September 28, 2025

Cyber OSINT Overview, Sep 22 - Sep 28, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Cisco vulnerabilities in Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software are a major concern, with multiple zero-day flaws being actively exploited by nation-state actors. These vulnerabilities, including critical remote code execution issues, enable full system compromise, malware deployment, and data exfiltration. Urgent patching and forensic analysis are mandated for affected devices.
  • Supply chain attacks, particularly targeting the npm ecosystem, are a growing threat. The ‘Shai-Hulud’ worm compromised over 500 npm packages, exfiltrating GitHub Personal Access Tokens and cloud service API keys. These attacks leverage phishing to gain initial access, then automate the spread of malicious code by injecting it into other packages, highlighting the need for robust dependency controls and credential hygiene.
  • Ransomware campaigns, such as Akira, are becoming increasingly aggressive and rapid, with dwell times sometimes under an hour. These attacks often target VPN infrastructure (e.g., SonicWall SSL VPNs) and can bypass MFA, likely using previously exfiltrated credentials. The financial and operational impacts are significant, affecting various sectors including retail and local governments, necessitating swift detection and response strategies.
  • Linux Kernel vulnerabilities are a recurring concern, with numerous advisories detailing flaws that can lead to Denial of Service (DoS), privilege escalation, and other unspecified attacks. Both local and remote attackers can exploit these weaknesses, emphasizing the need for continuous patching and robust security practices for Linux-based systems.

Critical Vulnerabilities

  • Multiple critical vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) exist in Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) Software, with two actively exploited zero-days. These flaws, with CVSS scores up to 9.9, allow unauthenticated remote access to restricted URL endpoints and authenticated remote code execution as root, potentially leading to complete system compromise. Organizations must apply patches immediately and conduct forensic analysis.
  • A critical, actively exploited vulnerability (CVE-2025-20352) impacts the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software. This stack-based buffer overflow allows authenticated remote attackers to cause Denial of Service (DoS) with low privileges or execute arbitrary code with root-level permissions on affected IOS XE devices. All devices with SNMP enabled are vulnerable unless the affected OID is explicitly excluded, necessitating immediate software updates.
  • SolarWinds Web Help Desk (WHD) is vulnerable to a critical remote code execution (RCE) flaw (CVE-2025-26399) arising from an unauthenticated AjaxProxy deserialization issue. This vulnerability is a second bypass of a previously disclosed flaw, allowing an attacker to execute code in the context of SYSTEM. Applying the latest hotfix (12.8.7 Hotfix 1) is strongly recommended.
  • Fortra GoAnywhere MFT has a maximum severity vulnerability (CVE-2025-10035) in its License Servlet that allows remote command injection due to deserialization of untrusted data. This flaw, rated 10.0 CVSS, could enable a system takeover of enterprise file transfer infrastructure. Although the vendor’s official reports are inconsistent regarding active exploitation, independent researchers have found credible evidence of exploitation dating back to September 10.
  • A supply chain compromise in the npm ecosystem, dubbed ‘Shai-Hulud,’ has impacted hundreds of software packages, including popular ones with millions of weekly downloads. Attackers phished an npm maintainer to gain access, then deployed a self-replicating worm to scan for and exfiltrate sensitive credentials (e.g., GitHub PATs, cloud API keys), leading to public exposure of stolen secrets. This highlights the need for robust credential hygiene and dependency management.
  • A Google Chromium V8 Type Confusion Vulnerability (CVE-2025-10585) has been actively exploited as a zero-day. This high-severity flaw, often used in campaigns targeting cryptocurrency wallets and espionage operations, allows for remote code execution. Google has released emergency patches for Chrome, and users are urged to update immediately.
  • A critical vulnerability (CVE-2025-55232) in Microsoft High Performance Compute (HPC) Pack could allow remote code execution. Additionally, a flaw (CVE-2025-55322) in OmniParser (hosted on GitHub), caused by binding to an unrestricted IP address, also allows unauthorized remote code execution over a network.
  • Salesforce Agentforce, an AI-driven CRM agent platform, had a critical vulnerability dubbed ‘ForcedLeak’ (CVSS 9.4). This indirect prompt injection flaw allowed attackers to inject malicious instructions into Web-to-Lead form submissions. When processed by the AI agent, this could force the exfiltration of sensitive CRM data like customer contacts and sales strategies to external servers. Salesforce has issued patches to enforce ‘Trusted URLs’ for Agentforce and Einstein AI.
  • NVIDIA Merlin Transformers4Rec library contains a critical remote code execution vulnerability (CVE-2025-23298) due to unsafe deserialization practices. This flaw allows an attacker to execute arbitrary code with root privileges by crafting malicious model checkpoint files. The widespread reliance on Python’s pickle serialization in ML/AI frameworks contributes to this class of vulnerabilities.

