Brief #129: 7 ChatGPT Vulnerabilities, New OWASP 2025 Top 10, 2 Million Jobs Myth

Nikoloz Kokhreidze

11 min read

Samsung Galaxy zero-day exploited by LANDFALL spyware for surveillance across Middle East. Social engineering attacks surge 1,450% in H1 2025 with breakout times under 60 minutes.

Happy Sunday!

In this week's brief:

  • OWASP's 2025 Top 10 introduces Software Supply Chain Failures as a new #3 category, while social engineering attacks jumped 1,450% in the first half of 2025
  • ChatGPT vulnerabilities are enabling attackers to steal private data from hundreds of millions of users through 0-click attacks and memory poisoning techniques
  • The "two million cybersecurity jobs" narrative gets debunked with real data showing only 514,000 actual openings, explaining why qualified professionals struggle to find work

A quick note before we dive in.

Industry News

OWASP Releases Top 10 Application Security Risks for 2025

  • OWASP has published the Top 10:2025 release candidate featuring two new categories and one consolidation, with Broken Access Control maintaining its #1 position while Security Misconfiguration jumps from #5 to #2 based on data from 2.8 million tested applications.

  • The new Software Supply Chain Failures category expands beyond vulnerable components to encompass broader ecosystem compromises including build systems and distribution infrastructure, ranking #3 despite limited testing data but showing the highest average exploit and impact scores from CVEs.

  • The second new category, Mishandling of Exceptional Conditions (ranked #10), addresses improper error handling and logical errors, while the methodology now analyzes 589 CWEs (up from 400 in 2021), grouped into categories that focus on root causes rather than symptoms.
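As an added illustration of the kind of bug the new Mishandling of Exceptional Conditions category describes (this is example code written for this brief, not from OWASP or from any project it names; the `PolicyStore` backend, the `PolicyStoreUnavailable` error and the `is_allowed_*` functions are hypothetical), the following Python shows an authorization check that fails open when its policy backend errors, beside one that fails closed and records the denial:

```python
"""Fail-open vs fail-closed error handling around an authorization check.

Constructed example: PolicyStore stands in for a remote policy service that
can be unavailable; nothing here is real OWASP or vendor code.
"""

_AUDIT_LOG = []  # constructed stand-in for structured logging


def _audit(msg):
    _AUDIT_LOG.append(msg)


class PolicyStoreUnavailable(Exception):
    """Raised when the (hypothetical) policy backend cannot be reached."""


class PolicyStore:
    """Minimal in-memory stand-in for a remote policy service."""

    def __init__(self, grants, available=True):
        self._grants = grants        # {(user, resource): True}
        self.available = available

    def lookup(self, user, resource):
        if not self.available:
            raise PolicyStoreUnavailable("policy backend timed out")
        return self._grants.get((user, resource), False)


def is_allowed_fail_open(store, user, resource):
    """Vulnerable pattern: any backend error is swallowed and treated as allow.

    The exceptional path takes the permissive branch, so an outage (or one
    that an attacker induces) grants access to everyone.
    """
    try:
        return store.lookup(user, resource)
    except Exception:
        return True


def is_allowed_fail_closed(store, user, resource):
    """Hardened pattern: only an explicit positive answer grants access.

    The expected failure is caught narrowly, audited and denied; anything
    unexpected propagates so it surfaces instead of being masked.
    """
    try:
        decision = store.lookup(user, resource)
    except PolicyStoreUnavailable as exc:
        _audit(f"deny {user}@{resource}: policy unavailable ({exc})")
        return False
    return decision is True


def demo():
    """Run both checks against a healthy and an unavailable backend."""
    grants = {("alice", "/reports"): True}
    healthy = PolicyStore(grants, available=True)
    outage = PolicyStore(grants, available=False)
    return {
        "healthy_open": is_allowed_fail_open(healthy, "mallory", "/reports"),
        "healthy_closed": is_allowed_fail_closed(healthy, "alice", "/reports"),
        "outage_open": is_allowed_fail_open(outage, "mallory", "/reports"),
        "outage_closed": is_allowed_fail_closed(outage, "mallory", "/reports"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The point of the hardened version is not the `try` block but the shape of the decision: a missing or failed answer is never coerced into "allow", the caught exception type is the one the code actually expects, and the denial leaves an audit trail so an outage that starts producing denials is visible to operations.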

Unit 42 Discovers LANDFALL Android Spyware Exploiting Samsung Zero-Day Vulnerability

  • Researchers uncovered LANDFALL, a previously unknown Android spyware family targeting Samsung Galaxy devices through CVE-2025-21042, a zero-day vulnerability in Samsung's image processing library that was actively exploited in the wild before being patched in April 2025.

  • The spyware was delivered via malicious DNG image files likely sent through WhatsApp, enabling comprehensive surveillance capabilities including microphone recording, location tracking, and collection of photos, contacts, and call logs on targeted devices in the Middle East.

  • LANDFALL shares infrastructure and tradecraft patterns with commercial spyware operations, indicating possible links to private-sector offensive actors (PSOAs), with similarities observed to Stealth Falcon activity and references to "Bridge Head" terminology commonly used by commercial spyware vendors.

Scattered LAPSUS$ Hunters Emerges as Federated Cybercriminal Brand Combining Legacy Groups

  • A new cybercriminal umbrella brand called Scattered LAPSUS$ Hunters (SLH) emerged in August 2025, appropriating reputational assets from Scattered Spider, ShinyHunters, and LAPSUS$ groups while operating through a federated model rather than a formal merger of the original entities.

  • The group operates primarily through Telegram channels that have been recreated at least 16 times following takedowns, offering Extortion-as-a-Service capabilities and targeting cloud-first environments including SaaS providers, CRMs, and database systems for data theft and extortion.

  • SLH demonstrates advanced technical capabilities including AI-automated vishing, exploit development targeting CVE-2025-61882 (Oracle E-Business Suite) and CVE-2025-31324 (SAP NetWeaver), with evidence suggesting fewer than five core operators control approximately 30 public personas through sophisticated sockpuppetry.
