South Korean Gov't. Data Center Fire; BRICKSTORM Compromised US Orgs for Over a Year; UK Backs £1.5 Billion Loan Supporting JLR Recovery

Last week, SANS announced the renewal of its partnership as a Champion with Water-ISAC. The extended collaboration reflects a shared commitment to supporting the water and wastewater sector with practical training, research, and community engagement designed to counter increasingly aggressive cyber threats. The collaboration has advanced sector-specific research, including a SANS white paper, “Protecting Critical Water Systems with Five ICS Cybersecurity Critical Controls,” by Dean Parsons, and an associated five-part webinar series. Protecting Critical Water Systems with the Five ICS Cybersecurity Critical Controls (White paper): https://www.sans.org/white-papers/protecting-critical-water-systems-five-ics-cybersecurity-critical-controls

SANS 5 ICS Critical Controls for Water: https://www.sans.org/webcasts/sans-5-ics-critical-controls-for-water-control-1-ics-specific-incident-response-plan SANS Water & Wastewater Cybersecurity Partnership: https://www.sans.org/partnerships/water

Water-ISAC: https://www.waterisac.org/

Press Release: https://www.globenewswire.com/news-release/2025/09/26/3157122/0/en/Renewed-SANS-Institute-and-Water-ISAC-Partnership-Targets-Growing-Cyber-Threats-to-Water-Systems.html

ISACs are a great way to get more involved with your sector's community. Find out more here: https://www.nationalisacs.org/members

A fire at a government data center in Daejeon, South Korea, has disrupted the availability of hundreds of online government services, including a mobile identification system used by travelers and online postal and tax services. It took firefighters nearly 24 hours to extinguish the blaze at the National Information Resources Service (NIRS). The fire appears to have been caused by a lithium-ion battery explosion at the data center's backup power system. The Korea Herald writes, "Kim Ki-seon, chief of the Yuseong Fire Station in Daejeon, explained during a press briefing on Saturday that the blaze started during a procedure to shut off power ahead of relocating the batteries. NIRS had started the relocation as the UPS battery units were installed on the same floor as the servers, raising fire safety concerns."

Google Threat Intelligence Group (GTIG) has observed a backdoor malware campaign in which threat actors tracked as "UNC5221 and closely related, suspected China-nexus threat clusters," maintained long-term access to various US organizations' systems, exploiting vulnerable network appliances that did not support endpoint detection and response (EDR) tools. The intrusions notably targeted US "legal services, Software as a Service (SaaS) providers, Business Process Outsourcers (BPOs), and Technology [providers]" often employed by governments and large companies, and the average period of undetected access was 393 days. GTIG notes that logs were seldom retained long enough to help determine an initial access vector apart from a "focus on compromising perimeter and remote access infrastructure," especially VMware vCenter and ESXi hosts. The backdoor, dubbed "BRICKSTORM," disguises itself as legitimate software, and appears to use a unique command-and-control (C2) domain for each victim. The threat actors often accessed "the emails of developers, administrators, and individuals of likely strategic interest to China by abusing Microsoft Entra ID enterprise applications with elevated permissions," continuing to move through systems laterally and sometimes compromising SaaS providers' customers through their supply chains. "YARA rules have proven to be the most effective method for detecting BRICKSTORM," and GTIG also offers a script that will scan Unix systems for the malware without installing YARA. GTIG provides detailed threat hunting recommendations, suggesting that defenders look to attackers' tactics, techniques, and procedures (TTPs) rather than relying on "atomic IoCs," and urging organizations to maintain up-to-date asset inventories, always configuring devices for least privilege.

The UK Government has announced that it will guarantee a £1.5 billion (US$2.01 billion) commercial bank loan to Jaguar Land Rover (JLR) through the Export Development Guarantee (EDG), "to give certainty to its supply chain" while JLR's production lines remain shut down and its large network of suppliers have been cut off in the wake of a debilitating cyberattack. The government assumes up to 80% of the loan's risk, and JLR will have five years to pay it back. JLR's UK plants employ approximately 30,000 people, and the broader supply chain accounts for about 120,000 jobs. The attack first disrupted operations on August 31, 2025 and workers have been told to stay home since the following day; the loan was announced on September 28, and while no firm return date has been provided, JLR has tentatively predicted resuming some production by October 1. The BBC reports that this "is believed to be the first time that a company has received government help as a result of a cyber-attack."

