
Sept 2025: Biggest Cyber Attacks, Ransomware Attacks and Data Breaches

Date: 1 October 2025


If September 2025 proved anything, it’s that no industry is safe from the relentless wave of cyber crime. In just one month, we witnessed attacks on Jaguar Land Rover (JLR) and Stellantis shaking the automotive sector. Bridgestone was left grappling with operational disruptions, and luxury retail giant Harrods joined the growing list of high-profile victims. The financial services world wasn’t spared either—Finwise Systems suffered a blow, while the public sector reeled from a breach at The Office of the Pennsylvania Attorney General.

And it didn’t stop there. The Shai-Hulud supply chain attack rippled across the global open-source ecosystem. Salesloft became the latest SaaS platform to fall prey to attackers. Even trusted consumer and industrial brands like Asahi Group and Collins Aerospace found themselves in the headlines, proving once again that when it comes to cyber attacks, no brand, industry, or region is untouchable.

Amidst this chaos, one truth stands out: preparation is the only protection. Cyber incidents are not a question of if but when, and the difference between disruption and resilience lies in how well you’ve prepared your teams, processes, and technology. This is where Cyber Management Alliance plays a critical role. From our NCSC-Assured Cyber Incident Planning & Response Training to our bespoke Cyber Tabletop Exercises and world-class Incident Response Playbooks, we equip organisations like yours with the tools, skills, and confidence to face these threats head-on.

Let’s dive into this month’s roundup of the biggest cyber attacks, what happened, why they matter, and—most importantly—what every business leader can learn from them.

  1. Ransomware Attacks in September 2025
  2. Data Breaches in September 2025 
  3. Cyber Attacks in September 2025
  4. New Malware and Ransomware Discovered
  5. Vulnerabilities Discovered and Patches Released 
  6. Advisories issued, reports, analysis etc. in September 2025

 

Ransomware Attacks in September 2025

Date

Victim

Summary

Threat Actor

Business Impact

Source Link

September 01, 2025

The Office of the Pennsylvania Attorney General

Pennsylvania AG Office says ransomware attack behind recent outage

Unknown

The Office of the Pennsylvania Attorney General experienced a ransomware attack that led to a two-week service outage, disrupting its public website, email accounts, and landline phones; the office refused to pay the ransom, and while email and phone lines have been partially restored, the website remains inaccessible.

Source: Bleeping Computer 

September 08, 2025

Lovesac

Lovesac confirms data breach after ransomware attack claims

RansomHub

Lovesac suffered a data breach (unauthorised access Feb 12–Mar 3, 2025) that exposed personal information of an undisclosed number of individuals—prompting notification letters and 24‑month credit monitoring—while the RansomHub ransomware gang claimed responsibility.

Source: Bleeping Computer

September 11, 2025

Panama's Ministry of Economy and Finance (MEF)

INC ransom group claimed the breach of Panama’s Ministry of Economy and Finance

INC Ransomware

Panama's Ministry of Economy and Finance (MEF) experienced a cyber attack attributed to the INC ransomware group, resulting in the theft of over 1.5 TB of sensitive data, including emails, financial documents, and budgeting details; however, the core systems vital to its operations remained unaffected. 

Source: SecurityAffairs

September 15, 2025

FinWise systems

FinWise insider breach impacts 689K American First Finance customers

A former employee

An insider (a former employee) accessed FinWise systems, exposing personal data of ~689,000 American First Finance customers — including full names and other personal data elements — prompting investigations, class‑action lawsuits and 12 months of free credit monitoring.

Source: Bleeping Computer

September 17, 2025

Insight Partners

VC giant Insight Partners warns thousands after ransomware breach

Unknown

Insight Partners, a New York-based venture capital and private equity firm, experienced a ransomware attack in January 2025, initiated by a sophisticated social engineering campaign. The attackers exfiltrated sensitive data, including banking and tax information, personal details of current and former employees, and information related to limited partners and portfolio companies. The breach affected 12,657 individuals, prompting the company to notify impacted parties and offer complimentary credit or identity monitoring services. As of September 2025, no ransomware group has claimed responsibility for the attack.

