Cyber Threat Intelligence — 22 Sept. 2025

A verified summary of cyber events disclosed or reported within the past 48 hours (Sept. 20–22, 2025 ET).

European airport disruptions from third-party ransomware attack

• Incident date (ET): Sept. 20–22, 2025
• Disclosure (ET): Sept. 22, 2025
• Summary: A ransomware incident at a third-party provider disrupted Collins Aerospace MUSE systems, causing check-in issues at Heathrow, Brussels, and Berlin airports. Flight safety systems were not affected.
• Source: https://www.reuters.com/business/aerospace-defense/eu-agency-says-third-party-ransomware-behind-airport-disruptions-2025-09-22/

Turla piggybacks Gamaredon compromises (Ukraine)

• Incident date (ET): Jan.–Feb. 2025
• Disclosure (ET): Sept. 22, 2025
• Summary: Turla deployed malware on systems initially compromised by Gamaredon, demonstrating sequential exploitation and operational overlap targeting Ukraine.
• Source: https://www.securityweek.com/turla-and-gamaredon-working-together-in-fresh-ukrainian-intrusions/

SonicWall cloud backup incident

• Incident date (ET): Mid-September 2025
• Disclosure (ET): Sept. 17, 2025 (updated Sept. 22, 2025)
• Summary: Threat actors accessed encrypted firewall backup files for fewer than five per cent of SonicWall customers via brute-force. SonicWall advised immediate password resets and configuration reviews.
• Source: https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330

Microsoft Entra ID token validation flaw patched (CVE-2025-55241)

• Incident date (ET): N/A
• Disclosure (ET): Sept. 22, 2025 (details published); patch issued July 17, 2025
• Summary: Microsoft patched a cross-tenant token validation issue that could have enabled admin impersonation. No evidence of active exploitation.
• Source: https://thehackernews.com/2025/09/microsoft-patches-critical-entra-id.html

macOS campaign delivers AMOS (Atomic) stealer

• Incident date (ET): Ongoing through Sept. 2025
• Disclosure (ET): Sept. 22, 2025
• Summary: A macOS-focused campaign uses SEO poisoning and fake GitHub repositories to distribute the AMOS infostealer, with password-manager users among targets.
• Source: https://www.securityweek.com/widespread-infostealer-campaign-targeting-macos-users/

Fortra GoAnywhere MFT critical RCE (CVE-2025-10035)

• Incident date (ET): N/A
• Disclosure (ET): Sept. 19–22, 2025
• Summary: A CVSS 10.0 deserialisation flaw in the License Servlet enables command injection. Fortra urges immediate updates to GoAnywhere 7.8.4 / SR 7.6.3 and removal of public Admin Console access.
• Sources: https://www.securityweek.com/fortra-patches-critical-goanywhere-mft-vulnerability/ https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.html

Jaguar Land Rover cyberattack disrupts production

• Incident date (ET): Early Sept. 2025
• Disclosure (ET): Sept. 22, 2025
• Summary: A cyberattack halted production at Jaguar Land Rover’s U.K. facilities for nearly three weeks, with significant supplier impacts.
• Source: https://www.wired.com/story/jlr-jaguar-land-rover-cyberattack-supply-chain-disaster/

DPRK (Lazarus cluster) deploys BeaverTail and InvisibleFerret

• Incident date (ET): Campaign observed since May 2025
• Disclosure (ET): Sept. 21, 2025
• Summary: North Korean actors used ClickFix-style phishing lures to deliver BeaverTail stealer and InvisibleFerret backdoor against cryptocurrency and retail targets.
• Source: https://www.thehackernews.com/2025/09/dprk-hackers-use-clickfix-to-deliver.html

MalTerminal — GPT-4-powered malware proof of concept

• Incident date (ET): N/A (research finding)
• Disclosure (ET): Sept. 20, 2025
• Summary: SentinelOne described “MalTerminal,” a PoC that uses GPT-4 to generate ransomware and reverse shells at runtime; no evidence of in-the-wild use.
• Source: https://www.thehackernews.com/2025/09/researchers-uncover-gpt-4-powered.html

ShadowLeak prompt-injection issue resolved

• Incident date (ET): N/A (research finding)
• Disclosure (ET): Sept. 20, 2025 (public report); responsibly disclosed June 18, 2025; fixed early Aug. 2025
• Summary: Radware detailed an indirect prompt-injection technique that could exfiltrate Gmail data via ChatGPT’s Deep Research agent; the issue has been addressed.
• Source: https://www.thehackernews.com/2025/09/shadowleak-zero-click-flaw-leaks-gmail.html