Cyber Security Headlines – September 25, 2025

Host: Sarah Lane, CISO Series
Episode Theme:
A rapid-fire update on major cybersecurity incidents from around the globe, with stories covering cyber attacks affecting critical infrastructure, record-setting DDoS events, novel hacking tools and tactics, and vulnerabilities threatening organizations and consumers alike.

Key Discussion Points and Insights

1. Arrest Over Major Airport Cyber Attack

Incident Overview:
A suspect was arrested in West Sussex in connection with a ransomware attack targeting Collins Aerospace, which disrupted several major European airports—most notably Heathrow.
Impact:
- Baggage and check-in systems forced into manual operations.
- Hundreds of flight delays across numerous airports.
- Collins Aerospace is warning partners to expect ongoing manual processing for at least another week.
Status:
- The suspect is out on bail; investigation ongoing.
Quote:
- “[The] attack was discovered Friday and involved ransomware forcing some airports to use manual check ins and causing hundreds of flight delays.” (00:19, Sarah Lane)

2. World-Record DDoS Attack

Scope and Methodology:
- Cloudflare blocked an unprecedented DDoS attack targeting a European network infrastructure company, hitting 22.2 Tbps and 10.6 billion packets per second within 40 seconds.
- Over 404,000 unique IPs across 14 autonomous systems participated, leveraging the Acero botnet’s capabilities by “UDP carpet bombing” tens of thousands of ports.
Attack Vectors:
- Compromised IoT devices, zero-day vulnerabilities sustained the onslaught.
Quote:
- “Cloudflare blocked a record breaking DDoS attack… peaking at 22.2 terabits per second…” (00:47, Sarah Lane)

3. BRICKSTORM Malware Targeting IP Theft

Who’s Involved:
- Suspected Chinese threat actors (UNC5221) deploying the Linux-based “BRICKSTORM” backdoor.
Victims:
- Law firms, SaaS providers, tech companies, especially those handling high-value targets and sensitive government work.
Tactics:
- Long-term persistence (over a year), exploiting Avanti zero-days, VMware, and compromised routers to maintain access.
Objectives:
- Intellectual property and sensitive data theft, including from national security-related law firms.
Quote:
- “Attackers often persist in networks for over a year, exploiting Avanti Zero Days VMware appliances and compromised routers to maintain access.” (01:31, Sarah Lane)

4. The High Cost of a Weak Password

Case Study:
KNP Logistics, a 158-year-old UK transport company, collapsed following a ransomware breach due to a weak password and lack of MFA.
Consequences:
- Data encrypted, backups destroyed, £5 million ransom demanded.
- Company liquidation, 700 staff let go.
Implication:
- Even strong compliance and insurance couldn’t compensate for poor credential management.
Quote:
- “How one bad password ended a 158-year-old business…” (01:53, Sarah Lane)

5. Cisco Patches Active iOS Zero-Day

Vulnerability details:
- A stack-based buffer overflow in SNMP allowed denial-of-service, or root access with higher privileges, especially after admin credential compromise.
Action Steps:
- Immediate patching is urged; workaround options are limited to tightening SNMP access.
Quote:
- “Cisco advises upgrading immediately since no full workarounds exist beyond restricting SNMP access.” (03:21, Sarah Lane)

6. Malicious NPM Package Using QR Steganography

Discovery:
- The “Fezbox” JavaScript/TypeScript package hid malware in a remotely fetched QR code.
- After delay and multi-level obfuscation, it extracted browser credentials and exfiltrated them.
Impact:
- 327 downloads before removal, showing the continuing threat from supply-chain and package repo attacks.
Quote:
- “The package fetched a QR code from a remote server, waited 120 seconds, then decoded and executed the embedded malware.” (03:50, Sarah Lane)

7. Chinese “Red November” Targeting Governments Worldwide

Actors and Victims:
- Red November, a newly christened Chinese group, attacked defense contractors, an engine manufacturer, and ministries across Asia, Africa, and South America.
Methods:
- Exploiting VPN/firewall/email server vulnerabilities (e.g., Checkpoint, Avanti, Palo Alto Networks).
- Custom backdoors and commodity post-exploitation frameworks like Cobalt Strike.
Quote:
- “Victims reportedly include US Defense contractors, a European engine maker and ministries across Asia, Africa and South America.” (04:30, Sarah Lane)