Insight Partners Ransomware Attack

September 20, 2025

Collins Aerospace’s MUSE check‑in/boarding system 

European Airport Cyberattack Linked to Obscure Ransomware, Suspect Arrested

HardBit Ransomware Group

A ransomware attack on Collins Aerospace’s MUSE check‑in/boarding system disrupted operations at major European airports (Heathrow, Brussels, Berlin, Cork, Dublin), causing 100+ flights to be delayed or cancelled and forcing thousands of passengers to be processed manually.

European Airports Cyber Attack Update 

September 26, 2025

Union County, Ohio

Ransomware attack on Ohio county impacts over 45,000 residents, employees

Unknown

A ransomware attack on Union County, Ohio, compromised sensitive data of over 45,000 residents and employees, including Social Security numbers, financial and medical information; no group has claimed responsibility, and there is no evidence the data was leaked or sold.

Source: The Record Media 

September 26, 2025

Kido International

London nurseries hit by hackers, data on 8,000 children stolen

Radiant Ransomware

A ransomware group known as Radiant breached Kido International, a childcare provider operating 18 nurseries in Greater London, and stole personal data on over 8,000 children; they published names, photos, home addresses, and family contact information of 10 children to prove their breach and threatened to release additional data on 30 more children and 100 employees; the group claimed it had been inside Kido's network for weeks and alleged to be based in Russia, though no evidence was provided. 

London Nurseries Ransomware Attack 


 

Data Breaches in September 2025

Date

Victim

Summary

Threat Actor

Business Impact

Source Link

September 01, 2025

Zscaler 

Zscaler data breach exposes customer info after Salesloft Drift compromise

UNC6395

The Zscaler cyber attack, attributed to threat actor UNC6395, exposed customer data from their Salesforce instance including names, business emails, job titles, phone numbers, regional details, product licensing info, and support case content, with no known misuse detected, though phishing risks exist.

Source: Bleeping Computer 

September 01, 2025

Palo Alto

Palo Alto Networks data breach exposes customer info, support cases

Unknown

Palo Alto Networks experienced a data breach after attackers exploited compromised OAuth tokens from the Salesloft Drift incident to access its Salesforce instance, exposing sensitive customer data and support cases. The breach was part of a broader supply-chain attack affecting multiple organizations. Palo Alto Networks has not publicly identified the threat actor responsible.

Source: Security Affairs

September 02, 2025

Cloudflare

Cloudflare hit by data breach in Salesloft Drift supply chain attack

ShinyHunters

Cloudflare experienced a data breach due to a supply chain attack originating from Salesloft Drift, compromising its Salesforce instance and exposing sensitive customer support data, including API tokens and credentials; the threat actor responsible is identified as ShinyHunters.

Source: Bleeping Computer

September 02, 2025

Evertec’s Brazilian subsidiary, Sinqia S.A.

Hackers breach fintech firm in attempted $130M bank heist

Unknown

Hackers breached Evertec’s Brazilian subsidiary, Sinqia S.A., exploiting stolen credentials from an IT vendor to access the Brazilian Central Bank’s Pix real-time payment system; they attempted to steal $130 million through unauthorised transactions involving HSBC and other financial institutions; while part of the funds were recovered, the full financial and reputational impact remains undetermined.

Source: Infosecurity Magazine 

September 03, 2025

Workiva

SaaS giant Workiva discloses data breach after Salesforce attack

ShinyHunters

Workiva disclosed a data breach after attackers exploited a compromised third-party CRM system, stealing business contact information and support ticket content; this breach is part of a broader wave of Salesforce-targeted attacks attributed to the ShinyHunters extortion group.

Source: Bleeping Computer 

September 04, 2025

Chess.com

Chess.com discloses recent data breach via file transfer app

Unknown

Chess.com disclosed a data breach from June 2025, in which threat actors exploited unauthorized access to a third-party file transfer application used by Chess.com, compromising data of approximately 4,500 users; the breach was promptly addressed with investigations and notifications to federal law enforcement.

Source: The Record Media

September 05, 2025

Wealthsimple

Financial services firm Wealthsimple discloses data breach

ShinyHunters

Wealthsimple, a Canadian fintech firm, disclosed a data breach, affecting less than 1% of its clients. The breach, detected on August 30, was traced to a compromised third-party software package. Exposed data included contact details, government-issued IDs, financial account numbers, Social Insurance Numbers (SINs), dates of birth, and IP addresses. No funds or passwords were compromised, and all customer accounts remain secure. While Wealthsimple did not specify the threat actor, the breach is suspected to be part of a broader wave of Salesforce-targeted attacks linked to the ShinyHunters extortion group.

