
Cybersecurity Weekly Update: 1–8 September 2025

  • Writer: SOC Team
  • Sep 9

1. Jaguar Land Rover Hit by Disruptive Cyber‑Attack

What happened? Jaguar Land Rover (JLR), the UK’s largest carmaker, experienced a serious cyber incident on 2–5 September. The company proactively shut down its digital systems across multiple UK manufacturing and retail sites, including Halewood, Solihull, Merseyside, and Wolverhampton. Employees were told to stay home while systems were restored. (The Guardian)

Data breach? There’s no evidence of customer data compromise so far. (The Guardian, Reuters)

Why it matters: Operational paralysis at a global automaker underscores the vulnerability of production infrastructure in defence, automotive, and supply‑chain‑connected sectors. Immediate recommendations include system segmentation, manual process continuity planning, and robust incident response coordination. (The Guardian)

2. Android Security Patch: 84 Vulnerabilities Fixed (Including 2 Active Zero‑Days)

Details: Google’s September 2025 Android update addresses 84 security flaws. Notably:

  • CVE‑2025‑38352 (kernel elevation of privilege) and CVE‑2025‑48543 (runtime bypass) were actively exploited.(Tom's Guide)

  • Multiple Qualcomm-related vulnerabilities were patched.

Recommendation: Users, and especially organizations managing device fleets in education and healthcare, should update to security patch level 2025‑09‑01 or 2025‑09‑05 immediately, enable protections like Google Play Protect, and avoid sideloading unverified apps. (Tom's Guide)

3. U.S. Federal Cyber Information‑Sharing Bill Nears Renewal

Update: The Cybersecurity Information Sharing Act (CISA), a key law enabling safe public–private threat intelligence exchange, is set to expire on 30 September 2025. A successor, now titled Wimwag, has moved through the House, extending protections to 2035 and updating language for modern threats. (The Wall Street Journal)

Status & concerns: The bill still requires Senate approval. Some lawmakers, such as Senator Rand Paul, are pushing for additional provisions over content moderation concerns.

Why it matters: Renewing and strengthening threat intelligence sharing is vital for finance, defence, and public sector resilience globally. Delays or weakening could leave critical infrastructure more exposed. (The Wall Street Journal)

4. Global Threat Landscape: Supply‑Chain, APTs, and Malware Surges (Cyware Intelligence Briefing)

The Cyware Weekly Threat Intelligence Report (2–5 September) outlines a spectrum of rising threats:

  • SBOM guidance: A coalition of 15 nations released Software Bill of Materials (SBOM) guidance to fortify software supply-chain security.

  • APT29 disrupted: Amazon dismantled a watering‑hole campaign by APT29 (Midnight Blizzard) targeting Microsoft 365 users, in concert with Cloudflare and Microsoft.

  • New zero‑day & malware strains:

    • Sitecore exploit of a reused ASP.NET key leading to WeepSteel malware deployment.

    • Iranian APT phishing over 50 embassies via hijacked emails.

    • SVG‑based phishing targeting Colombia’s judicial system.

    • macOS CVE‑2025‑24204, enabling keychain compromise via gcore utility.

    • XWorm – a stealthy backdoor using .lnk files and packing to evade detection.

    • Stealerium infostealer variant campaigns, which raise concern over how readily open‑source malware is being leveraged.

    • Malware campaigns from Lazarus (PondRAT, ThemeForestRAT, RemotePE) targeting DeFi organizations via social engineering. (cyware.com)

Why it matters: These findings highlight the evolving cyber threat environment, from supply-chain gaps to multi-stage malware and supply-side attacks. Sectors like finance, healthcare, education, and defence must strengthen email security, SBOM adoption, and threat visibility.

5. Additional Global Trends & Developments

  • Ransomware ripple effects: Ransomware continues causing supply-chain disruptions, evident in Sweden’s municipalities and beyond. (Digital Forensics Magazine)

  • Critical vulnerability exploited in SAP S/4HANA (CVE‑2025‑42957): A severe command‑injection flaw allowing ABAP code execution and superuser creation. Immediate patching, network segmentation, and RFC monitoring are essential. (diesec.com)

  • Bridgestone cyberattack: The tire giant experienced production disruption in North America with no data compromise reported, echoing the JLR risks. (diesec.com)

Key Recommendations for the Week

  • Action: Patch urgently (Android, SAP, Sitecore, macOS). Why it matters: Active exploitation is ongoing; high-impact sectors are at risk.

  • Action: Improve supply-chain transparency by adopting SBOMs. Why it matters: Prevents downstream compromise in software dependencies.

  • Action: Update threat-sharing systems and prepare for the CISA/Wimwag transition. Why it matters: Ensures continued collaboration with government agencies.

  • Action: Harden vendor and manufacturer controls. Why it matters: Production-critical sectors need segmentation and manual fallback.

  • Action: Elevate phishing and malware defences. Why it matters: New malware (SVG, XWorm, Stealerium) and targeting trends demand robust email and endpoint security.

Looking Ahead

  • Will both JLR and Bridgestone fully recover and what long-term security measures will emerge?

  • Will the U.S. Senate pass the Wimwag bill in time to maintain uninterrupted cybersecurity intelligence sharing?

  • Can SBOM guidance from the 15-country coalition spark widespread adoption across South African and European industries?

  • Which malware families or APT campaigns will escalate next, and how can proactive defence be furthered?

Feel free to connect for strategic insights tailored to your organisation’s cybersecurity needs. Stay informed, stay secure.
