Jaguar Land Rover have contained their network and stopped production after what appears to be a ransomware incident.
-
I can see ecrime infrastructure was talking to this at JLR https://beta.shodan.io/host/185.193.35.39
It's a SAP Netweaver box. The Lapsus$ kids have been running around with a SAP exploit for a while, prior thread reference: https://cyberplace.social/@GossiTheDog/115005311849134541
The lapsus$ guys also posted this screenshot, on an internal Jaguar Land Rover SAP box last night:
-
The lapsus$ guys also posted this screenshot, on an internal Jaguar Land Rover SAP box last night:
The Lapsus$ screenshot of Jaguar is legit, jlrint.com is their internal AD name, also solihull is a sub AD well documented online etc. https://www.scribd.com/document/317755552/Networker-Errors-and-Resolutions
-
The Lapsus$ screenshot of Jaguar is legit, jlrint.com is their internal AD name, also solihull is a sub AD well documented online etc. https://www.scribd.com/document/317755552/Networker-Errors-and-Resolutions
The lapsus guys continue to go nuts on IRC^H^H^HTelegram https://www.bbc.co.uk/news/articles/c4gqepe5355o
-
The lapsus guys continue to go nuts on IRC^H^H^HTelegram https://www.bbc.co.uk/news/articles/c4gqepe5355o
To back up ReliaQuest - this is the exploit LAPSUS guys have running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.
-
To back up ReliaQuest - this is the exploit LAPSUS guys have running around with on SAP Netweaver, just had a look this evening after acquiring the exploit. https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
There’s a metric ton - over 5 figures - of these boxes directly internet facing. Worse; from version printing, less than 5% are patched for the two CVEs being exploited.
Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. https://www.liverpoolecho.co.uk/news/liverpool-news/update-jaguar-land-rover-shut-32411513
Separately, the network border is also still offline (I have monitoring in place to see when they come back online).
-
Liverpool Echo reports Jaguar Land Rover production still isn't running, with factory staff told to stay at home, and report it impacts all manufacturing locations. https://www.liverpoolecho.co.uk/news/liverpool-news/update-jaguar-land-rover-shut-32411513
Separately, the network border is also still offline (I have monitoring in place to see when they come back online).
If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as been there, done that.
They'll frequently not even bother to deploy ransomware, they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.
-
If anybody runs into a LAPSUS$ incident at their org hit me up on Signal, I can try to help profile their MO as been there, done that.
They'll frequently not even bother to deploy ransomware, they'll also do crazy things (and like to write about poo, and send people poo packages in the mail). It's basically like fighting Mr Bean, who is also good at computers.
This isn't anything against the LAPSUS guys btw as they're basically having a five year ninja fight with Mandiant, DART, cyber standards and law enforcement while playing teenage Mr Bean and lets be honest... that's pretty funny and eye opening.
-
This isn't anything against the LAPSUS guys btw as they're basically having a five year ninja fight with Mandiant, DART, cyber standards and law enforcement while playing teenage Mr Bean and lets be honest... that's pretty funny and eye opening.
ITV reports Jaguar Land Rover has shut down car production in the UK, Slovakia, China, India and Brazil.
https://www.itv.com/news/2025-09-04/jaguar-land-rover-temporarily-halts-all-car-production-following-cyber-attack -
ITV reports Jaguar Land Rover has shut down car production in the UK, Slovakia, China, India and Brazil.
https://www.itv.com/news/2025-09-04/jaguar-land-rover-temporarily-halts-all-car-production-following-cyber-attackITV News 6pm lead story on Jaguar Land Rover
Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.
-
ITV News 6pm lead story on Jaguar Land Rover
Key take away is anonymous source at JLR saying they may need UK government support for motor sector off the back of the incident.
JLR is keeping all factory production suspended today, tomorrow, Sunday and at least Monday (possibly longer) in UK, Slovakia, China, India and Brazil.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-staff-until-32413174 -
JLR is keeping all factory production suspended today, tomorrow, Sunday and at least Monday (possibly longer) in UK, Slovakia, China, India and Brazil.
https://www.liverpoolecho.co.uk/news/liverpool-news/jaguar-land-rover-staff-until-32413174JLR direct employ 32k people in the UK so I imagine there's going to be ripple effects on the wider economy off the back of this one the longer it goes on.
-
JLR direct employ 32k people in the UK so I imagine there's going to be ripple effects on the wider economy off the back of this one the longer it goes on.
Meanwhile the LAPSUS guys were busy posting large numbers of US defense Top Secret marked documents last night. They've since been deleted from Telegram.
-
R AodeRelay shared this topic