Wealthsimple Data Breach

September 8, 2025

Plex

Plex tells users to reset passwords after new data breach

Unknown

In a Sept 8, 2025 breach Plex said an unauthorised party stole a limited subset of customer authentication data — email addresses, usernames, authentication data and securely hashed passwords (no payment card data) — prompting users to reset passwords.

Source: Bleeping Computer

September 16, 2025

SonicWall

SonicWall warns customers to reset credentials after breach

Unknown

SonicWall has confirmed a breach of its MySonicWall portal, exposing firewall configuration backup files for certain customers. These backups contained sensitive information, including credentials and tokens, potentially facilitating exploitation of firewalls. While the breach affected fewer than 5% of SonicWall's firewall install base, the company has advised administrators to reset all credentials, API keys, and authentication tokens associated with their devices to mitigate potential risks.

SonicWall Breach

September 17, 2025

Salesforce

ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks

ShinyHunters

ShinyHunters claims to have stolen over 1.5 billion Salesforce records from 760 companies by exploiting compromised Salesloft Drift OAuth tokens, which were obtained after breaching Salesloft's GitHub repository using the TruffleHog tool to scan for secrets; the stolen data includes sensitive information from Salesforce objects such as Contacts, Cases, Accounts, Opportunities, and Users. 

Source: Bleeping Computer

September 18, 2025

The Shai-Hulud 

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

Shai Hulud Worm

The Shai-Hulud worm exploited hundreds of npm packages to steal cloud and GitHub credentials and automatically propagate via compromised maintainers, severely endangering the software supply chain. 

Shai-Hulud Supply Chain Attack 

September 23, 2025

Boyd Gaming

Boyd Gaming discloses data breach after suffering a cyber attack

Unknown

Boyd Gaming disclosed a data breach after a cyber attack compromised its systems, leading to the theft of employee and limited personal data.

Source: SecurityWeek

September 22, 2025

Stellantis

Automaker giant Stellantis confirms data breach after Salesforce hack

ShinyHunters/UNC6395

Stellantis confirmed a data breach resulting from a Salesforce compromise via the Salesloft/Drift OAuth incident, exposing internal emails, documents, and personal data of employees, suppliers, customers and dealers; the breach is tied to the ShinyHunters/UNC6395 threat cluster.

Source: Bleeping Computer

September 29, 2025

Asahi Group Holdings Ltd

Japanese brewing giant Asahi hit by cyber attack

Unknown

The cyber attack on Asahi Group Holdings completely suspended its operations in Japan (ordering, shipping, call center, customer service); no personal data leakage has been confirmed, and the investigation is ongoing.

Asahi Cyber Attack 

September 30, 2025

Harrods

Harrods reveals 430,000 exposed in third-party breach, refuses to engage with attackers

Unknown

Harrods confirmed a supply chain breach impacting 430,000 online customers, exposing basic personal identifiers such as names and contact details; no payment information was compromised; the threat actor behind the attack has not been publicly identified, and the retailer has refused to engage with them.

Harrods Data Breach 



 

Cyber Attacks in September 2025

Date

Victim

Summary

Threat Actor

Business Impact

Source Link 

September 01, 2025

Jaguar Land Rover (JLR)

Jaguar Land Rover cyber attack severely disrupts production

Scattered Lapsus$ Hunters

Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted production and retail operations, leading to an almost four-week shutdown of certain systems; while customer data was not initially believed to be compromised, further investigation revealed some data theft, and the threat actor, a group named "Scattered Lapsus$ Hunters," has claimed responsibility for the breach.

JLR Cyber Attack  

September 03, 2025

Bridgestone

Tire giant Bridgestone confirms cyber attack impacted manufacturing

Unknown

Bridgestone confirmed a cyber attack disrupted operations at its North American manufacturing facilities in South Carolina and Quebec in early September 2025; the company believes its rapid response contained the attack at its early stages, preventing customer data theft or deep network infiltration.

