Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:05)
These are the cybersecurity headlines for Thursday, September 25, 2025. I'm Sarah Lane.

Man arrested in connection with airport cyber attack
A man was arrested in West Sussex over a cyber attack that disrupted several European airports, including Heathrow, after Collins Aerospace's baggage and check-in systems were hit. The attack was discovered Friday and involved ransomware, forcing some airports to use manual check-ins and causing hundreds of flight delays. The suspect has been released on bail and the investigation is ongoing. Collins Aerospace is rebuilding its systems, warning airlines and ground handlers to expect at least another week of manual operations.

Record-breaking DDoS attack hits new highs
Cloudflare blocked a record-breaking DDoS attack targeting a European network infrastructure company, peaking at 22.2 terabits per second and 10.6 billion packets per second over 40 seconds. The attack, possibly powered by the Aisuru botnet, involved over 404,000 unique IPs across 14 ASNs and used a UDP carpet bomb targeting tens of thousands of ports on a single IP. Aisuru, active for over a year now, leverages compromised IoT devices and zero-day vulnerabilities.

China-linked attackers use Brickstorm backdoor to steal IP
Mandiant says suspected Chinese hackers are deploying a new Linux-focused backdoor called Brickstorm to steal intellectual property and sensitive data from law firms, software-as-a-service providers and tech companies. The campaign, linked to UNC5221, has been active since March and targets high-value email accounts, including senior executives and national security related law firms. Attackers often persist in networks for over a year, exploiting Ivanti zero-days, VMware appliances and compromised routers to maintain access.

How one bad password ended a 158-year-old business
UK transport firm KNP Logistics, founded back in 1867, collapsed in June after the Akira ransomware group breached its systems using a weak employee password with no MFA. Attackers encrypted data, destroyed backups and demanded 5 million pounds, forcing the company to lay off 700 workers. The case underscores how poor credential hygiene can override compliance and insurance protections.

Huge thanks to our sponsor, Conveyor. Security reviews don't have to feel like a hurricane. Most teams are buried in back-and-forth emails and never-ending customer requests for documentation or answers. But Conveyor takes all that chaos and turns it into calm. AI fills in the questionnaires, your trust center is always ready and sales cycles move without stalls. Breathe easier. Check out Conveyor at www.conveyor.com.

Cisco warns of IOS zero-day vulnerability exploited in attacks
Cisco patched a zero-day in IOS and IOS XE, exploited in active attacks through the SNMP subsystem. The stack-based buffer overflow lets low-privileged attackers cause denial of service or, with higher privileges, gain root access on IOS XE devices. Exploitation was seen after admin credentials were compromised. Cisco advises upgrading immediately since no full workarounds exist beyond restricting SNMP access.

NPM package uses QR code steganography to steal credentials
Socket researchers discovered a malicious npm package called Fezbox that hid its payload inside a QR code to steal usernames and passwords from browser cookies. Posing as a JavaScript/TypeScript utility, the package fetched a QR code from a remote server, waited 120 seconds, then decoded and executed the embedded malware. It used multiple obfuscation layers, including string reversal and encryption, before sending stolen credentials to a Railway-hosted server. Fezbox had 327 downloads before npm removed it at Socket's request.

Chinese hackers Red November target global governments, Recorded Future says
A Chinese state-backed hacking group it now calls Red November has been breaching governments and private sector firms worldwide since mid-2024. The group exploits flaws in VPNs, firewalls and email servers from vendors including Check Point, Ivanti and Palo Alto Networks, then deploys tools like the Go-based backdoor Pantegana, SparkRAT and Cobalt Strike. Victims reportedly include US defense contractors, a European engine maker and ministries across Asia, Africa and South America.

Unpatched flaw in OnePlus phones lets rogue apps read text messages
A flaw in OxygenOS lets any app on a OnePlus device access SMS data without permission, exploiting improperly secured telephony content providers. Rapid7 confirmed the vulnerability on multiple models, including the OnePlus 8T and the 10 Pro, and published a POC after OnePlus ignored repeated disclosure attempts. The issue affects OxygenOS versions 12 through 15 and could allow blind SQL injection to reconstruct SMS content. Users are advised to limit apps, use reputable sources, switch from SMS-based 2FA and rely on end-to-end encrypted messaging until a patch is released.

If you want to help make great content for the CISO Series, well, we've got a great way for you to participate. We need our listeners to fill out a quick five-question survey. They're Family Feud style questions, and your responses will be used in an upcoming live event. It should be very fun. If you've got an extra minute, we would love to hear from you. Head on over to cisoseries.com/participate to fill it out. And if you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. I am Sarah Lane, reporting for the CISO Series. Thanks for being with us and we'll talk to you next time.
