Cyber Briefing: 2025.09.17
ChatGPT calendar flaw steals emails, SMBv1 update breaks shares, Scattered Spider resurfaces, DHS data leak, npm worm, JLR hit, RaccoonO365 down, MS support ending
👉 What's happening in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. ChatGPT Calendar Flaw Lets Email Theft
An AI security firm has discovered a new vulnerability in a ChatGPT calendar integration that could be exploited to steal a user’s emails. The attack works when a user asks ChatGPT to check their calendar: the request unwittingly triggers a malicious prompt from a specially crafted calendar invitation, allowing an attacker to exfiltrate sensitive data.
2. Windows Update Breaks SMBv1 Shares
Microsoft's September 2025 security updates are causing connection problems for users accessing Server Message Block (SMB) v1 shares, affecting a wide range of Windows client and server platforms. A temporary fix involves allowing traffic on TCP port 445 to force connections to use TCP instead of NetBIOS over TCP/IP (NetBT).
3. Scattered Spider Returns Despite Exit
Cybersecurity researchers have linked a recent wave of cyber attacks on financial services to the group Scattered Spider, casting doubt on their claims that they had ceased operations.
💥 Cyber Incidents
4. DHS Data Hub Leaked Sensitive Intel
A misconfigured internal platform used by the Department of Homeland Security (DHS) to share sensitive intelligence with government partners accidentally exposed national security data, including information on the surveillance of Americans, to thousands of unauthorized users. These users included private-sector contractors, foreign nationals, and federal employees who had no reason to access the sensitive information.
5. Worm Infects 180 npm Packages
A self-replicating worm, dubbed "Shai-hulud," is compromising packages on the npm Registry, a package manager for JavaScript. The worm steals authentication tokens from infected developers' computers and uses them to infect other packages, perpetuate its spread, and exfiltrate secrets from GitHub repositories by making them public.
6. Jaguar Land Rover Delays Restart After Cyberattack
Jaguar Land Rover (JLR) extended a production shutdown for another week after a recent cyberattack disrupted its systems. The company is currently investigating the breach, for which a group calling itself "Scattered Lapsus$ Hunters" has claimed responsibility.
📢 Cyber News
7. RaccoonO365 Phishing Network Down
Microsoft's Digital Crimes Unit, working with Cloudflare, has taken down 338 websites linked to a phishing-as-a-service toolkit known as RaccoonO365. This coordinated effort disrupted an operation that stole over 5,000 Microsoft 365 credentials from victims in 94 countries.
8. Windows 10 Support Ends in 30 Days
With less than 30 days left until the end of support, Microsoft is urging Windows 10 users to upgrade. After October 14, Microsoft will no longer provide security updates or technical support for Windows 10.
9. Exchange 2016, 2019 Support Ends Soon
Microsoft is once again reminding administrators that support for Exchange 2016 and 2019 servers ends next month, on October 14, 2025. To avoid security risks and maintain support, the company urges users to either upgrade to Exchange Server Subscription Edition or migrate to Exchange Online.
📈 Cyber Stocks
In the early hours of Wednesday, September 17, 2025, cybersecurity stocks showed mixed movement as investors weighed persistent inflation concerns, cautious expectations ahead of the Federal Reserve’s upcoming policy decisions, and company-specific developments shaping the sector. Some stocks found support from steady demand for security services, while others came under pressure from valuation worries and profit-taking.
Cloudflare (NET) closed at $219.24, declining 2.91 percent as investors engaged in profit taking after its recent rally and considered the impact of higher infrastructure costs on margins.
Rapid7 (RPD) finished at $19.63, gaining 1.03 percent on modest analyst optimism and resilience in its threat detection offerings despite broader macroeconomic headwinds.
CrowdStrike (CRWD) ended at $444.98, holding steady as confidence in its endpoint security and AI-driven threat protection platform was tempered by valuation concerns and slower growth expectations.
SentinelOne (S) settled at $17.87, falling 2.35 percent as investor scrutiny over margin expansion and competitive pressures in the endpoint market outweighed enthusiasm for its product roadmap.
Okta (OKTA) closed at $89.92, down 1.09 percent as concerns about slowing enterprise spending on identity solutions in a weaker economic climate pressured the stock despite its recurring revenue strength.
💡 Cyber Tip
💻 Windows Update Breaks SMBv1 Network Shares
Microsoft’s September 2025 security updates are breaking SMBv1 connections, preventing users from accessing shared files and folders over the outdated protocol. The issue affects both Windows client systems and server platforms when the update is applied to either side of the connection.
✅ What you should do
Apply Microsoft’s temporary workaround: allow traffic on TCP port 445 so SMB uses modern TCP instead of NetBIOS over TCP/IP
Begin migrating away from SMBv1 to newer versions like SMBv2 or SMBv3
Audit networks for devices still using SMBv1 and plan replacements or upgrades
Monitor Microsoft’s advisories for the permanent fix in upcoming patches
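The audit and workaround checks from the list above, as an added PowerShell example (not part of the original briefing and not Microsoft's own script). It assumes an elevated session on the Windows host being audited; `$PeerHost` and its default value are hypothetical placeholders for a file server you connect to.

```powershell
# Added example: SMBv1 audit for one Windows host. Run from an elevated session.
# $PeerHost is a hypothetical placeholder; replace it with a real file server name.
param([string]$PeerHost = 'fileserver.example.internal')

# 1. Is the SMBv1 server component enabled, and is SMBv1 access auditing on?
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Smb1ServerEnabled = $cfg.EnableSMB1Protocol
    Smb1AuditEnabled  = $cfg.AuditSmb1Access
}

# 2. Is the SMBv1 optional feature still installed on this machine?
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 3. Enable auditing so that any client still speaking SMBv1 to this host is logged.
if (-not $cfg.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# 4. List recent SMBv1 access events (ID 3000). Each one names a client that
#    still needs migrating. The log is empty until auditing has been on for a while.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 5. Outbound view: dialect negotiated for each current connection from this host.
#    A Dialect value below 2 means the session is using SMBv1.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect |
    Sort-Object Dialect

# 6. Workaround check: can this host reach the peer on TCP 445, so SMB can run
#    directly over TCP instead of NetBIOS over TCP/IP?
Test-NetConnection -ComputerName $PeerHost -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Steps 1 to 5 only read state, apart from turning on audit logging in step 3; run them on every host that serves or consumes shares to build the SMBv1 migration list.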
🔒 Why this matters
SMBv1 is a 30-year-old protocol tied to major exploits like EternalBlue, which powered WannaCry and NotPetya. These new update issues reinforce Microsoft’s long-standing guidance: fully remove SMBv1 to improve security and avoid future disruptions.
📚 Cyber Book
The Truth About Employment Scams (2010) by Steve Weisman
That concludes today’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.