Contents

01. News Bites
  • Hackers linked to M&S breach claim responsibility for Jaguar Land Rover cyber-attack
  • Workiva hit in Salesforce-linked data breach
  • Hackers weaponise HexStrike-AI to exploit Citrix flaws
  • Cloudflare blocks record-breaking 11.5 Tbps DDoS attack
  • Hackers attempt $130m theft via Brazil’s Pix system

02. Conclusion

Quick News Bites

Hackers linked to M&S breach claim responsibility for Jaguar Land Rover cyber-attack

Jaguar Land Rover (JLR), Britain’s largest carmaker, has confirmed a major cyber-attack that forced production to halt at key sites this week. Responsibility for the disruption, which affected both manufacturing and retail systems, has been claimed on a Telegram channel linked to the English-speaking hacker groups Scattered Spider, Lapsus$, and ShinyHunters. The channel posted screenshots allegedly showing JLR’s internal IT systems alongside media coverage of the incident.

JLR stated there is no evidence customer data has been compromised but said it had proactively shut down systems to contain the impact. Suppliers have reportedly suffered major disruption, with potential losses in the tens of millions due to halted production lines.

The attack is the latest in a series of high-profile incidents involving Scattered Spider, which has also targeted M&S, Co-op and Harrods. UK authorities are investigating, with the National Crime Agency confirming it is monitoring the situation closely.

Workiva hit in Salesforce-linked data breach

Cloud-based SaaS provider Workiva has confirmed that attackers accessed a third-party customer relationship management (CRM) system and stole limited customer data. The breach exposed business contact details including names, email addresses, phone numbers, and support ticket content.

Workiva, whose platform supports financial reporting, compliance, and audit processes, counts 85% of Fortune 500 companies among its 6,305 customers, including Google, Delta, T-Mobile, and Santander. The company stressed that its own platform and customer data within it were not compromised. Impacted customers have been warned to remain alert for potential spear-phishing attempts.

The incident is linked to a wider wave of Salesforce-related breaches attributed to the ShinyHunters extortion group. Using tactics such as vishing and stolen OAuth tokens, the group has infiltrated Salesforce instances at major companies including Cloudflare, Google, Cisco, Adidas, and Zscaler. Workiva has reminded customers that all communications will only be made via its official support channels.

Hackers weaponise HexStrike-AI to exploit Citrix flaws

Check Point Research has warned that hackers are increasingly adopting HexStrike-AI, an open-source AI-powered offensive security framework, to exploit newly disclosed Citrix vulnerabilities. The tool, originally designed for red teaming, integrates AI agents to autonomously run over 150 cyber security tools for automated penetration testing and vulnerability discovery.

Since its release on GitHub last month, where it has attracted 1,800 stars and over 400 forks, HexStrike-AI has gained significant traction on dark web forums. Threat actors reportedly used it to exploit Citrix NetScaler ADC and Gateway flaws (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) within hours of disclosure, enabling remote code execution and the deployment of webshells. Some compromised appliances are already being advertised for sale.

According to ShadowServer, nearly 8,000 endpoints remain exposed to CVE-2025-7775. Check Point cautions that AI-driven automation could reduce exploitation timelines from days to minutes, leaving administrators with even less time to patch.

Cloudflare blocks record-breaking 11.5 Tbps DDoS attack

Cloudflare has confirmed it mitigated the largest distributed denial-of-service (DDoS) attack on record, which peaked at 11.5 terabits per second (Tbps) and lasted around 35 seconds. The attack, initially traced to Google Cloud before being linked to a mix of IoT devices and multiple cloud providers, was a UDP flood capable of overwhelming most online services.

In the same disclosure, Cloudflare noted that its systems had automatically blocked hundreds of “hyper-volumetric” attacks in recent weeks, with another peaking at 5.1 billion packets per second (Bpps). For comparison, the company’s last record-breaking incident in June 2025 reached 7.3 Tbps, while October 2024 saw a peak of 3.8 Tbps—highlighting the accelerating scale of these attacks.

Cloudflare plans to release a detailed report on the campaign but warned that such large-scale attacks, powered by botnets leveraging cloud infrastructure, are becoming more frequent. For now, its defences remain strong enough to keep pace.

Hackers attempt $130m theft via Brazil’s Pix system

Evertec has disclosed that hackers attempted to steal $130 million from its Brazilian subsidiary, Sinqia S.A., after breaching its environment on the country’s real-time payments system, Pix. The incident occurred on 29 August 2025 and was revealed in a U.S. SEC filing.

Upon detecting suspicious activity, Sinqia halted transaction processing and brought in external cyber forensics experts. The attackers, using stolen credentials from an IT vendor account, tried to conduct unauthorised business-to-business transfers involving two financial institutions. Local reports named HSBC, though the bank stressed that no customer funds or data were affected.

Evertec confirmed that some of the stolen funds have already been recovered, with recovery efforts ongoing. While no personal data appears to have been compromised, the Central Bank of Brazil has revoked Sinqia’s Pix access until further assurances are provided. Evertec warned the financial and reputational impact of the incident “could be material.”

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.