Major Incidents

  • The Akira ransomware group is conducting an aggressive campaign targeting SonicWall SSL VPNs, deploying ransomware in under an hour. Threat actors gain initial access through malicious logins, likely using credentials exfiltrated via CVE-2024-40766, and have successfully bypassed OTP MFA. This campaign exhibits unusually short dwell times and opportunistic mass exploitation across various industries, requiring immediate credential resets and adherence to SonicWall’s recommendations.
  • A widespread software supply chain compromise has impacted the npm ecosystem, with a self-replicating worm dubbed ‘Shai-Hulud’ affecting over 500 packages. The attack, initiated via phishing, exfiltrated sensitive credentials like GitHub Personal Access Tokens and cloud service API keys. The malware then automatically injected malicious code into other packages maintained by the compromised developers, leading to exponential spread.
  • The Co-op retail chain experienced a cyberattack in April, resulting in an £80 million hit to its operating profit and approximately £206 million in revenue loss. The incident disrupted grocery and funeral services, forcing the company to take systems offline. All 6.5 million members had data stolen. Four individuals, including a teenager, linked to the Scattered Spider group were arrested in connection to this and other UK retail hacks.
  • Major European airports, including Heathrow, Berlin, Brussels, Dublin, and Cork, experienced significant disruptions due to a cyberattack targeting Collins Aerospace’s MUSE software for electronic check-in and baggage drop systems. This incident led to flight delays, cancellations, and diversions, highlighting the critical impact of third-party supply chain compromises on essential infrastructure.
  • SonicWall disclosed a security incident where malicious actors used brute-force techniques against the MySonicWall.com web portal to access a subset of customer preference files stored in cloud backups. These files contained encrypted credentials and other information that could be used to gain access to customers’ SonicWall Firewall devices. Customers are urged to check if their devices are at risk and implement containment and remediation immediately.
  • A U.S. federal agency experienced a breach due to attackers exploiting CVE-2024-36401, a critical GeoServer vulnerability, three weeks before EDR alerts were triggered. Attackers gained initial access to two GeoServers and moved laterally to other servers, deploying web shells and persistence mechanisms. This incident highlighted critical failures in prompt patching, incident response plan testing, and continuous security alert review.
  • Over 45,000 residents and employees of Union County, Ohio, were impacted by a ransomware attack that stole names, Social Security numbers, driver’s license numbers, financial account information, fingerprint data, medical information, and passport numbers. No ransomware gang has publicly claimed responsibility, but the incident is part of a trend of cyberattacks on state, county, and city governments in 2025.

Emerging Threats

  • AI-powered cyberattacks are accelerating, leveraging generative AI tools like ‘SpamGPT’ to automate highly personalized phishing campaigns, find vulnerabilities faster, and evade detection. Adversaries are using AI to enhance the quality and volume of attacks, lower the entry bar for threat actors, and potentially weaponize AI agent CLIs for reconnaissance and data exfiltration. Organizations must update security awareness training to recognize AI-crafted scams.
  • The China-nexus APT group UNC5221 is deploying ‘BRICKSTORM’ malware in stealthy, long-term espionage campaigns targeting legal services, SaaS providers, BPOs, and technology sectors in the US. This malware enables persistent access by deploying backdoors on non-EDR-supporting appliances, such as VMware vCenter and ESXi hosts, and employs advanced evasion techniques for lateral movement and data theft, resulting in an average dwell time of 393 days.
  • BTMOB RAT is a highly sophisticated Android malware-as-a-Service that gives attackers full control over infected devices. It combines live screen control, banking overlay attacks (targeting apps like Alipay), cryptocurrency theft, and comprehensive surveillance. The malware exploits Android’s Accessibility Service to bypass security measures and spreads primarily through phishing campaigns and malicious app stores, making it a professionalized mobile threat.
  • A new email-based attack campaign is spreading XWorm Remote Access Trojan (RAT) via fake invoice emails containing malicious Office files (.xlam). The attack uses shellcode and reflective DLL injection to load the XWorm RAT into memory, enabling full remote access and data theft. This persistent threat has previously exploited cloud misconfigurations for distribution.
  • A high-severity phishing campaign impersonating the National Police of Ukraine is using malicious Scalable Vector Graphics (SVG) files to deliver Amatera Stealer (for data theft) and PureMiner (for cryptojacking). The SVG files trick victims into downloading password-protected ZIP archives containing a Compiled HTML Help (CHM) file, which then launches a fileless loader. This sophisticated multi-stage attack aims to steal credentials, files, and cryptocurrency.
  • A large-scale campaign is targeting Mac users with fake software, including Malwarebytes and LastPass, distributed via GitHub pages. These fake installers deliver information stealers like Atomic Stealer (aka AMOS). The attackers employ SEO poisoning techniques to rank their malicious GitHub pages higher in search results, tricking users into self-installing the malware.
  • A new botnet operation is using a Loader-as-a-Service model to weaponize internet-connected devices globally. It exploits SOHO routers, IoT devices, and enterprise applications through command injection vulnerabilities in web interfaces. The campaign targets unsanitized POST parameters and default credentials, deploying RondoDoX, Mirai, and Morte payloads with multi-architecture support, and exploiting older CVEs (e.g., CVE-2019-17574).

