CISO Talk by James Azar
CyberHub Podcast
Airport Cyberattack Disrupts Flights Across Europe, Microsoft Entra ID Flaw Allowed Hijacking Any Company's Tenant, 2 Scattered Spider Suspects Arrested in UK, Russian Groups Target Ukraine

European airports disrupted, Entra ID vulnerabilities exposed, and major cybercriminal arrests highlight how law enforcement continues

Good Morning Security Gang!
Happy Monday,

Today’s show is loaded: a cyberattack disrupts flights in Europe, a critical Microsoft Entra ID flaw raises alarms, new macOS malware campaigns are spreading via fake GitHub repos, Russia consolidates its top spy groups against Ukraine, North Korea pushes new click-fix lures, Ivanti and Fortra patch critical zero-days, MI6 goes on the dark web to recruit spies, and UK police nab two Scattered Spider members.

Double espresso in hand—let’s get rolling.

✈ Europe Flight Chaos After Airport Cyberattack

Collins Aerospace, a U.S.-based software provider owned by RTX, suffered a cyberattack that disrupted check-in systems at Heathrow, Berlin Brandenburg, and Brussels airports. While self-check-in kiosks and baggage drops stayed functional, airline counters were down, leading to cancellations and delays through the weekend. Brussels managed to keep 85% of flights departing with manual backups—an example of resilience planning in action. As I stressed: “Resiliency isn’t a magic word—it’s everything.”

🔑 Microsoft Entra ID Flaw Could Expose Every Tenant

A researcher uncovered a critical flaw in Microsoft Entra ID (formerly Azure AD) involving an undocumented token (“actor tokens”) and CVE-2025-55241 in the Azure AD Graph API. This combo could have granted attackers global admin rights across every Entra ID tenant, without leaving traces in logs. Microsoft patched the issue on September 4th, but the implications are massive—Entra ID underpins M365, Salesforce, Dropbox, AWS, SAP, and Google logins.

🖥 Fake GitHub Repos Spread macOS Infostealers

Threat actors are running an SEO poisoning campaign, creating fraudulent GitHub repos posing as legitimate apps like LastPass for macOS. Victims are tricked into copying malicious terminal commands, which deploy the Atomic Stealer (AMOS) malware. It’s another reminder that user actions drive most infections—social engineering is still the weakest link.

"Every time, every time, every time this happens, it's always user driven at the end of the day. Always someone on the user side doing something to give them this access." James Azar

🇷🇺 Russia Consolidates Turla & Gamaredon for Ukraine Attacks

ESET reported that Russia has merged its top FSB-linked groups, Turla and Gamaredon, to coordinate attacks against Ukraine. Turla focuses on precision intelligence, while Gamaredon uses large-scale compromise campaigns. By combining, Moscow is escalating its cyber warfare playbook as the Ukraine war drags into year four.

🇰🇵 North Korea Deploys BeaverTail & Invisible Ferret Malware

North Korea’s APTs are pushing new click-fix phishing lures delivering the BeaverTail stealer and Invisible Ferret backdoor. Targets include crypto traders and Web3 job seekers. The malware is disguised as video-conferencing tools or job apps, with binaries compiled for Windows, Mac, and Linux. DPRK remains laser-focused on crypto theft to fund its regime.

🛡 Ivanti EPMM Exploited by China Nexus

CISA revealed active exploitation of Ivanti EPMM vulnerabilities (CVE-2025-4427, CVE-2025-4428) by Chinese espionage groups since May. Attackers used API endpoints to run reconnaissance, fetch files, and extract LDAP creds.

Each of the analyzed malware sets included a distinct loader but with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system:

  • Set 1:

    • web-install.jar (Loader 1)

    • ReflectUtil.class - included in Loader 1, manipulates Java objects to inject and manage the malicious listener in the set

    • SecurityHandlerWanListener.class - malicious listener that could be used to inject and execute code on the server, to exfiltrate data, and establish persistence

  • Set 2:

    • web-install.jar (Loader 2)

    • WebAndroidAppInstaller.class - a malicious listener in Loader 2, that the threat actor could use to inject and execute code, create persistence, and exfiltrate data
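
Because both loaders ship under the same file name and the listeners are identifiable by class name, a first-pass triage of JARs pulled off an EPMM host can simply check entry names against the artifacts listed above. The script below is an added example, not CISA's or Ivanti's tooling: it builds two constructed in-memory JARs (one benign, one carrying the listed class names), scans them, and reports which indicator names appear either as the JAR's own file name or as entries inside it. File and class names are weak indicators on their own, since an operator can rename them, so treat a hit as a reason to pull the file for deeper analysis rather than as proof of compromise, and a miss as no evidence either way.

```python
import io
import zipfile

# Artifact names quoted in the CISA analysis above: the loader JAR name shared
# by both sets, plus the classes that make up each set.
IVANTI_EPMM_INDICATORS = {
    "web-install.jar",
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}


def find_indicator_entries(jar_bytes, indicators=IVANTI_EPMM_INDICATORS):
    """Return sorted JAR entry paths whose basename matches an indicator name.

    A JAR is a zip archive, so zipfile is enough to list its entries without
    loading any class into a JVM. Directory prefixes are ignored on purpose:
    the listed classes could be packaged under any package path.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            basename = name.rsplit("/", 1)[-1]
            if basename in indicators:
                hits.append(name)
    return sorted(hits)


def triage_jar_files(files, indicators=IVANTI_EPMM_INDICATORS):
    """Triage a mapping of path -> JAR bytes (e.g. collected from a host).

    Returns {path: [reasons]} only for files that matched something. The file
    name itself is checked because both loaders were named web-install.jar.
    Non-zip files are reported as unreadable rather than silently skipped.
    """
    report = {}
    for path, data in files.items():
        reasons = []
        if path.rsplit("/", 1)[-1] in indicators:
            reasons.append("filename matches indicator")
        try:
            for entry in find_indicator_entries(data, indicators):
                reasons.append("entry matches indicator: " + entry)
        except zipfile.BadZipFile:
            reasons.append("not a valid zip/JAR (inspect manually)")
        if reasons:
            report[path] = reasons
    return report


def build_constructed_jar(entries):
    """Build an in-memory JAR from {entry_name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a benign-looking JAR and one carrying the Set 1 class
# names. Class bodies are placeholder bytes, not real bytecode.
CLEAN_JAR = build_constructed_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe placeholder",
})
SUSPECT_JAR = build_constructed_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/acme/ReflectUtil.class": b"\xca\xfe\xba\xbe placeholder",
    "com/acme/SecurityHandlerWanListener.class": b"\xca\xfe\xba\xbe placeholder",
})

# Hypothetical collection paths; the second one reproduces the shared loader name.
SAMPLE_COLLECTION = {
    "/opt/app/lib/helper.jar": CLEAN_JAR,
    "/tmp/web-install.jar": SUSPECT_JAR,
    "/tmp/notes.txt": b"plain text, not a JAR",
}

if __name__ == "__main__":
    for path, reasons in triage_jar_files(SAMPLE_COLLECTION).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Run it against a directory of collected JARs by reading each file's bytes into the mapping; extend `IVANTI_EPMM_INDICATORS` with the file hashes from the CISA advisory once you have them, since hashes survive renaming where names do not.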

Ivanti patched in May, but many organizations lagged, a classic example of why China “loves” Ivanti so much.

"Find you someone that loves you the way China loves Ivanti. I mean, if you want happiness in this life, you find that same amount of love, that same amount of cuddliness of attention of awareness of exploitation." James Azar

⚙ Fortra GoAnywhere Zero-Day Patched

Fortra patched CVE-2025-10035, a perfect CVSS 10.0 deserialization flaw in GoAnywhere MFT. Attackers could achieve unauthenticated RCE with forged license responses. Patch to versions 7.8.4 or 7.6.3 immediately—exploitation is considered trivial.

🕵 FBI Warns of Fake IC3 Website

The FBI warned criminals are impersonating its IC3.gov cybercrime portal. Fake sites may trick victims into handing over sensitive details, which attackers then use for secondary fraud. Always verify IC3.gov before reporting incidents.

🇬🇧 MI6 Launches Dark Web Portal to Recruit Spies

MI6 unveiled a new onion site on the dark web for would-be informants to share sensitive intel on terrorism, instability, or hostile state activity. The agency is going digital in its recruitment, releasing multilingual instructions via YouTube. Outgoing MI6 chief Sir Richard Moore called it a “virtual door open to the brave.”

👮 Scattered Spider Members Arrested

Two UK men, 18-year-old Owen Flowers and 23-year-old Talaha Jabir, were arrested for roles in Scattered Spider intrusions, including Transport for London and U.S. healthcare firms. Jabir controlled wallets holding $36M in crypto; he faces 95 years in prison. Authorities continue to crack down on the group behind MGM and Caesars breaches.

🧠 James Azar’s CISO Take

Today’s show reinforces two truths: resilience and governance define outcomes. Brussels kept 85% of flights moving because it had backup plans, while others collapsed. Microsoft’s Entra flaw shows how fragile global identity systems are when governance lapses. In both cases, the cost of downtime isn’t theoretical—it’s business and national security.

The other theme is the weaponization of trust. From fake GitHub repos to Ivanti exploits to MI6 recruiting on the dark web, trust is the new battlefield. Attackers exploit it, defenders must defend it, and governments are trying to reclaim it. For CISOs, this means monitoring not just endpoints but ecosystems of trust—tokens, repos, portals, and vendor platforms. That’s where tomorrow’s threats live.


✅ Action Items

  • ✈ Audit resiliency plans for airport-like scenarios—manual ops matter.

  • 🔑 Confirm Microsoft Entra ID tenants patched post–Sept 4th.

  • 🖥 Block SEO poisoning campaigns; train staff not to run terminal commands blindly.

  • 🇷🇺 Track Russia’s Turla + Gamaredon collaborations in Ukraine.

  • 🇰🇵 Harden defenses for Web3/crypto orgs against DPRK lures.

  • 🛡 Patch Ivanti EPMM (CVE-2025-4427/4428) and Fortra GoAnywhere (CVE-2025-10035).

  • 🕵 Verify IC3.gov before submitting cybercrime reports.

  • 👮 Track legal fallout of Scattered Spider arrests—expect disruption but not dismantling.


That's it for today's show. We'll be back tomorrow at 9 AM Eastern with all the latest. To all our Jewish friends watching, Shana Tova - may this be a very sweet year as we celebrate the Jewish New Year.

Until then, stay cyber safe!
