Weekly Cybersecurity News Recap : Palo Alto Networks, Zscaler, Jaguar Land Rover, and Cyber Attacks

In Cybersecurity News. Original news source: cybersecuritynews.com (Blog Writer).

Welcome to your weekly cybersecurity briefing. In a digital landscape where the only constant is change, this past week has been a stark reminder that vigilance is not just a best practice, but a necessity for survival.

From corporate giants making strategic moves to protect the cloud to sophisticated threat actors breaching the defenses of iconic brands, the cyber battleground remains as active as ever, demanding our full attention.

This week, Palo Alto Networks made headlines by releasing an emergency patch for a critical zero-day vulnerability discovered in its PAN-OS software, affecting its GlobalProtect gateways. The vulnerability allowed for unauthenticated remote code execution, sending ripples of urgency throughout the industry as IT teams scrambled to apply the fix.

Our deep dive explores the technical specifics of this exploit, the rapid response from Palo Alto’s Unit 42, and the immediate steps security teams must take to mitigate this significant threat before it can be widely exploited in the wild.

On the proactive front, Zscaler countered the growing threat of AI-driven phishing attacks by unveiling a new suite of features for its Zero Trust Exchange. Their latest research report, also released this week, highlights a substantial increase in sophisticated, context-aware phishing emails over the last quarter.

We will break down how Zscaler’s new AI-powered capabilities aim to detect and block these evasive threats in real time, offering a new layer of defense in the fight against social engineering and credential theft.

In a significant blow to the automotive sector, Jaguar Land Rover (JLR) confirmed it suffered a major data breach. The incident resulted in the exfiltration of sensitive employee data and internal engineering documents.

While JLR has stated that customer financial information was not compromised, the breach raises serious questions about supply chain security and the protection of intellectual property within the manufacturing industry. We will analyze the attack vector, the potential fallout for JLR, and the lessons other organizations in the sector must learn from this high-profile incident.

Beyond these major stories, we are also tracking a surge in DDoS attacks targeting financial institutions and new warnings from CISA about state-sponsored actors targeting critical infrastructure. In this edition, we provide in-depth analysis of each of these events, offering expert commentary and actionable insights to help you fortify your organization’s defenses.

Threats

Hackers Exploit Email Marketing Services for Phishing

Cybercriminals are increasingly using legitimate email marketing platforms to bypass security filters and deliver malicious content. By leveraging the trusted domains of these services, attackers can disguise phishing attempts and increase the likelihood of their emails reaching inboxes. These campaigns often use the platform’s own click-tracking and URL redirection features to send users to harmful websites after they click on a seemingly safe link. One notable incident involved a data breach at Mailchimp, where hackers gained access to customer accounts and data. Read More

macOS Security Features Turned Against Users

A sophisticated attack trend involves exploiting macOS’s built-in security features to spread malware. Attackers are finding ways to abuse tools like Keychain for credential theft, bypass System Integrity Protection (SIP) for persistent infections, and trick users into granting permissions through Transparency, Consent, and Control (TCC). Other features being manipulated include Gatekeeper, which verifies downloaded apps, and File Quarantine, which flags files from the internet. Read More

Commercial Spyware Vendors Are a Major Source of Exploits

A report from Google’s Threat Analysis Group (TAG) highlights the significant role of commercial spyware vendors in the creation and distribution of sophisticated surveillance tools. These companies are responsible for a large number of 0-day exploits that target products from companies like Google and Apple. The report notes that the private sector is now a major player in developing some of the most advanced cyber capabilities, selling them as “turnkey espionage solutions” to government customers. Read More

New “TinyLoader” Malware Targets Windows Systems

A stealthy malware loader known as TinyLoader is actively targeting Windows users. It spreads through shared network drives and deceptive shortcut files, acting as an initial access point for more dangerous malware such as RedLine Stealer and DCRat. TinyLoader can move laterally across networks and also infect systems via removable media like USB drives. Once it gains administrator rights, it can hijack file associations to ensure it runs every time a user opens a common file type, like a .txt file. Read More

“NotDoor” Backdoor Deployed Through Outlook

The Russian state-sponsored group APT28 (also known as Fancy Bear) is using a new backdoor called “NotDoor” to target organizations through Microsoft Outlook. The malware is disguised within legitimate Outlook macros and can exfiltrate data, upload files, and execute commands on an infected system. It achieves persistence by modifying Outlook’s registry settings to disable security warnings and enable macros to run on startup. Read More

“GhostRedirector” Manipulates Search Results via IIS

A hacking group dubbed “GhostRedirector” has been compromising Windows servers to manipulate search engine results for financial benefit. The attackers deploy a malicious module for Microsoft’s Internet Information Services (IIS) web server. This allows them to intercept and redirect web traffic or inject unwanted content into search results. The malicious module can be difficult to detect as it integrates deeply with the server’s legitimate functions. Read More

Fake Microsoft Teams Sites Used to Distribute Malware

Threat actors are weaponizing fake Microsoft Teams websites and even initiating Teams calls to trick users into installing malware. In some cases, attackers impersonate IT support staff during calls to convince victims to execute malicious PowerShell commands, leading to the deployment of ransomware. Another campaign uses a fake Teams site to distribute the “Odyssey” information-stealing malware for macOS. Read More

“GPUGate” Malware Leverages Google Ads and GPUs

A sophisticated malware campaign named “GPUGate” is abusing Google Ads and GitHub to deliver malware. The attack begins with malicious ads in Google search results for terms like “GitHub Desktop”. A novel aspect of this attack is its use of the computer’s Graphics Processing Unit (GPU) to perform certain operations, which helps it evade detection by security software that primarily focuses on the CPU. Read More

Cyber Attacks

Record-Breaking 11.5 Tbps DDoS Attack Hits the Web

A massive UDP flood Distributed Denial-of-Service (DDoS) attack has been recorded, reaching an unprecedented 11.5 terabits per second (Tbps). This attack highlights the escalating scale of DDoS threats facing organizations. Read More

Hackers Weaponize Hexstrike-AI to Exploit Zero-Day Flaws

Threat actors are now leveraging a new AI-powered offensive security framework named Hexstrike-AI. The tool is being used to automatically scan for and exploit previously unknown “zero-day” vulnerabilities, significantly speeding up the attack process. Read More

“Dire Wolf” Ransomware Emerges with Double Extortion Tactics

A new and sophisticated ransomware strain, dubbed “Dire Wolf,” has impacted 16 firms across the globe since May 2025. This ransomware employs double extortion methods, advanced encryption, and anti-recovery tactics to pressure victims into paying. Read More

Colombian Threat Actors Use SWF and SVG Files to Evade Detection

A malware campaign originating from Colombia is using a multiphase attack that leverages Adobe Flash (SWF) and Scalable Vector Graphics (SVG) file formats. This technique allows the attackers to bypass traditional security detection measures. Read More

AI Platforms Exploited in Microsoft 365 Phishing Campaigns

Cybercriminals are increasingly taking advantage of the trust that organizations place in artificial intelligence platforms. These platforms are being used in sophisticated phishing campaigns to steal Microsoft 365 credentials. Read More

NightshadeC2 Botnet Employs “UAC Prompt Bombing”

A new botnet, identified as NightshadeC2, has been observed using a novel technique called “UAC Prompt Bombing.” This method allows it to bypass Windows Defender security measures and was first seen in early August 2025. Read More

Critical SAP S/4HANA Vulnerability Under Active Exploitation

A critical security flaw in SAP S/4HANA is being actively exploited by attackers. The vulnerability allows individuals with low-level user access to escalate their privileges and gain full control over the affected SAP systems. Read More

Vulnerabilities

MediaTek Patches Dozens of Chipset Flaws

MediaTek released its September 2025 security bulletin, addressing multiple high- and medium-severity vulnerabilities across more than 60 chipsets. The flaws, found in modem and firmware components, could lead to denial-of-service attacks or remote privilege escalation if exploited. The vulnerabilities include out-of-bounds writes, out-of-bounds reads, and use-after-free bugs. MediaTek confirmed that device manufacturers received the patches in July and that there is no evidence of these vulnerabilities being exploited in the wild. Read more

Critical Next.js Flaw Allows Authorization Bypass

A critical vulnerability, CVE-2025-29927, has been discovered in the popular Next.js web development framework. The flaw allows attackers to bypass authorization mechanisms and gain access to restricted areas, such as admin panels. By manipulating the x-middleware-subrequest header, an attacker can trick an application into skipping security checks. Vercel, the company behind Next.js, has released patches to address the issue, which is estimated to affect over 300,000 services. Read more
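
Since the bypass rides on a header that only Next.js itself should ever set, an edge proxy can both alert on and neutralise it. The following is an added example (not Vercel's or Next.js's own code) of a hypothetical reverse-proxy hook working over constructed request records; the source addresses and header values are made up.

```python
"""Edge handling for CVE-2025-29927 (Next.js authorization bypass).

x-middleware-subrequest is a Next.js-internal header; a legitimate browser
or API client never sends it, so any inbound copy is either an attack or a
misconfigured upstream. Hypothetical reverse-proxy hook, not Vercel's code."""

INTERNAL_HEADER = "x-middleware-subrequest"

# Constructed sample of inbound requests as a reverse proxy would see them.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "GET", "path": "/admin",
     "headers": {"host": "app.example", INTERNAL_HEADER: "constructed-value"}},
    {"src": "203.0.113.11", "method": "GET", "path": "/admin",
     "headers": {"host": "app.example", "cookie": "session=constructed"}},
    {"src": "198.51.100.7", "method": "POST", "path": "/api/users",
     "headers": {"host": "app.example", "X-Middleware-Subrequest": "constructed-value"}},
]


def strip_internal_headers(headers):
    """Mitigation: drop the internal header (case-insensitively, since HTTP
    header names are not case-sensitive) before the request reaches Next.js.
    Patching is the fix; this only blunts the bypass for unpatched apps."""
    return {k: v for k, v in headers.items() if k.lower() != INTERNAL_HEADER}


def find_bypass_attempts(requests):
    """Detection: list (src, method, path) for every request that arrived
    carrying the internal header, so it can be alerted on and the source
    investigated even after the header has been stripped."""
    hits = []
    for req in requests:
        if any(name.lower() == INTERNAL_HEADER for name in req["headers"]):
            hits.append((req["src"], req["method"], req["path"]))
    return hits


def forward(req):
    """Return a sanitized copy of the request for the upstream Next.js app."""
    clean = dict(req)
    clean["headers"] = strip_internal_headers(req["headers"])
    return clean


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_REQUESTS):
        print("bypass attempt from %s: %s %s" % hit)
```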

Azure Active Directory Flaw Exposes Sensitive Credentials

A significant vulnerability in Azure Active Directory (Azure AD) configurations allows for the exposure of application credentials, such as ClientId and ClientSecret. Attackers who obtain these credentials can impersonate trusted applications, access sensitive data across Microsoft 365 services like SharePoint and OneDrive, and even deploy malicious apps to establish persistent backdoors. The issue stems from credentials being inadvertently exposed in configuration files. Read more

MobSF Security Tool Vulnerable to Malicious File Uploads

A critical flaw (CVE-2023-37576) was discovered in the Mobile Security Framework (MobSF), a widely used open-source tool for mobile app security testing. The vulnerability, found in version 4.4.0, was due to improper path validation, which allowed authenticated attackers to upload and execute malicious files on the system running MobSF. This path traversal vulnerability could turn the security tool into a vector for system compromise. The issue has since been patched. Read more

PoC Exploit Released for IIS Remote Code Execution Flaw

A proof-of-concept (PoC) exploit has been released for a critical remote code execution (RCE) vulnerability (CVE-2025-53772) in Microsoft’s Internet Information Services (IIS) Web Deploy tool. The vulnerability is caused by the unsafe deserialization of HTTP header content, allowing an authenticated attacker to execute arbitrary code. This follows other campaigns targeting older IIS vulnerabilities, such as a buffer overflow flaw (CVE-2017-7269) in IIS 6.0 that was used to install cryptocurrency miners. Read more

CISA Warns of Actively Exploited WhatsApp Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a zero-day vulnerability in WhatsApp (CVE-2025-55177) that is being actively exploited. The flaw, categorized as an incorrect authorization issue, allows attackers to manipulate the device synchronization process to send malicious content from a controlled URL. This could lead to data theft or device compromise, potentially through zero-click attacks. The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches. Read more

Google Releases Chrome 140 With Key Security Fixes

Google has rolled out Chrome 140, which includes patches for six security vulnerabilities. The fixes address medium-severity flaws in components like the Toolbar (CVE-2025-9865), Extensions (CVE-2025-9866), and Downloads (CVE-2025-9867). These vulnerabilities could have led to unexpected browser behavior or security risks like privilege escalation. The update was released for Windows, macOS, and Linux. Read more

New “Namespace Reuse” Vulnerability Hits Major AI Platforms

A novel AI supply-chain attack method called “Model Namespace Reuse” has been discovered, affecting platforms like Microsoft Azure AI, Google Vertex AI, and Hugging Face. The vulnerability allows attackers to upload a malicious AI model using the same name as a legitimate but deleted or abandoned one. When a project attempts to pull the model by name, it inadvertently downloads the malicious version, leading to remote code execution (RCE) in the victim’s environment. Read more
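
The defence against namespace reuse is to stop resolving models by mutable name alone. The following is an added example (not code from any of the platforms named above) of an intake check that accepts a model only when the reference pins a full commit hash and the downloaded artifact matches a previously recorded digest; the allowlist, commit id and weights bytes are constructed placeholders.

```python
"""Guard against Model Namespace Reuse: load models only by pinned commit + digest."""
import hashlib
import re

_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample weights standing in for a real model artifact.
LEGIT_WEIGHTS = b"legit-weights-v1"
# Constructed allowlist; in practice it is written at model review time.
PINNED_MODELS = {
    "acme-org/sentiment-base": {
        "revision": "a" * 40,  # placeholder commit id, not a real one
        "sha256": hashlib.sha256(LEGIT_WEIGHTS).hexdigest(),
    },
}


class ModelRefError(ValueError):
    pass


def parse_model_ref(ref):
    """Split 'org/name@revision' and require an immutable commit pin.
    'org/name' alone or 'org/name@main' resolves by mutable name, which is
    exactly what a re-registered namespace hijacks, so both are rejected.
    A commit id from the original repo cannot exist in a newly created
    repo under the reused name, so the pin fails closed on reuse."""
    if "@" not in ref:
        raise ModelRefError(f"{ref}: no revision pin; names alone are mutable")
    repo, revision = ref.rsplit("@", 1)
    if repo.count("/") != 1 or not all(repo.split("/")):
        raise ModelRefError(f"{ref}: expected org/name form")
    if not _COMMIT_RE.match(revision):
        raise ModelRefError(f"{ref}: revision must be a full commit hash, not a branch or tag")
    return repo, revision


def verify_model_artifact(ref, artifact):
    """Accept the artifact only if ref is on the allowlist at that exact
    revision and the bytes hash to the recorded digest. The digest check
    also catches a hub-side swap of the files behind an unchanged name."""
    repo, revision = parse_model_ref(ref)
    pin = PINNED_MODELS.get(repo)
    if pin is None:
        raise ModelRefError(f"{repo}: not on the reviewed-model allowlist")
    if pin["revision"] != revision:
        raise ModelRefError(f"{repo}: revision {revision[:8]} is not the pinned one")
    if hashlib.sha256(artifact).hexdigest() != pin["sha256"]:
        raise ModelRefError(f"{repo}: digest mismatch; artifact was replaced")
    return repo


def is_safe_to_load(ref, artifact):
    """Boolean wrapper for callers that only need a go/no-go decision."""
    try:
        verify_model_artifact(ref, artifact)
        return True
    except ModelRefError:
        return False
```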

Data Breach

Palo Alto Networks, Zscaler, Cloudflare, and PagerDuty Hit by Supply Chain Attack

A sophisticated supply chain attack targeting the Salesloft Drift application has impacted several major technology companies, including Palo Alto Networks, Zscaler, Cloudflare, and PagerDuty. The attackers exploited compromised OAuth tokens to gain unauthorized access to the companies’ Salesforce customer relationship management (CRM) environments and exfiltrate data.

  • Palo Alto Networks confirmed that the incident was isolated to its CRM platform, and no company products or services were affected. The breach exposed business contact information and internal sales data. Read More
  • Zscaler also confirmed a data breach affecting customer data stored in Salesforce, including names, email addresses, and phone numbers. Zscaler has stated that its own products and infrastructure were not compromised. Read More
  • Cloudflare disclosed that the attackers accessed customer support case data between August 12 and August 17, 2025. The company warned that any sensitive information shared by customers in support tickets should be considered compromised. Read More
  • PagerDuty reported that the breach exposed customer contact information stored in its Salesforce instance. The company has found no evidence that its own platform or internal systems were accessed. Read More

Jaguar Land Rover Halts Production After Cyberattack

Luxury car manufacturer Jaguar Land Rover (JLR) was forced to halt production at its Halewood plant after a significant cybersecurity incident that impacted its global IT systems. The attack, which took place in early September 2025, caused severe disruptions to the company’s manufacturing operations. A group of hackers known as “Scattered Lapsus$ Hunters” has claimed responsibility for the attack. Read More

Bridgestone Manufacturing Disrupted by Cyberattack

Tire giant Bridgestone confirmed that a cyberattack in early September 2025 affected some of its manufacturing facilities in North America, leading to operational disruptions. The company stated that it responded quickly to contain the incident and believes no customer data was compromised. The full extent of the impact on the supply chain is still being investigated. Read More

Wealthsimple Discloses Customer Data Breach

Canadian financial services firm Wealthsimple announced that it suffered a data breach in late August 2025, resulting in unauthorized access to the personal information of a small percentage of its clients. The company has assured customers that their funds and account passwords remain secure. The breach was caused by a compromised third-party software package. Read More

Other News

Salesforce Bolsters Security with New Forensic Investigation Guide

Salesforce has released a comprehensive forensic investigation guide to help organizations detect, analyze, and respond to security incidents within their environments. The guide focuses on three core pillars for a thorough investigation: analyzing activity logs to track user actions, understanding user permissions to determine the potential impact of a breach, and utilizing backup data to identify data tampering. This initiative aims to provide a structured framework for companies to manage cyber incidents more effectively, especially after a series of sophisticated cyber campaigns. The guide highlights tools like Login History, Setup Audit Trail, and Event Monitoring to gain visibility into user activities. Read More

Wireshark Releases Version 4.4.9 with Critical Bug Fixes

The Wireshark team has launched version 4.4.9, a maintenance release focused on improving stability and reliability. This update for the popular network protocol analyzer addresses several critical bugs, including a security vulnerability in the SSH dissector that could cause the application to crash. The new version also includes updated support for various protocols and ensures a more stable experience for users, leading to more efficient network analysis. Read More

Nmap Celebrates 28 Years of Network Security Innovation

Nmap, the renowned network scanner, recently marked its 28th anniversary. Launched on September 1, 1997, as a simple port scanner, Nmap has evolved into an essential and comprehensive network security suite used by professionals worldwide. Over the years, it has incorporated advanced features like operating system and service version detection, the Nmap Scripting Engine (NSE) for automated tasks, and sophisticated host discovery techniques. Its continuous evolution has solidified its place as a critical tool for network discovery and security auditing. Read More

Microsoft to Discontinue Editor Browser Extensions

Microsoft has announced the retirement of its Editor browser extensions for both Edge and Chrome, effective October 31, 2025. The company plans to integrate the AI-powered writing assistance features, such as grammar and spelling checks, directly into the native proofing tools of the Microsoft Edge browser. This move is intended to streamline the user experience and eliminate the need for a separate extension. Read More

Mis-Issued TLS Certificates for 1.1.1.1 DNS Service Pose Security Risk

A potential security threat has emerged after it was discovered that three TLS certificates for the 1.1.1.1 DNS service, operated by Cloudflare and APNIC, were mis-issued. The certificates were issued in May 2025 by a subordinate certificate authority but were not discovered until four months later. DNS over TLS (DoT) is a protocol that encrypts DNS queries to prevent eavesdropping and tampering, and the mis-issuance of certificates could undermine this security measure. Read More

Google Services Experience Widespread Outages

Several Google services, including Gmail and YouTube, experienced significant outages across parts of Europe and some U.S. cities on Thursday morning. Monitoring sites reported a surge in complaints from countries like Greece, Bulgaria, Serbia, and Romania. The disruptions affected both personal and professional activities for many users. The cause of the outage has not yet been publicly disclosed by Google. Read More
