Cybersecurity Weekly Roundup: 22–29 September 2025
- SOC Team
- 14 hours ago
- 3 min read
🔐 Major Incidents & Threat Landscape
1. Airport disruption from Collins Aerospace ransomware
A ransomware attack on Collins Aerospace’s vMUSE / ARINC AviNet systems disrupted check‑in and baggage services across multiple European airports. (Reuters)
The European Union’s cybersecurity agency (ENISA) confirmed the attack and noted this is part of a growing trend of high-impact disruption-focused campaigns. (Reuters)
Why it matters: This incident highlights how aviation, logistics, and transport-related infrastructure are becoming increasingly targeted. The ripple effects on customer experience, reputation, and regulatory scrutiny (especially in Europe) are significant.
2. Cisco ASA / firewall appliances under active attack
Security agencies including the UK NCSC and U.S. CISA issued urgent warnings about two critical vulnerabilities in Cisco ASA 5500‑X devices: CVE‑2025‑20333 (allows code execution) and CVE‑2025‑20362 (unauthenticated endpoint access). (IT Pro)
These flaws are being actively exploited in campaigns linked to the ArcaneDoor threat actor, using evasion techniques (e.g. disabling logging). (IT Pro)
Recommendation: If you use Cisco ASA / FTD with VPN services, apply patches or replace vulnerable appliances immediately. Audit logs and check for signs of compromise.
3. Supply‑chain attacks via Salesloft / Drift / OAuth tokens
A breach originating in Salesloft’s GitHub environment allowed attackers to steal OAuth tokens and gain unauthorized access to Salesforce environments in firms like Zscaler, Cloudflare, Palo Alto Networks, and PagerDuty. (Cyber Recaps)
Even though the attacks were confined to CRM data, the incident demonstrates how third‑party integrations can magnify risk. (Cyber Security News)
If your organization uses SaaS integrations or third‑party connectors, review token security, rotate credentials, and strengthen your zero-trust posture.
4. SonicWall backup config breach
Threat actors gained access to SonicWall’s cloud backup service, exfiltrating firewall configuration files and encrypted credentials. (Cyber Recaps)
Though only a small subset of customers was affected, exposure of firewall rules and configurations can facilitate further pivoting into networks. (Cyber Recaps)
Consider reviewing your own network appliance backup practices, encryption at rest, and access controls to backup stores.
🛡️ Vulnerabilities, Exploits & Emerging Tactics
“MostereRAT” malware: A stealthy RAT variant capable of disabling antivirus/endpoint tools and persisting in compromised systems. (Cyber Recaps)
Salty2FA phishing kit: A new, more sophisticated phishing kit that breaks common detection patterns and simulates multi-factor authentication flows. (cgspam.org)
Axios user-agent phishing surge: Attackers are automating phishing campaigns leveraging the “Axios” user-agent string and Microsoft’s Direct Send feature. ReliaQuest reports a 241% increase in Axios-based phishing activity. (cgspam.org)
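One defender-side check this tactic invites is to flag sign-in events whose User-Agent identifies the Axios HTTP client and to group them by source address, since an automated campaign typically works through many accounts from few sources. The example below is added here and is not from the roundup or from ReliaQuest; the JSON-lines log format, field names and sample records are constructed for illustration.

```python
"""Flag sign-ins from the Axios HTTP client and surface sources that hit many accounts.

Constructed example: each sign-in record is one JSON line with the fields
ts (ISO-8601), user, src_ip, user_agent and result. Adapt the field names to
your identity provider's export.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
{"ts": "2025-09-24T08:01:02Z", "user": "a.lee@example.com", "src_ip": "203.0.113.10", "user_agent": "axios/1.7.2", "result": "failure"}
{"ts": "2025-09-24T08:01:05Z", "user": "b.kim@example.com", "src_ip": "203.0.113.10", "user_agent": "axios/1.7.2", "result": "failure"}
{"ts": "2025-09-24T08:01:09Z", "user": "c.ng@example.com", "src_ip": "203.0.113.10", "user_agent": "axios/1.7.2", "result": "success"}
{"ts": "2025-09-24T08:02:00Z", "user": "d.ali@example.com", "src_ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0", "result": "success"}
{"ts": "2025-09-24T09:15:00Z", "user": "svc-sync@example.com", "src_ip": "192.0.2.44", "user_agent": "Axios/0.21.1", "result": "success"}
"""

def is_axios_agent(user_agent: str) -> bool:
    """True when the User-Agent names the Axios client (case-insensitive prefix match)."""
    return user_agent.strip().lower().startswith("axios/")

def parse_events(text: str) -> list[dict]:
    """Parse JSON lines, skipping blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_axios_campaigns(text: str, min_users: int = 3, window_s: int = 300) -> dict[str, list[str]]:
    """Group Axios sign-ins by source IP; return the IPs that touched at least
    min_users distinct accounts within window_s seconds, with the accounts hit."""
    by_ip = defaultdict(list)
    for ev in parse_events(text):
        if is_axios_agent(ev.get("user_agent", "")):
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            by_ip[ev["src_ip"]].append((ts, ev["user"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # chronological, so the sliding window below is simple
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits
```

The threshold keeps a lone service account that legitimately uses Axios (the 192.0.2.44 record) out of the alert; tune min_users and window_s to your own baseline before treating a hit as more than a lead.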
State of CISO pressures & disclosure ethics: A new survey shows 69% of CISOs feel pressured by executives to downplay or conceal security incidents—up from 42% two years ago. (Black Arrow Cyber Consulting)
This poses serious risk under regulatory regimes that mandate breach reporting (e.g. GDPR, DORA).
Phishing via calendar invites & infrastructure abuse: Attackers have abused iCloud Calendar to send phishing emails that evade spam filters by using Apple’s legitimate infrastructure. (Cyber Recaps)
✅ Key Recommendations for Your Organisation
Patch & prioritize
Immediately address Cisco ASA / firewall device vulnerabilities.
Rotate OAuth tokens and audit integrations used in CRM workflows.
Monitor for indicators of the MostereRAT strain or similar stealth tools.
Harden third-party boundaries
Vet and reduce reliance on third‑party connectors or scripts.
Use least privilege for integration accounts, and enforce strong access controls and logging.
Network & backup hygiene
Encrypt backups, separate them from live networks, and scrutinize access logs.
Configure network appliances (firewalls, VPNs) with strict rule sets, segmentation, and monitoring.
Raise awareness & simulate attack paths
Employees should be trained to detect clever phishing (calendar invites, MFA impersonation).
Use tabletop exercises to simulate attacks via supply chain or phishing vectors.
Leadership accountability & disclosure readiness
CISOs must push for openness in incident handling.
Ensure legal/compliance teams understand reporting obligations (e.g., GDPR, DORA).
Prepare forward‑looking incident response playbooks and public communication strategies.
🔍 What to Watch Next Week
Will more high-impact ransomware attacks target critical infrastructure or transport systems?
Continued exploitation campaigns targeting Cisco ASA and other legacy VPN/firewall appliances.
New zero-days discovered in SaaS or CRM systems as attackers scan for weak links.
Escalation of phishing sophistication using AI tools or deceptive infrastructure subversion.