The CyberWire Daily Podcast 9.29.25
Ep 2402 | 9.29.25

The November that never ended.

Transcript

A Chinese state-sponsored group exploited enterprise devices in a global espionage effort. The UK Government guarantees £1.5 billion financing to help Jaguar Land Rover’s recovery efforts. A maximum-severity flaw in Fortra’s GoAnywhere Managed File Transfer product is under active exploitation. The AI boom faces sustainability questions. Akira ransomware bypasses MFA on SonicWall devices. Dutch teens are arrested for allegedly spying for Russia. Luxury retailer Harrods confirms a data breach. An Interpol crackdown targets African cybercrime rings. We’ve got our Monday business briefing. Brandon Karpf joins us to discuss the cybersecurity ecosystem in Japan. Cyber crooks offer a BBC journalist an early retirement package.

Today is Monday, September 29th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A Chinese state-sponsored group exploited enterprise devices in a global espionage effort. 

A Chinese state-sponsored group known as RedNovember has carried out a sweeping espionage campaign from June 2024 through July 2025. The hackers targeted defense contractors, government agencies, and corporations worldwide, exploiting flaws in VPN appliances and firewalls faster than organizations could patch them.

Researchers at Recorded Future documented breaches of at least two US defense contractors, more than 30 Panamanian government agencies, and firms across Europe, Asia, and South America. Victims included aerospace manufacturers and law firms. RedNovember relied on publicly available tools like the Pantegana backdoor, Cobalt Strike, and SparkRAT to maintain persistent access, sometimes for months at a time.

The campaign highlights how quickly adversaries can weaponize newly disclosed vulnerabilities, underscoring the need for rapid patching and tighter monitoring of network infrastructure.

The UK Government guarantees £1.5 billion financing to help Jaguar Land Rover’s recovery efforts. 

The UK government will guarantee a £1.5 billion loan for Jaguar Land Rover after a cyberattack forced the automaker to halt production at plants in the UK, Slovakia, Brazil, and India. The attack disrupted supply chains, leaving some vendors unpaid and staff sent home. The five-year loan, arranged through a commercial bank and backed by UK Export Finance, is intended to stabilize suppliers. Officials signaled that further government assistance for JLR and its network of 120,000 UK-linked jobs remains possible.

A maximum-severity flaw in Fortra’s GoAnywhere Managed File Transfer product is under active exploitation. 

Hackers are actively exploiting a maximum-severity flaw in Fortra’s GoAnywhere Managed File Transfer product, tracked as CVE-2025-10035. The deserialization vulnerability, located in the License Servlet, allows attackers to inject commands remotely without authentication. Security firm WatchTowr Labs reports credible evidence of exploitation as early as September 10, eight days before Fortra publicly disclosed the flaw.

Attackers leveraged the bug to achieve remote command execution, create backdoor accounts, and deploy secondary payloads, including a repurposed SimpleHelp binary for persistence. Researchers also observed privilege-checking commands and attempts to enable lateral movement.

Admins are urged to patch immediately, restrict internet exposure of the Admin Console, and review logs for suspicious entries. 

The AI boom faces sustainability questions. 

The current artificial intelligence boom may be unsustainable, according to new research from Deutsche Bank and Bain & Company. Deutsche warned that AI-related capital expenditure has become so large it is effectively keeping the U.S. out of recession. Without tech spending, the bank said, the economy would be near contraction. Bain, meanwhile, projected an $800 billion shortfall in revenues needed to sustain AI’s demand for computing power by 2030, even factoring in efficiency gains.

This wave of spending has distorted financial markets, with half of the S&P 500’s gains this year tied to tech stocks. Analysts noted that growth is being driven not by AI’s output, but by building the infrastructure to power it. Some warn the market is dangerously concentrated in the “Magnificent 7” tech giants. Still, Goldman Sachs offered a more optimistic view, predicting significant long-term productivity gains once AI adoption matures.

Akira ransomware bypasses MFA on SonicWall devices. 

Akira ransomware operators are continuing to exploit SonicWall SSL VPN devices, successfully logging into accounts even when one-time password multi-factor authentication is enabled. Arctic Wolf researchers say the activity links back to CVE-2024-40766, an improper access control flaw patched in August 2024. However, attackers appear to be reusing credentials and possibly OTP seeds stolen before devices were updated.

Google Threat Intelligence Group has observed similar behavior, assessing with high confidence that stolen OTP seeds are enabling renewed access to patched appliances. Once inside, Akira affiliates move quickly, scanning networks, enumerating Active Directory, and targeting Veeam servers to extract backup credentials. They also deploy Bring-Your-Own-Vulnerable-Driver techniques to disable endpoint protection before encryption.

Researchers stress that even fully patched systems remain at risk if credentials were compromised. SonicWall urges administrators to reset all VPN credentials and ensure devices are running the latest firmware.
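The "stolen OTP seed" point above is worth seeing in code, because it explains why a fully patched appliance and a fresh password can still be walked straight through. The following is an added illustration written for this page; it is not code from the podcast, Arctic Wolf, Google Threat Intelligence Group or SonicWall, and it says nothing about how SonicWall's firmware implements MFA. It implements standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and uses the RFC's published test secret so the expected codes are known values. The generalization it makes is the mechanism itself: whoever holds a copy of the seed can compute every future code, so a password reset alone changes nothing, and only re-enrolling (rotating the seed) invalidates the stolen copy.

```python
"""Why a stolen TOTP seed survives a password reset.

Added illustration for this transcript, not code from the podcast or from
any of the vendors or researchers it names.  Standard RFC 6238 TOTP over
HMAC-SHA1; the seed below is the RFC 6238 Appendix B test secret, so the
codes it produces are published, checkable values.
"""
import hashlib
import hmac
import secrets
import struct

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), SHA-1 variant.
RFC_SEED = b"12345678901234567890"
STEP = 30      # seconds per time step
DIGITS = 6     # code length


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter) followed by dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP evaluated over the current time step."""
    return hotp(seed, unix_time // step)


def verify(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew."""
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def attacker_can_log_in(stolen_seed: bytes, server_seed: bytes, now: int) -> bool:
    """An attacker holding a copy of the seed needs nothing else: the code
    they compute is the same one the victim's authenticator would show."""
    return verify(server_seed, totp(stolen_seed, now), now)


def reset_password_only(stolen_seed: bytes, server_seed: bytes, now: int) -> bool:
    """Rotating the password leaves the OTP seed untouched, so the stolen
    copy still yields valid codes (the scenario described in the story)."""
    return attacker_can_log_in(stolen_seed, server_seed, now)


def reenroll_mfa(stolen_seed: bytes, now: int) -> bool:
    """Re-enrolling MFA provisions a fresh random seed; the stolen copy is
    now worthless (return value is whether the attacker still gets in)."""
    new_seed = secrets.token_bytes(20)
    return attacker_can_log_in(stolen_seed, new_seed, now)


if __name__ == "__main__":
    now = 1111111109  # timestamp from the RFC 6238 test vectors
    print(totp(RFC_SEED, now))                           # 081804
    print(reset_password_only(RFC_SEED, RFC_SEED, now))  # True: still in
    print(reenroll_mfa(RFC_SEED, now))                   # False: locked out
```

The practical reading for defenders: treat an OTP seed as a credential in its own right. If a device may have leaked configuration before it was patched, "reset all VPN credentials" has to include re-enrolling every TOTP user, not just forcing new passwords.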

Dutch teens are arrested for allegedly spying for Russia. 

Dutch police have arrested two 17-year-old boys accused of spying for Russia using WiFi sniffer devices near sensitive locations in The Hague, including Europol, Eurojust, and the Canadian embassy. According to De Telegraaf, the teens were recruited via Telegram and caught following a tip from the Dutch intelligence service AIVD. Europol confirmed awareness of the case but said its systems remain uncompromised, citing robust security safeguards.

Authorities believe the teens intercepted wireless traffic for reconnaissance, though the full extent of their activity is under investigation. One was reportedly arrested at home while doing homework, with parents unaware of his espionage involvement. The suspects remain in custody for at least two weeks as charges proceed. The case highlights a troubling escalation in Russian recruitment of European youths for low-level espionage and sabotage activities.

Luxury retailer Harrods confirms a data breach. 

Luxury retailer Harrods has confirmed that hackers contacted the company after stealing data tied to 430,000 customer records in a breach involving a third-party provider. The stolen information includes names, contact details, and loyalty card data but no passwords, payment details, or order histories. Harrods said it will not engage with the attackers and is focused on supporting affected customers while cooperating with authorities. The company emphasized that most shoppers are in-store, limiting the breach’s overall impact.

An Interpol crackdown targets African cybercrime rings. 

Interpol announced that 260 people were arrested across several African countries in a coordinated crackdown on online fraud networks. Authorities identified more than 1,460 victims who collectively lost $2.8 million through romance scams, sextortion, and related schemes. Police dismantled scam infrastructure and seized over 1,200 devices, including SIM cards and USB drives.

Ghana reported the most arrests, detaining 68 suspects and recovering $70,000 of $450,000 in losses. Senegalese police arrested 22 for impersonating celebrities to defraud victims, while Côte d’Ivoire identified nearly 810 sextortion victims tied to 24 suspects. Angola detained eight linked to cross-border fraud cases.

Interpol warned of a sharp rise in digital-enabled crimes across Africa, stressing that online platforms have expanded opportunities for exploitation, with both financial and psychological harm to victims.

Turning to our Monday business briefing, 

The cybersecurity market saw a wave of acquisitions this past week. Cyberbit acquired RangeForce to expand its live-fire training catalog, while Halon bought Germany’s eleven cyber security to strengthen its email threat intelligence offerings. Spreedly added fraud prevention firm Dodgeball, Spectrotel picked up Mosaic NetworX to boost secure networking, and EchoStor acquired CyberNorth to extend MSSP services. Other deals included Unico buying OwnID for passwordless authentication, DigiCert acquiring Valimail for zero-trust email, and Blue Mantis acquiring Canadian MSP Coreio.

On the funding side, Terra Security raised $30 million to advance AI-driven red teaming, and GDPR compliance startup Kertos closed a $16.5 million round. Silent Push secured $10 million for global expansion, Unit 221B raised $5 million to enhance threat intelligence collaboration, and Mycroft emerged from stealth with $3.5 million to accelerate compliance automation. Finally, Austin-based Eve Security raised $3 million to develop its AI-powered observability platform.

If business news is your thing, be sure to check out our weekly cyber business brief, part of CyberWire Pro. All of the details on that are on our website, the cyberwire dot com.


Cyber crooks offer a BBC journalist an early retirement package. 

BBC cyber correspondent Joe Tidy got a firsthand lesson in insider threat recruitment when a hacker calling himself “Syndicate” slid into his Signal inbox with a tempting pitch: hand over BBC credentials, get a cut of a multimillion-dollar ransom. The offer started at 15 percent, then sweetened to 25 percent and promises of early retirement.

The hackers, tied to ransomware group Medusa, even offered a “trust payment” in bitcoin—because nothing says reliable business partner like cyber criminals promising not to scam you. When Tidy stalled, the charm offensive shifted to harassment, with a barrage of MFA pop-ups flooding his phone.

Ultimately, Tidy walked away with no beachside villa, but a hard reset from BBC security. The crooks vanished, account deleted, as if ghosting was part of their benefits package. His takeaway: insider recruitment isn’t theoretical—it’s happening, and it can come knocking in your DMs.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.