September 21, 2025

Cyber OSINT Overview, Sep 15 - Sep 21, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • AI’s dual role in cybersecurity, both as an enabler for sophisticated attacks and a tool for advanced defense, is a prominent discussion. Threat actors leverage AI for phishing, ransomware generation, malware customization, and social engineering, while security operations use it for threat detection, automated response, and governance. The rapid adoption of AI introduces new security challenges, necessitating robust AI governance and proactive defense strategies.
  • The evolving landscape of ransomware attacks continues to be a major concern, with new groups emerging and tactics shifting. Ransomware operations increasingly exploit vulnerabilities in edge and VPN devices for initial access and leverage cloud environments for data exfiltration and encryption. Threat actors are also using brand mimicry and double extortion tactics, indicating a persistent and adapting threat to various sectors globally.
  • Supply chain attacks are increasingly targeting software development ecosystems and open-source packages, leading to widespread compromises. Self-replicating worms like ‘Shai-Hulud’ infect NPM packages, steal developer credentials and cloud keys, and then propagate further by publishing secrets to public repositories and injecting malicious code into other packages.
  • The issue of phishing and social engineering remains a persistent and evolving threat. Attackers are increasingly leveraging AI to craft highly convincing and personalized phishing emails and websites, often using legitimate-looking infrastructure and anti-bot techniques to evade detection. These campaigns aim to steal credentials, bypass multi-factor authentication, and serve as initial access for larger attacks.
  • Managing vulnerabilities and overall cyber exposure is critical for organizational security. Organizations are shifting towards comprehensive exposure management platforms that unify data from various sources, enrich it with contextual relationships, and leverage AI to prioritize risks and automate remediation. This approach moves beyond traditional vulnerability scanning to provide a more holistic and proactive defense, addressing challenges like tool sprawl and improving communication of cyber risk to boards.

Critical Vulnerabilities

  • A critical command injection vulnerability (CVE-2025-10035) exists in Fortra’s GoAnywhere Managed File Transfer (MFT) License Servlet. This deserialization flaw allows a remote attacker with a validly forged license response signature to execute arbitrary commands. Users should immediately apply the latest patches (versions 7.8.4 or 7.6.3) and ensure the GoAnywhere Admin Console is not publicly exposed to the internet, as exploitation is highly dependent on external exposure.
  • Google Chrome has released an emergency patch for a critical zero-day vulnerability (CVE-2025-10585) involving a Type Confusion flaw in the V8 JavaScript engine. This vulnerability is actively exploited in the wild, allowing arbitrary code execution, and potentially leading to browser crashes or full system compromise. All users of Chrome and other Chromium-based browsers (e.g., Microsoft Edge) are urged to update immediately.
  • Multiple critical vulnerabilities in WatchGuard Firebox firewalls (CVE-2025-9242), Ivanti Endpoint Manager Mobile (EPMM) (CVE-2025-4427, CVE-2025-4428), and Nokia CBIS/NCS Manager API (CVE-2023-49564, CVE-2023-49565) pose significant risks for remote code execution, authentication bypass, and denial of service. These flaws affect widely used network and mobile device management platforms, with Ivanti vulnerabilities already being actively exploited in the wild. Immediate patching and strict access controls are essential for affected systems.
  • Apple has released comprehensive security updates for iOS, iPadOS, macOS, tvOS, and watchOS to address numerous vulnerabilities, some of which could lead to arbitrary code execution, privilege escalation, or sensitive data access. Notably, an already-exploited zero-day (CVE-2025-43300) was backported to older iOS versions. Users are strongly encouraged to apply these updates to protect their devices.
  • Multiple industrial control systems (ICS) products from various vendors, including ABB, Siemens, Schneider Electric, Hitachi Energy, Westermo, Cognex, and Delta Electronics, contain critical vulnerabilities ranging from command injection and deserialization of untrusted data to authentication bypass, weak credentials, and denial-of-service flaws. These vulnerabilities affect diverse critical infrastructure sectors like energy, manufacturing, and water systems. CISA emphasizes immediate patching, limiting network exposure, and employing secure remote access methods like VPNs for these systems.
  • Multiple software products, including Mozilla Firefox, Firefox ESR, Thunderbird, Apple Safari, and various Microsoft Edge (Chromium-based) versions, are affected by several vulnerabilities. These flaws could allow for arbitrary code execution, information disclosure, security feature bypasses, and spoofing attacks. Users and administrators are advised to review security advisories and apply the necessary updates promptly to mitigate risks.
  • Multiple vulnerabilities have been identified across various HPE and Atlassian products, including HPE Telco Intelligent Assurance, HPE Aruba Networking EdgeConnect SD-WAN, Atlassian Confluence, Jira, and Jira Service Management. These flaws could lead to command execution, data exposure, and other unspecified attacks. Users are advised to review vendor advisories and apply necessary updates to mitigate risks.
  • Dell has released security advisories to address multiple vulnerabilities in its client platforms (Latitude Rugged Extreme series) and PowerProtect products. These include an AMI BIOS vulnerability and other third-party component flaws. Users and administrators are encouraged to review the provided web links and apply the necessary updates to their affected Dell products.
  • Jenkins has released urgent security updates to patch multiple vulnerabilities in its weekly and LTS releases. These flaws include a high-severity HTTP/2 denial-of-service issue in the bundled Jetty component, as well as permission-check omissions and a log message injection bug. Administrators are strongly advised to upgrade to Jenkins weekly 2.528 or LTS 2.516.3 immediately, or to disable HTTP/2 as a temporary mitigation.
  • Numerous high and medium severity vulnerabilities continue to be reported in the Linux Kernel, Red Hat Enterprise Linux, Microsoft Windows and Windows Server. These flaws frequently enable denial-of-service attacks, privilege escalation, information disclosure, and arbitrary code execution. Regular and timely application of updates and patches for these widely used operating systems and platforms is crucial for maintaining a strong security posture.

Major Incidents

  • SonicWall’s MySonicWall.com platform was breached through brute-force attacks, exposing customer firewall configuration backup files. These files, while containing encrypted passwords, could still simplify future exploitation of customer firewalls due to network architecture, rules, and policy details. SonicWall advises affected customers to implement containment steps, reset credentials, and monitor logs for unusual activity.
  • A major cyberattack on Collins Aerospace’s MUSE software disrupted check-in and baggage drop systems at several European airports, including London Heathrow, Brussels, and Berlin. This incident caused hundreds of flight delays and cancellations, forcing airports to revert to manual operations. While no passenger data theft has been confirmed, the event highlights the vulnerability of critical aviation infrastructure to supply chain attacks.
  • The notorious Scattered Spider cybercriminal operation has been linked to numerous high-impact attacks, including a breach of a U.S. federal court network and the Transport for London systems. Two key members, Thalha Jubair and Owen Flowers, were arrested in the UK, facing charges related to computer fraud, wire fraud, and money laundering. Their operations resulted in victims paying at least $115 million in ransoms and exposed sensitive personal data.
  • The Panamanian Ministry of Economy and Finance (MEF) suffered a ransomware attack by the INC Ransom group, leading to the theft of over 1.5TB of sensitive data, including emails and financial documents. This incident highlights the critical impact of ransomware on governmental fiscal operations and management.
  • The Jaguar Land Rover (JLR) automotive manufacturer experienced a cyberattack, attributed to the Scattered LAPSUS$ Hunters group, which caused a production shutdown at its UK factories. This incident has escalated into a national crisis for the UK, potentially affecting over 200,000 workers in the supply chain and costing at least £50 million per week in lost production.
  • Luxury fashion group Kering, owning brands like Gucci, Balenciaga, and Alexander McQueen, confirmed a data breach in June 2025. The ShinyHunters hacking group claimed responsibility, alleging compromise via Salesforce CRM, and stole millions of customer records including names, dates of birth, phone numbers, and email addresses. While no financial information was breached, exposed personal details create opportunities for follow-up phishing and social engineering attacks on wealthy victims.

Emerging Threats

  • A new self-replicating worm, dubbed “Shai-Hulud,” is actively compromising the npm ecosystem in a large-scale supply chain attack. This worm steals developer credentials, cloud keys, and tokens by scanning infected systems, exfiltrates data to new public GitHub repositories, and spreads by injecting malicious code into other packages maintained by compromised users. This automated propagation highlights a significant evolution in software supply chain threats, demanding urgent attention from organizations using npm in their development workflows.
  • AI-powered malware, including ‘PromptLock’ and ‘MalTerminal’, represents a significant shift in threat development. These tools leverage Large Language Models (LLMs) to dynamically generate malicious code such as ransomware and reverse shells at runtime. This capability allows malware to bypass static analysis and signature-based detection, making traditional security methods less effective. Defenders must adapt strategies to detect LLM-enabled malware by focusing on artifacts unique to LLM integration, such as embedded API keys and prompt structures.
  • Nation-state threat actors, including Russian groups like Turla and Gamaredon, are increasingly collaborating with cybercriminal organizations and leveraging criminal proxies to advance geopolitical objectives. This collaboration involves sharing tools and infrastructure to conduct sophisticated espionage, ransomware, and hacktivism campaigns, particularly targeting critical infrastructure and government entities in countries like Ukraine. This strategy aims to obscure attribution and enhance the impact of cyber operations.
  • AI-driven phishing campaigns are becoming increasingly sophisticated, leveraging advanced content-generation platforms and real-time language models. These campaigns craft highly personalized emails and fake login pages, often using genuine branding and anti-bot techniques to evade security tools. They also employ polymorphic payloads that mutate text and embedded URLs to bypass static blocklists, making them difficult to detect and mitigate through traditional methods.
  • Threat actors are increasingly impersonating IT and cybersecurity professionals or recruiters through sophisticated social engineering tactics. These schemes, often leveraging AI-generated video, voice, and fake personas, aim to infiltrate companies by manipulating hiring processes. Campaigns like North Korea’s ‘Contagious Interview’ lure job seekers with phony offers or malicious coding tests to steal sensitive data, deploy malware, or gain privileged access.
  • New malware strains like Sality and ACR Stealer demonstrate advanced stealth and persistence mechanisms. Sality, a polymorphic file-infecting virus, creates peer-to-peer botnets for spamming, data theft, and DDoS attacks, actively disabling security software. ACR Stealer is an information-stealing malware-as-a-service (MaaS) that harvests credentials, financial details, and browser data, using advanced obfuscation, virtual machine checks, and unconventional C2 platforms like Google Docs to evade detection.
  • The rise of “Shadow AI,” where employees use unsanctioned AI tools without oversight, introduces complex risks to organizations. Unlike Shadow IT, Shadow AI transforms, exposes, and learns from sensitive data, creating vulnerabilities such as data leakage, model misuse, and legal exposure from copyright or privacy violations. This trend highlights the urgent need for visibility into AI usage, strict access controls, and proper AI governance to prevent new attack vectors like poisoned inputs or insecure AI-generated code.
  • The global spyware market is expanding, with a notable increase in US-based investors funding spyware companies despite policy actions against them. This market heavily relies on resellers and brokers as intermediaries, who obscure connections between vendors and buyers, facilitating the proliferation of cyber surveillance tools. These entities often connect vendors to new regional markets, creating a critical information gap for effective policy enforcement.
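One defender-side check for npm supply-chain worms like the one described above: enumerate every install-time lifecycle hook in a dependency tree, since npm runs those automatically on developer machines. This is an added example, not code from the brief; the package names and manifests are constructed.

```python
import json
import os
import tempfile

# Lifecycle hooks that npm runs on its own during `npm install`; a package that
# declares one executes code on the installing machine without any further action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_install_hooks(root):
    """Walk a node_modules tree and return one tuple per install-time hook found:
    (package name, version, hook, command), sorted for stable reporting."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, not a finding
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((pkg.get("name", "?"), pkg.get("version", "?"),
                                 hook, scripts[hook]))
    return sorted(findings)


def build_sample_tree():
    """Constructed node_modules tree (not real packages) with one hook-bearing
    package nested as a transitive dependency, so the walk has to recurse."""
    root = tempfile.mkdtemp(prefix="nm_audit_")
    manifests = {
        "node_modules/left-util/package.json": {
            "name": "left-util", "version": "1.0.0"},
        "node_modules/left-util/node_modules/color-shim/package.json": {
            "name": "color-shim", "version": "2.3.1",
            "scripts": {"postinstall": "node setup_bundle.js", "test": "jest"}},
        "node_modules/plain-lib/package.json": {
            "name": "plain-lib", "version": "0.9.0",
            "scripts": {"build": "tsc"}},  # build scripts do not run on install
    }
    for rel, content in manifests.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(content, fh)
    return root


if __name__ == "__main__":
    for name, ver, hook, cmd in audit_install_hooks(build_sample_tree()):
        print(f"{name}@{ver}: {hook} -> {cmd}")
```

Run it against a real checkout by passing the project's node_modules path to audit_install_hooks and review every hook it lists.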
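The detection approach the AI-powered malware item above recommends, as an added example that is not from the brief or any vendor: a strings-style scan that scores a file on artifacts of LLM integration (API-key-like tokens, LLM API hosts and paths, chat-message JSON shapes, instruction phrasing). The regexes, weights and both samples are assumptions constructed for illustration, not published signatures for PromptLock or MalTerminal.

```python
import re
from dataclasses import dataclass, field

# Treat printable ASCII runs of this length or more as strings, like strings(1),
# so the same scan works on scripts and on compiled binaries.
MIN_STR_LEN = 8

# Artifacts of LLM integration: (weight, regex). Assumed client conventions;
# key-like tokens are the strongest signal, prompt phrasing the weakest.
PATTERNS = {
    "api_key_openai_style": (3, re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b")),
    "bearer_header":        (3, re.compile(r"Authorization:\s*Bearer\s+\S{16,}", re.I)),
    "llm_api_host":         (2, re.compile(r"api\.openai\.com|api\.anthropic\.com", re.I)),
    "chat_api_path":        (2, re.compile(r"/v1/(chat/completions|messages|completions)\b")),
    "chat_role_field":      (1, re.compile(r'"role"\s*:\s*"(system|user|assistant)"')),
    "model_field":          (1, re.compile(r'"model"\s*:\s*"[A-Za-z0-9.\-]+"')),
    "instruction_phrase":   (1, re.compile(r"\b(you are an?|respond only with|output only)\b", re.I)),
}


@dataclass
class ScanResult:
    hits: dict = field(default_factory=dict)  # artifact name -> matched strings
    score: int = 0


def extract_strings(data: bytes, min_len: int = MIN_STR_LEN) -> list:
    """Return printable ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan(data: bytes) -> ScanResult:
    """Score a blob for LLM-integration artifacts; each artifact counts at most 3 hits."""
    result = ScanResult()
    text = "\n".join(extract_strings(data))
    for name, (weight, regex) in PATTERNS.items():
        found = [m.group() for m in regex.finditer(text)]
        if found:
            result.hits[name] = found
            result.score += weight * min(len(found), 3)
    return result


def is_llm_enabled(data: bytes, threshold: int = 5) -> bool:
    """Flag only when independent artifacts add up; one key-like string or one
    prompt phrase on its own stays below the threshold."""
    return scan(data).score >= threshold


# Constructed samples (not real malware): a script that fetches code from a hosted
# model at runtime, and a script that only does local file work.
SAMPLE_LLM = b'''#!/usr/bin/env python3
import json, urllib.request
API_KEY = "sk-CONSTRUCTEDEXAMPLEKEY0123456789abcdef"
URL = "https://api.openai.com/v1/chat/completions"
body = {"model": "example-model", "messages": [
    {"role": "system", "content": "You are a code generator. Respond only with code."}]}
req = urllib.request.Request(URL, json.dumps(body).encode(), {"Authorization": "Bearer " + API_KEY})
'''
SAMPLE_BENIGN = b'''#!/usr/bin/env python3
import os
for name in sorted(os.listdir(".")):
    print(name, os.path.getsize(name))
'''

if __name__ == "__main__":
    for label, blob in (("llm-sample", SAMPLE_LLM), ("benign-sample", SAMPLE_BENIGN)):
        r = scan(blob)
        print(label, r.score, sorted(r.hits))
```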

Regulatory and Policy Updates

  • The Cybersecurity Information Sharing Act of 2015 (CISA 2015), which provides liability protections for private sector cybersecurity information sharing, is set to expire on September 30, 2025. This impending expiration raises concerns about discouraging critical infrastructure organizations from sharing threat intelligence, potentially impacting national security. The future of the CVE Program, a critical global resource for cataloging software and hardware bugs, is also in limbo as CISA and board members debate its leadership and funding model.
  • The Trump administration is planning to expand the U.S. quantum strategy, considering executive actions such as national plans or mandates to accelerate federal agencies’ migration to post-quantum protections. The deadline for this migration might be moved up from 2035 to 2030, emphasizing the urgency to defend against future quantum-enabled hacks and maintain global dominance in national security technology.
  • Japan is accelerating its “Government Cloud” initiative, aiming to standardize and migrate all local government core business systems to a shared cloud environment by the end of fiscal year 2025. This strategic move, prompted by lessons from the COVID-19 pandemic, seeks to enhance security and availability, enable faster service deployment, and reduce vendor lock-in by fostering a “cloud-by-default” principle with standardized applications.
  • The European Union’s AI Act, set to be gradually implemented from August 2024, introduces stringent transparency requirements for AI developers, including public disclosure of training data overviews for general-purpose AI models and mandatory labeling for AI-generated content. This regulatory framework, alongside the Digital Single Market (DSM) Directive, prioritizes creator rights and aims to become a de facto international standard, influencing global AI development and data utilization practices.
  • A data broker, Airlines Reporting Corporation (ARC), is reportedly selling access to over five billion airline passenger records to various U.S. government agencies through its Travel Intelligence Program (TIP). This raises significant privacy concerns, as it provides federal customers with warrantless access to extensive data, including names, flight itineraries, and financial details, impacting millions of individuals.
  • Australia’s privacy regulator ruled that Kmart’s use of facial recognition technology without explicit customer consent was unlawful, violating the Privacy Act. This decision emphasizes the strict legal scrutiny surrounding the collection of sensitive biometric data and reinforces the need for businesses to ensure transparency and proportionality in such deployments, or face penalties.
  • The Cyberspace Administration of China has enacted new National Cybersecurity Incident Reporting Management Measures. These measures mandate network operators, particularly those managing critical information infrastructure, to report cybersecurity incidents immediately to protection departments and public security organs. This top-down approach reinforces state control over cyber incident information and is part of China’s broader national strategy to integrate data and AI into its social systems.

Security Operations

  • Cybersecurity strategies are shifting towards comprehensive exposure management platforms that provide a unified, holistic view of cyber risk. These platforms integrate data from various sources, enrich it with contextual relationships, and leverage AI to prioritize risks and automate remediation across the entire attack surface. This evolution aims to move beyond traditional vulnerability management by bridging data silos, enabling better insights, increasing productivity, and improving communication of cyber risk to executive boards.
  • Organizations are increasingly prioritizing cyber resilience, focusing on the ability to prepare for, respond to, and recover from cyberattacks and disruptions. This comprehensive approach integrates robust cybersecurity foundations, risk management, threat detection, business continuity, and incident response, often aligned with established frameworks like NIST CSF 2.0. The goal is to ensure continuous operations and adapt to evolving threats, emphasizing proactive measures and swift recovery.
  • Cisco is enhancing firewall operations through autonomous AI-driven management, focusing on AIOps and AgenticOps. These advanced systems analyze configurations, health status, and traffic patterns to proactively detect anomalies, predict bugs, and guide upgrades in real-time. This approach aims to shift from reactive troubleshooting to proactive remediation, optimizing firewall performance and strengthening security posture across hybrid environments.
  • Proofpoint has launched the first agentic AI solution for Human Communications Intelligence (HCI), transforming digital communications governance. This solution uses intelligent agents to interpret human intent and contextualize communications across over 80 channels in real-time. It aims to detect and prevent misconduct, regulatory risks, and insider threats before they escalate, moving beyond traditional content capture and archiving to provide AI-powered risk reasoning and detection.
  • CISA has published new guidance on Operational Technology (OT) asset inventory and taxonomy, emphasizing its foundational role in building a defensible security posture and resilient operations. This framework outlines six key steps: defining scope and governance, identifying assets, collecting attributes, creating a taxonomy, managing data, and implementing lifecycle management. The guidance is crucial for organizations to gain visibility and control in complex IT/OT environments and meet cybersecurity requirements.
  • SOC workflows are being optimized through the integration of interactive sandbox environments and real-time threat intelligence feeds. Solutions like ANY.RUN’s Interactive Sandbox provide immediate access to virtual environments for analyzing suspicious files and URLs, boosting detection rates and accelerating incident resolution. Automated threat intelligence correlation helps overcome alert fatigue, allowing security teams to focus on critical threats and ensure quicker, more accurate responses.
  • The cybersecurity industry faces a critical talent gap, with a growing demand for professionals possessing strong human skills alongside technical expertise. In the AI era, employers prioritize teamwork, problem-solving, analytical thinking, and communication, as AI automates routine tasks. This shift necessitates new career pathways, continuous learning, and mentorship programs to cultivate hybrid technologists who can bridge technical and business domains, effectively managing AI governance, ethics, and strategic planning.

Wins

  • Microsoft, in collaboration with Cloudflare and international law enforcement, successfully disrupted RaccoonO365, a major Phishing-as-a-Service (PhaaS) operation. This win involved seizing 338 websites and attributing the operation to a Nigerian suspect, significantly cutting off revenue streams and operational capabilities for cybercriminals who had stolen thousands of Microsoft 365 credentials across 94 countries.
  • Law enforcement achieved significant wins against the Scattered Spider cybercriminal group with the arrest of two key figures, Thalha Jubair and Owen Flowers, in the UK. Jubair faces U.S. charges for over 120 cyberattacks that extorted at least $115 million, including breaches of a U.S. federal court network and critical infrastructure. These arrests represent a major disruption to a prolific threat actor responsible for widespread and damaging cyber incidents.
  • OpenAI promptly fixed a zero-click prompt injection vulnerability, dubbed ‘ShadowLeak,’ in its ChatGPT Deep Research agent, preventing any detected real-world abuse. This vulnerability could have allowed attackers to invisibly exfiltrate sensitive inbox information by sending specially crafted emails. The quick patch demonstrates effective incident response and proactive security measures by OpenAI.
  • Google successfully removed 224 malicious apps from the Google Play Store implicated in the ‘SlopAds’ ad fraud campaign. These apps, downloaded over 38 million times, generated billions of fraudulent ad requests daily using steganographically encrypted payloads and hidden WebViews. This action, combined with Google Play Protect’s automatic protections, effectively mitigated a large-scale ad fraud operation.
  • Palo Alto Networks Unit 42 achieved Enhanced Level Cyber Incident Response (CIR) assurance from the UK’s National Cyber Security Centre (NCSC). This recognition validates Unit 42’s high standards and proven capability in handling complex and impactful security incidents, aligning with NCSC’s gold standard for incident response and strengthening the resilience of critical national infrastructure.
  • The Estonian-led EU CyberNet project, aiming to strengthen global cybersecurity capabilities, received an additional 6.6 million euros in funding from the European Union for its second phase. This funding will support the expansion of cyber cooperation into the India and Pacific Ocean regions, focusing on developing cybersecurity strategies, crisis preparedness, and enhancing public cyber awareness.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.