This briefing covers security developments from Wednesday, September 18th, 2025, reviewing eight articles from 0709 to 1816 hours UTC.
Threat Intelligence.
A major breakthrough occurred in the Scattered Spider investigation with charges filed against UK national Thalha Jubair for orchestrating over 120 ransomware attacks that netted more than 115 million dollars in ransom payments. Two teenagers, 19-year-old Thalha Jubair from East London and 18-year-old Owen Flowers from Walsall, have been charged specifically in connection with the Transport for London cyber attack that caused 39 million pounds in damages and three months of service disruption. Meanwhile, CYFIRMA reports that India is currently under sustained multi-nation hacktivist attacks across various sectors.
Vulnerabilities.
Microsoft has patched a critical Entra ID vulnerability designated CVE-2025-55241 that could have provided Global Admin access to every Entra ID tenant worldwide. The flaw involved undocumented "Actor tokens" combined with improper validation in the legacy Azure AD Graph API, allowing cross-tenant access that bypassed all security policies including Conditional Access. CISA has issued an analysis report regarding malicious listeners targeting Ivanti Endpoint Mobile Management Systems, though specific technical details are currently unavailable. SonicWall has disclosed a MySonicWall Cloud backup file incident, with details available in their knowledge base.
Tools.
A new proof-of-concept tool called Obex, released on GitHub, demonstrates techniques for blocking security monitoring DLLs during process initialization. The tool can prevent EDR and monitoring libraries from loading into processes by spawning applications under debug control and maintaining a configurable blocklist of unwanted modules. Additionally, the UK's National Cyber Security Centre has published an External Attack Surface Management buyer's guide to help organizations evaluate EASM solutions.