8. Critical Security Flaw in OnePlus Phones

Vulnerability:
- Any app could access SMS messages due to insecure telephony content providers (affecting Oxygen OS 12–15).
Disclosures:
- Rapid7 published a proof of concept after repeated unheeded attempts to inform OnePlus.
Risks/Advice:
- Possible SMS interception, enabling further attacks.
- Users should minimize app permissions, use app stores with care, and switch to end-to-end encrypted messaging.
Quote:
- “The issue affects oxygen OS versions 12 through 15 and could allow blind SQL injection to reconstruct SMS content.” (05:08, Sarah Lane)

Notable Quotes & Memorable Moments

On persistent advanced threats:
- “Attackers often persist in networks for over a year, exploiting Avanti Zero Days, VMware appliances and compromised routers to maintain access.” (01:31, Sarah Lane)
Credential hygiene cautionary tale:
- “How one bad password ended a 158-year-old business… The case underscores how poor credential hygiene can override compliance and insurance protections.” (01:53, Sarah Lane)
On novel malware creativity:
- “Fezbox… hid its payload inside a QR code to steal usernames and passwords from browser cookies.” (03:42, Sarah Lane)

Timestamps for Key Segments

[00:19] – Suspect arrested over airport ransomware attack
[00:47] – Cloudflare blocks record DDoS attack
[01:31] – “BRICKSTORM” Linux backdoor attributed to China
[01:53] – Password hygiene tragedy: KNP Logistics collapse
[03:21] – Cisco iOS/XE zero-day actively exploited
[03:50] – Steganographic attack via NPM package and QR code
[04:30] – Red November’s global espionage campaign
[05:08] – SMS vulnerability in OnePlus phones

Summary

This episode gives a brisk yet comprehensive rundown of critical cyber incidents impacting airports, enterprise networks, and global infrastructure, highlighting how both sophisticated and basic attack methods—ranging from record-setting DDoS assaults to single-factor authentication failures—continue to threaten organizations of all sizes. Noteworthy is the escalation of state-sponsored campaigns, creative abuse of open-source supply chains, and the urgent need for patching and credential management as fundamental defense measures.

Cyber Security Headlines – September 25, 2025

Key Discussion Points and Insights

1. Arrest Over Major Airport Cyber Attack

Incident Overview:
A suspect was arrested in West Sussex in connection with a ransomware attack targeting Collins Aerospace, which disrupted several major European airports—most notably Heathrow.
Impact:
- Baggage and check-in systems forced into manual operations.
- Hundreds of flight delays across numerous airports.
- Collins Aerospace is warning partners to expect ongoing manual processing for at least another week.
Status:
- The suspect is out on bail; investigation ongoing.
Quote:
- “[The] attack was discovered Friday and involved ransomware forcing some airports to use manual check ins and causing hundreds of flight delays.” (00:19, Sarah Lane)

2. World-Record DDoS Attack

Scope and Methodology:
- Cloudflare blocked an unprecedented DDoS attack targeting a European network infrastructure company, hitting 22.2 Tbps and 10.6 billion packets per second within 40 seconds.
- Over 404,000 unique IPs across 14 autonomous systems participated, leveraging the Acero botnet’s capabilities by “UDP carpet bombing” tens of thousands of ports.
Attack Vectors:
- Compromised IoT devices, zero-day vulnerabilities sustained the onslaught.
Quote:
- “Cloudflare blocked a record breaking DDoS attack… peaking at 22.2 terabits per second…” (00:47, Sarah Lane)

3. BRICKSTORM Malware Targeting IP Theft

Who’s Involved:
- Suspected Chinese threat actors (UNC5221) deploying the Linux-based “BRICKSTORM” backdoor.
Victims:
- Law firms, SaaS providers, tech companies, especially those handling high-value targets and sensitive government work.
Tactics:
- Long-term persistence (over a year), exploiting Avanti zero-days, VMware, and compromised routers to maintain access.
Objectives:
- Intellectual property and sensitive data theft, including from national security-related law firms.
Quote:
- “Attackers often persist in networks for over a year, exploiting Avanti Zero Days VMware appliances and compromised routers to maintain access.” (01:31, Sarah Lane)

4. The High Cost of a Weak Password

Case Study:
KNP Logistics, a 158-year-old UK transport company, collapsed following a ransomware breach due to a weak password and lack of MFA.
Consequences:
- Data encrypted, backups destroyed, £5 million ransom demanded.
- Company liquidation, 700 staff let go.
Implication:
- Even strong compliance and insurance couldn’t compensate for poor credential management.
Quote:
- “How one bad password ended a 158-year-old business…” (01:53, Sarah Lane)

