Cybersecurity Update 20 September - 3 October 2025
Melissa Hathaway
United States of America
Oracle E-Business Suite Exploited. On 29 September 2025, the Cl0p ransomware syndicate claimed to have breached Oracle’s E-Business Suite, which runs core operations including financial, supply chain and customer relationship management. The malicious actor provided proof of compromise to victims, including screenshots and file trees. According to Oracle, its “ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update.” Google Threat Intelligence Group (GTIG/Mandiant) is tracking this activity and states that the malicious actors are using a “high-volume email campaign” launched from hundreds of compromised accounts and are now using the stolen information to extort victim companies. The ransom demands range from $10-50M. (Oracle Blog, Bloomberg, CyberScoop, HackerNews, InfoSecurity, Reuters)
Red Hat Confirms Breach of One of Its GitLab Instances Supporting Its Consulting Business. In mid-September 2025, a malicious actor named Crimson Collective claimed to have stolen nearly 570GB of compressed data across 28,000 internal development repositories from one of Red Hat’s GitLab instances. The data includes at least 800 Customer Engagement Reports (CERs) that contain project specifications, example code snippets and internal communications about the consulting services. The directory listing of CERs spans a wide range of sectors and well-known organizations such as Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Navy’s Naval Surface Warfare Center, the Federal Aviation Administration, the House of Representatives, and many others. Red Hat states “this incident is unrelated to a Red Hat OpenShift AI vulnerability (CVE-2025-10725) that was announced on 28 September 2025.” (Red Hat Blog, Bleeping Computer, CyberScoop)
California Passes AI Law. On 29 September 2025, Governor Newsom signed into law Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA). The law requires major AI companies to publicly disclose their risk management, safety frameworks, cybersecurity and governance practices for their models. It also establishes whistleblower protections for AI workers and tasks a state agency with laying the groundwork for a public cloud computing cluster. Businesses will need to adapt procurement, compliance and risk management processes to ensure partners and internal management practices meet the requirements of the law. Anthropic was the first major AI company to support the legislation; CEO Dario Amodei stated that he hoped it would inspire federal AI transparency regulations. California is home to 32 of the 50 leading AI companies. (CA Press Release, Politico, Forbes, CIO Dive)
CISA Terminates Funding for MS-ISAC. On 1 October 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) terminated its financial support to the Multi-State Information Sharing and Analysis Center (MS-ISAC) — the non-profit that has provided free and low-cost cybersecurity services and intelligence sharing to state, local, tribal, and territorial (SLTT) governments since 2004. The investment was quite minimal, with funding at $27M a year. The Center for Internet Security (CIS) responded: “The MS-ISAC, operated by Center for Internet Security (CIS), has been this nation’s most successful public-private partnership. While we are disappointed by this decision, as a nonprofit and nonpartisan organization, CIS remains committed to the SLTT community. The new fee-based membership model for the MS-ISAC will permit it to continue to deliver high-impact cybersecurity services including threat intelligence in a variety of forms and formats, best practices and collaboration opportunities, and effective monitoring, blocking, and response to cyber attacks.” (The Register)
SEC Approves Generic Listing Standards for Commodity-Based Trust Shares. On 17 September 2025, the U.S. Securities and Exchange Commission (SEC) approved generic listing standards for spot crypto exchange-traded products, making them simpler and faster to bring to market — a move analysts say could reshape how money flows into digital assets. The agency approved listing standards for "commodity-based trust shares" across regulated exchanges including Nasdaq, Cboe BZX and NYSE Arca. The new rules remove the need for each crypto ETP to undergo its own individual rule filing under Section 19(b) of the Exchange Act. Instead, an offering whose underlying assets satisfy certain objective eligibility tests — for example, if the crypto trades on a market that is a member of the Intermarket Surveillance Group (ISG), or if the underlying asset's futures contract has been listed on a CFTC-regulated designated contract market for at least six months — can be listed using these generic standards. SEC Chairman Atkins stated, “By approving these generic listing standards, we are ensuring that our capital markets remain the best place in the world to engage in the cutting-edge innovation of digital assets. This approval helps to maximize investor choice and foster innovation by streamlining the listing process and reducing barriers to access digital asset products within America’s trusted capital markets.” In addition to the approval of the generic listing standards for Commodity-Based Trust Shares, the Commission approved the listing and trading of the Grayscale Digital Large Cap Fund, which holds spot digital assets based on the CoinDesk 5 Index. The Commission also approved the listing and trading of p.m.-settled options on the Cboe Bitcoin U.S. ETF Index and the Mini-Cboe Bitcoin U.S. ETF Index with third Friday expirations, nonstandard expirations, and quarterly index expirations. (SEC, Coindesk, BitwiseInvestments)
ChatGPT Agents Can Be Manipulated to Bypass CAPTCHA Protections. On 16 September 2025, researchers at Cornell University published an analysis showing that ChatGPT agents can be manipulated to bypass CAPTCHA protections and internal safety rules, raising serious concerns about the security of large language models (LLMs) in enterprise environments. CAPTCHA systems are designed to prevent bots from mimicking human actions. But the researchers showed, using prompt injection, that even advanced anti-bot systems and AI guardrails could be circumvented when contextual manipulation is involved. There are no reports of this being exploited in the wild. Yet malicious actors could exploit these weaknesses to instruct AI tools to process confidential files, execute harmful code, or generate disallowed content while appearing compliant with internal policies. (Cornell University Paper, E-security Planet)
AI-Generated “Workslop” is Destroying Productivity. On 22 September 2025, the Harvard Business Review released a paper in collaboration with Stanford’s Social Media Lab that states employees are using AI tools to create low-effort, passable-looking work that ends up creating more work for their coworkers. On social media, which is increasingly clogged with low-quality AI-generated posts, this content is often referred to as “AI slop.” In the context of work, the researchers refer to this phenomenon as “workslop.” They define workslop as AI-generated work content that masquerades as good work but lacks the substance to meaningfully advance a given task. The research, based on a survey of 1,150 workers, is the latest analysis to suggest that the injection of AI tools into the workplace has not resulted in some magic productivity boom and instead has just increased the amount of time that workers say they spend fixing low-quality AI-generated “work.” An MIT study found that “Despite $30–40 billion in enterprise investment into GenAI; a surprising result in that 95% of organizations are getting zero return … Despite high-profile investment, industry-level transformation remains limited.” The Financial Times reported that “the biggest US-listed companies keep talking about artificial intelligence. But other than the ‘fear of missing out,’ few appear to be able to describe how the technology is changing their businesses for the better.” “Most of the anticipated benefits, such as increased productivity, were vaguely stated and harder to categorize than the risks.” (HBR Paper, FT, MIT State of AI Study)
Entra ID Vulnerability, Finally Patched. On 14 July 2025, security researcher Dirk-jan Mollema discovered and reported a significant flaw in Azure Entra ID that could lead to full tenant compromises. It stemmed from a failure in token validation, exacerbated by service-to-service actor tokens and a legacy API flaw. Malicious actors could bypass Conditional Access Policies and access sensitive data without detection. The researcher’s findings showed that undocumented “Actor tokens,” combined with a validation failure in the legacy Azure AD Graph API, could be abused to impersonate any user in any Entra ID tenant, even a Global Administrator. To put it simply, a single token, obtained from any test tenant, could have granted complete administrative control over every Microsoft Entra ID (Azure AD) tenant in the world. Microsoft has patched the flaw, but organizations should migrate apps from the deprecated Azure AD Graph API to Microsoft Graph. With a valid NetID of a Global Admin, the door opens to enable full takeover of Microsoft 365, Azure subscriptions, and connected services. These vulnerabilities highlight once again the poor security of Microsoft's own security products. (Microsoft, HackerNews, HackRead, Wired, The Register, Dirk Jan Mollema, Tide)
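The migration advice above is easy to state and tedious to act on; the first step is finding which app registrations still request Azure AD Graph permissions. The script below is an added example (not from the newsletter, Microsoft or the researcher) that audits a dump of app registrations in the JSON shape returned by Microsoft Graph's /applications endpoint; the two resource app IDs are the well-known first-party IDs for Azure AD Graph and Microsoft Graph, and the app records are constructed sample data.

```python
"""Audit Entra ID app registrations for dependencies on the deprecated Azure AD Graph API.

Added example. Assumes the input follows the Microsoft Graph /applications shape,
where each app carries a `requiredResourceAccess` list keyed by `resourceAppId`.
The sample applications below are constructed for this example.
"""
import json
from typing import Any, Dict, List

# Well-known first-party resource application IDs (identical in every tenant).
AZURE_AD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"   # Azure AD Graph (deprecated)
MICROSOFT_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

# Constructed sample: three app registrations, all IDs made up for the example.
SAMPLE_APPLICATIONS: List[Dict[str, Any]] = json.loads("""
[
  {"displayName": "legacy-hr-sync", "appId": "11111111-1111-4111-8111-111111111111",
   "requiredResourceAccess": [
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "aaaaaaaa-0000-4000-8000-000000000001", "type": "Role"}]}]},
  {"displayName": "modern-reporting", "appId": "22222222-2222-4222-8222-222222222222",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "aaaaaaaa-0000-4000-8000-000000000002", "type": "Scope"},
                         {"id": "aaaaaaaa-0000-4000-8000-000000000003", "type": "Scope"}]}]},
  {"displayName": "partially-migrated-portal", "appId": "33333333-3333-4333-8333-333333333333",
   "requiredResourceAccess": [
     {"resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "aaaaaaaa-0000-4000-8000-000000000002", "type": "Scope"}]},
     {"resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [{"id": "aaaaaaaa-0000-4000-8000-000000000004", "type": "Scope"},
                         {"id": "aaaaaaaa-0000-4000-8000-000000000005", "type": "Role"}]}]}
]
""")


def azure_ad_graph_permissions(app: Dict[str, Any]) -> Dict[str, int]:
    """Count the Azure AD Graph permissions an app requests, by type.

    "Role" entries are application (app-only) permissions; "Scope" entries are
    delegated permissions exercised on behalf of a signed-in user.
    """
    counts = {"Role": 0, "Scope": 0}
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != AZURE_AD_GRAPH_APP_ID:
            continue
        for access in resource.get("resourceAccess", []):
            kind = access.get("type")
            if kind in counts:
                counts[kind] += 1
    return counts


def uses_azure_ad_graph(app: Dict[str, Any]) -> bool:
    """True if the registration still requests any Azure AD Graph permission."""
    return any(n > 0 for n in azure_ad_graph_permissions(app).values())


def find_azure_ad_graph_dependencies(apps: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One finding per app that still depends on Azure AD Graph, in input order."""
    findings = []
    for app in apps:
        counts = azure_ad_graph_permissions(app)
        if not any(counts.values()):
            continue
        # An app that already requests Microsoft Graph too is mid-migration.
        also_ms_graph = any(r.get("resourceAppId") == MICROSOFT_GRAPH_APP_ID
                            for r in app.get("requiredResourceAccess", []))
        findings.append({
            "displayName": app.get("displayName"),
            "appId": app.get("appId"),
            "application_permissions": counts["Role"],
            "delegated_permissions": counts["Scope"],
            "partially_migrated": also_ms_graph,
        })
    return findings


if __name__ == "__main__":
    for f in find_azure_ad_graph_dependencies(SAMPLE_APPLICATIONS):
        flag = " [partially migrated]" if f["partially_migrated"] else ""
        print(f"{f['displayName']} ({f['appId']}): {f['application_permissions']} app-only, "
              f"{f['delegated_permissions']} delegated Azure AD Graph permissions{flag}")
```

Point the same function at a real export (for example the JSON returned by `GET /applications`) to get the migration backlog for a tenant.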
Cisco Products Actively Exploited. On 25 September 2025, roughly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances exposed on the public web were vulnerable to two vulnerabilities actively exploited by hackers. “Cisco assesses that this campaign is connected to a nation state malicious actor — ArcaneDoor — and that this malicious actor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024.” The Federal Risk and Authorization Management Program (FedRAMP) is requiring FedRAMP-authorized cloud service providers (CSPs) to identify and report all Cisco Adaptive Security Appliance (ASA) platforms, following the issuance of an emergency directive by the Cybersecurity and Infrastructure Security Agency (CISA). CISA ordered all government agencies to patch their systems by 26 September 2025 and respective contractors by 2 October 2025. (TechRadar, CISA Emergency Directive, Bleeping Computer, Cybersecurity Dive, MeriTalk)
Covert Communications Network Near United Nations Seized. On 23 September 2025, the US Secret Service announced that it discovered and dismantled a network of electronic devices (seizing 100,000 SIM cards and 300 co-located SIM servers) located throughout the New York tristate area. The operation, capable of sending 30 million texts per minute, could disable cellular towers, enable surveillance or espionage, launch phishing campaigns, and enable encrypted communication between potential threat actors and criminal enterprises. A preliminary analysis of the SIM cards showed links to a foreign nation and criminal groups, including cartels, highlighting overlaps between nation-state actors and cybercrime rings. (US Secret Service, CNN, Security Affairs, NYT)
China Backdoor in US Infrastructure. On 24 September 2025, Google Threat Intelligence Group (GTIG/Mandiant) published a report about a new China-linked malicious actor (UNC5221) that has embedded itself across U.S. infrastructure and enterprise service providers for more than a year. The BRICKSTORM backdoor is being used to target legal entities, SaaS providers, business process outsourcers, and technology companies. By breaching high-value service providers, researchers said the malicious actors can pivot into sensitive enterprise environments, marking a shift toward more persistent and technically advanced espionage operations. Mandiant notes that "[t]he value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.” Mandiant said the threat actor demonstrates a deep understanding of appliance-level blind spots, using modified startup scripts, web shells and in-memory payloads to evade detection and maintain persistence. BRICKSTORM's stealthy methods enable prolonged access, avoiding detection for an average of 393 days. (Mandiant, GovInfoSec, CybersecurityDive)
Three Industry Leaders Opt Out of MITRE ATT&CK Evaluations. On 22 September 2025, Microsoft, SentinelOne, and Palo Alto Networks opted out of the 2025 MITRE Engenuity ATT&CK evaluations. Industry experts suggest that the MITRE Engenuity “tests”, which simulate real-world attack scenarios to assess endpoint detection and response solutions, are increasingly viewed as promotional tools rather than drivers of genuine security advancements. The absence of key cybersecurity companies underscores a shift in industry priorities towards product innovation and customer-focused initiatives. (InfoSecMag)
Self-Replicating Worm Targets NPM Software Repository. On 15 September 2025, a self-propagating worm known as "Shai-Hulud" infected at least 180 code packages. Daniel Pereira, a senior backend software engineer, sounded the alarm regarding a large-scale software supply chain attack affecting the world's largest JavaScript registry, npmjs.com. The worm works by infecting a package, stealing any npm tokens it finds when that package is installed, using those tokens to publish compromised versions of further packages, and then continuing to spread. (KrebsOnSecurity, Bleeping Computer, Daniel Pereira Blog, StepSecurity)
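Two things a defender can check locally after a report like this are which installed packages run code at install time (the preinstall/install/postinstall lifecycle scripts, which is the point at which a malicious package can read a developer's or CI runner's tokens) and whether npm auth tokens sit in plaintext in `.npmrc` files, which is what such a worm harvests. The script below is an added example, not code from the newsletter or from any of the cited sources; the project tree and the token value it inspects are constructed inline.

```python
"""Local supply-chain hygiene check for a Node.js project (added example).

Lists installed packages with install-time lifecycle hooks and flags npm
auth tokens stored in plaintext in .npmrc files. The sample tree built by
build_sample_tree() is constructed for this example; the token is not real.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Standard .npmrc credential line: //registry.example/:_authToken=<token>
NPMRC_TOKEN_RE = re.compile(r"^\s*(?P<registry>//[^:]+/):_authToken\s*=\s*(?P<token>\S+)", re.M)


def find_install_scripts(root: Path) -> List[Dict[str, str]]:
    """Return every package under node_modules whose package.json declares install hooks."""
    node_modules = root / "node_modules"
    if not node_modules.is_dir():
        return []
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append({"name": pkg.get("name", manifest.parent.name),
                                 "version": pkg.get("version", "?"),
                                 "hook": hook, "command": scripts[hook]})
    return findings


def find_npmrc_tokens(root: Path) -> List[Dict[str, str]]:
    """Return registry/token pairs stored literally in any .npmrc under root."""
    hits = []
    for npmrc in sorted(root.rglob(".npmrc")):
        for m in NPMRC_TOKEN_RE.finditer(npmrc.read_text(encoding="utf-8")):
            token = m.group("token")
            # ${VAR} references are fine: the secret lives in the environment, not the file.
            if token.startswith("${") and token.endswith("}"):
                continue
            hits.append({"file": npmrc.relative_to(root).as_posix(),
                         "registry": m.group("registry"),
                         "token_prefix": token[:8] + "..."})  # never print the full token
    return hits


def audit(root: Path) -> Dict[str, List[Dict[str, str]]]:
    return {"install_scripts": find_install_scripts(root),
            "plaintext_tokens": find_npmrc_tokens(root)}


def build_sample_tree(root: Path) -> None:
    """Construct a small project: one clean package, one with a postinstall hook,
    one nested dependency with a preinstall hook, and two .npmrc files."""
    def write_pkg(path: Path, name: str, scripts: Optional[Dict[str, str]] = None) -> None:
        path.mkdir(parents=True, exist_ok=True)
        manifest = {"name": name, "version": "1.0.0"}
        if scripts:
            manifest["scripts"] = scripts
        (path / "package.json").write_text(json.dumps(manifest), encoding="utf-8")

    nm = root / "node_modules"
    write_pkg(nm / "left-pad-ish", "left-pad-ish")
    write_pkg(nm / "color-helper", "color-helper", {"postinstall": "node bundle.js"})
    write_pkg(nm / "color-helper" / "node_modules" / "tiny-dep", "tiny-dep",
              {"preinstall": "node setup.js", "test": "echo ok"})
    # Constructed token value, not a real credential.
    (root / ".npmrc").write_text(
        "//registry.npmjs.org/:_authToken=npm_EXAMPLEtokenvalue0000000000\n", encoding="utf-8")
    (root / "ci").mkdir()
    (root / "ci" / ".npmrc").write_text(
        "//registry.npmjs.org/:_authToken=${NPM_TOKEN}\n", encoding="utf-8")


def run_sample_audit() -> Dict[str, List[Dict[str, str]]]:
    """Build the constructed tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp)
        build_sample_tree(project)
        return audit(project)


if __name__ == "__main__":
    print(json.dumps(run_sample_audit(), indent=2))
```

Run `audit(Path("."))` in a real checkout; a long list of install hooks is normal for native modules, so the useful signal is a hook appearing in a package that did not have one in the previously installed version.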
DoD Releases The Cybersecurity Risk Management Construct (CSRMC). The CSRMC is the DoD’s new real-time framework that replaces the previous Risk Management Framework (RMF). The CSRMC offers a faster, more adaptive approach focused on automation, continuous monitoring, and resilience. The framework is composed of a five-phase lifecycle and 10 foundational tenets. The five phases are: (1) Design, which embeds security from the outset; (2) Build, where secure systems are implemented at initial operating capability; (3) Test, which validates and stress-tests before full operating capability; (4) Onboard, where continuous monitoring is activated; and (5) Operations, which uses real-time dashboards for rapid threat detection and response. In addition to its phased lifecycle, the CSRMC is grounded in 10 core principles: (1) automation for efficiency, (2) critical controls for focused security, (3) continuous monitoring and real-time authority to operate, (4) DevSecOps for agile development, (5) cyber survivability in contested environments, (6) ongoing training, (7) use of enterprise services to reduce duplication, (8) operationalization for real-time risk visibility, (9) reciprocity to reuse assessments, and (10) threat-informed cybersecurity testing. (Press Release)
OpenAI Teams Up with Oracle and SoftBank to Build Mega-datacenters. The new sites will boost Stargate’s planned capacity to nearly 7 gigawatts—about equal to the output of seven large nuclear reactors. Three of the new sites, in Shackelford County, Texas; Doña Ana County, New Mexico; and a yet-to-be-disclosed location in the Midwest, are being developed in partnership with Oracle. The move follows an agreement Oracle and OpenAI announced in July 2025 to develop up to 4.5 gigawatts of US data center capacity on top of what the two companies are already building at the first Stargate facility in Abilene. On 22 September 2025, OpenAI and NVIDIA announced a letter of intent for a landmark strategic partnership to deploy at least 10 gigawatts of NVIDIA systems for OpenAI’s next-generation AI infrastructure to train and run its next generation of models on the path to deploying super-intelligence. NVIDIA stated it would invest $100 billion progressively as each gigawatt is deployed. The first gigawatt of NVIDIA systems will be deployed in the second half of 2026. (Wired, OpenAI, NYT, Nvidia Press Release)
Tractor Supply Hit With $1.35 Million Privacy Fine Under CCPA. On 30 September 2025, the California Privacy Protection Agency fined Tractor Supply $1.35 million for multiple privacy failures, including a lack of opt-out options, missing privacy notices, and unapproved data-sharing. Tractor Supply agreed to change its business practices, appoint a company official to certify compliance for the next four years, and ensure it is not using tracking technologies. (The Record, Bloomberg)
Breach at Motility Software Solutions Impacts 766k Customers. On 29 September 2025, Motility Software Solutions (formerly known as Systems 2000/Sys2K), a provider of dealer management software (DMS), notified the Maine Attorney General of a ransomware event that it discovered on 19 August 2025. Motility’s DMS software is used by 7,000 dealerships (automotive, powersports, marine, heavy-duty, and RV retail) across the United States. Its products cover customer relationship management (CRM), inventory management, sales, accounting, financials, service operations, rental and fleet tracking, as well as mobile or web access to control dashboards. The company stated that the malware restricted access to internal data and that forensic evidence indicates the attacker "may have removed limited files containing customers’ personal data.” At least 766,670 customers are affected. To date, no ransomware group has claimed responsibility for the attack at Motility. (Bleeping Computer, Maine AG)
Microsoft Revokes Certain Cloud Services from the Israeli Military. On 25 September 2025, Microsoft announced that it ceased and disabled a set of services to a unit within the Israel Ministry of Defense (IMOD). This followed a 15 August investigation by Microsoft after the Guardian published an article that claimed the IDF's Unit 8200 was using Microsoft's Azure servers in Europe to store millions of recordings of phone calls made by Palestinian civilians. Brad Smith’s letter states "While our review is ongoing, we have found evidence that supports elements of The Guardian’s reporting. This evidence includes information relating to IMOD consumption of Azure storage capacity in the Netherlands and the use of AI services.” Smith outlined the following two reasons for cutting the services: "First, we do not provide technology to facilitate mass surveillance of civilians. We have applied this principle in every country around the world, and we have insisted on it repeatedly for more than two decades. This is why we explained publicly on August 15 that Microsoft’s standard terms of service prohibit the use of our technology for mass surveillance of civilians. Second, we respect and protect the privacy rights of our customers. This means, among other things, that we do not access our customers’ content in this type of investigation.” Microsoft will continue providing other services to Israel, including those related to cybersecurity. (Microsoft Blog, CNBC, The Guardian)
International Items of Interest
SWIFT to Build a Blockchain-Based Ledger. On 29 September 2025, Javier Pérez-Tasso, CEO of SWIFT (Society for Worldwide Interbank Financial Telecommunication), announced that SWIFT intends to begin to design and build a blockchain-based ledger with more than 30 global financial institutions including JPMorgan Chase & Co., HSBC Holdings Plc, Bank of America Corp. and Deutsche Bank AG. The first prototype will be focused on real-time, 24/7 cross-border payments and will be built using technology from the US blockchain software firm Consensys, which is run by Ethereum co-founder Joseph Lubin. The ultimate goal of SWIFT’s blockchain-based infrastructure will be to allow its members to use the network for transactions involving various kinds of digital assets, such as stablecoins, tokenized deposits or other tokenized assets. SWIFT “provides powerful and effective rails today and are moving at a rapid pace with our community to create the infrastructure stack of the future. Through this initial ledger concept, we are paving the way for financial institutions to take the payments experience to the next level with SWIFT’s proven and trusted platform at the centre of the industry’s digital transformation.” For decades, SWIFT has been the invisible infrastructure connecting 11,500 financial institutions across more than 200 countries and territories. Every cross-border payment, every international wire transfer, every trade settlement—nearly all of them moved through
Euro Stablecoin to Launch in Second Half of 2026. On 29 September 2025, nine European banks (UniCredit SpA, ING Groep NV, DekaBank, Banca Sella, KBC Group NV, Danske Bank AS, SEB AB, CaixaBank SA and Raiffeisen Bank International AG) joined forces to develop a euro-based stablecoin as an alternative in a market dominated by dollar-backed tokens. The consortium has established a new company in the Netherlands to house the project and issue the token. Customers can then pay, receive, or hold digital euros. The banks said the initiative “will provide a real European alternative to the US-dominated stablecoin market, contributing to Europe’s strategic autonomy in payments.” (Bloomberg, CoinDesk, TechInformed)
European Airport Disruption Caused by Collins Aerospace Cloud Platform. On 19 September 2025, a malicious actor ransomed Collins Aerospace’s Muse software, a cloud-based platform used for electronic check-ins and boarding. The HardBit ransomware attack brought check-in systems offline at several major airports, including Berlin, Brussels, Dublin, and Heathrow, and hundreds of flights have been delayed or canceled since the incident began. It is unclear which malicious actor conducted the attack. In a statement to Reuters, RTX stated that “the impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations.” Collins told staff not to turn off computers or log out of the Muse software if they were logged in. The European Union Agency for Cybersecurity (ENISA) stated that this was a ransomware incident. The UK’s National Crime Agency arrested a man in his forties in West Sussex (near a major Collins facility) on suspicion of Computer Misuse Act offenses. (Reuters, SocRadar, CNBC, BBC, Brussels Airport Blog, Heathrow Post on X, Security Week, Cybersecurity Dive, Bleeping Computer, The Guardian)
Asahi Brewing Offline in Japan. On 30 September 2025, Japanese brewing company Asahi Group Holdings announced that its operations in the country have been disrupted by a cyberattack. Production at some of Asahi’s 30 domestic factories has been halted. The system failure is limited to its operations within Japan. It has suspended order and shipment operations at group companies in Japan, as well as call centers, which include its customer service desks. It is unclear when operations will restart. (Security Week, Reuters, Bloomberg, CNN)
China Tells Grumps, Trolls, and AIs to Stop Emoting Online. On 22 September 2025, China’s Cyberspace Administration announced a two-month campaign to quash netizens who “maliciously incite negative emotions.” The CAC’s announcement states that it will moderate content hosted by social media platforms, short video services, the live-streaming platforms used by Chinese e-commerce sites to host infomercials, and even delve into comments left across the Internet. The sentiments that China wants to stop include “excessively exaggerating negative and pessimistic sentiment” through content with themes such as “hard work is useless” and “studying is useless.” Platforms and individuals that create or host the types of content mentioned above face punishment. (The Register, CAC Announcement)
The UK Government Plans to Roll Out Mandatory Digital Identities for Citizens. On 26 September 2025, Prime Minister Starmer announced that he intends to introduce a national identity card to block “unauthorized” immigration and make it simpler for people to access health care, welfare, child care and other public services. He stated the new ID system would be in place before the next election, due by 2029. On 2 October 2025, the UK parliament stated that it intends to introduce a digital ID to help tackle illegal migration, make accessing government services easier, and enable wider efficiencies. The U.K. has long resisted national identity cards (while much of Europe has them), fearing surveillance, unnecessary data collection and tracking. (The Guardian, UK Petition, AP)
UK Establishes Fourth Armed Forces Command Focused on Cyber and AI. On 1 September 2025, the UK Ministry of Defence announced the completion of the reorganization of the Cyber and Specialist Operations Command (CSOC). CSOC’s mission is to consolidate cyber and other specialized capabilities in order to enhance the United Kingdom’s security and improve its readiness for conflict. Among its responsibilities, CSOC is tasked with operating advanced cyber warfare and electromagnetic warfare capabilities for military purposes, as well as strengthening the protection of critical infrastructure, supply chains, and the civilian population. In addition, the new command will promote the use of data-driven approaches and artificial intelligence to generate secure, reliable, and continuous information streams for military use. It replaced Strategic Command and, according to its Commanding Officer, General Sir Jim Hockenhull, the choice of name defines "a transformation in posture, purpose, and mindset”. CSOC now operates under the direction of the newly established Military Strategic Headquarters (MSHQ), which is the single strategic authority for force design, planning, and capability investment. As part of this structure, Commander CSOC (a four-star post) now reports directly to the Chief of the Defence Staff (CDS). (UK Press Release, Defense Online, Defense 24)
China Introduces Cyber Incident Reporting Regulation. On 11 September 2025, China finalized new regulations (Measures for the Management of National Network Security Incident Reports) that require 1-hour reporting of severe cybersecurity incidents starting on 1 November 2025. The requirements, described in a notice published by the Cyberspace Administration of China (CAC), require network operators who build, operate, or provide services in China and its territories to report any security incidents to the appropriate ministry. The regulation requires network operators to grade any incident and, if the security event impacted "key infrastructure," report the incident within an hour — if it affects over half a province or 10 million people. For "a major or particularly important network security incident," the regulations require notification within 30 minutes. Cybersecurity incidents are divided into 4 categories: (1) Extremely Severe Cybersecurity Incidents; (2) Severe Cybersecurity Incidents; (3) Relatively Severe Cybersecurity Incidents; and (4) General Cybersecurity Incidents. In addition, network operators must require service providers (e.g., cybersecurity vendors, system maintenance teams) to promptly report any detected cybersecurity incidents and assist in fulfilling their reporting obligations. This should be formalized through contracts or other binding arrangements. Operators who fail to report cybersecurity incidents will be penalized in accordance with the relevant laws and regulations, with severe penalties for situations where an operator delays, omits, falsely reports, or conceals cybersecurity incidents leading to severe consequences. (Security Boulevard, Dark Reading, CAC Notice, Herbert Smith)
Afghanistan’s Nationwide Internet Blackout. On 29 September 2025, authorities in Afghanistan shut down internet and telecommunications services nationwide leaving millions without access to digital communication, banking, and essential public services (e.g., medical care, food delivery, online education, and air travel). The outage followed a partial disruption earlier in September when the Taliban blocked fiber connections in more than half a dozen provinces, saying the move was needed to curb “immoral acts.” The United Nations mission in Afghanistan (UNAMA) urged the authorities to immediately restore services, saying the blackout “has far-reaching consequences,” including disruptions to financial systems, aviation, medical care and remittances. UNAMA also stated that the blackout also restricts freedom of expression and increases the isolation of women and girls. (The Record, AMU)
ENISA Threat Landscape Report. On 1 October 2025, ENISA, the EU Agency for Cybersecurity, released its annual threat landscape report, which examined nearly 4,900 cyberattacks that occurred between July 2024 and June 2025 and offers insights into the broad cyber trends affecting the continent. Key findings include: (1) DDoS attacks – largely launched by hacktivists – were by far the most common cyber incident, accounting for just under 77% of reported incidents. (2) Supply chain attacks are on the rise, and the lines between hacktivism, cybercrime and state-sponsored threats continue to blur, with “increasingly shared toolsets and modus operandi.” (3) Ransomware was by far the most dominant malware type, accounting for 83.5% of all malware identified in intrusions. (ENISA Report, CyberExpress)