Daily Brief

2025-09-29 20:44:24 theregister CYBERCRIME Cyberattack Disrupts Asahi's Distribution, Halting Japanese Operations
Asahi Group Holdings, Japan's largest brewer, suffered a cyberattack that took down the ordering, shipping and call center systems it uses in Japan, halting domestic distribution. The disruption is confined to Japan, where the company earns about half of its profits; European and other international operations are unaffected. Asahi reports no evidence so far that personal or commercial data was stolen and is investigating while it works to restore service, but it has given no recovery timeline, so the length of the outage and its financial cost remain open. The incident fits a pattern of cybercriminals hitting prominent food and beverage companies, where earlier attacks have cost victims millions in lost business. Industry estimates suggest that many organizations that pay a ransom still do not regain full access to their data, which is one reason negotiating with the attackers is a poor bet.
2025-09-29 17:40:20 bleepingcomputer CYBERCRIME Medusa Ransomware Gang Attempts Insider Recruitment at BBC
The Medusa ransomware group approached BBC cyber correspondent Joe Tidy and offered him a cut of any ransom, starting at 15% and rising to 25%, if he helped them breach the broadcaster's network, for example by letting them use his work laptop as a foothold. Medusa runs a double-extortion operation; a CISA advisory earlier this year counted more than 300 victims across U.S. critical infrastructure sectors. The group buys access from initial access brokers and recruits through cybercrime forums and darknet marketplaces. After the approach, Tidy's account was hit with MFA bombing (also called push fatigue): a flood of authentication prompts sent in the hope that the target approves one just to make them stop. Tidy reported the approach to the BBC's information security team, which disconnected his laptop from the network as a precaution. The episode shows that insider recruitment is a live tactic, and that the practical defenses are number-matching or phishing-resistant MFA, rate limits and alerts on repeated push prompts, and a clear channel for staff to report approaches.
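MFA bombing of the kind described above is easy to spot in identity-provider logs if the SOC looks for it. The following is an added example, not code from the BBC report or from Medusa's toolkit: a detector that reads constructed push-notification log lines (timestamp, user, event), flags users who receive an abnormal number of push prompts in a short window, and separately flags any approval that follows a run of denials, which is the pattern of a worn-down user giving in. The log format, thresholds and user names are assumptions for the illustration.

```python
"""Detect MFA push-bombing in authentication logs (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO-8601 timestamp, user, event. The format is an
# assumption; real identity providers log the same fields under other names.
SAMPLE_LOG = """\
2025-09-29T10:00:01Z alice push_sent
2025-09-29T10:00:05Z alice push_denied
2025-09-29T10:00:12Z alice push_sent
2025-09-29T10:00:15Z alice push_denied
2025-09-29T10:00:30Z bob push_sent
2025-09-29T10:00:34Z bob push_approved
2025-09-29T10:00:40Z alice push_sent
2025-09-29T10:00:43Z alice push_denied
2025-09-29T10:00:55Z alice push_sent
2025-09-29T10:00:58Z alice push_denied
2025-09-29T10:01:10Z alice push_sent
2025-09-29T10:01:14Z alice push_denied
2025-09-29T10:01:25Z alice push_sent
2025-09-29T10:01:31Z alice push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def _trim(window_queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while window_queue and now - window_queue[0] > window:
        window_queue.popleft()


def analyze(lines, threshold=5, window=timedelta(minutes=2), denials_before_approve=3):
    """Return (bombed, fatigue_success).

    bombed: {user: (first_prompt_ts, prompt_count)} for users who received at
            least `threshold` push prompts inside `window`.
    fatigue_success: [(user, ts)] for approvals preceded by at least
            `denials_before_approve` denials inside `window`; treat these as
            probable account compromise, not as a resolved login.
    """
    sent = defaultdict(deque)
    denied = defaultdict(deque)
    bombed = {}
    fatigue_success = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if event == "push_sent":
            q = sent[user]
            q.append(ts)
            _trim(q, ts, window)
            if len(q) >= threshold and user not in bombed:
                bombed[user] = (q[0], len(q))
        elif event == "push_denied":
            q = denied[user]
            q.append(ts)
            _trim(q, ts, window)
        elif event == "push_approved":
            q = denied[user]
            _trim(q, ts, window)
            if len(q) >= denials_before_approve:
                fatigue_success.append((user, ts))
    return bombed, fatigue_success


if __name__ == "__main__":
    bombed, fatigue = analyze(SAMPLE_LOG.splitlines())
    for user, (first, count) in bombed.items():
        print(f"push bombing: {user} got {count} prompts starting {first:%H:%M:%S}")
    for user, ts in fatigue:
        print(f"approval after repeated denials: {user} at {ts:%H:%M:%S}")
```

The prompt-count alert is noisy on its own (a user with a flaky connection can trigger it), so the approval-after-denials signal is the one to page on: it means a prompt the attacker initiated was accepted. Number-matching or phishing-resistant MFA removes the attack outright, at which point this detector only measures how often it was attempted.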
2025-09-29 16:37:06 thehackernews MALWARE EvilAI Campaign Exploits AI Tools for Global Malware Distribution
Trend Micro describes EvilAI, a campaign that packages malware inside AI-themed productivity tools and has hit manufacturing, government, healthcare, and retail organizations across the U.S., Europe, and the AMEA region. The installers look and behave like legitimate applications and are signed with valid code-signing certificates, which gets them past both users and signature-based defenses. Once installed, the malware performs reconnaissance, exfiltrates data, and talks to its command-and-control servers over AES-encrypted channels. Distribution relies on newly registered websites, malicious ads, SEO manipulation, and promoted download links. EvilAI functions as a stager: it gains initial access and establishes persistence while evading analysis by mimicking real software. Expel and other firms have tied the samples to shared infrastructure and multiple code-signing certificates, pointing to a well-resourced operation that may be run as malware-as-a-service. The caveat for defenders is that a valid signature proves only that someone obtained a certificate, not that the publisher is trustworthy; application allow-listing should key on known-good publishers and hashes rather than on "signed" alone.
2025-09-29 16:37:05 bleepingcomputer CYBERCRIME UK Government Supports JLR with Loan Guarantee After Cyberattack
Jaguar Land Rover (JLR) is still recovering from a cyberattack that took down its IT systems and halted production at multiple plants, with the attackers also claiming to have stolen data. The UK Government is backing a £1.5 billion loan guarantee under the Export Development Guarantee program so that JLR can borrow from a commercial bank on better terms than it could obtain alone and use the money to shore up its supply chain. The attack was claimed by a group styling itself Scattered Lapsus$ Hunters, which draws on the Scattered Spider, Lapsus$, and ShinyHunters crews and says it deployed ransomware and leaked internal data. JLR has begun a phased restart of operations, working with cybersecurity specialists, the UK's NCSC, and law enforcement to bring systems back safely. JLR reportedly had no cyber insurance in place at the time, which has left the full cost of the outage with the company and, in turn, the government. The case shows both how far an attack on a single manufacturer propagates through its suppliers and how the state can end up as the backstop when a national industry and its jobs are at stake.
2025-09-29 14:51:16 theregister NATION STATE ACTIVITY Former MI5 Chief Warns of Unofficial Cyber Conflict with Russia
Baroness Manningham-Buller, who led MI5 from 2002 to 2007, says the UK is in an undeclared conflict with Russia, pointing to cyberattacks, sabotage and intelligence operations as the evidence. Russian activity of this kind has intensified since the full-scale invasion of Ukraine and targets UK infrastructure and allies. The National Cyber Security Centre recently exposed a Russian malware campaign built to steal Microsoft credentials and attributed it to APT28, the GRU-linked unit that has gone after governments and companies supporting Ukraine. Relations have been poisoned for years by incidents such as the 2006 murder of Alexander Litvinenko in London. The Baroness dismisses talk of rivalry between MI5 and MI6, describing a collaborative relationship in countering these threats. The ongoing hostilities argue for heightened vigilance and sustained investment in cyber defenses to protect national interests.
2025-09-29 14:27:28 bleepingcomputer DATA BREACH Harrods Data Breach Exposes 430,000 Customer Records via Third-Party
Harrods, the London luxury retailer, says a compromise at a third-party supplier exposed records of about 430,000 e-commerce customers. The data comprises names, contact details, and internal marketing tags; no passwords, payment card data, or order histories were involved. Harrods notified affected customers directly and is working with the authorities. The incident is unrelated to the attack on Harrods in May that was linked to the Scattered Spider group. The threat actor tried to extort the company, which refused to engage. Customers should treat unexpected emails, calls or messages referencing Harrods with suspicion, since stolen names and contact details are exactly what phishing and social engineering campaigns need.
2025-09-29 14:11:18 bleepingcomputer VULNERABILITIES Intruder Explores AI for Enhanced Vulnerability Management Efficiency
Intruder's security team set out to test whether AI could speed up the writing of vulnerability checks without lowering their quality, the motivation being the difficulty of keeping pace with attackers. Prompting a large language model directly to produce Nuclei templates did not work: the output had invalid syntax and weak matchers. An agentic approach, in which the model can call tools and consult reference material, produced templates comparable to those written by an engineer. The resulting agent, GregAI, also helps prioritize vulnerabilities and draft reports, reducing the backlog and freeing engineers for deeper research. It has produced checks for exposed admin panels and unsecured Elasticsearch instances that the major scanners lacked. The agent still needs manual correction at times and is not especially efficient, so a human reviews everything it produces. Intruder is wary of claims of full automation and treats AI as a productivity tool that needs expert supervision to yield reliable checks.
2025-09-29 12:37:17 thehackernews VULNERABILITIES Cisco Firewalls Targeted by Zero-Day Exploits in New Campaign
The UK NCSC and U.S. CISA report active exploitation of two zero-day vulnerabilities in Cisco Secure Firewall ASA and FTD software, used to plant two new malware families, RayInitiator and LINE VIPER. CVE-2025-20362 lets an unauthenticated attacker reach restricted endpoints of the VPN web server, and CVE-2025-20333 is a buffer overflow in that same web server that gives code execution as root; chained, they yield unauthenticated remote code execution on the firewall. The campaign continues the ArcaneDoor activity attributed to UAT4356, a suspected China-linked actor, which points to nation-state involvement. RayInitiator is a persistent bootloader-level implant and LINE VIPER a user-mode shellcode loader, so a patched device is not necessarily a clean one: organizations should apply Cisco's fixes, but also hunt for compromise first (CISA's emergency directive has agencies collect forensic data from devices before upgrading) and retire end-of-support ASA models that cannot be fixed. Review VPN web-server exposure, authentication and access controls, and logging so that similar exploitation attempts are detected rather than discovered after the fact. The speed of exploitation is another reminder that internet-facing network appliances need fast patching and threat intelligence feeding directly into detection.
2025-09-29 11:36:28 thehackernews MISCELLANEOUS AI Adoption in SOCs Becomes Essential Amid Alert Overload
A survey of 282 security leaders finds that AI in the Security Operations Center has moved from experiment to necessity, driven by alert volume. The average organization processes about 960 alerts a day and large enterprises more than 3,000, and 40% of alerts go uninvestigated; 61% of teams say they have ignored alerts that later turned out to be real incidents. More than half (55%) of teams already use AI for triage and investigation, and 60% plan to evaluate AI-powered SOC products within the year. Respondents expect AI to handle about 60% of SOC workloads within three years, concentrated on triage, detection tuning, and threat hunting, to improve throughput and reduce analyst burnout. The main barriers are data privacy, integration complexity, and the need for explainable results, but the direction of travel is clear. The model the survey points toward has AI handling routine tasks while human analysts focus on complex investigations.
2025-09-29 11:07:13 theregister MISCELLANEOUS UK Minister Criticizes X Platform for Disinformation and Violence Promotion
UK Energy Secretary Ed Miliband criticized Elon Musk's X platform and suggested the government consider leaving it because of its role in promoting violence and disinformation. Speaking at the Labour Party conference, he called Musk a "dangerous person" over his calls to overthrow the government and his encouragement of street violence. Amnesty International found that X played a central role in spreading the misinformation that fueled racially charged violence in the UK after the July 2024 Southport stabbings. Many governments and organizations still use X for public communication, though some, such as Southampton and Barcelona, have left citing misinformation. Critics hold both the platform's recommendation algorithm and Musk's own account, with its reach to millions of users, responsible for amplifying disinformation. The calls for action are not confined to the UK: U.S. advocacy groups have urged federal agencies to stop using X's AI model, Grok, over safety and ideological-bias concerns. The debate illustrates the difficulty of balancing free speech against societal safety on platforms of this scale.
2025-09-29 10:46:48 theregister DATA BREACH Harrods Faces Data Breach Impacting 430,000 Customers Through Supplier
Harrods confirmed a breach affecting 430,000 customers after unauthorized access to data held by a third-party supplier. The exposed data comprises personal details such as names and contact information; passwords and financial details were not involved. Harrods has been in contact with the threat actor but has chosen not to negotiate, concentrating instead on supporting customers. The retailer says its own systems were not compromised and that the supplier has isolated and contained the incident. The relevant authorities have been notified and Harrods is cooperating with the investigation. The breach is separate from the attack earlier this year, linked to the Scattered Spider group, that hit several UK retailers. The National Crime Agency has arrested two people over related cyber activity, though the arrests are not tied directly to the Harrods breach.
2025-09-29 09:52:17 theregister CYBERCRIME UK Government Supports JLR with £1.5B Loan Post-Cyberattack
Jaguar Land Rover (JLR) is to receive a £1.5 billion loan backed by a government guarantee to cushion the financial impact of the cyberattack on its operations and supply chain. Production has been halted since August 31, putting roughly 120,000 jobs at JLR and its suppliers at risk; several suppliers have begun redundancy proceedings and small businesses around the plants report lost revenue. The guarantee, arranged through UK Export Finance, is intended to stabilize JLR's finances, protect jobs, and support the wider automotive sector's recovery. Business Secretary Peter Kyle framed it as the government standing behind the industry and its workforce. JLR expects to begin restarting its plants by October 1, though the full recovery timeline remains uncertain. The intervention sets a precedent for UK government support of a private company hit by a cyber incident, a sign of how closely cybersecurity is now tied to economic stability.
2025-09-29 09:19:52 theregister MISCELLANEOUS UK Plans Mandatory Digital ID Amid Privacy Concerns and Opposition
Prime Minister Keir Starmer has announced plans for a mandatory digital ID, intended to curb illegal migration by requiring it as proof of eligibility for employment. The scheme would run on smartphones, which is cheaper than issuing physical cards but raises questions about how the identity data will be stored and secured. Privacy advocates warn that a universal digital ID could enable mass surveillance, and critics say the government has not made a strong case for it. The government will consult on implementation, including provision for people without smartphones, with legislation possible next year. Previous UK identity-card schemes were scrapped after sustained opposition, which casts doubt on whether this one will fare better. Several parties, including Reform and the Conservatives, oppose the plan, citing state control and privacy. Setup costs are put at around £1 billion, on top of existing fiscal pressures.
2025-09-29 08:56:26 thehackernews CYBERCRIME AI-Enhanced Phishing Campaigns Emerge, Targeting U.S. Organizations
Microsoft detailed a credential-phishing campaign against U.S. organizations whose code it assesses was written with the help of an LLM. The emails came from a compromised business account, were styled as file-sharing notifications, and used the sender's own address as the visible recipient with the real targets hidden in BCC, a trick that defeats simple recipient-based checks. The attachment was an SVG file: because SVG is XML that can carry JavaScript and dynamic content, the same file that renders as an image can also run code when opened in a browser. Here the embedded script was obfuscated with business vocabulary standing in for the real payload and, once decoded, redirected the victim through a CAPTCHA to a fake login page that harvested credentials. Microsoft's mail protections blocked the campaign, and an analysis with Security Copilot concluded the code was likely AI-generated, citing its unusual verbosity and complexity. The report is one of several recent signs of attackers adopting AI tooling; other recent campaigns have used .XLAM attachments and Telegram bot profiles to deliver phishing lures.
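The detection point in the SVG technique above is structural: an image file has no business carrying a script element, event-handler attributes or javascript: links, whatever vocabulary the payload is dressed in. The following is an added example, not code from Microsoft's report or from the campaign: a scanner that parses an SVG attachment and lists the active-content indicators it finds. The two sample files are constructed, and the redirect host in the suspicious one is a placeholder, not an indicator from the report.

```python
"""Flag SVG attachments that carry active content (added example, constructed data)."""
import re
import xml.etree.ElementTree as ET

# Constructed samples. The host in SUSPICIOUS_SVG is a placeholder, not an
# indicator from the Microsoft report.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1">
  <rect width="1" height="1" onload="run()"/>
  <a xlink:href="javascript:run()"><text>Open document</text></a>
  <script><![CDATA[
    var revenue = ["sessionRelease", "targetRoadmap", "pipelineEngagement"];
    function run() { window.location.href = "https://example.invalid/login"; }
  ]]></script>
</svg>"""

# Elements that make an SVG executable or let it embed foreign content.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "handler"}
# Script fragments typical of redirect-and-decode phishing payloads.
JS_HINTS = re.compile(
    r"window\.location|location\.href|document\.write|atob\(|eval\(|fromCharCode",
    re.IGNORECASE,
)


def _local(qname):
    """Strip the namespace from an ElementTree-qualified tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def scan_svg(data):
    """Return a list of findings for one SVG document; empty means nothing active."""
    findings = []
    root = ET.fromstring(data)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element:{tag}")
            if tag == "script" and el.text and JS_HINTS.search(el.text):
                findings.append("script:redirect_or_decode")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):          # onload=, onclick=, ...
                findings.append(f"handler:{name}")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("href:javascript")
    return findings


def is_suspicious(data):
    """Decide whether an SVG should be quarantined rather than rendered."""
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(svg))
```

Two caveats. Parse untrusted XML with defusedxml rather than the standard parser in production, since attachments are attacker-controlled input. And this check is deliberately coarse: it does not try to decode the obfuscated payload, because the vocabulary trick is aimed at exactly that kind of keyword matching, whereas the presence of a script element in a supposed image is not something the attacker can hide. A mail gateway that only rasterizes SVG to check what it looks like never sees the script at all, which is why many organizations block or rewrite SVG attachments outright.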
2025-09-29 08:40:40 thehackernews VULNERABILITIES First Malicious MCP Server Discovered in npm Package Supply Chain Attack
Researchers have found what they describe as the first malicious Model Context Protocol (MCP) server shipped through npm. The package postmark-mcp imitated an official Postmark Labs library; on September 17, 2025 its maintainer "phanpak" published a version containing a one-line change that silently BCC'd every email sent through the server to an address under the attacker's control, exposing the contents of those messages, including passwords and customer data. The package had been downloaded 1,643 times. The change was trivial to make and easy to miss, which is the point: an AI agent given an email-sending tool will faithfully relay whatever that tool does. Anyone who installed the package should remove it, rotate any credentials that passed through email, and review outbound mail logs for BCC traffic to the domain named in the report. The broader lesson is that MCP servers are dependencies with unusually broad privileges and need the same pinning, integrity checking and review as any other third-party code in a business-critical path.
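The log review recommended above is mechanical enough to script. The following is an added example, not code from the researchers' report or from the postmark-mcp package: it reads constructed JSON-lines outbound mail records, flags every BCC recipient whose domain is outside an assumed allow-list of the organization's own domains, and tallies how many messages went to each unauthorized address. The log format, the allowed domains and the attacker address (attacker.invalid) are placeholders for the illustration, not indicators from the report.

```python
"""Find unauthorized BCC recipients in outbound mail logs (added example, constructed data)."""
import json
from collections import Counter

# Assumed: the organization's own sending domains. Real deployments would
# also allow approved archiving or compliance-journal addresses.
ALLOWED_DOMAINS = {"example.com", "example.org"}

# Constructed JSON-lines log as an email provider or MTA might emit it. The
# address attacker.invalid is a placeholder, not the domain from the report.
SAMPLE_LOG = """\
{"ts":"2025-09-18T09:01:00Z","from":"billing@example.com","to":["cust1@example.org"],"bcc":[]}
{"ts":"2025-09-18T09:02:10Z","from":"billing@example.com","to":["cust2@example.org"],"bcc":["archive@mail.example.com"]}
{"ts":"2025-09-18T09:03:20Z","from":"billing@example.com","to":["cust3@example.org"],"bcc":["collector@attacker.invalid"]}
{"ts":"2025-09-18T09:04:30Z","from":"support@example.com","to":["cust4@example.org"],"bcc":["collector@attacker.invalid"]}
{"ts":"2025-09-18T09:05:40Z","from":"support@example.com","to":["cust5@example.org"]}
"""


def _domain_allowed(address, allowed):
    """True if the address's domain is an allowed domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def find_unauthorized_bcc(lines, allowed=ALLOWED_DOMAINS):
    """Return [(ts, sender, bcc_address)] for every BCC outside the allowed domains."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        for addr in rec.get("bcc") or []:          # records may omit the key
            if not _domain_allowed(addr, allowed):
                hits.append((rec["ts"], rec["from"], addr))
    return hits


def bcc_summary(hits):
    """Count how many messages leaked to each unauthorized address."""
    return Counter(addr for _, _, addr in hits)


if __name__ == "__main__":
    hits = find_unauthorized_bcc(SAMPLE_LOG.splitlines())
    for ts, sender, addr in hits:
        print(f"{ts} {sender} -> BCC {addr}")
    for addr, n in bcc_summary(hits).most_common():
        print(f"{addr}: {n} messages")
```

Run it over the full window from the date the malicious version was published, not just the days since the report. The same rule, applied at send time in the mail provider's outbound policy or DLP, turns the review into a preventive control: a tool that adds a BCC outside the organization's domains should be blocked rather than discovered later in the logs.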