Regulatory and Policy Updates

  • The UK government is set to announce plans for mandatory digital ID cards for all working adults, aimed at tackling illegal immigration. This initiative, referred to as a ‘Brit card,’ is expected to spark opposition from civil liberties campaigners due to concerns about personal privacy and the cybersecurity risks associated with centralized databases. The proposal seeks to revive a controversial policy from 21 years ago, adapting it for a modern, digitally enabled society.
  • India’s Digital Personal Data Protection (DPDP) Act, 2023, now mandates tougher obligations for handling personal data and imposes strict breach notification standards. Organizations must notify CERT-In within 6 hours of a cyber incident and the Data Protection Board (DPB) within 72 hours of a breach, with penalties up to ₹250 crore per instance. This law creates a new era of accountability for over 1.4 billion users, requiring businesses to adapt their data protection practices.
  • A new $100,000 fee for H-1B visa applications, effective September 21, 2025, is significantly increasing talent acquisition costs for US IT companies. This policy change creates uncertainty and is prompting companies to reconsider hiring foreign talent in the US, potentially shifting recruitment to countries like Canada, India, and Mexico, thus impacting the global IT labor market and the US startup ecosystem.
  • The Estonian government has eased cybersecurity requirements for approximately 1200 micro and small businesses and local government agencies. This policy change introduces clearer, more manageable primary security measures, replacing the full Estonian Information Security Standard (E-ITS) or ISO/IEC 27001, to reduce administrative burden and improve resilience against phishing, data exfiltration, and ransomware attacks for organizations with limited resources.
  • CISA has issued Emergency Directive 25-03, mandating federal agencies to identify, analyze, and mitigate potential compromises of Cisco Adaptive Security Appliances (ASA) and Cisco Firepower devices. The directive, prompted by actively exploited zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362), requires agencies to collect memory files for forensic analysis by September 26, 2025, and to either patch or disconnect end-of-life devices immediately. This urgent action highlights the significant risk posed by nation-state exploitation of critical perimeter network devices.
  • A report from Senate Homeland Security and Governmental Affairs Committee Democrats concludes that the Department of Government Efficiency (DOGE) has violated cybersecurity and privacy rules at three federal agencies (GSA, OPM, SSA). Practices include bypassing cybersecurity protections, evading oversight, and operating with unchecked access to Americans’ personal data, creating unprecedented privacy and security risks. Concerns include potential data breaches with ‘catastrophic adverse effect’ and the use of Starlink to circumvent agency IT oversight.
  • A proposed US cyber threat information-sharing bill reauthorization by Senator Rand Paul is facing backlash from Senate committee members. Lawmakers fear this version could undermine the original CISA 2015 law, which facilitates cyber threat sharing between the private sector and federal government and provides crucial liability protections. The existing law is set to expire on September 30 unless Congress agrees on reauthorization, making broad changes to the law risky.

