Cybersecurity Update 6-19 September 2025
- Melissa Hathaway

United States of America
SalesLoft Breach was Due to GitHub. On 6 September 2025, Salesloft published an update regarding Mandiant's investigation into the attacks and provided more clarity on how the malicious actor compromised the supply chain. From March through June 2025, the malicious actor accessed the Salesloft GitHub account, which contained the company's private source code. With this access, the malicious actor was able to download content from multiple repositories, add a guest user, and establish workflows. “The malicious actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.” Specifically, they were able to steal the OAuth tokens — master keys — used for integrations like Salesforce and Google Workspace. The Federal Bureau of Investigation (FBI) released a FLASH notice to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activity observed targeting organizations’ Salesforce platforms via different initial access mechanisms. The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using the compromised Salesloft Drift OAuth tokens. Google Threat Intelligence Group (GTIG, aka Mandiant) reported that the stolen Case data was analyzed for hidden secrets, such as credentials, authentication tokens, and access keys, to enable the malicious actors to pivot into other environments for further malicious activity. “GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens.” The stolen Drift and Drift Email tokens were used in large-scale data theft campaigns that hit major companies including BeyondTrust, Cato Networks, Cloudflare, CyberArk, Google, Nutanix, PagerDuty, Palo Alto Networks, Proofpoint, Rubrik, Qualys, SpyCloud, Tenable, and Zscaler. (SalesLoft, DarkReading, FBI Flash, BleepingComputer, eSecurity, HackRead)
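Because the stolen Case data was mined for AKIA access keys and pasted passwords, a defender-side control is to scan and redact support cases for such material before they are synced to any third-party integration. The following is an added example, not code from Salesloft, Mandiant or Salesforce; the case records, field names and secrets are constructed, and the AKIA pattern reflects the documented 20-character access key ID format.

```python
import re
from typing import Dict, List, Tuple

# AWS access key IDs are 20 characters and begin with "AKIA", the prefix
# the GTIG quote above refers to. Pattern is public knowledge; sample data is constructed.
AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# "password = value" style assignments commonly pasted into tickets.
# Group 1 = keyword, group 2 = separator, group 3 = the secret itself.
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)(\s*[:=]\s*)(\S+)")

def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be traced, hide the rest."""
    return secret[:keep] + "*" * (len(secret) - keep)

def scan_case(case: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (case_id, field, masked_secret) for every secret found in the case text."""
    findings = []
    for field in ("Subject", "Description"):   # constructed field names
        text = case.get(field, "")
        for m in AKIA_RE.finditer(text):
            findings.append((case["Id"], field, mask(m.group(0))))
        for m in PASSWORD_RE.finditer(text):
            findings.append((case["Id"], field, mask(m.group(3))))
    return findings

def scan_cases(cases: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    results = []
    for case in cases:
        results.extend(scan_case(case))
    return results

def redact_text(text: str) -> str:
    """Mitigation: rewrite the text so only masked secrets remain before it is stored or synced."""
    text = AKIA_RE.sub(lambda m: mask(m.group(0)), text)
    return PASSWORD_RE.sub(lambda m: m.group(1) + m.group(2) + mask(m.group(3)), text)

# Constructed sample cases: one leaked key, one pasted password, one harmless mention of "AKIA".
SAMPLE_CASES = [
    {"Id": "500C1", "Subject": "Integration failing",
     "Description": "Our sync stopped. Key AKIAIOSFODNN7EXAMPLE returns AccessDenied."},
    {"Id": "500C2", "Subject": "Login issue",
     "Description": "Reset did not work, password=Winter2025! still fails."},
    {"Id": "500C3", "Subject": "Question about AKIA prefix",
     "Description": "Docs say access keys start with AKIA; no key pasted here."},
]

if __name__ == "__main__":
    for finding in scan_cases(SAMPLE_CASES):
        print(finding)
```

The third sample case shows the word-boundary and length check avoiding a false positive on a bare mention of the prefix.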
Microsoft Invests in Three Large AI Datacenters. On 18 September 2025, Microsoft announced that it would take over Foxconn’s LCD factory and turn it into an AI datacenter. It also announced that it was investing in purpose-built datacenters and infrastructure in Narvik, Norway and Loughton, UK to support the global adoption of cutting-edge AI workloads and cloud services. The new data center in Fairwater, Wisconsin is massive at 1.2 million square feet spread over three buildings on 315 acres of land. Under those roofs are “hundreds of thousands” of Nvidia’s GB200 GPUs. Microsoft claims this cluster of interconnected GPUs is ten times more powerful than the fastest supercomputer and will greatly accelerate its AI training efforts. “These AI datacenters are significant capital projects, representing tens of billions of dollars of investments and hundreds of thousands of cutting-edge AI chips, and will seamlessly connect with our global Microsoft Cloud of over 400 datacenters in 70 regions around the world.” (The Verge, Microsoft Blog)
New AI Ransomware. On 26 August 2025, ESET released research about a new piece of malicious ransomware using artificial intelligence (AI). It is dubbed PromptLock – a piece of malicious software that hijacks computer systems until a price is paid and “may exfiltrate data, encrypt it, or potentially destroy it” using artificial intelligence. It turns out that the malicious software was created at NYU. The NYU team said they created the malware prototype as part of their research into the potential dangers of AI — “Ransomware 3.0” — using large language models to probe a victim’s computer environment, locate sensitive information and generate malicious code. Attackers don’t need to know how to code; they can just tell the model what to do. The model also writes ransom notes, tailoring each to the victim based on what it finds on the system. (NYU Paper, CyberScoop)
Cyber Insurance Provider, Resilience, Published Mid-Year Cyber Trends. On 9 September 2025, Resilience released its mid-year Cyber Risk Report, revealing that financial incentives are driving cybercriminals to be more creative and, as a result, the consequences of attacks are becoming more severe. Ransomware accounted for 91% of all incurred losses among Resilience's customer base in the first half of 2025, and victims are paying more to recover. Cybercriminals are employing more sophisticated methods, such as double extortion—demanding separate payments for data decryption and to prevent public data release—and AI-powered social engineering. The manufacturing, healthcare, and retail industries were the most targeted sectors during the period. (Resilience Mid-Year Cyber Risk Report, Cybersecurity Dive)
New FICO and Corinium Study Reveals Global Financial Institutions Abandon GenAI Hype for Responsible AI Standards. On 4 September 2025, global analytics software leader FICO announced its State of Responsible AI in Financial Services: Unlocking Business Value at Scale global report, developed in collaboration with Corinium Global Intelligence. The report surveyed more than 250 C-Suite financial services leaders, including Chief Analytics/AI Officers (CAO and CAIO), Chief Technology Officers (CTO), and Chief Information Officers (CIO) who are focused on AI, data, IT, and technology. Leaders were asked to evaluate their organizations' current capabilities, challenges, and plans regarding adopting Responsible AI. Financial firms want stronger AI governance to achieve measurable returns on investments in the technology. Of the executives surveyed, nearly two-thirds cited lack of predictability as a barrier to scaling AI capabilities, and more than half pointed to inadequate model monitoring. Almost three-quarters said their organization lacked sufficient collaboration between business and IT teams. (FICO, CIODive)
US-UK Joint Quantum Initiative. On 19 September 2025, the U.S. National Science Foundation (NSF) and United Kingdom Research and Innovation (UKRI) announced their partnership and investment in eight joint research projects that could open the door to breakthroughs in quantum computing, ultra-precise navigation and secure communications. NSF is pitching in $4.7 million for the effort, while UKRI is chipping in £4.2 million. Potential applications of the research include ultra-sensitive molecular compasses, molecular-scale memory systems, and new types of qubits. Training opportunities for graduate students and early-career researchers will also be made available under the partnership, where students can research quantum optics, molecular spectroscopy, and nanofabrication. (NSF, MeriTalk, White House UK Prosperity Deal)
DoD Cyberspace Operations: About 500 Organizations Have Roles, with Some Potential Overlap. On 17 September 2025, the Government Accounting Office (GAO) published a report on the Department of Defense’s (DoD) complex array of components and supporting elements that conduct cyberspace operations. DoD has established almost 440 organizations, containing about 61,000 military and civilian personnel (and over 9,500 contractors), to conduct cyberspace operations. These organizations are most often aligned with U.S. Cyber Command (CYBERCOM) or retained by the military services, and they conduct a mixture of offensive, defensive, and DOD Information Network operations. To enable the organizations conducting cyberspace operations, each unit is supported by organizations providing budgetary, personnel, policy, and training support. GAO identified 70 organizations and about 3,400 personnel that provide support to cyberspace operations. Two key recommendations from GAO are: (1) The Secretary of Defense should ensure that the Assistant Secretary of Defense for Cyber Policy assesses the extent to which similar cyberspace training courses provided by the services overlap and can be consolidated, to ensure that the military services are implementing a federated and joint training model in a manner that achieves efficiencies and reduces training development and delivery costs; and (2) The Secretary of Defense should ensure that the Assistant Secretary of Defense for Cyber Policy assesses the extent to which there are opportunities to achieve cost savings and efficiencies by consolidating DOD cybersecurity service providers. The Pentagon reportedly concurred with the recommendations and the report more broadly. (Bloomberg, GAO Report, Defense Scoop)
Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence. On 10 September 2025, Senator Ron Wyden sent a letter to the Federal Trade Commission (FTC) urging it to launch an investigation of Microsoft for contributing to ransomware attacks against critical U.S. infrastructure, including the hack of millions of patient records from Ascension, the major hospital system. "Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable," Wyden wrote in a four-page letter to FTC Chairman Andrew Ferguson, likening Redmond to an "arsonist selling firefighting services to their victims.” Wyden has repeatedly called on federal agencies to hold Microsoft responsible for its years-long pattern of selling dangerously insecure software to the government. (Wyden Letter, HackerNews, ArsTechnica)
Final Critical Infrastructure Cyber Incident Reporting Rule Delayed to May 2026. The Cybersecurity and Infrastructure Security Agency (CISA) will finalize regulations to implement certain aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) by 1 May 2026. The regulation requires covered entities to submit reports to CISA regarding covered cyber incidents and ransom payments. The Administration's decision to delay the final rule’s release was made “to examine options within the rulemaking process to address Congressional intent” and streamline requirements under the law, said CISA Director of Public Affairs Marci McCarthy. CISA “received a significant number of public comments on the proposed rule” that highlighted “the need to reduce the scope and burden, improve harmonization of CIRCIA with other federal cyber incident reporting requirements and ensure clarity” for stakeholders. The Cybersecurity Coalition and the U.S. Chamber of Commerce urged CISA to clarify whether internal system outages, third-party breaches or minor data leaks would require notification. The Business Roundtable urged CISA to "tailor the proposed rule to avoid unnecessary redundancy of cyber incident reporting while focusing its resources on the covered entities and incidents of greatest impact to cybersecurity.” (GovInfoSec, RegInfo)
FinWise Insider Breach Exposes 700K Customer Records. On 18 June 2025, American First Finance, LLC, a Dallas-based financial services firm, suffered a significant insider breach when a recently terminated employee exploited unauthorized access to its production database. The incident is being called the “FinWise insider breach” because a former employee of the company leveraged residual privileges left in an archived service account and exfiltrated nearly 689,000 sensitive customer records, including names, Social Security numbers, and other personal identifiers, via direct SQL queries and unmonitored API endpoints. Moving forward, American First Finance plans to implement just-in-time (JIT) access provisioning, enhance database encryption with AWS KMS, and deploy user behavior analytics (UBA) to detect anomalous insider activity. These measures aim to fortify its security posture and prevent future insider threats. (CybersecurityNews, Maine AG)
Starlink Outage Affects 40,000 Users. On 15 September 2025, Starlink’s satellite broadband network suffered a brief outage affecting at least 40,000 users in the US and Europe as well as communications along the front lines in Ukraine. Neither SpaceX nor Starlink has provided a detailed explanation for the cause of the outage. (The Register, Reuters, CNN)
International Items of Interest
Huawei Unveils AI Chip Roadmap. On 18 September 2025, Huawei Deputy Chairman of the Board and Rotating Chairman Xu gave a keynote themed "Groundbreaking SuperPoD Interconnect: Leading a New Paradigm for AI Infrastructure". During the event, Xu unveiled what Huawei calls the world's most powerful SuperPoDs and SuperClusters. Huawei outlined its multi-year plan to challenge Nvidia. It intends to link as many as 15,488 of its Ascend neural processing units for artificial intelligence and operate them as a coherent system. The next-generation Ascend 950 series will be accompanied by new high-bandwidth memory designed by Huawei. It also plans to roll out an Ascend 960 in late 2027, to be succeeded by a 970 model in late 2028. (Huawei Press Release, TechCrunch, Huawei Speech, Bloomberg)
China’s Great Firewall Data Exposed. On 11 September 2025, nearly 600 GB of material from the Great Firewall of China began appearing online, allegedly containing source code, internal communications, work logs, and technical documentation from groups said to be involved in building and maintaining the system. The data was leaked by Enlace Hacktivista, previously linked to the Cellebrite breach. The collective claims that the documents were traced to Geedge Networks and the MESA Lab at the Chinese Academy of Sciences’ Institute of Information Engineering. Both have long been central to the Firewall’s research and development, with Geedge led by Fang Binxing, often called the “Father of the Great Firewall.” The Great Firewall is not a fixed system; it is a growing network shaped by government contracts, research institutes, and private companies. Analysts at Net4People and GFW Report plan to share more findings as they go through the data and better understand how the Firewall operates and how its influence spreads. (HackRead, GFW Report, TomsHardware, Wired)
Jaguar Land Rover Factories are Still Down. On 31 August 2025, Jaguar Land Rover (JLR) suffered a cyber attack that severely disrupted vehicle production. On 16 September 2025, the company stated that production will remain offline until at least 24 September. JLR stated, “We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time.” Shares in Autins, a company providing specialist insulation components for Jaguar vehicles, are down 40%. Different media sources estimate the costs of the company’s shutdown at £50 million (US$68 million) per week in lost production and possibly up to £72 million (US$98 million) in sales per day. JLR is working with the British government to restore operations and assess the impact. (CyberMagazine, WSJ, The Record, JLR Blog, BBC, Reuters)
Vietnam Probes Breach of Credit Agency Run by Central Bank. On 10 September 2025, the State Bank of Vietnam learned of a data breach affecting its National Credit Information Center, a credit reporting agency. The ransomware gang ShinyHunters is taking credit for the attack and has threatened to expose 160M customer records. Investment bank JPMorgan said in a note to investors on 12 September 2025 that the incident could lead to higher costs for banks to improve cybersecurity and was a potential risk to deposit flows, but maintained its recommendation to stay invested in Vietnamese banks "barring a widespread impact or further incidents". (DataBreachToday, Reuters)
KillSec Ransomware is Attacking Healthcare Institutions in Brazil. On 8 September 2025, the ransomware group KillSec claimed responsibility for a cyberattack on Brazil’s MedicSolution, a cloud-based software provider whose product is designed to streamline clinic and practice management. The group has threatened to leak sensitive data unless negotiations are initiated promptly. The root cause of the incident was data exfiltration from an insecure AWS S3 bucket. The compromised data include medical evaluations, medical lab results, X-rays, unredacted patient pictures (including those showing body parts), and records related to minors. The total volume of stolen data exceeds 34 GB, comprising over 94,818 files. Notably, KillSec ransomware actors also targeted healthcare institutions in Colombia, Peru, and the United States a few days before Brazil. (ReSecurity, Security Affairs)