Cyber Threat Intelligence — 22 Sept. 2025

A verified summary of cyber events disclosed or reported within the past 48 hours (Sept. 20–22, 2025 ET).

## European airport disruptions from third-party ransomware attack

* Incident date (ET): Sept. 20–22, 2025
* Disclosure (ET): Sept. 22, 2025
* Summary: A ransomware incident at a third-party provider disrupted Collins Aerospace MUSE systems, causing check-in issues at Heathrow, Brussels, and Berlin airports. Flight safety systems were not affected.
* Source: https://www.reuters.com/business/aerospace-defense/eu-agency-says-third-party-ransomware-behind-airport-disruptions-2025-09-22/

## Turla piggybacks Gamaredon compromises (Ukraine)

* Incident date (ET): Jan.–Feb. 2025
* Disclosure (ET): Sept. 22, 2025
* Summary: Turla deployed malware on systems initially compromised by Gamaredon, demonstrating sequential exploitation and operational overlap targeting Ukraine.
* Source: https://www.securityweek.com/turla-and-gamaredon-working-together-in-fresh-ukrainian-intrusions/

## SonicWall cloud backup incident

* Incident date (ET): Mid-September 2025
* Disclosure (ET): Sept. 17, 2025 (updated Sept. 22, 2025)
* Summary: Threat actors accessed encrypted firewall backup files for fewer than five per cent of SonicWall customers via brute force. SonicWall advised immediate password resets and configuration reviews.
* Source: https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330

## Microsoft Entra ID token validation flaw patched (CVE-2025-55241)

* Incident date (ET): N/A
* Disclosure (ET): Sept. 22, 2025 (details published); patch issued July 17, 2025
* Summary: Microsoft patched a cross-tenant token validation issue that could have enabled admin impersonation. No evidence of active exploitation.
* Source: https://thehackernews.com/2025/09/microsoft-patches-critical-entra-id.html

## macOS campaign delivers AMOS (Atomic) stealer

* Incident date (ET): Ongoing through Sept. 2025
* Disclosure (ET): Sept. 22, 2025
* Summary: A macOS-focused campaign uses SEO poisoning and fake GitHub repositories to distribute the AMOS infostealer, with password-manager users among the targets.
* Source: https://www.securityweek.com/widespread-infostealer-campaign-targeting-macos-users/

## Fortra GoAnywhere MFT critical RCE (CVE-2025-10035)

* Incident date (ET): N/A
* Disclosure (ET): Sept. 19–22, 2025
* Summary: A CVSS 10.0 deserialisation flaw in the License Servlet enables command injection. Fortra urges immediate updates to GoAnywhere 7.8.4 / SR 7.6.3 and removal of public Admin Console access.
* Sources:
  * https://www.securityweek.com/fortra-patches-critical-goanywhere-mft-vulnerability/
  * https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.html

## Jaguar Land Rover cyberattack disrupts production

* Incident date (ET): Early Sept. 2025
* Disclosure (ET): Sept. 22, 2025
* Summary: A cyberattack halted production at Jaguar Land Rover’s U.K. facilities for nearly three weeks, with significant supplier impacts.
* Source: https://www.wired.com/story/jlr-jaguar-land-rover-cyberattack-supply-chain-disaster/

## DPRK (Lazarus cluster) deploys BeaverTail and InvisibleFerret

* Incident date (ET): Campaign observed since May 2025
* Disclosure (ET): Sept. 21, 2025
* Summary: North Korean actors used ClickFix-style phishing lures to deliver the BeaverTail stealer and InvisibleFerret backdoor against cryptocurrency and retail targets.
* Source: https://www.thehackernews.com/2025/09/dprk-hackers-use-clickfix-to-deliver.html

## MalTerminal — GPT-4-powered malware proof of concept

* Incident date (ET): N/A (research finding)
* Disclosure (ET): Sept. 20, 2025
* Summary: SentinelOne described “MalTerminal,” a PoC that uses GPT-4 to generate ransomware and reverse shells at runtime; no evidence of in-the-wild use.
* Source: https://www.thehackernews.com/2025/09/researchers-uncover-gpt-4-powered.html

## ShadowLeak prompt-injection issue resolved

* Incident date (ET): N/A (research finding)
* Disclosure (ET): Sept. 20, 2025 (public report); responsibly disclosed June 18, 2025; fixed early Aug. 2025
* Summary: Radware detailed an indirect prompt-injection technique that could exfiltrate Gmail data via ChatGPT’s Deep Research agent; the issue has been addressed.
* Source: https://www.thehackernews.com/2025/09/shadowleak-zero-click-flaw-leaks-gmail.html

Edward Kiledjian @ekiledjian