Fortra disclosed a critical deserialization of untrusted data vulnerability in their GoAnywhere Managed File Transfer (MFT) software on September 18, 2025, and released a patch the same day. Researchers at watchTowr Labs say they have observed "credible evidence" that the vulnerability has been actively exploited in the wild since at least September 10. In their analysis of the issue, researchers at Rapid7 maintain that it "is not just a single deserialization vulnerability, but rather a chain of three separate issues. This includes an access control bypass that has been known since 2023, the unsafe deserialization vulnerability CVE-2025-10035, and an as-yet unknown issue pertaining to how the attackers can know a specific private key." Users are urged to update to upgrade to Fortra GoAnywhere MFT version 7.8.4 or v7.6.3 (Sustain Release). The Fortra vulnerability was one of five vulnerabilities added to the US Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog on Monday, September 29, with a mitigation due date of October 20.

The recently-launched Neon call-recording app has been taken down, following a report from TechCrunch that logged-in users were able "to access the phone numbers, call recordings, and transcripts of any other user." Neon pays users who allow them to record their phone calls; Neon then sells the data to AI companies to be used in training their models. TechCrunch notified the app's "founder," who took down the Neon servers and started notifying users that the app would be paused, but Neon has not yet disclosed the security issue. The app can still be downloaded, but it is not currently functional. The app claims that it records only phone calls placed within the app, and records only one side of the conversation. Several US states require that all parties on phone calls consent to being recorded.

The US Cybersecurity and Infrastructure Security Agency (CISA) and partner agencies in six countries have published guidance for securing operational technology (OT) systems, titled “Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture.” The document "defines a principles-based approach for how operational technology (OT) organisations should build, maintain and store their systems understanding. It is aimed at cyber security professionals working in organisations that deploy or operate OT across greenfield and brownfield deployments. Integrators and device manufactures can also use these principles to ensure their solutions enable effective asset and configuration management." The five principles are: define processes for establishing and maintaining the definitive record; establish an OT information security management program; identify and categorize assets to support informed risk-based decisions; identify and document connectivity within your OT system; and understand and document third-party risks to your OT system. The document was developed by the UK National Cyber Security Centre (NCSC), the Australian Signals Directorate Australian Cyber Security Centre (ASD's ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (Cyber Centre), the US Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), Netherlands National Cyber Security Centre (NCSC-NL) and Germany’s Federal Office for Information Security (BSI).

Microsoft Threat Intelligence has observed "limited attacks" involving a new variant of XCSSET, a type of modular malware first observed in 2020 that targets macOS systems by spreading through Xcode projects and executing once an infected project is built, then taking control of a variety of apps and exfiltrating information. The new variant notably monitors the clipboard for signs of copied digital wallet addresses and replaces them "with its own predefined set of wallet addresses," and has components that target Firefox for information theft. The malware hides itself in new ways as well, "using run-only compiled AppleScripts ... also add[ing] another persistence mechanism through LaunchDaemon entries." Microsoft shares IoCs and recommends mitigating the threat of this variant by ensuring operating systems and applications are up to date; inspecting and verifying all downloaded or cloned Xcode projects; checking that copied and pasted information is not tampered with; and using endpoint security tools. Microsoft analysts "shared these findings with Apple and collaborated with GitHub to take down repositories affected by XCSSET."

Authorities in the Netherlands have arrested two teenagers in connection with suspected espionage on behalf of Russia. According to the authorities, the two individuals were recruited via Telegram by a hacker with Russian ties; one of the teenagers allegedly walked past Europol, Eurojust, and the Canadian embassy while carrying a Wi-Fi sniffer. The individuals appeared before a magistrate judge on September 25; one is still in police custody, the other is under house arrest.

Japanese brewer Asahi Group Holdings, Ltd. has disclosed that it "is currently experiencing a system failure caused by a cyberattack, affecting operations in Japan." Asahi reports that it has suspended "order and shipment operations at group companies in Japan [and] call center operations, including customer service desks." In addition to its operations in Japan, Asahi owns global beer brands and has regional operations in Europe, Oceania, and Southeast Asia. The company has 30,000 employees.

In a blog post, Postmark writes that "a malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC’d emails to an external server." Researchers at Koi Security have described the malicious npm package as "the world’s first sighting of a real world malicious MCP server." Koi's risk engine "flagged postmark-mcp when version 1.0.16 introduced some suspicious behavior changes." Postmark's true MCP server is published in GitHub, not npm.