Source: Infosecurity Magazine 

September 06, 2025

2,180 GitHub accounts

AI-powered malware hit 2,180 GitHub accounts in “s1ngularity” attack

Unknown

The "S1ngularity" supply chain attack compromised 2,180 GitHub accounts and 7,200 repositories by exploiting a vulnerable GitHub Actions workflow in the Nx build system; attackers deployed AI-powered malware ('telemetry.js') via malicious npm packages, harvesting credentials such as GitHub tokens, npm keys, SSH keys, and cryptocurrency wallets, and exfiltrating them to public GitHub repositories named "s1ngularity-repository".

Source: Bleeping Computer

September 08, 2025

GitHub Token

Hackers steal 3,325 secrets in GhostAction GitHub supply chain attack

Unknown

GhostAction supply‑chain attack exfiltrated ~3,325 secrets (PyPI/npm/DockerHub tokens, GitHub tokens, Cloudflare & AWS keys, DB creds), risking trojanized package releases and widespread credential compromise

Source: Bleeping Computer 

September 08, 2025

npm maintainer Josh Junon's account 

Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack

Unknown

In September 2025, attackers hijacked npm maintainer Josh Junon's account via a phishing campaign impersonating npm support, injecting malware into widely used packages like chalk-template and has-ansi, which collectively had over 2.6 billion weekly downloads; this supply chain attack disrupted approximately 10% of all cloud environments, but the threat actor has not been publicly identified.

Source: Bleeping Computer

 


 

New Ransomware/Malware Discovered in September 2025

New Ransomware

Summary

HybridPetya ransomware

HybridPetya is a proof‑of‑concept ransomware that can bypass UEFI Secure Boot by exploiting CVE‑2024‑7344 to install a bootkit on the EFI System Partition, encrypt MFT clusters and render Windows unbootable while showing a boot‑time ransom note (US$1,000).

New FileFix attack

FileFix campaign used steganography to hide a second‑stage PowerShell script and encrypted executables inside JPGs (hosted on Bitbucket), lured victims with fake Meta suspension warnings to run a File Explorer address‑bar command that installed the StealC infostealer (which harvested browser credentials, cloud logins, crypto wallets and screenshots); the threat actor has not been publicly identified.

Obscura ransomware

Huntress analysts discovered a new ransomware variant called Obscura, which placed its executable in the domain controller’s NETLOGON share to auto-propagate via GPO, create scheduled tasks to enable RDP, delete shadow copies, and encrypt files while threatening to leak stolen data.


Sources for the above table:
Bleeping Computer and Recorded Future News


Vulnerabilities Discovered & Patches Released in September 2025

Date

New Flaws/Fixes

Summary

September 03, 2025

CVE-2025-38352, CVE-2025-48543

Google's September 2025 Android security update addresses 84 vulnerabilities, including two actively exploited flaws: CVE-2025-38352 (Android kernel elevation of privilege) and CVE-2025-48543 (Android Runtime elevation of privilege), both under limited, targeted exploitation.

September 04, 2025

CVE-2025-53690

Attackers exploited a Sitecore zero‑day (CVE-2025-53690) in legacy deployments to achieve RCE and deploy WeepSteel reconnaissance malware—leading to credential theft, privilege escalation, backdoors (Earthworm/Dwagent), data exfiltration and persistent access.

September 04, 2025

CVE-2024-21833

TP-Link confirmed a zero-day vulnerability (CVE-2024-21833) in its Archer and Deco router models, allowing unauthenticated remote OS command injection via the LAN interface; first reported by researcher Mehrun (ByteRay) on May 11, 2024, and currently under active exploitation.

September 05, 2025

CVE-2025-42957

A critical SAP S/4HANA code injection vulnerability (CVSS 9.9) allows low-privileged authenticated users to inject arbitrary code via an RFC-exposed function module, enabling full system compromise; despite a patch released on August 11, 2025, active exploitation is occurring due to unpatched systems.

September 09, 2025

CVE-2025-54236

Adobe patched a critical vulnerability, dubbed "SessionReaper," in its Commerce and Magento Open Source platforms, allowing unauthenticated remote code execution via the REST API, potentially enabling customer account takeovers; the flaw was disclosed by Sansec and is considered one of the most severe in the platform's history.

September 09, 2025

CVE‑2025‑42944

SAP patched a maximum‑severity insecure‑deserialization flaw in NetWeaver that could be exploited—via the RMI‑P4 interface—to achieve remote/OS command execution and full system takeover (data theft, persistence, ransomware), with active exploitation observed.

