This Week in Cybersecurity #21
When cyber attacks cross into economic warfare - airport disruptions, telecom plots, and the JLR shutdown that's rewriting the playbook on business impact
Airport Arrests, Billion-Dollar Shutdowns, and Nation-State Infrastructure Attacks
📰 Welcome Back, Security Gang
Top of the weekend, security gang! James Azar here with your comprehensive wrap-up of what turned out to be one of the most consequential weeks in cybersecurity this year. If you missed any of our shows this week - whether you were celebrating Rosh Hashana with us or just caught up in the daily grind - this digest will get you up to speed on the stories that are reshaping how we think about cyber risk.
This wasn’t just another week of CVEs and patches. We witnessed cyber attacks cross definitively into the realm of economic warfare and national security. From billion-dollar industrial shutdowns to nation-state plots targeting the very infrastructure that keeps cities running, the events of September 22-26 will be studied for years to come.
Coffee cup cheers to everyone who stayed with us through the packed episodes - let’s dive into what happened and what it means for defenders everywhere.
🏛️ Critical Infrastructure & Nation-State Attacks
✈️ Europe Airport Attack Solved - HardBit Gang Identified
The Collins Aerospace attack that crippled Heathrow, Brussels, and Berlin airports has been attributed to the HardBit ransomware gang. UK authorities arrested a 40-year-old man in West Sussex, though he was released on bail. What’s concerning is that Collins struggled with reinfections even after cleanup attempts, showing how persistent these “incredibly basic” ransomware variants can be when targeting critical infrastructure.
📡 Secret Service Foils Massive UN Telecom Plot
During the UN General Assembly, the Secret Service dismantled a sophisticated attack infrastructure consisting of over 100,000 SIM cards within 35 miles of the UN building. The system could have sent 30 million text messages per minute, essentially creating a DDoS attack on Manhattan’s cellular networks. This was a well-funded, nation-state operation costing millions that could have crippled emergency communications during the city’s most vulnerable moment.
🚗 JLR Shutdown Creates Unprecedented Economic Impact
Jaguar Land Rover extended their shutdown into October, losing $67-94 million daily with total losses expected to reach billions. With 180,000 jobs directly and indirectly affected, this represents the first cyber attack where we’re seeing true macroeconomic impact. As one UK politician said, it’s a “cyber shockwave ripping through industrial heartlands.”
“This may be one of the first ever cyber attacks where we see the actual economic impact of it and a significant economic impact at that. This will be a case study that we will talk about for years to come.” James Azar
🐉 Chinese Espionage Campaigns Intensify
Two major Chinese operations dominated headlines: BrickStorm malware maintained 393-day average dwell times in US tech and legal organizations, while Red November (Storm-2077) systematically targeted government and defense contractors globally using Go-based backdoors and Cobalt Strike.
🔧 Major Vulnerabilities & Critical Patches
🔥 Cisco Firewall Zero-Days (ArcaneDoor Campaign)
Cisco released emergency patches for two firewall vulnerabilities (CVE-2025-20333, CVE-2025-20362) actively exploited by Chinese threat actors in the ArcaneDoor campaign. The attackers modified device ROM for persistence and targeted discontinued ASA 5500-X series devices. CISA issued Emergency Directive ED 25-03 requiring federal agencies to forensically analyze all Cisco devices within 24 hours.
⚡ SolarWinds Third Attempt at Web Help Desk Fix
SolarWinds released their third hotfix for CVE-2025-26399, a perfect 9.8 CVSS deserialization RCE vulnerability. This is a patch bypass of a patch bypass - the original flaw was exploited within days of their first attempt in August 2024.
🌐 CISA Reveals Year-Old GeoServer Exploitation
Chinese actors exploited CVE-2023-25157 against federal agencies just 10 days after it was added to the KEV catalog, deploying China Chopper web shells and using Dirty COW for privilege escalation.
“Find you someone that loves you the way China loves Ivanti. I mean, if you want happiness in this life, you find that same amount of love, that same amount of cuddliness of attention of awareness of exploitation.” James Azar
📦 Supply Chain & Developer Security
📱 GitHub Overhauls NPM Security
Following the Shai-Hulud worm that compromised 500+ packages, GitHub is implementing MFA-enforced publishing, short-lived tokens, and trusted publishing via CI/CD workflows with cryptographic attestations.
🎯 Malicious NPM Package Exfiltrates Emails
A perfect replica of the legitimate ‘postmark-mcp’ package operated cleanly for 15 versions before adding email exfiltration in version 1.0.16. The malicious package recorded 1,500 downloads and potentially exfiltrated thousands of emails before being removed.
🇰🇵 North Korean Developer Identity Theft Ring
ESET revealed that North Korea’s DeceptiveDevelopment campaign not only steals cryptocurrency but harvests developer identities to supply fraudulent IT workers (tracked as WageMole) who use stolen credentials to land remote jobs at western companies.
🏢 Data Breaches & Privacy Issues
🎰 Boyd Gaming Breach
Las Vegas-based Boyd Gaming disclosed a breach affecting employee and limited customer data with no operational impact, meaning cyber insurance will likely cover costs.
💰 Amazon Pays $2.5B for Prime Dark Patterns
Amazon settled FTC claims for using deceptive enrollment practices and difficult cancellation processes (internally called “Iliad”) to trap 35 million users in Prime subscriptions.
👮 Law Enforcement & Regulatory Wins
🕸️ Scattered Spider Arrests Continue
Two UK men - Owen Flowers (18) and Talaha Jabir (23) - were arrested for Transport for London and US healthcare attacks. Jabir controlled $36 million in crypto wallets and faces 95 years in prison.
🌍 Interpol Recovers $439M in Global Crackdown
Operation HAECHI across 40+ countries froze 68,000 bank accounts and 400 crypto wallets, targeting romance scams, BEC, and gambling-linked laundering. Portugal alone arrested 45 suspects.
✅ Critical Action Items
Patch immediately: Cisco ASA/Firewall devices (CVE-2025-20333, CVE-2025-20362), SolarWinds Web Help Desk (CVE-2025-26399)
Audit npm packages: Review all MCP servers and postmark-related packages for version 1.0.16
Strengthen supply chain: Implement GitHub’s trusted publishing workflows and enhanced MFA
Review business continuity: Calculate potential daily losses from extended shutdowns like JLR
Monitor Chinese TTPs: Watch for BrickStorm, Red November indicators and long-dwell-time campaigns
Harden perimeter devices: Accelerate patching SLAs for edge appliances and VPN gateways
Verify developer identities: Screen remote workers more thoroughly given North Korean infiltration tactics
Test emergency communications: Ensure backup systems work if cellular networks are compromised
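One way to carry out the npm audit item above, as an added example that is not part of the newsletter: a script that scans a package-lock.json (lockfileVersion 1, 2 or 3) for watchlisted packages, including copies nested under other dependencies. The watchlist entry uses the version reported on this page (postmark-mcp turned malicious at 1.0.16); treating every version from 1.0.16 upward as suspect is an assumption, and the sample lockfile is constructed.

```javascript
// Added example (not from the newsletter): scan an npm lockfile for packages on a
// watchlist. The entry comes from the page (postmark-mcp became malicious in 1.0.16);
// flagging every version from 1.0.16 upward is an assumption made here.
const WATCHLIST = { "postmark-mcp": "1.0.16" }; // name -> first known-bad version

// Compare dotted numeric versions ("1.0.16" vs "1.0.9"); pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect [name, version] pairs from lockfileVersion 2/3 ("packages" map keyed by
// path) or lockfileVersion 1 (nested "dependencies" tree).
function lockEntries(lock) {
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === "" || !meta.version) continue;        // "" is the root project entry
    out.push([p.slice(p.lastIndexOf("node_modules/") + 13), meta.version]);
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.version) out.push([name, meta.version]);
      walk(meta.dependencies);                      // v1 nests transitive deps
    }
  };
  if (!lock.packages) walk(lock.dependencies);
  return out;
}

// Return "name@version" for every watchlisted package at or above its bad version.
function findSuspect(lock) {
  return lockEntries(lock)
    .filter(([name, ver]) => WATCHLIST[name] && compareVersions(ver, WATCHLIST[name]) >= 0)
    .map(([name, ver]) => `${name}@${ver}`);
}

// Constructed sample lockfile (v3 layout) so the script runs stand-alone.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/postmark-mcp": { version: "1.0.15" },
  },
};
console.log(findSuspect(SAMPLE_LOCK)); // prints [ 'postmark-mcp@1.0.16' ]
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.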
🧠 James Azar’s CISO Take
This week demonstrated that cyber has officially crossed into the realm of economic warfare and national security. JLR’s billion-dollar losses aren’t just about IT systems failing - they’re about entire supply chains collapsing and national economic indicators being affected by single incidents. When politicians start calling these “cyber shockwaves ripping through industrial heartlands,” you know we’ve entered a new era where cyber resilience isn’t optional, it’s existential. The Secret Service’s prevention of that telecom attack during the UN General Assembly shows what happens when nation-states move from espionage to infrastructure disruption.
The sophistication gap is widening dangerously in China’s favor. With 393-day average dwell times for BrickStorm and systematic targeting of our most critical perimeter devices, they’re playing a completely different game than our patch-and-pray approach. Meanwhile, our own supply chains remain vulnerable to everything from basic npm typosquatting to sophisticated identity theft rings supplying fraudulent workers. The good news is that initiatives like GitHub’s npm overhaul and coordinated law enforcement actions like Interpol’s $439 million recovery show that defenders are finally adapting. But when attackers can exploit known vulnerabilities within 10 days of KEV listing while our average patch times stretch into months, we’re still losing the race that matters most.
🎙️ Until Next Week, Security Gang
That’s a wrap on what may go down as one of the most significant weeks in cybersecurity history. The stories we covered this week aren’t just technical incidents - they’re economic case studies, national security events, and wake-up calls for every organization that thinks cyber risk is someone else’s problem.
Next week, we’ll be diving deeper into the fallout from these major incidents and tracking the latest developments in the ongoing investigations. Make sure you’re subscribed to cyberhubpodcast.com to catch all our live shows at 9 AM Eastern, and don’t forget to connect with us on social media for real-time updates.
Remember, in a world where a single ransomware attack can cost billions and nation-states are targeting the invisible infrastructure that keeps cities running, staying informed isn’t just professional development - it’s survival.
Stay cyber safe, security gang!
📧 Forward this newsletter to your security team | 🔗 Share on LinkedIn | 💬 We love feedback - connect with us on social media