In today’s cybersecurity news…
European airport disruption due to cyberattack on check-in and baggage software
Disruptions and delays continue at several major airports including London’s Heathrow, Berlin and Brussels. The attack took out the airports’ check-in and baggage systems, forcing staff to resort to pen and paper, and forcing many airlines to cancel flights. The cyberattack specifically targeted the Muse software platform, which “allows different airlines to use the same check-in desks and boarding gates at an airport, rather than requiring their own.” Muse is developed by Collins Aerospace, which itself is owned by the aerospace and defense conglomerate RTX Corporation, formerly known as Raytheon Technologies. Efforts to restore systems continued into Sunday.
(BBC News)
SMS scammers now using mobile fake cell towers
A report in Wired shows how scammers are now using “SMS blasters,” which work like a portable cell tower, tricking people’s phones into connecting with them as they drive by. This enables the scammers to send out up to 100,000 SMS messages per hour containing dangerous links. This technique, which is currently active in some Asia-Pacific nations, Western Europe and South America, can impersonate any sender, and does not need to access actual phone numbers to send its messages. This is because the SMS blaster simulates a cell tower, essentially forcing any phone in its vicinity to connect with it.
(Wired)
GPT-4-powered MalTerminal malware creates ransomware and Reverse Shell
Researchers at SentinelOne are describing what they call “the earliest example known to date of a malware that bakes in Large Language Model (LLM) capabilities.” Named MalTerminal and described by the SentinelLABS research team at the LABScon 2025 security conference last week, it belongs to an emerging category of malware called LLM-embedded malware, the first example of this being PromptLock. As for MalTerminal itself, it uses OpenAI GPT-4 to dynamically generate ransomware code or a reverse shell, but the researchers say there is no evidence of it having been deployed in the wild, raising the possibility that it could also be a proof-of-concept malware or red team tool.
Scattered Spider has a good year
Despite multiple arrests and even pretending to shutter its doors, the Scattered Spider cybercriminal operation “was able to extort at least $115 million from dozens of victims over the last three years and also breached a U.S. federal court network,” according to a Justice Department complaint unsealed this week. Some of this data appears to come from the FBI, which traced payments, stolen data, and hacking tools to specific servers owned and registered to one of the individuals arrested last week. Two of the victims paid out big time – ransoms of $25 million and $36.2 million. The Scattered Spider method remains consistent: calling a victim company’s help desk, asking for a password reset, then taking over an administrative account and then using that access to steal data before encrypting critical systems.
FBI warns of fake FBI reporting sites
Cybercriminals are impersonating the FBI’s Internet Crime Complaint Center (IC3) website for what may be described as “possible malicious activity.” Although not sharing too many specifics, the agency suggests that these spoofed websites “could be used by attackers in financial scams or to steal the visitors’ personal information.” Most of these spoofed sites are using typosquatting techniques to fool users. BleepingComputer points out that in one instance, the fake site includes an FBI warning – the same one as on the legitimate IC3 site, “warning of scammers impersonating FBI IC3 employees to ‘help’ recover lost funds.”
Fortra warns of maximum severity flaw in GoAnywhere MFT’s License Servlet
The security technology company “has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT’s License Servlet that can be exploited in command injection attacks.” GoAnywhere MFT is a file transfer tool. The flaw, which has a CVE number, is caused by “a deserialization of untrusted data weakness and can be exploited remotely in low-complexity attacks that don’t require user interaction. While Fortra stated that the vulnerability was discovered over the weekend, it didn’t specify who reported it or whether the flaw has been exploited in attacks.”
ChatGPT can be prompted to solve CAPTCHAs
According to Dorian Schultz of the AI security company SPLX, ChatGPT can be made to solve CAPTCHAs despite being prevented from doing so according to its own policies. Schultz first convinced ChatGPT-4o that the exercise was designed to only identify fake CAPTCHAs. He then copy-pasted the discussion from this exercise back into ChatGPT and referred to it as “our previous discussion,” which was sufficient to allow the application to solve some real one-click CAPTCHAs, logic-based CAPTCHAs, and text-recognition ones. It [still] had more difficulties solving image-based ones, requiring the user to drag and drop images or rotate them. The researchers suggest that this is one more step along the path toward making CAPTCHAs obsolete.
Jaguar Land Rover hack a lesson in the vulnerabilities of smart, connected factories
As the shutdown of Jaguar Land Rover (JLR) continues into another week, with longer delays possible, the severity and complexity of the hack are now being made clear. The company, which is owned by India’s Tata conglomerate, “outsourced JLR’s key computer systems, ranging from its networks to data connections, and, crucially, its cybersecurity,” to Tata Consultancy Services (TCS), including an upgrade of JLR factory systems to the latest software from the German company SAP. This was all done in the interest of creating a collection of highly efficient, high-volume factories for its signature automotive products. In short, according to an article in The Guardian, “the fact that everything is connected in JLR’s systems appears to have become a vulnerability. When it discovered the intrusion, the carmaker was unable to isolate factories or functions, forcing it to shut down most of its systems.”






