Cyber Security Headlines – September 25, 2025
Host: Sarah Lane, CISO Series
Episode Theme:
A rapid-fire update on major cybersecurity incidents from around the globe, with stories covering cyber attacks affecting critical infrastructure, record-setting DDoS events, novel hacking tools and tactics, and vulnerabilities threatening organizations and consumers alike.
Key Discussion Points and Insights
1. Arrest Over Major Airport Cyber Attack
- Incident Overview:
A suspect was arrested in West Sussex in connection with a ransomware attack targeting Collins Aerospace, which disrupted several major European airports, most notably Heathrow.
- Impact:
- Baggage and check-in systems forced into manual operations.
- Hundreds of flight delays across numerous airports.
- Collins Aerospace is warning partners to expect ongoing manual processing for at least another week.
- Status:
- The suspect is out on bail; investigation ongoing.
- Quote:
- “[The] attack was discovered Friday and involved ransomware forcing some airports to use manual check-ins and causing hundreds of flight delays.” (00:19, Sarah Lane)
2. World-Record DDoS Attack
- Scope and Methodology:
- Cloudflare blocked an unprecedented DDoS attack targeting a European network infrastructure company, hitting 22.2 Tbps and 10.6 billion packets per second within 40 seconds.
- Over 404,000 unique IPs across 14 autonomous systems participated, leveraging the Acero botnet’s capabilities by “UDP carpet bombing” tens of thousands of ports.
- Attack Vectors:
- Compromised IoT devices and zero-day vulnerabilities sustained the onslaught.
- Quote:
- “Cloudflare blocked a record breaking DDoS attack… peaking at 22.2 terabits per second…” (00:47, Sarah Lane)
3. BRICKSTORM Malware Targeting IP Theft
- Who’s Involved:
- Suspected Chinese threat actors (UNC5221) deploying the Linux-based “BRICKSTORM” backdoor.
- Victims:
- Law firms, SaaS providers, tech companies, especially those handling high-value targets and sensitive government work.
- Tactics:
- Long-term persistence (over a year), exploiting Ivanti zero-days, VMware appliances, and compromised routers to maintain access.
- Objectives:
- Intellectual property and sensitive data theft, including from national security-related law firms.
- Quote:
- “Attackers often persist in networks for over a year, exploiting Ivanti zero-days, VMware appliances and compromised routers to maintain access.” (01:31, Sarah Lane)
4. The High Cost of a Weak Password
- Case Study:
KNP Logistics, a 158-year-old UK transport company, collapsed following a ransomware breach caused by a weak password and a lack of MFA.
- Consequences:
- Data encrypted, backups destroyed, £5 million ransom demanded.
- Company liquidation, 700 staff let go.
- Implication:
- Even strong compliance and insurance couldn’t compensate for poor credential management.
- Quote:
- “How one bad password ended a 158-year-old business…” (01:53, Sarah Lane)
5. Cisco Patches Actively Exploited IOS Zero-Day
- Vulnerability details:
- A stack-based buffer overflow in the SNMP subsystem allows an attacker with SNMP access to cause a denial of service, or, when the attacker also holds administrative credentials, to gain root-level access on the device.
- Action Steps:
- Immediate patching is urged; workaround options are limited to tightening SNMP access.
- Quote:
- “Cisco advises upgrading immediately since no full workarounds exist beyond restricting SNMP access.” (03:21, Sarah Lane)
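Since the only interim measure the episode mentions is restricting SNMP access, the following Cisco IOS/IOS XE configuration fragment is an added example of what that looks like in practice; it is not taken from the episode or from Cisco's advisory, and the ACL name, the management-host address (192.0.2.10, a documentation range), the view/group/user names and the passphrase placeholders are all assumptions.

```cisco
! Allow SNMP only from one management station (192.0.2.10 is a constructed example address)
ip access-list standard SNMP-MGMT
 permit host 192.0.2.10
 deny   any log
!
! Remove legacy read-only/read-write communities so SNMPv1/v2c is no longer exposed
no snmp-server community public
no snmp-server community private
!
! SNMPv3 only: authenticated (SHA) and encrypted (AES-128), read-only view,
! and the group is bound to the ACL above so other sources are dropped
snmp-server view MGMT-VIEW iso included
snmp-server group SNMP-ADMINS v3 priv read MGMT-VIEW access SNMP-MGMT
snmp-server user snmpmon SNMP-ADMINS v3 auth sha <AUTH-PASSPHRASE-PLACEHOLDER> priv aes 128 <PRIV-PASSPHRASE-PLACEHOLDER>
```

After applying it, `show snmp group` and `show snmp user` confirm that the group carries the ACL and that only the SNMPv3 user exists; the ACL's `log` keyword also produces a record of any blocked poller, which is worth forwarding to the SIEM while the device remains unpatched. This narrows exposure but does not remove the flaw: upgrading to the fixed release remains the actual fix.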
6. Malicious NPM Package Using QR Steganography
- Discovery:
- The “Fezbox” JavaScript/TypeScript package hid malware in a remotely fetched QR code.
- After delay and multi-level obfuscation, it extracted browser credentials and exfiltrated them.
- Impact:
- 327 downloads before removal, showing the continuing threat from supply-chain and package repo attacks.
- Quote:
- “The package fetched a QR code from a remote server, waited 120 seconds, then decoded and executed the embedded malware.” (03:50, Sarah Lane)
7. Chinese “Red November” Targeting Governments Worldwide
- Actors and Victims:
- Red November, a newly christened Chinese group, attacked defense contractors, an engine manufacturer, and ministries across Asia, Africa, and South America.
- Methods:
- Exploiting VPN/firewall/email server vulnerabilities (e.g., Check Point, Ivanti, Palo Alto Networks).
- Custom backdoors and commodity post-exploitation frameworks like Cobalt Strike.
- Quote:
- “Victims reportedly include US Defense contractors, a European engine maker and ministries across Asia, Africa and South America.” (04:30, Sarah Lane)
8. Critical Security Flaw in OnePlus Phones
- Vulnerability:
- Any app could access SMS messages due to insecure telephony content providers (affecting OxygenOS 12–15).
- Disclosures:
- Rapid7 published a proof of concept after repeated unheeded attempts to inform OnePlus.
- Risks/Advice:
- Possible SMS interception, enabling further attacks.
- Users should minimize app permissions, use app stores with care, and switch to end-to-end encrypted messaging.
- Quote:
- “The issue affects OxygenOS versions 12 through 15 and could allow blind SQL injection to reconstruct SMS content.” (05:08, Sarah Lane)
Notable Quotes & Memorable Moments
- On persistent advanced threats:
- “Attackers often persist in networks for over a year, exploiting Ivanti zero-days, VMware appliances and compromised routers to maintain access.” (01:31, Sarah Lane)
- Credential hygiene cautionary tale:
- “How one bad password ended a 158-year-old business… The case underscores how poor credential hygiene can override compliance and insurance protections.” (01:53, Sarah Lane)
- On novel malware creativity:
- “Fezbox… hid its payload inside a QR code to steal usernames and passwords from browser cookies.” (03:42, Sarah Lane)
Timestamps for Key Segments
- [00:19] – Suspect arrested over airport ransomware attack
- [00:47] – Cloudflare blocks record DDoS attack
- [01:31] – “BRICKSTORM” Linux backdoor attributed to China
- [01:53] – Password hygiene tragedy: KNP Logistics collapse
- [03:21] – Cisco IOS/IOS XE zero-day actively exploited
- [03:50] – Steganographic attack via NPM package and QR code
- [04:30] – Red November’s global espionage campaign
- [05:08] – SMS vulnerability in OnePlus phones
Summary
This episode gives a brisk yet comprehensive rundown of critical cyber incidents impacting airports, enterprise networks, and global infrastructure, highlighting how both sophisticated and basic attack methods—ranging from record-setting DDoS assaults to single-factor authentication failures—continue to threaten organizations of all sizes. Noteworthy is the escalation of state-sponsored campaigns, creative abuse of open-source supply chains, and the urgent need for patching and credential management as fundamental defense measures.
