Contents

01. News Bites
  • Jaguar Land Rover cyber attack set to become UK’s costliest at £1.9bn
  • Chinese threat groups exploit Microsoft SharePoint zero-day
  • Iranian threat group MuddyWater targets MENA governments with Phoenix backdoor
  • Experian Netherlands fined €2.7m for GDPR breaches
  • Hackers exploit Adobe Commerce ‘SessionReaper’ flaw in mass attacks
02. Conclusion

Quick News Bites

Jaguar Land Rover cyber attack set to become UK’s costliest at £1.9bn

The cyber attack on Jaguar Land Rover (JLR) is projected to cost £1.9bn, making it the most economically damaging cyber incident in UK history, according to the Cyber Monitoring Centre (CMC). The hack, which began in late August, halted JLR’s production for five weeks, disrupting global operations and affecting 5,000 businesses across its supply chain. Full recovery is not expected until January 2026.

The CMC has classified the incident as a Category 3 external event, signifying significant disruption, though not the most severe. It warned that the attack should serve as a wake-up call for all organisations to identify and secure critical networks. While JLR has not confirmed the nature of the attack, experts suggest the impact could worsen if it involved ransomware or data destruction. The CMC’s estimate includes losses borne by JLR, suppliers, and the wider local economy.

Chinese threat groups exploit Microsoft SharePoint zero-day

Hackers linked to China have exploited a zero-day vulnerability in Microsoft SharePoint, tracked as CVE-2025-53770, in attacks against government, education, telecom, and finance sectors worldwide. The flaw, affecting on-premises SharePoint servers, was disclosed on 20 July and patched by Microsoft the following day after evidence of active exploitation.

According to Symantec, the ToolShell vulnerability was leveraged to deploy webshells for persistent access, followed by side-loading multiple malware strains including Zingdoor, ShadowPad, and KrustyLoader, which installed the Sliver post-exploitation framework. The campaigns compromised organisations across the Middle East, South America, Africa, the US, and Europe.

Researchers say attackers used legitimate security software, such as Trend Micro and Bitdefender executables, to evade detection and conducted credential theft via tools like ProcDump and Minidump. The attacks, attributed to Chinese groups including Budworm and Violet Typhoon, highlight ongoing exploitation of critical enterprise systems for espionage and data theft.

Iranian threat group MuddyWater targets MENA governments with Phoenix backdoor

Iran-linked threat actor MuddyWater has launched a new cyber espionage campaign targeting more than 100 government and diplomatic organisations across the Middle East and North Africa, according to a report from Group-IB. Using a compromised email account accessed through NordVPN, the group distributed phishing emails that appeared to be legitimate diplomatic correspondence.

Victims were tricked into opening malicious Word documents and enabling macros, triggering the deployment of the Phoenix v4 backdoor via a loader dubbed FakeUpdate. Once installed, the malware allowed attackers to gather system data, maintain persistence, and remotely control infected systems.

Researchers found the command-and-control server also hosted credential stealers and remote monitoring tools, suggesting wider intelligence-gathering operations. Active since 2017, MuddyWater is believed to be affiliated with Iran’s Ministry of Intelligence and Security. This campaign highlights the group’s evolving sophistication, blending custom malware with legitimate software to increase stealth and persistence across its targets.

Experian Netherlands fined €2.7m for GDPR breaches

Experian Netherlands has been fined €2.7 million (£2.3 million) by the Dutch Data Protection Authority (AP) for violating the General Data Protection Regulation (GDPR). The watchdog found the credit and analytics firm unlawfully collected personal data from multiple public and private sources, including telecom and energy companies, without informing or obtaining consent from individuals.

The AP’s investigation began after complaints from people facing higher deposits and interest rates linked to Experian’s undisclosed credit checks. The regulator concluded that Experian used the data to build an extensive database on millions of Dutch citizens and failed to justify its need for the information.

Experian acknowledged its wrongdoing and will not appeal the decision. The company has ceased operations in the Netherlands and committed to deleting all stored personal data by the end of 2025. The AP’s ruling underscores growing regulatory pressure on credit agencies to uphold GDPR transparency standards.

Hackers exploit Adobe Commerce ‘SessionReaper’ flaw in mass attacks

Hackers are actively exploiting the critical SessionReaper vulnerability (CVE-2025-54236) in Adobe Commerce, with hundreds of attack attempts already recorded. Researchers have described it as one of the most severe vulnerabilities ever found in the platform’s history.

SessionReaper allows attackers to hijack customer account sessions via Adobe Commerce’s REST API without user interaction. Despite Adobe issuing an emergency patch on 8 September, researchers report that around 62% of Magento-based stores remain unpatched. Over 250 exploitation attempts were detected in a single day, with attacks largely originating from five known IP addresses.

Most attacks so far deploy PHP webshells or probe system configurations. Experts warn that recent technical analyses shared online could accelerate further exploitation. Administrators are urged to immediately apply Adobe’s security update or recommended mitigations to prevent session takeovers and potential data breaches.

Closing Summary

If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.