The lapsus guys continue to go nuts on IRC^H^H^HTelegram https://www.bbc.co.uk/news/articles/c4gqepe5355o
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Sep-2025 03:50:06 JST Kevin Beaumont
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 02-Sep-2025 22:23:01 JST Kevin Beaumont
Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident. VPNs and network border in UK all down.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 02-Sep-2025 22:32:31 JST Kevin Beaumont
Jaguar Land Rover moved their cybersecurity and IT functions to TCS two years ago 🫡
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 02-Sep-2025 23:27:20 JST Kevin Beaumont
Jaguar Land Rover is ransomware, I can see network traffic from infrastructure used by multiple e-crime groups over the past week.
They (JLR) appear to be doing contain to eradicate, i.e. all UK border services shut, Windows infrastructure offline etc.
J$ (js@mastodon.nl)'s status on Tuesday, 02-Sep-2025 23:34:24 JST J$
@GossiTheDog JLR allowed Windows in their infrastructure. Those seeking to celebrate the same achievements should follow the lead.
The rest of us: keep the leper colony at bay.
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 02-Sep-2025 23:38:26 JST 翠星石
@nopatience @GossiTheDog Windows is not cheap - it has extremely expensive "license" fees, things break all of the time and there is also the cost of getting hit by ransomware.
The cost of breaking all of microsoft's shackles over the short term just seems expensive compared to continuing to use windows.
Christoffer S. (nopatience@swecyb.com)'s status on Tuesday, 02-Sep-2025 23:38:28 JST Christoffer S.
@GossiTheDog Cheap will almost always prevail, until it doesn't.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 03-Sep-2025 04:50:28 JST Kevin Beaumont
Jaguar Land Rover latest from the outside looking in.
AS205756 aka JAGUAR LAND ROVER AUTOMOTIVE PLC is shut down - UK network only (however it hosts their most important infrastructure).
Staff have been told not to turn up to manufacturing facilities.
Tata Motors (parent company) appears to be online still but looks like a mess on Shodan, e.g. lots of SAP Netweaver boxes dangling directly off the internet.
Mark Koek (mkoek@mastodon.nl)'s status on Wednesday, 03-Sep-2025 05:09:30 JST Mark Koek
@GossiTheDog Did a Red Team against a TCS-run SOC once. So easy it wasn’t even funny.
apth (apth@infosec.exchange)'s status on Wednesday, 03-Sep-2025 05:43:25 JST apth
@GossiTheDog I would love to hear a little bit about what you're using to see that network traffic, as an aspiring CTI nerd
Alameals (alameals@cyberplace.social)'s status on Wednesday, 03-Sep-2025 18:36:55 JST Alameals
@GossiTheDog Any claimed responsibility for this yet?
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 03-Sep-2025 19:25:25 JST Kevin Beaumont
JLR - network border all still offline. Liverpool Echo reports factory production still at all stop.
Alex (alex02@cyberplace.social)'s status on Wednesday, 03-Sep-2025 23:02:24 JST Alex
@GossiTheDog they must like the party van.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 03-Sep-2025 23:02:25 JST Kevin Beaumont
The lapsus$ guys are taking credit for the Jaguar Land Rover thing, speed run to see how many times they can get v&'d in 5 years.
Alex (alex02@cyberplace.social)'s status on Wednesday, 03-Sep-2025 23:05:20 JST Alex
@GossiTheDog these kids have no idea how badly they're ruining their future. I have a misdemeanor cuz I took a plea deal and I still got majorly fucked. I bet they think becoming infamous like the kids in the 90's and early 2000's will make them rich and famous while landing jobs with zero effort.
Alex (alex02@cyberplace.social)'s status on Thursday, 04-Sep-2025 00:19:36 JST Alex
@GossiTheDog o_O
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Sep-2025 00:19:38 JST Kevin Beaumont
I can see ecrime infrastructure was talking to this at JLR https://beta.shodan.io/host/185.193.35.39
It's a SAP Netweaver box. The Lapsus$ kids have been running around with a SAP exploit for a while, prior thread reference: https://cyberplace.social/@GossiTheDog/115005311849134541
Alex (alex02@cyberplace.social)'s status on Thursday, 04-Sep-2025 00:20:53 JST Alex
@GossiTheDog imagine bragging about this being so easy when they probably bought the exploit with bitcoin.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Sep-2025 00:20:55 JST Kevin Beaumont
The lapsus$ guys also posted this screenshot, on an internal Jaguar Land Rover SAP box last night:
Jon PENNYCOOK (jonpsp@mstdn.social)'s status on Thursday, 04-Sep-2025 00:41:40 JST Jon PENNYCOOK
@GossiTheDog have they really still got servers in the ford.com domain after all these years?