Security Operations

  • Migration to post-quantum cryptography is an urgent and significant challenge for the financial services sector, requiring global coordination and extensive code rewriting. Quantum computing’s potential to break current encryption standards necessitates a shift to post-quantum algorithms like ML-KEM in a hybrid mode (X25519 + ML-KEM). This ensures that ‘harvest now, decrypt later’ attacks will not compromise sensitive data once quantum computers become viable.
  • AI is increasingly trusted and integrated into threat intelligence and SOC workflows for tasks like report summarization, threat scoring, and recommended actions. Security leaders report high trust in AI-generated output (86%) and expect AI to reduce analyst workloads by a quarter or more. Effective AI-driven security operations require ‘context engineering’ to provide agents with rich, contextual intelligence from various data layers (alerts, identity, asset, enrichments) to move beyond basic processing to intelligent analysis.
  • Exposure management platforms are critical for effectively reducing cyber risk by unifying data from various security tools (vulnerability management, cloud security, application security, endpoint security, identity management, OT, IoT, AI). These platforms help break down silos, cut through alert noise, and prioritize the most critical threats, allowing security and IT teams to focus on fixing what matters most in their expanding attack surfaces.
  • The debate continues between ‘decoupled SIEM’ architectures, which separate security components, and ‘supercoupled SIEM’ or ‘EDR-ized SIEM’ with tightly integrated platforms. While decoupled SIEM with federated log search and AI agents offers automation, tightly integrated platforms bundling search, dashboards, detection, data collection, and AI capabilities are seen as the mainstream future for many organizations. The latter model often includes auxiliary decentralized elements as needed, forming a ‘90% centralized / 10% federated SIEM’ approach.
  • Organizations are adopting a ‘secure by default’ approach with automated guardrails to manage cloud security in complex multi-cloud environments. This involves leveraging native cloud capabilities, preventive policies, and custom auto-remediation tools (e.g., in AWS, Azure, GCP) to identify, prevent, and fix common cloud misconfigurations. The goal is to build a consistent security baseline and shift security left by scanning infrastructure as code (IaC) in CI/CD pipelines to prevent issues before deployment.
  • Adopting a positive security model with application control is crucial for strengthening defenses, moving beyond traditional antivirus. This default-deny approach decides what is allowed and blocks everything else. Effective implementation involves preparing employees for a culture shift, building a strong infrastructure with Endpoint Detection and Response (EDR) tools for granular visibility, and tailoring solutions to organizational needs. This approach significantly enhances protection even with gradual adoption, addressing issues like legacy systems and edge application access.
  • A new report reveals that organizations, on average, detect only 19% of all human risk activity, leaving a majority of risky behaviors such as credential misuse and insider threats unseen. This highlights a significant gap between increased spending on security awareness training (SAT) and actual reductions in human risk exposure. Effective human risk management (HRM) requires new strategies, proven frameworks, and cross-functional collaboration to extend risk ownership beyond traditional security teams.

Wins

  • A coordinated Interpol operation in Africa led to 260 arrests and the dismantling of transnational criminal networks engaged in social media-based romance and sextortion scams. The crackdown identified over 1,460 victims who collectively lost an estimated $2.8 million, with $70,000 recovered. The operation also seized over 1,200 electronic devices and targeted online infrastructures, highlighting successful international cooperation in combating cyber fraud.
  • Significant arrests have been made in connection with major cybercrime groups. In the UK, 19-year-old Thalha Jubair, a core member of the Scattered Spider group linked to $115 million in ransoms, was arrested and charged. Separately, two 17-year-olds were arrested in the Netherlands on suspicion of conducting cyber espionage for Russia, including using ‘wifi-sniffers’ near prominent government buildings in The Hague.
  • The US Secret Service disrupted a large network of telecommunications devices, including over 300 SIM servers and 100,000 SIM cards, in the New York City area. This network had the capability to disable cellular systems, send bulk messages to the entire US population, and launch Distributed Denial of Service (DDoS) attacks. The operation prevented potential cellular network shutdowns and disrupted a ‘well-organized and well-funded’ scheme involving nation-state threat actors and organized crime groups.
  • OpenAI successfully fixed a zero-click vulnerability in ChatGPT Deep Research. This addresses a critical security flaw that could have been exploited without user interaction, improving the overall security posture of the AI platform.
  • Google removed 224 malicious apps from the Google Play Store after discovering an ad fraud campaign. This action helps to protect users from deceptive practices and maintains the integrity of the app ecosystem.
  • A security flaw in the American Archive of Public Broadcasting (AAPB) website, which allowed unauthorized access to protected and private media for years, was fixed within 48 hours after being reported by a cybersecurity researcher. The vulnerability facilitated copyright violations and misuse of historically significant public radio and television programs. This quick remediation highlights the importance of prompt response to vulnerability disclosures.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.