A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, September 22, 2025. I'm Steve Prentiss.

European airport disruption due to cyber attack on check-in and baggage software

Disruptions and delays continue as of this recording at several major airports, including London's Heathrow, Berlin, and Brussels. The cyber attack took out the airports' check-in and baggage systems, forcing staff to resort to pen and paper, forcing many airlines to cancel flights, and of course forcing many travelers to wait or make other plans. The cyber attack specifically targeted the MUSE software platform, which allows different airlines to use the same check-in desks and boarding gates at an airport rather than requiring their own. MUSE is developed by Collins Aerospace, which itself is owned by the aerospace and defense conglomerate RTX Corporation, formerly known as Raytheon Technologies. Efforts to restore systems continued into Sunday.

SMS scammers now using mobile fake cell towers

A report in Wired shows how scammers are now using SMS blasters, which work like a portable cell tower, tricking people's phones into connecting with them as the towers themselves drive by. This enables the scammers to send out up to 100,000 SMS messages per hour containing dangerous links. The technique, which is currently active in some Asia-Pacific nations as well as in Western Europe and South America, can impersonate any sender and does not need to access actual phone numbers to send its messages. This is because the SMS blaster simulates a cell tower, essentially forcing any phone in its vicinity to connect with it. Legitimate cell carriers say they have no power or ability to prevent this.

GPT-4 powered MalTerminal malware creates ransomware and reverse shell

Researchers at SentinelOne are describing what they call the earliest example known to date of a malware that bakes in large language model capabilities, named MalTerminal and described by the SentinelLabs research team at the LabsCon 2025 security conference last week. This is an emerging category of malware called LLM-embedded malware, the first example of this being PromptLock. As for MalTerminal itself, it uses OpenAI GPT-4 to dynamically generate ransomware code or a reverse shell. But the researchers say there is no evidence of it having been deployed in the wild, raising the possibility that it could also be a proof-of-concept malware or red team tool. End quote.

Scattered Spider has a good year

Despite multiple arrests and even pretending to shutter its doors, the Scattered Spider cybercriminal operation was able to extort at least $115 million from dozens of victims over the last three years and also breach the US federal court network. This is according to a Justice Department complaint unsealed this week. Some of this data appears to come from the FBI, which traced payments, stolen data, and hacking tools to specific servers owned and registered to one of the individuals arrested. Just last. According to these reports, two of the victims paid out big-time ransoms of $25 million and $36.2 million. The Scattered Spider method remains consistent: calling a victim company's help desk, asking for a password reset, then taking over an administrative account, and then using that access to steal data before encrypting critical systems.

Huge thanks to our sponsor, Conveyor. If security questionnaires make you feel like you're drowning in chaos, you're not alone. Endless spreadsheets, portals, and questions, always when you least expect them. Conveyor brings calm to the storm. With AI that auto-fills questionnaires and a trust center that shares all your documents in one place, you'll feel peace where there used to be panic. Find your security review zen at www.conveyor.com. That is C-O-N-V-E-Y-O-R dot com.

FBI warns of fake FBI reporting sites

Cybercriminals are impersonating the FBI's Internet Crime Complaint Center website for what may be described as possible malicious activity. Although not sharing too many specifics, the agency suggests that these spoofed websites could be used by attackers in scams or to steal the visitor's personal information, end quote. Most of these spoofed sites are using typosquatting techniques to fool users, and BleepingComputer points out that in one instance, the fake site includes an FBI warning, the same one as on the legitimate IC3 site, warning of scammers impersonating FBI IC3 employees to help recover lost funds.

Fortra warns of maximum severity flaw in GoAnywhere MFT's license servlet

The security technology company has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT's license servlet that can be exploited in command injection attacks. GoAnywhere MFT is a file transfer tool. The flaw, which has a CVE number, is caused by a deserialization of untrusted data weakness and can be exploited remotely in low complexity attacks that don't require user interaction. While Fortra stated that the vulnerability was discovered over the weekend, it did not specify who reported it or whether the flaw has been exploited in attacks.

ChatGPT can be prompted to solve CAPTCHAs

According to Dorian Schultz of the AI security company SPLX, ChatGPT can be made to solve CAPTCHAs despite being prevented from doing so according to its own policies. Schultz first describes how he convinced ChatGPT-4o that the exercise they were undertaking was designed only to identify fake CAPTCHAs. He then copy-pasted the discussion from this exercise back into ChatGPT and referred to it as "our previous discussion," which was sufficient to allow the application to solve some real one-click CAPTCHAs, logic-based CAPTCHAs, and text recognition ones. It still had some difficulties solving image-based ones requiring the user to drag and drop images or rotate them. However, the researchers suggest this may be one more step along the path towards making CAPTCHAs obsolete.

A lesson in the vulnerabilities of smart connected factories

As the shutdown of Jaguar Land Rover (JLR) continues into another week, with longer delays possible, the severity and complexity of the hack is now being made clear. The company, which is owned by India's Tata conglomerate, outsourced JLR's key computer systems, ranging from its networks to data connections and its cybersecurity, to Tata Consultancy Services (TCS), including an upgrade of JLR factory systems to the latest software from the German company SAP. This was all done in the interest of creating a collection of highly efficient, high-volume factories for its signature automotive products. In short, according to an article in the Guardian, the fact that everything is connected in JLR's systems appears to have become a vulnerability. When it discovered the intrusion, the carmaker was unable to isolate factories or functions, forcing it to shut down most of its systems. End quote.

If you have some thoughts on the news from today, or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines is available every weekday. Head to CISOseries.com for the full stories.

Behind the Headlines.
B
Sam.
Host: Steve Prentiss
Podcast: CISO Series
Main Theme:
A roundup of the latest and most pressing stories in global cybersecurity, focusing on significant attacks, technical vulnerabilities, criminal tactics, and the evolving threat landscape, with updates and expert commentary.
"[The attack] took out the airport's check in and baggage systems, forcing staff to resort to pen and paper... and many travelers to wait or make other plans." – Steve Prentiss [00:19]
"The SMS blaster simulates a cell tower, essentially forcing any phone in its vicinity to connect with it." – Steve Prentiss [01:30]
"It uses OpenAI GPT4 to dynamically generate ransomware code or a reverse shell." – Steve Prentiss [02:43]
"The scattered spider method remains consistent: calling a victim's company's help desk, asking for a password reset, then taking over an administrative account..." – Steve Prentiss [04:20]
"...in one instance, the fake site includes an FBI warning, the same one as on the legitimate IC3 site, warning of scammers impersonating FBI IC3 employees..." – Steve Prentiss [05:21]
"The flaw... can be exploited remotely in low complexity attacks that don't require user interaction." – Steve Prentiss [06:00]
"Shultz first describes how he convinced ChatGPT4O that the exercise... was designed to only identify fake CAPTCHAs... sufficient to allow the application to solve some real one click captchas." – Steve Prentiss [06:45]
"...the fact that everything is connected in JLR's systems appears to have become a vulnerability." – Steve Prentiss [07:19]
The episode maintains a brisk, factual tone, emphasizing the escalating creativity and sophistication of threat actors. Across sectors—aviation, telecommunications, AI, manufacturing, and law enforcement—attackers leverage social engineering, hardware exploits, and vulnerabilities in ubiquitous software. The stories serve as sobering reminders: modern convenience and interconnection increase risk, and defensive strategies must continually evolve to meet changing threats.