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Sep-2025 05:42:35 JST Kevin Beaumont
To back up ReliaQuest - this is the exploit LAPSUS guys have been running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Sep-2025 20:50:39 JST Kevin Beaumont
Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. https://www.liverpoolecho.co.uk/news/liverpool-news/update-jaguar-land-rover-shut-32411513
Separately, the network border is also still offline (I have monitoring in place to see when they come back online).
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Sep-2025 20:54:53 JST Kevin Beaumont
If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as been there, done that.
They'll frequently not even bother to deploy ransomware, they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Sep-2025 21:09:59 JST Kevin Beaumont
This isn't anything against the LAPSUS guys btw as they're basically having a five year ninja fight with Mandiant, DART, cyber standards and law enforcement while playing teenage Mr Bean and let's be honest... that's pretty funny and eye opening.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 04-Sep-2025 22:47:15 JST Kevin Beaumont
ITV reports Jaguar Land Rover has shut down car production in the UK, Slovakia, China, India and Brazil.
https://www.itv.com/news/2025-09-04/jaguar-land-rover-temporarily-halts-all-car-production-following-cyber-attack
Gary Parker :party_porg: (witewulf@cyberplace.social)'s status on Thursday, 04-Sep-2025 23:20:19 JST Gary Parker :party_porg:
Stephan (erlenmayr@chaos.social)'s status on Friday, 05-Sep-2025 00:36:00 JST Stephan
@GossiTheDog That does not sound like ransomware any more. That sounds like an SAP migration.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 05-Sep-2025 03:11:19 JST Kevin Beaumont
ITV News 6pm lead story on Jaguar Land Rover
Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.
Just_Patch_It (just_patch_it@cyberplace.social)'s status on Friday, 05-Sep-2025 06:03:21 JST Just_Patch_It
@GossiTheDog well I’m glad I don’t have that shit hanging off my edge.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 05-Sep-2025 20:50:22 JST Kevin Beaumont
JLR is keeping all factory production suspended today, tomorrow, Sunday and at least Monday (possibly longer) in UK, Slovakia, China, India and Brazil.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-staff-until-32413174
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 05-Sep-2025 20:57:00 JST Kevin Beaumont
JLR directly employ 32k people in the UK so I imagine there's going to be ripple effects on the wider economy off the back of this one the longer it goes on.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 05-Sep-2025 21:08:48 JST Kevin Beaumont
Meanwhile the LAPSUS guys were busy posting large numbers of US defense Top Secret marked documents last night. They've since been deleted from Telegram.
greem (greem@cyberplace.social)'s status on Friday, 05-Sep-2025 21:53:52 JST greem
@GossiTheDog the docs, or the LAPSUS folks?
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 06-Sep-2025 05:18:17 JST Kevin Beaumont
One surprising thing with the Jaguar Land Rover incident - they've only isolated JAGUAR LAND ROVER AUTOMOTIVE PLC (AS205756), the UK network. The India, China etc networks are still online.
When I dealt with LAPSUS elsewhere they entered via a different country network/biz unit and then pivoted to target country/biz unit.
Seven (creativegamingname@cyberplace.social)'s status on Saturday, 06-Sep-2025 05:55:31 JST Seven
@GossiTheDog this whole event is... extra.
But you caught me with the IRC^H^H backspace.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 07-Sep-2025 05:46:46 JST Kevin Beaumont
JLR UK have got one internet facing system back online - wslx.jlrext.com
Single factor auth only because that's how automotives roll. If you visit direct IP, it's still branded Ford - Ford sold the business in 2008.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 09-Sep-2025 06:43:12 JST Kevin Beaumont
Just checked in on JLR - factory production won't be resuming tomorrow (day 7).
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 10-Sep-2025 02:23:09 JST Kevin Beaumont
Jaguar Land Rover car production is still shut down tomorrow, day 8. I’ve checked the network border, everything except one system in UK is also still offline.
Just_Patch_It (just_patch_it@cyberplace.social)'s status on Wednesday, 10-Sep-2025 10:16:03 JST Just_Patch_It
@GossiTheDog that’s $40 million gone poor, just in sales profits.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 10-Sep-2025 19:52:07 JST Kevin Beaumont
JLR are keeping car production closed until at least this weekend. They also say “some data was impacted”, whatever that means.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-issues-crisis-32447659
Khleedril (khleedril@cyberplace.social)'s status on Wednesday, 10-Sep-2025 22:21:12 JST Khleedril
@GossiTheDog It will be funny if cars start rolling off the production lines with manufactured dents in them.
Alex (alex02@cyberplace.social)'s status on Thursday, 11-Sep-2025 04:49:44 JST Alex
@GossiTheDog is this why uk keeps getting pwned by kids?