5. Cisco Patches Active iOS Zero-Day

Vulnerability details:
- A stack-based buffer overflow in SNMP allowed denial-of-service, or root access with higher privileges, especially after admin credential compromise.
Action Steps:
- Immediate patching is urged; workaround options are limited to tightening SNMP access.
Quote:
- “Cisco advises upgrading immediately since no full workarounds exist beyond restricting SNMP access.” (03:21, Sarah Lane)

6. Malicious NPM Package Using QR Steganography

Discovery:
- The “Fezbox” JavaScript/TypeScript package hid malware in a remotely fetched QR code.
- After delay and multi-level obfuscation, it extracted browser credentials and exfiltrated them.
Impact:
- 327 downloads before removal, showing the continuing threat from supply-chain and package repo attacks.
Quote:
- “The package fetched a QR code from a remote server, waited 120 seconds, then decoded and executed the embedded malware.” (03:50, Sarah Lane)

7. Chinese “Red November” Targeting Governments Worldwide

Actors and Victims:
- Red November, a newly christened Chinese group, attacked defense contractors, an engine manufacturer, and ministries across Asia, Africa, and South America.
Methods:
- Exploiting VPN/firewall/email server vulnerabilities (e.g., Checkpoint, Avanti, Palo Alto Networks).
- Custom backdoors and commodity post-exploitation frameworks like Cobalt Strike.
Quote:
- “Victims reportedly include US Defense contractors, a European engine maker and ministries across Asia, Africa and South America.” (04:30, Sarah Lane)

8. Critical Security Flaw in OnePlus Phones

Vulnerability:
- Any app could access SMS messages due to insecure telephony content providers (affecting Oxygen OS 12–15).
Disclosures:
- Rapid7 published a proof of concept after repeated unheeded attempts to inform OnePlus.
Risks/Advice:
- Possible SMS interception, enabling further attacks.
- Users should minimize app permissions, use app stores with care, and switch to end-to-end encrypted messaging.
Quote:
- “The issue affects oxygen OS versions 12 through 15 and could allow blind SQL injection to reconstruct SMS content.” (05:08, Sarah Lane)

Notable Quotes & Memorable Moments

On persistent advanced threats:
- “Attackers often persist in networks for over a year, exploiting Avanti Zero Days, VMware appliances and compromised routers to maintain access.” (01:31, Sarah Lane)
Credential hygiene cautionary tale:
- “How one bad password ended a 158-year-old business… The case underscores how poor credential hygiene can override compliance and insurance protections.” (01:53, Sarah Lane)
On novel malware creativity:
- “Fezbox… hid its payload inside a QR code to steal usernames and passwords from browser cookies.” (03:42, Sarah Lane)

Timestamps for Key Segments

[00:19] – Suspect arrested over airport ransomware attack
[00:47] – Cloudflare blocks record DDoS attack
[01:31] – “BRICKSTORM” Linux backdoor attributed to China
[01:53] – Password hygiene tragedy: KNP Logistics collapse
[03:21] – Cisco iOS/XE zero-day actively exploited
[03:50] – Steganographic attack via NPM package and QR code
[04:30] – Red November’s global espionage campaign
[05:08] – SMS vulnerability in OnePlus phones

wavePod

Suspect arrested over airport attack, DDoS attack hits new record, BRICKSTORM backdoor steals IPs

Powered by Wave AI

Summary

Cyber Security Headlines – September 25, 2025

Key Discussion Points and Insights

1. Arrest Over Major Airport Cyber Attack

2. World-Record DDoS Attack

3. BRICKSTORM Malware Targeting IP Theft

4. The High Cost of a Weak Password

5. Cisco Patches Active iOS Zero-Day

6. Malicious NPM Package Using QR Steganography

7. Chinese “Red November” Targeting Governments Worldwide

8. Critical Security Flaw in OnePlus Phones

Notable Quotes & Memorable Moments

Timestamps for Key Segments

Summary

Summary

Cyber Security Headlines – September 25, 2025

Key Discussion Points and Insights

1. Arrest Over Major Airport Cyber Attack

2. World-Record DDoS Attack

3. BRICKSTORM Malware Targeting IP Theft

4. The High Cost of a Weak Password

5. Cisco Patches Active iOS Zero-Day

6. Malicious NPM Package Using QR Steganography

7. Chinese “Red November” Targeting Governments Worldwide

8. Critical Security Flaw in OnePlus Phones

Notable Quotes & Memorable Moments

Timestamps for Key Segments

Summary