September 11, 2025

CVE-2024-40766

Akira ransomware is exploiting a critical access control vulnerability in SonicWall SSLVPN devices to gain unauthorized access to target networks; despite a patch released in August 2024, many systems remain unpatched, leaving them vulnerable to attacks.

September 12, 2025

CVE-2025-21043

Samsung patched a critical out-of-bounds write vulnerability in the libimagecodec.quram.so image parsing library, allowing remote code execution on Android 13+ devices; the flaw was actively exploited, with WhatsApp and Meta reporting it on August 13, 2025. 

September 12, 2025

CVE-2025-43300 and CVE-2025-55177

Apple has alerted users in over 150 countries about targeted spyware attacks, including zero-click exploits like CVE-2025-43300 and CVE-2025-55177, affecting high-risk individuals such as journalists, activists, and officials; Apple recommends enabling Lockdown Mode and contacting Access Now's Digital Security Helpline for assistance.

September 12, 2025

CVE-2025-5086

CISA has issued an alert regarding a critical remote code execution vulnerability in Dassault Systèmes' DELMIA Apriso software, which is actively exploited by threat actors; the flaw, rated CVSS 9.0, allows attackers to execute malicious code via specially crafted SOAP requests, affecting all versions from Release 2020 to 2025.

September 15, 2025

CVE‑2025‑6202

The “Phoenix” Rowhammer attack (CVE-2025-6202) against DDR5 (notably Hynix DIMMs) can flip memory bits to enable privilege escalation; researchers gained root shells in <2 minutes, broke co-located VM RSA keys, and exposed/compromised data on affected modules (DIMMs produced Jan 2021–Dec 2024).

September 16, 2025

CVE‑2025‑43300

Apple backported fixes to older iPhones and iPads for an actively exploited Image I/O out‑of‑bounds write zero‑day (CVE‑2025‑43300), which was used in “extremely sophisticated” targeted spyware attacks — patches now cover devices back to iPhone 6s. 

September 18, 2025

CVE-2025-10585

Google has released an emergency security update to patch a high-severity zero-day vulnerability in its Chrome web browser, tracked as CVE-2025-10585, marking the sixth actively exploited flaw patched this year. This vulnerability, caused by a type confusion issue in Chrome’s V8 JavaScript engine, allows attackers to execute arbitrary code on victims' systems by luring them to a malicious website.

September 18, 2025

CVE-2025-9242

WatchGuard has issued a critical security update to address CVE-2025-9242, an out-of-bounds write vulnerability in the Fireware OS's iked process, which could allow remote unauthenticated attackers to execute arbitrary code on Firebox firewalls configured with IKEv2 VPN; affected versions include Fireware OS 11.x, 12.x, and 2025.1, with patches available in versions 12.3.1_Update3, 12.5.13, 12.11.4, and 2025.1.1.

September 19, 2025

CVE-2025-10035

Fortra has addressed a critical deserialization vulnerability in GoAnywhere MFT's License Servlet, which could allow remote unauthenticated attackers to execute arbitrary commands by forging license response signatures; users are advised to upgrade to versions 7.8.4 or 7.6.3 and monitor Admin Audit logs for anomalies.

September 23, 2025

CVE-2025-26399

SolarWinds released a hotfix addressing CVE-2025-26399, a critical unauthenticated remote code execution vulnerability in Web Help Desk 12.8.7, caused by unsafe deserialization in the AjaxProxy component; this flaw bypasses previous patches for CVE-2024-28986 and CVE-2024-28988.

September 24, 2025

CVE-2025-10184

A flaw in OnePlus OxygenOS (tracked as CVE-2025-10184) allows any installed app to silently read SMS/MMS content and metadata—bypassing user consent and breaking SMS-based multi-factor authentication protections.

September 24, 2025

CVE-2025-20291

Cisco warned of a zero-day vulnerability in Cisco IOS and IOS XE that allows remote attackers to execute code via crafted NETCONF messages; this flaw is already being exploited in limited targeted attacks, and Cisco recommends urgent patching.