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 11-Sep-2025 04:49:45 JST Kevin Beaumont
JLR shouldn't feel bad, Tata Motors (their parent) is in way worse shape. They've even got Exchange Server with OWA internet facing without MFA.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 11-Sep-2025 04:49:46 JST Kevin Beaumont
JLR have started switching border routers back on (don't ask me why SNMP, NTP and SSH are internet facing).
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 11-Sep-2025 04:55:32 JST Kevin Beaumont
@alex02 I don't think it's particularly a UK issue, the whole cyber industry is basically a box ticking compliance failure. The UK's probably pivoted too hard on data theft legislation though, over prevention and protection.
Alex (alex02@cyberplace.social)'s status on Thursday, 11-Sep-2025 04:57:21 JST Alex
@GossiTheDog I was making a joke... xD
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 11-Sep-2025 05:13:14 JST Kevin Beaumont
@lfzz @alex02 yeah, it's getting worse in the trenches across the board. Orgs are going to end up buying Security Copilot because MS are really good at upselling to CIOs.. and end up losing a good portion of their security staff to pay for it. It's a mess.
lfzz (lfzz@mastodon.social)'s status on Thursday, 11-Sep-2025 05:13:15 JST lfzz
@GossiTheDog @alex02 wait do you mean the overstaffed audit team is actually useless checkbox generator while I can't even get a junior hired because "security team are expensive" and we should be able to automate/ai/buzzworddujours our work away? I am very shocked!
Just_Patch_It (just_patch_it@cyberplace.social)'s status on Thursday, 11-Sep-2025 20:54:57 JST Just_Patch_It
@GossiTheDog Clearly they don’t have an EASM program. Do they know their external footprint? NOT!
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 12-Sep-2025 05:40:49 JST Kevin Beaumont
Jaguar Land Rover have told factory workers worldwide to stay home until at least next Wednesday, which will be 17 days since the cyber incident began. https://www.bbc.co.uk/news/articles/c3e712nvyz9o.amp
Infoseepage (infoseepage@mastodon.social)'s status on Friday, 12-Sep-2025 05:52:44 JST Infoseepage
@GossiTheDog A car maker which cannot make cars doesn't seem like they're going to be a going concern for much longer. So many companies have made complex computer networks into a single point of failure for their entire line of business when they should be managed like the fucking Battlestar Galactica.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Sep-2025 02:21:55 JST Kevin Beaumont
Unite are calling on the government to urgently intervene over the Jaguar Land Rover cyber incident, to introduce a furlough scheme for their suppliers.
Gary Parker :party_porg: (witewulf@cyberplace.social)'s status on Saturday, 13-Sep-2025 03:46:35 JST Gary Parker :party_porg:
@GossiTheDog as a tax payer, but also a union member: screw that.
JLR should have insurance to cover this.
Just_Patch_It (just_patch_it@cyberplace.social)'s status on Saturday, 13-Sep-2025 05:27:51 JST Just_Patch_It
@GossiTheDog Have they not heard of Disaster Recovery? It’s also called “Business Continuity Plan” just in case I’m not clear.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Sep-2025 05:36:57 JST Kevin Beaumont
@greem @WiteWulf yeah it’s exactly that, JLR’s suppliers. Because JLR have ceased production, their downstream suppliers essentially have no work.
greem (greem@cyberplace.social)'s status on Saturday, 13-Sep-2025 05:36:59 JST greem
It isn't JLR that's affected here though (although they are, and friends of mine who work for them are currently having nightmares) - it's their suppliers. By that argument, they should also have insurance.
I guess tying a small company's entire output to one upstream behemoth used to be a safe bet, but not now.
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Sep-2025 15:07:04 JST Kevin Beaumont
JLR have lost between £50m-£100m so far according to BBC estimates https://www.bbc.co.uk/news/articles/czdjn0lv64ro
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Sep-2025 15:18:10 JST Kevin Beaumont
If anybody is interested, TCS’ website says JLR outsourced cybersecurity (not sure which bits) to it a few years ago.
TCS also run security operations and monitoring for Co-op (my old team) along with their IT and IT helpdesk, and M&S secops monitoring, IT and IT helpdesk.
VessOnSecurity (bontchev@infosec.exchange)'s status on Saturday, 13-Sep-2025 15:32:44 JST VessOnSecurity
@GossiTheDog I wonder how big the ransom was...
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Sep-2025 15:32:44 JST Kevin Beaumont
@bontchev they likely paid it
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 13-Sep-2025 17:01:25 JST Kevin Beaumont
@sneakymonkey they aren’t, their suppliers are
Mark :unverified: :thisisfine: (sneakymonkey@infosec.exchange)'s status on Saturday, 13-Sep-2025 17:01:26 JST Mark :unverified: :thisisfine:
I don’t get it..
BBC news article,
“However, the company made a pre-tax profit of £2.5bn in the year to the end of March, which implies it has the financial muscle to weather a crisis that lasts weeks rather than months.”
But they call for Gov for furlough…