many existing authentication methods will be removed "in the near future," including legacy classic tokens and one-time passwords for two-factor authentication (2FA). Token lifetimes will also be shortened, with a switch to trusted publishing and 2FA-enforced local publishing by default.
Trusted publishing was first adopted by the PyPI package index and is designed for automated workflows. Using OpenID Connect, the package repository verifies that a package comes from a trusted source and issues a short-lived token, avoiding the risks of long-lived tokens that can be stolen. Currently npm trusted publishing only supports GitHub Actions and GitLab CI/CD (continuous integration and delivery) pipelines.
Other package repositories have also added support for trusted publishing, including RubyGems, crates[.]io for Rust, and NuGet for .NET – this last one introduced yesterday by Microsoft.

 

Open Source Turmoil: RubyGems Maintainers Kicked Off GitHub
The RubyGems community is upset after maintainers were kicked off the GitHub repository.
Ruby Central also cited software supply chain attacks as requiring “proactive steps to safeguard the rubygem ecosystem end to end. As a result of these concerns, Ruby Central’s board voted to temporarily remove “certain administrative and commit privileges until agreements could be put in place.”
Ruby Central posted an explanation for its actions, citing security concerns and related fiduciary duty as the driver for this decision. “As the nonprofit steward of this infrastructure, Ruby Central has a fiduciary duty to safeguard the supply chain and protect the long-term stability of the ecosystem. In consultation with legal counsel and following a recent security audit, we are strengthening our governance processes, formalizing operator agreements, and tightening access to production systems. Moving forward, only engineers employed or contracted by Ruby Central will hold administrative permissions to the RubyGems[.]org service.”

 

OpenSSF warns that open source infrastructure doesn't run on thoughts and prayers
The Open Source Security Foundation (OpenSSF) has had enough of being the unpaid janitor of the world's software supply chain.
Package registries like Maven Central, PyPI, crates[.]io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.

 

Fifty Years of Open Source Software Supply-Chain Security
The fact that the 1974 Multics review anticipated many of the problems we face today is evidence that these problems are fundamental and have no easy answers. We must work to make continuous improvements to open source software supply-chain security, making attacks more difficult and expensive.
There are important steps we can take today, such as adopting software signatures in some form, making sure to scan for known vulnerabilities regularly, and being ready to update and redeploy software when critical new vulnerabilities are found. More development should be shifted to safer languages that make vulnerabilities and attacks less likely. We also need to find ways to fund open source development to make it less susceptible to takeover by the mere offer of free help. Relatively small investments in OpenSSL and XZ development could have prevented both the Heartbleed vulnerability and the XZ attack.

 

rG: This is a decades long issue. Manufacturers are ultimately liable for their products’ safety, quality, and reliability – no matter the providence of their constituent components. Volunteers who provide components at no-cost, as-is, have no responsibility to provide development, maintenance, or support; nor can they have any expectation of future renumeration. There are copyright, licensing, regress legal tools that simply are not being used and enforced. So long as there are willing unpaid contributors, and manufacturers who accept the risks, this isn’t going to altruistically resolve itself.

 

HACKING

SIM city: Feds say 100,000-card farms could have killed cell towers in NYC
The US Secret Service has dismantled a network of SIM farms in and around New York City. The network – or at least the parts the Secret Service has discovered – was massive, consisting of more than 300 colocated SIM servers, controlling more than 100,000 SIM cards, set up at multiple locations. All of the facilities the Secret Service discovered were located throughout the New York Tri-state area (NY, New Jersey, and Connecticut) but all within 35 miles of the UN headquarters building in NYC.
While the Secret Service wouldn't go into detail citing the active nature of the investigation, it did say that the SIM farms "were used to conduct multiple telecommunications-related threats directed towards senior US government officials" in recent months.

 

UK chancellor Putin the blame on Russia for cyber chaos, but evidence says otherwise
UK chancellor Rachel Reeves suggested Moscow's fingerprints were on recent cyber incidents affecting major UK firms. The comments appeared to allude to the recent hacks on Marks & Spencer, Co-op, Harrods, and Jaguar Land Rover, though the chancellor stopped short of naming any specific cases.
Days prior to the interview, the UK's National Crime Agency announced that it had cuffed four suspects over the Marks & Spencer breach: three Brits and a Latvian. Investigators allege the quartet belong to Scattered Spider, an English-speaking social engineering crew that has plagued companies on both sides of the Atlantic. The NCA claimed it had also linked the four suspects to the recent attacks on Co-op and Harrods. Meanwhile, researchers believe that the group, rather than being run by Kremlin-sponsored operators, consists mainly of young miscreants from the UK and US, adept at SIM-swapping, phishing, and sweet-talking call center staff. The same group has also been linked to the recent Jaguar Land Rover cyberattack that shuttered factories across the UK and overseas for weeks, costing millions in lost production.
Authorities, meanwhile, have characterized Scattered Spider as a criminal gang, not a state-sponsored unit – unless the Kremlin has suddenly started hiring Mancunians and Californians to do its dirty work.

