Cybersecurity Week in Review: September 23 – 29, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

This week saw the disclosure of significant data breaches affecting millions of individuals across multiple sectors, with financial services and retail bearing the brunt of the impact.

  • Lotte Card (South Korea) disclosed on September 23 that approximately 3 million customers were affected by a breach exploiting an unpatched vulnerability dating back to 2017. The attack exposed identification numbers, contact information, and for thousands of customers, complete card numbers including CVV codes. South Korea’s fifth-largest card issuer, which processes roughly 10% of the nation’s daily credit card spending, faced investigation by the Personal Information Protection Commission. The CEO issued a public apology and pledged full compensation, while a parliamentary audit was scheduled for majority owner MBK Partners. Critically, only 56% of the 2,700 leaked files were encrypted, and the compromised server had never received security updates despite a fix being available for eight years.

  • Boyd Gaming Corporation filed an SEC disclosure on September 23 revealing a cyberattack that resulted in employee data theft from internal IT systems. The Las Vegas-based casino operator, which manages 28 gaming properties across 10 states and generated $1 billion in revenue last quarter, emphasized that no impact occurred to casino properties or business operations. Federal law enforcement became involved in the investigation, though no ransomware group claimed responsibility. The company expects no material financial impact due to comprehensive cybersecurity insurance coverage. This incident follows the pattern of casino industry targeting, with MGM Resorts and Caesars Entertainment previously suffering major attacks in 2023.

  • The Co-operative Group (UK) disclosed on September 25 that the April 2025 cyberattack resulted in £206 million ($275 million) in lost revenue and an £80 million total impact on profit and cashflow. The breach, which affected all 6.5 million members, led to empty store shelves for weeks, payment system failures across 2,300 stores, and forced funeral services to revert to paper-based systems. Four suspects believed linked to the Scattered Spider group were arrested in July, including one minor. The attack, described as “sophisticated and malicious,” used social engineering tactics with attackers impersonating Co-op employees to gain access. The company predicts a £120 million hit to full-year profits.

  • Volvo Group North America notified employees on September 26 that their names and Social Security numbers were compromised in an August 20 ransomware attack on third-party HR software provider Miljödata. The Swedish vendor serves approximately 25 companies, 200 municipalities, and multiple universities. The DataCarry ransomware group, first observed in May 2025, posted stolen data to the dark web on September 13 after demanding 1.5 Bitcoin (approximately $165,000). The broader Miljödata breach exposed 870,000 unique email addresses and comprehensive personal information including government IDs, dates of birth, employment data, and sick leave records affecting 1.5 million people across multiple organizations including SAS airline, Boliden metals company, and Stockholm municipality. Volvo is offering 18 months of free identity protection and credit monitoring to affected employees.

  • Union County, Ohio disclosed on September 26 that a ransomware attack occurring between May 6 and 18 compromised data belonging to 45,487 residents and county employees—representing approximately 60% of the county’s total population. Exposed information included names, Social Security numbers, driver’s license numbers, financial account information, fingerprint data, medical information, and passport numbers. The investigation, completed by August 25, found no ransomware group claiming responsibility. The county is offering free identity monitoring and $1 million in identity theft insurance through Experian, with federal law enforcement involved in the investigation.

  • Bouygues Telecom (France), France’s third-largest mobile operator, continued facing scrutiny this week following the August disclosure of a breach affecting 6.4 million customer accounts. The company filed reports with France’s CNIL data protection regulator and judicial authorities. The incident occurred during the same period when Orange was also attacked, prompting French cybersecurity agency ANSSI to issue warnings about state-sponsored threats targeting the telecommunications sector. Bouygues serves 18.3 million mobile customers and 4.2 million fiber customers.

The week’s breaches revealed persistent exploitation of unpatched vulnerabilities (Lotte Card’s eight-year-old flaw), supply chain attack vectors (Volvo via Miljödata), and social engineering tactics (Co-op impersonation), collectively demonstrating the multi-faceted nature of modern data compromise operations targeting organizations across geographic and sectoral boundaries.

Significant Cyberattacks and Incidents

Ransomware operations and state-sponsored cyber activities dominated the threat landscape, with attacks targeting critical infrastructure and revealing sophisticated persistence mechanisms.

  • Kenosha Unified School District in Wisconsin became the latest educational institution victimized by ransomware when the Snatch ransomware gang launched an attack during the week, with disclosure occurring September 29. The district, serving nearly 20,000 students, proactively took portions of its network offline and contacted law enforcement while hiring a cybersecurity firm to investigate. Systems were later restored, though the volume of stolen data remains unknown. The Snatch group has increasingly targeted educational institutions, exploiting typically under-resourced cybersecurity programs in school districts.

  • The Secret Service disrupted an illicit cellular network on September 23 that posed an extraordinary threat to New York City’s telecommunications infrastructure during the UN General Assembly. Agents seized over 300 servers and 100,000 SIM cards at multiple sites within 35 miles of Manhattan, discovering a network capable of sending 30 million text messages per minute and potentially disabling cell towers to shut down the city’s cellular network. Early forensic analysis indicated “cellular communications between nation-state threat actors and individuals known to federal law enforcement.” The operation, led by the Secret Service’s new Advanced Threat Interdiction Unit in partnership with DHS Homeland Security Investigations, DOJ, ODNI, and NYPD, also seized 80 grams of cocaine, illegal firearms, and computers, suggesting the infrastructure served multiple illicit purposes.

  • Two 17-year-old boys were arrested in the Netherlands on September 23 for suspected cyber espionage on behalf of Russian interests, with the arrest announced September 26. Dutch authorities allege the teenagers were recruited via Telegram by pro-Russian hackers and tasked with carrying Wi-Fi sniffer equipment past sensitive locations including Europol and Eurojust headquarters in The Hague, as well as several embassies. The devices were intended to map networks and intercept data. One suspect was remanded in custody while the other was released on home bail with an ankle monitor. The arrests, following a tip from AIVD (Dutch signals intelligence), exemplify the pattern of Russian recruitment of teenagers for infrastructure reconnaissance and intelligence gathering operations.

  • Jaguar Land Rover extended its production shutdown through at least October 1 following the August 31 cyberattack that resulted in a confirmed data breach. The incident affecting Britain’s largest automaker impacted over 30,000 employees and caused supply chain workers to be laid off, with estimated daily sales losses of £72 million ($98 million). The company worked with the UK National Cyber Security Centre and law enforcement on forensic investigation, with suspected links to the Scattered Spider group through the Tata Consultancy Services managed services provider. On September 29, the UK Government announced a £1.5 billion ($2 billion) loan guarantee to support the manufacturer amid the ongoing crisis.

  • European airport systems continued experiencing disruption from the September 19 HardBit ransomware attack on Collins Aerospace’s MUSE system, with impacts extending into the week of September 23-29. Major airports including London Heathrow, Brussels, Berlin Brandenburg, Dublin, and Cork faced check-in and baggage system failures. Brussels alone canceled over 140 departing flights on Monday, September 23, with thousands of passengers affected across Europe requiring manual check-in processes. The UK National Crime Agency arrested a 40-year-old man from West Sussex on September 24 in connection with the attack, releasing him on bail. The European Union Agency for Cybersecurity (ENISA) identified the ransomware type, though details were not publicly disclosed. Parent company RTX notified law enforcement as the investigation continued.

The week’s incidents demonstrated threat actor diversification, with operations ranging from established ransomware gangs (Snatch, HardBit) to state-sponsored espionage (Russian recruitment operations) to sophisticated infrastructure threats (NYC cellular network). The physical-digital convergence represented by telecommunications network targeting and teenagers conducting physical reconnaissance with cyber tools marks an evolution in adversary tactics that blurs traditional security boundaries.

Critical Vulnerabilities and Patches

Multiple critical zero-day vulnerabilities were disclosed this week, several actively exploited by sophisticated threat actors, prompting emergency government directives and urgent patching requirements.

  • Cisco ASA Firewall Zero-Days dominated the week’s vulnerability landscape when three critical flaws were disclosed on September 25-26, with two actively exploited. CVE-2025-20333 (CVSS 9.9) represents a memory corruption vulnerability enabling remote code execution in Cisco Secure Firewall ASA Software. CVE-2025-20362 (CVSS 6.5) provides privilege escalation and authentication bypass capabilities. These vulnerabilities have been actively exploited since at least May 2025 in the ArcaneDoor campaign attributed to UAT4356 (Storm-1849), a suspected China-linked threat actor. The attackers deployed RayInitiator, a persistent GRUB bootkit that survives reboots and firmware upgrades, and LINE VIPER, a user-mode shellcode loader with advanced evasion capabilities. Targeted organizations included multiple government agencies across the US, Canada, UK, and Australia. A third vulnerability, CVE-2025-20363 (CVSS 8.5-9.0), also enables remote code execution but showed no evidence of active exploitation. Cisco released patches on September 25, but organizations must upgrade to fixed versions AND reset devices to factory defaults. End-of-support devices including the 5512-X, 5515-X, and 5585-X cannot be patched and must be disconnected immediately.

  • Cisco IOS/IOS XE SNMP Zero-Day (CVE-2025-20352) with CVSS score 7.7 was disclosed September 24 as actively exploited in the wild. The stack overflow in the Simple Network Management Protocol subsystem affects all versions of Cisco IOS and IOS XE Software with SNMP enabled, including Meraki MS390 Switches and Catalyst 9300 Series Switches. Exploitation with low privileges enables denial of service, while attackers with administrative credentials can achieve arbitrary code execution as root. Approximately 2 million devices are potentially at risk. Cisco discovered the vulnerability after local administrator credentials were compromised. Fixed versions are available in Cisco IOS XE Software Release 17.15.4a, with mitigations including restricting SNMP access to trusted users only.

  • Sitecore Zero-Day (CVE-2025-53690) was disclosed September 24 by Mandiant as actively exploited in highly sophisticated attacks. The ViewState deserialization flaw enables remote code execution when ASP.NET machine keys are exposed, affecting Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce. This vulnerability represents part of a broader 2025 trend of ViewState attacks, joining CVE-2025-30406 (Gladinet CentreStack), CVE-2025-3935 (ConnectWise ScreenConnect), and CVE-2025-53770 (Microsoft SharePoint). Sitecore released updates on September 24 addressing the critical flaw targeting specific organizations with advanced persistence.

  • SAP S/4HANA Critical Vulnerability (CVE-2025-42957) with CVSS 9.9 saw active exploitation confirmed in September following its August 2025 Patch Tuesday release. SecurityBridge Threat Research Labs documented exploitation of the command injection vulnerability in SAP S/4HANA’s function module exposed via Remote Function Call (RFC). Attackers with only low-privileged user access can inject arbitrary ABAP code, bypassing authorization checks to achieve full system compromise. Impact includes database modification, superuser account creation with SAP_ALL privileges, password hash downloads, business process alteration, and potential ransomware deployment. The vulnerability’s ease of exploitation and straightforward patch reverse engineering make it particularly dangerous. SAP urged immediate patching, log monitoring for suspicious RFC calls or new administrative users, and implementation of SAP UCON to restrict RFC usage.
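
The Cisco IOS/IOS XE item above names one mitigation beside upgrading: restrict SNMP access to trusted sources. The script below is an added example, not code from this post or from Cisco, that audits an IOS-style running-config excerpt for the exposures that mitigation addresses: community strings not bound to an access-list, write-capable communities, default or short strings, and SNMPv3 groups without an ACL or without privacy. The configuration, hostnames, ACL numbers and community strings are constructed for illustration.

```python
"""Audit an IOS/IOS XE running-config excerpt for SNMP exposure.

Added example, not code from the page or from Cisco. The config text,
ACL numbers and community strings below are constructed.
"""
from dataclasses import dataclass

SAMPLE_CONFIG = """\
hostname edge-sw1
access-list 10 permit 192.0.2.10
snmp-server community public RO
snmp-server community s3cr3t-netmon-ro RO 10
snmp-server community private RW
snmp-server group NETMON v3 priv access 10
snmp-server group LEGACY v3 auth
"""

DEFAULT_STRINGS = {"public", "private", "cisco"}


@dataclass
class Finding:
    line: str
    severity: str   # "high" or "medium"
    reason: str


def _audit_community(tokens, line):
    """snmp-server community <string> [view <name>] [RO|RW] [acl-number|acl-name]"""
    string = tokens[2]
    rest = tokens[3:]
    if rest[:1] == ["view"]:
        rest = rest[2:]
    mode = "RO"                      # IOS defaults to read-only when omitted
    if rest and rest[0].upper() in ("RO", "RW"):
        mode = rest[0].upper()
        rest = rest[1:]
    acl = rest[0] if rest else None  # trailing token is the restricting ACL
    out = []
    if acl is None:
        out.append(Finding(line, "high", "community reachable from any source (no access-list)"))
    if mode == "RW":
        out.append(Finding(line, "high", "write-capable community; a leaked string gives write access"))
    if string.lower() in DEFAULT_STRINGS or len(string) < 12:
        out.append(Finding(line, "medium", "default or short community string"))
    return out


def _audit_v3_group(tokens, line):
    """snmp-server group <name> v3 {noauth|auth|priv} [access <acl>]"""
    level = tokens[4].lower() if len(tokens) > 4 else "noauth"
    out = []
    if "access" not in tokens:
        out.append(Finding(line, "medium", "SNMPv3 group without an access-list"))
    if level != "priv":
        out.append(Finding(line, "medium", f"SNMPv3 group at level '{level}' (no privacy)"))
    return out


def audit_snmp_config(config):
    """Return one Finding per weak SNMP setting in the config text."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        if tokens[1] == "community":
            findings.extend(_audit_community(tokens, line))
        elif tokens[1] == "group" and len(tokens) >= 4 and tokens[3].lower() == "v3":
            findings.extend(_audit_v3_group(tokens, line))
    return findings


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

On the sample config the two unrestricted communities (`public`, `private`) are the high-severity findings; the read-only community bound to ACL 10 and the `priv` v3 group pass. Because the advisory describes exploitation with low privileges as a denial of service and with administrative credentials as root code execution, an access-list limits who can reach the vulnerable subsystem at all, but it does not replace upgrading to the fixed release (17.15.4a).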

The convergence of multiple critical zero-days (Cisco, Google, Sitecore, SAP) within a single week, nearly all with active exploitation confirmed, represents an unusually intense vulnerability landscape. The deployment of advanced persistence mechanisms including bootkits surviving firmware updates signals escalating adversary sophistication, while the targeting of enterprise security infrastructure (firewalls, VPN gateways) and business-critical systems (ERP, CMS) demonstrates strategic focus on high-value compromise opportunities.

Government and Industry Cyber Responses

Government agencies and international law enforcement mounted coordinated responses to active threats, issuing emergency directives and conducting operations targeting cybercriminal infrastructure.

  • CISA Emergency Directive ED-25-03 was issued September 25, ordering federal civilian agencies to immediately address the two actively exploited Cisco ASA vulnerabilities (CVE-2025-20333 and CVE-2025-20362). The directive gave agencies until 12 PM EDT September 26 to identify devices, collect forensics, disconnect compromised devices, and patch clean systems—representing an unprecedented 24-hour response timeline. Agencies must permanently disconnect end-of-support ASA devices by September 30. Acting Director Madhu Gottumukkala stated the directive was necessary due to “the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network.” CISA coordinated the response with the Canadian Centre for Cyber Security, UK National Cyber Security Centre, and Australian cybersecurity agencies, demonstrating Five Eyes intelligence cooperation.

  • Interpol announced on September 26 the results of a coordinated African cybercrime crackdown resulting in 260 arrests across multiple countries targeting transnational criminal networks running romance and sextortion scams. The operation identified 1,460+ victims with combined losses of $2.8 million and seized 1,200+ electronic devices including USB drives and SIM cards. Ghana authorities made 68 arrests and seized 835 devices, with victims losing approximately $450,000. Senegal arrested 22 individuals for impersonating celebrities on dating platforms, affecting 120 victims and stealing roughly $34,000. Côte d’Ivoire arrested 24 suspects in a sextortion scheme targeting approximately 810 victims, while Angola made 8 arrests tied to domestic and international victims. Cyril Gout, Interpol’s acting executive director, noted that “cybercrime units across Africa are reporting a sharp rise in digital-enabled crimes such as sextortion and romance scams.”

  • International cooperation on the Cisco vulnerabilities showcased coordinated Five Eyes response capabilities. Rajiv Gupta of the Canadian Centre for Cyber Security stated, “This is a critical moment for Canadian organizations. Threat actors are targeting legacy systems with increasing sophistication. I urge all critical infrastructure sectors to act swiftly.” The UK NCSC provided detailed technical analysis on the LINE VIPER malware and RayInitiator bootkit, while Australian agencies coordinated on threat intelligence sharing. The collaboration enabled synchronized public warnings and mitigation guidance across multiple jurisdictions.
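
The ED-25-03 item above lays out a procedure (identify devices, collect forensics, disconnect compromised and end-of-support devices, patch clean systems), and the Cisco ASA item in the previous section adds that patched devices must also be reset to factory defaults and that the 5512-X, 5515-X and 5585-X cannot be patched. The script below is an added example, not code from CISA, Cisco or this post, that sorts an ASA inventory into those actions. The inventory, the model strings and the `FIXED_VERSIONS_PLACEHOLDER` table are constructed; the real fixed releases must come from Cisco's advisory.

```python
"""Triage an ASA inventory against the ED-25-03 remediation steps.

Added example, not code from CISA, Cisco or this post. Hostnames, versions
and the fixed-version table are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Models the advisory coverage names as end-of-support (cannot be patched).
END_OF_SUPPORT_MODELS = {"5512-X", "5515-X", "5585-X"}

# PLACEHOLDER table: release train -> first fixed release. The (500) values
# are deliberately fake; substitute the releases listed in Cisco's advisory.
FIXED_VERSIONS_PLACEHOLDER = {
    "9.16": "9.16(500)",
    "9.18": "9.18(500)",
    "9.20": "9.20(500)",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")  # e.g. 9.18(4)22


@dataclass
class Device:
    hostname: str
    model: str     # as reported by the device, e.g. "ASA5585-X"
    version: str


def parse_version(version):
    """Turn an ASA release string into a comparable (major, minor, maint, interim) tuple."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {version!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def triage(device, fixed_versions=FIXED_VERSIONS_PLACEHOLDER):
    """Return the ED-25-03 action for one device."""
    model = device.model.upper().removeprefix("ASA")
    if model in END_OF_SUPPORT_MODELS:
        return "disconnect_permanently"          # no fix exists for this hardware
    major, minor, _, _ = parse_version(device.version)
    fixed = fixed_versions.get(f"{major}.{minor}")
    if fixed is None:
        return "train_not_in_table_consult_advisory"
    if parse_version(device.version) < parse_version(fixed):
        # forensics first: the upgrade alone does not remove an existing implant
        return "collect_forensics_then_upgrade_and_factory_reset"
    return "verify_fixed_release_and_factory_reset"


def triage_inventory(devices, fixed_versions=FIXED_VERSIONS_PLACEHOLDER):
    """Map hostname -> action for a whole inventory."""
    return {d.hostname: triage(d, fixed_versions) for d in devices}


# Constructed inventory: hostnames and versions are made up.
INVENTORY = [
    Device("fw-dc1", "ASA5585-X", "9.12(4)67"),
    Device("fw-branch", "ASA5516-X", "9.16(4)"),
    Device("fw-edge", "ASA5525-X", "9.18(4)22"),
    Device("fw-cloud", "ASAv", "9.18(500)1"),
    Device("fw-lab", "ASAv", "9.14(4)"),
]

if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY).items():
        print(f"{host:10} {action}")
```

End-of-support hardware is classified first, whatever release it runs, because the directive's September 30 deadline for disconnecting it does not depend on version. Devices already on a fixed release are still queued rather than closed out, since the advisory pairs the upgrade with a factory reset and the bootkit described survives reboots and firmware upgrades.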

The week revealed government adoption of increasingly aggressive timelines for emergency responses, with CISA’s 24-hour deadline marking one of the shortest compliance windows ever imposed. The convergence of public and private sector coordination (CISA-GitHub, Five Eyes agencies, Interpol-member countries) demonstrates maturing international cybersecurity cooperation frameworks, while the preemptive Secret Service operation disrupting the NYC cellular network shows evolution toward anticipatory threat interdiction rather than reactive incident response.

Miscellaneous

Research reports, product launches, and trend analyses released this week highlighted the transformation of the cybersecurity landscape through artificial intelligence and the continued fragmentation of the ransomware ecosystem.

  • Malwarebytes released its State of Ransomware 2025 report revealing unprecedented fragmentation in the ransomware ecosystem, with 41 new groups emerging between July 2024 and June 2025, bringing the total to over 60 simultaneously operating ransomware gangs for the first time ever. Total ransomware attacks have doubled over the past three years, with approximately 50 new groups appearing annually and 30 exiting. The top-10 ransomware groups now account for only 50% of attacks, down from 69% in 2022. RansomHub, which briefly dominated with 10% of attacks, went silent after March 31, 2025. Flashpoint analysis noted many new groups are rebrands using leaked source code, with SafePay sharing code with LockBit. The lower barrier to entry is attributed to leaked ransomware source code, commoditized malware, and AI assistance in developing malicious tools. Law enforcement takedowns of LockBit, BlackCat/AlphV, and Hive caused ecosystem splintering rather than suppression.

  • CrowdStrike unveiled its Charlotte AI AgentWorks Platform on September 26 at Fal.Con 2025 before over 8,000 cybersecurity professionals. The platform introduces seven AI agents including exposure prioritization, malware analysis, hunting, search, correlation rules, data transformation, and workflow generation agents, with capability for customers to build custom agents. Built on trillions of platform telemetry events and over a decade of annotated threats from Falcon Complete MDR, the agents accelerate triage, write reports, analyze malware, and understand incidents. CrowdStrike also announced acquisition of Pangea for AI agent protection and introduced AIDR (AI Detection and Response) as a new security category, aiming to “protect every AI agent in the world.”

  • CrowdStrike’s 2025 Threat Hunting Report presented at Fal.Con 2025 revealed that adversaries are using AI to create customized PowerShell scripts tailored to specific environments. FAMOUS CHOLLIMA (DPRK-nexus) infiltrated 320+ companies in 12 months, representing a 220% year-over-year increase, with North Korean IT workers using generative AI for resumes, deepfakes for video interviews, and AI code tools to secure employment. SCATTERED SPIDER resurfaced in 2025 with faster, more aggressive tradecraft. Cross-domain attacks became standard, with a 136% increase in cloud intrusions in H1 2025 and a 40% year-over-year increase in intrusions by suspected cloud-conscious China-nexus actors. Notably, 81% of interactive intrusions were malware-free, indicating sophisticated living-off-the-land techniques. The organization now tracks 265+ named adversaries and 150+ activity clusters.

  • Cybersecurity Ventures published its 7 Cybersecurity Trends of 2026 report on September 26, identifying key trends including agentic cyberattack and defense, deepfake and synthetic cyberattacks, evolving ransomware threats, strengthening the weakest human link, quantum security, regulatory and legislative overhaul, and cyberwarfare on the global stage. The report projected cybercrime will represent the world’s third-largest economy in 2026 behind only the United States and China, marking a critical inflection point where emerging technologies amplify both criminal capabilities and defensive opportunities.

  • BankInfoSecurity and CyberArk announced a September 24 webinar on identity security revealing that machine identities now outnumber human identities by 45:1, with 93% of organizations reporting at least one identity-related breach in the past year. Digital certificates, SSH keys, and secrets represent largely invisible but deeply impactful threats in financial services, often lacking ownership, lifecycle control, and visibility.

  • Cloudflare’s Project Galileo report disclosed that the service blocked 108.9 billion attacks against non-profits between May 1, 2024 and March 31, 2025, averaging 325.2 million attacks per day—representing a tripling over the past year. Notable incidents included the Belarusian Investigative Center being targeted by 28 billion requests on September 28, and Tech4Peace suffering a 12-day assault totaling 2.7+ billion requests. Targets included organizations supporting arts, human rights, journalism, and democracy.

  • CrowdStrike’s analysis of Microsoft’s September 2025 Patch Tuesday detailed that Microsoft addressed 84 vulnerabilities including 2 publicly disclosed zero-days and 8 critical vulnerabilities, with leading risk types being elevation of privilege (45%), remote code execution (26%), and information disclosure (16%). Windows received the most patches (58), followed by Extended Security Updates (35) and Office (17).

  • U.S. Senators introduced legislation on September 24 directing the Federal Trade Commission to establish standards for protecting consumers’ neural data collected by emerging technologies, representing the first major legislative initiative addressing brain-computer interface security and privacy concerns.

The week’s miscellaneous developments centered on the AI transformation of cybersecurity operations, with both offensive capabilities (DPRK using AI for employment fraud, customized PowerShell generation) and defensive innovations (CrowdStrike’s AI agents, AIDR category creation) achieving new sophistication levels. The ransomware ecosystem’s fragmentation coupled with AI-lowered barriers to entry suggests the threat landscape will continue diversifying rather than consolidating, while machine identity explosion (45:1 ratio) and non-profit targeting intensification (108.9 billion attacks) reveal expanding attack surfaces and democratization of victims beyond traditional corporate targets.

Conclusion

The week of September 23-29, 2025 demonstrated the cybersecurity landscape’s evolution toward increasingly sophisticated, AI-enabled threats requiring unprecedented response velocities and international cooperation. CISA’s 24-hour emergency directive for Cisco vulnerabilities exploited by nation-state actors deploying firmware-persistent bootkits represents a watershed moment in government response tempo, while the Secret Service’s disruption of cellular infrastructure capable of paralyzing New York City’s communications reveals the physical-digital convergence of modern threats.

Three key takeaways define the week’s significance. First, zero-day exploitation has become the norm rather than the exception, with nearly every major vulnerability disclosed (Cisco, Google, Sitecore, SAP) seeing active exploitation, often by state-sponsored actors with advanced persistence mechanisms. Organizations can no longer rely on vulnerability disclosure providing a grace period before weaponization. Second, supply chain attacks achieved unprecedented scale and automation through third-party compromises (Miljödata affecting 1.5 million, Collins Aerospace disrupting European airports), demonstrating that vendor security assessment must become continuous rather than periodic. Third, artificial intelligence is simultaneously arming adversaries and defenders, with North Korean operatives using AI for employment fraud at scale while security vendors deploy autonomous agent platforms—the outcome of this arms race will determine the industry’s trajectory.

The ransomware ecosystem’s fragmentation into 60+ simultaneous groups, combined with AI lowering technical barriers to entry, suggests the threat landscape will grow more diffuse and harder to track. Meanwhile, the 45:1 ratio of machine-to-human identities and 81% of intrusions being malware-free indicate traditional perimeter defenses and signature-based detection are increasingly inadequate. Security leaders must prioritize zero-trust architectures, continuous vulnerability management with aggressive patching timelines, supply chain security throughout vendor lifecycles, AI-powered detection and response capabilities, and international information sharing partnerships. The week’s events make clear that cybersecurity has transcended IT concerns to become a national security imperative requiring coordination across intelligence agencies, law enforcement, and private sector at unprecedented levels.

Sources

  • BankInfoSecurity
  • BleepingComputer
  • CrowdStrike Blog
  • CyberScoop
  • Cybernews
  • Cybersecurity Dive
  • Cybersecurity Ventures
  • Dark Reading
  • SecurityWeek
  • The Hacker News
  • The Record from Recorded Future News