September 25, 2025

CVE-2025-20333 and CVE-2025-20362

Cisco warned that two zero-day vulnerabilities in its ASA/FTD firewall software are being actively exploited, allowing attackers remote code execution or unauthenticated access to restricted endpoints.

September 26, 2025

CVE-2025-10035

A zero-day vulnerability in Fortra’s GoAnywhere MFT is being actively exploited to bypass authentication and execute arbitrary code, placing victim systems at critical risk.

Source for the above table: Bleeping Computer, Recorded Future 


Warnings/Advisories/Reports/Analysis

News Type

Summary

Report

VirusTotal's AI Code Insight identified a phishing campaign utilizing SVG files to impersonate Colombia's judicial portal, delivering malware via a password-protected ZIP archive containing a legitimate executable and a malicious DLL; this campaign had previously evaded detection by antivirus software.

Warning

The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning advising critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China, citing a high risk of significant cybersecurity disruptions; this warning follows confirmed malicious activities by Chinese cyber actors, including an APT31 campaign targeting the Czech Ministry of Foreign Affairs.

Report

Texas sued PowerSchool after a December 19, 2024 breach of its PowerSource portal that exposed ~62.4 million students (including ~880,000 Texans) and ~9.5 million teachers’ personal data — names, addresses, contact details, Social Security numbers and medical data — following a $2.85M ransom demand; the incident was linked to claims by ShinyHunters (and an affiliate) and a 19‑year‑old later pleaded guilty. 

Report

The French data protection authority (CNIL) fined Google €325 million ($378 million) for violating cookie regulations and displaying ads between Gmail users' emails without their consent. Investigations found that Google breached the French Data Protection Act by failing to inform users who created new accounts that they were required to allow the company to place cookies for advertising purposes to access its services. CNIL stated that Google's behavior was negligent, given that the company had been fined in 2020 (€100 million) and 2021 (€150 million) for other breaches related to cookies. 

Analysis

In March 2025, threat actors breached Salesloft's GitHub repositories, extracting OAuth tokens from the Drift platform; these tokens were subsequently exploited to access Salesforce instances, leading to the theft of approximately 1.5 billion records from 760 organizations, including Google, Zscaler, Cloudflare, and Workiva. The ShinyHunters extortion group, along with threat actors associated with Scattered Spider, are believed to be responsible for these attacks.

Warning

The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims. 

Report

Attackers created a fraudulent account in Google’s Law Enforcement Request System (LERS)—which could have enabled impersonation of law enforcement and access to sensitive user data—but Google disabled the account and said no requests were made and no data was accessed; the group calling itself "Scattered Lapsus$ Hunters" claimed responsibility. 

Report

CISA found attackers used split malware loaders against Ivanti EPMM to inject listeners that enabled remote code execution, network reconnaissance, LDAP credential theft, data exfiltration and persistent access on compromised on‑prem EPMM servers — CISA made no public attribution, though EclecticIQ reported a China‑nexus espionage group may be responsible. 

Warning

The FBI has issued a warning about cybercriminals creating fake versions of its Internet Crime Complaint Center (IC3) website to deceive individuals into disclosing personal information, including names, addresses, and banking details.

Report

A vulnerability in the American Archive of Public Broadcasting's website allowed unauthorized downloading of protected media since at least 2021; the flaw was patched within 48 hours after being reported by a cybersecurity researcher.

Report

The UK's National Crime Agency arrested a suspect in West Sussex on September 23, 2025, in connection with a ransomware attack that disrupted operations at European airports by compromising Collins Aerospace's MUSE passenger processing software; the investigation is ongoing.

Report

Researchers disclosed multiple new flaws in Supermicro Baseboard Management Controller (BMC) firmware that allow malicious actors to implant stealthy, firmware-level persistent backdoors and execute arbitrary code below the operating system via POST-boot or reboot attacks.

Warning

CISA directed U.S. federal civilian agencies to patch actively exploited Cisco zero-day vulnerabilities (including in IOS/IOS XE, ASA/FTD, and others) by October 28, 2025, to mitigate risks of remote code execution and network compromise.

Report

Co-op said it lost £80 million (~$107 million) in operating profit after a cyberattack in April 2025 linked to Scattered Spider affiliates, also experiencing £206 million in lost sales while systems were offline.

Sources: Bleeping Computer, Recorded Future News, BloombergLaw, Databreaches.net