 

APPSEC, DEVSECOPS, DEV

CISA Releases Advisory on Lessons Learned from an Incident Response Engagement
CISA recommends organizations take the following actions:

  • Prioritize Patch Management: Expedite patching of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities catalog, with a focus on public-facing systems.

  • Strengthen Incident Response Plans: Regularly update, test, and maintain incident response plans, ensuring they include procedures for engaging third-party responders and deploying security tools without delay.

  • Enhance Threat Monitoring: Implement centralized, out-of-band logging and ensure security operations centers continuously monitor and investigate abnormal network activity to detect and respond to malicious activity effectively. 

 

VENDORS & PLATFORMS

Shoplifters could soon be chased down by drones
Flock Safety is pitching its police-style drone program to private businesses. It could bring aerial surveillance to shopping centers, warehouses, and hospitals.

 

  • Caido - The client side of caido (the graphical/desktop aka the main interface) - a web security auditing toolkit

  • Caido-cli - The server section of caido - a web security auditing toolkit

  • Detect It Easy (DiE) - File type identification

  • Gemini CLI - An open-source AI agent that brings the power of Gemini directly into your terminal

  • krbrelayx - Kerberos relaying and unconstrained delegation abuse toolkit

  • ligolo-mp - Multiplayer pivoting solution

  • llm-tools-nmap - Enables LLMs to perform network discovery and security scanning tasks using the nmap

  • mcp-kali-server - MCP configuration to connect AI agent to Kali

  • patchleaks - Spots the security fix and provides detailed description so you can validate - or weaponize - it fast

  • vwifi-dkms - Setup "dummy" wifi networks, establishing connections, and disconnecting from them 

 

LEGAL & REGULATORY

Salesforce facing 15 lawsuits after Salesloft breach
A number of the filings mention joint defendants including Salesforce customers TransUnion, Allianz Life Insurance, Farmers Insurance, Workday, and Pandora Jewelry.
The Johnson filing alleges that, in July, an unauthorized third party gained access to Salesforce's system by first breaching the GitHub of Salesloft, a third-party sales engagement platform in March 2025. "Salesloft's Drift platform is a tool that integrates with Salesforce. The breach of Salesloft's GitHub led to the theft of Drift OAuth tokens that were later used to gain access to Salesforce data.|From May through summer, a number of Salesforce-related breaches came to light in which attackers stole OAuth tokens from the third-party Salesloft Drift app.
Salesforce has denied that the security breaches were a result of any shortcomings in its systems. In its public notices, the company has said that its platform was not compromised.

 

And Now For Something Completely Different …

Why day and night are not equally 12 hours on the equinox
The definition of the equinox as being a time of equal day and night is a convenient oversimplification. For one thing, it treats night as simply the time the sun is beneath the horizon, and completely ignores twilight. If the sun were nothing more than a point of light in the sky and if the Earth lacked an atmosphere, then at the time of an equinox the sun would indeed spend one half of its path above the horizon and one half below. But in reality, atmospheric refraction raises the sun's disk by more than its own apparent diameter while it is rising or setting.
Thus, when we see the sun as a reddish-orange ball just sitting on the horizon, we're looking at an optical illusion. It is actually completely below the horizon.
In addition to refraction hastening sunrise and delaying sunset, there is another factor that makes daylight longer than night at an equinox: sunrise and sunset are defined as the times when the first or last speck of the sun's upper limb is visible above the horizon — not the center of the disk.
And this is why if you check your newspaper's almanac or weather page on and equinox and look up the times of local sunrise and sunset, you'll notice that the duration of daylight, or the amount of time from sunrise to sunset, still lasts a bit more than 12 hours, and not exactly 12 as the term "equinox" suggests.
At the North Pole the duration of 24-hour darkness lasts almost 11 weeks, not six months.