🚨 Weekly Cybersecurity Roundup: 29 Sept – 6 Oct 2025

1. US Shutdown Disrupts Cyber Coordination, Sharing Law Expires

• A U.S. federal government shutdown has forced the Cybersecurity and Infrastructure Security Agency (CISA) to furlough most of its workforce, retaining just ~35% of staff. (The Washington Post)

• Coincidentally, the Cybersecurity Information Sharing Act (CISA 2015) — the legal framework that shielded private entities from liability when sharing cyber threat intelligence with government — has expired due to the budget impasse. (Wall Street Journal)

• Without this protection, many companies may hesitate to share threat data, weakening collective cyber defence. (The Washington Post)

Why it matters: For organisations that rely on cross-border threat intel exchange, the lapse is a warning: legislative or funding instability can ripple into your security posture. Mitigate by ensuring internal sharing, clear legal frameworks, and fallback coordination mechanisms.

2. “Cl0p” Ransomware Campaign Targets Executives via Extortion Emails

• Google issued a warning of a “high-volume extortion email” campaign targeting corporate executives across sectors. The hackers purport to have stolen sensitive data and demand multi‑million dollar ransoms. (New York Post)

• Oracle confirmed that customers using its E‑Business Suite have received extortion threats, likely leveraging previously known vulnerabilities. (Reuters)

• The suspected group is Cl0p, a well-known ransomware‑as‑a-service operator. (Reuters)

What to do now:

1. Scrutinise any unexpected business‑management or ERP platform emails, especially with attachments or extortion claims.

2. Patch known vulnerabilities in Oracle and related systems.

3. Ensure executives are trained in phishing and extortion tactics, and limit access to sensitive data on a “need‑to” basis.
   

3. DarkCloud Malware: Targeting Manufacturing via Phishing

• Cyber intelligence firm CYFIRMA flagged a surge in a new information‑stealer called DarkCloud, used via spear‑phishing campaigns aimed at manufacturing firms. (CYFIRMA)

• Once deployed, it can exfiltrate keystrokes, email content, files, browser credentials, VPN data, and more. (CYFIRMA)

Risk domains: manufacturing, industrial control networks, supply chain partners.

Mitigation tips: tighten email defenses, scan attachments and URLs with advanced heuristics, monitor for anomalous outbound traffic, and isolate sensitive internal systems.

4. Supply Chain & Open Source Threats — “shai‑hulud” worm, “soopsocks” package

• A worm dubbed “Shai‑Hulud” has compromised over 500 npm (JavaScript) packages, allowing attackers to distribute malicious payloads and steal developer credentials. (c3isit.com)

• In parallel, a malicious Python package soopsocks was discovered infecting ~2,653 systems. It masqueraded as a SOCKS proxy, then disabled firewalls, escalated privileges, and exfiltrated data to Discord webhooks. (telesoft-technologies.com)

Implications: Most organisations now depend on open-source ecosystems. Malicious code hidden in dependencies can percolate deeply into your networks.

Defence guidance:

• Implement software supply chain hygiene (dependency vetting, code audits, locked versions).

• Use anomaly detection around unexpected outbound connections.

• Rotate credentials/keys when suspicious activity is detected.
  

5. Regional Focus: Rising Cyber Threats in South Africa

• South Africa continues to see rapid escalation in malware, backdoor, banking trojan, and spyware attacks. (National Security News)

• In the first half of 2025, Kaspersky reported more than 6 million attack attempts and 10.3 million malware incidents locally. (National Security News)

• Many attacks go unreported. In 2024, over 100,000 banking attacks were launched, yet only 544 cases were officially recorded. (National Security News)

Takeaway: For organisations operating in South Africa or tied to its markets, under‑reporting and visibility gaps highlight the importance of proactive detection, internal logging, and external intelligence.

6. Emerging Trends & Alerts

• Milesight Routers Abused for Phishing SMSAttackers are abusing exposed APIs on Milesight routers (mainly in Europe) to send phishing SMS campaigns. ~572 routers found vulnerable. (diesec.com)

• Red Hat GitLab BreachA breach at a self‑hosted GitLab instance tied to Red Hat’s consulting division may have affected over 28,000 private repos (~570 GB data). (diesec.com)

• “ForcedLeak” Prompt Injection in SalesforceResearchers disclosed a high‑severity vulnerability (CVSS ~9.4) in Salesforce Agentforce/Einstein AI, allowing indirect prompt injection and data exfiltration. (paratuscybersec.com)

• AI‑Driven Threat LandscapeThe acceleration of AI‑powered attack tools is being widely observed — from prompt injections to LLM‑driven malware agents and campaign‑level automation. (strongestlayer.com)

• PhishLumos: Proactive Phishing Defence ResearchA new academic system, PhishLumos, proposes a multi‑agent approach that identifies phishing campaigns before they fully deploy — shifting defensive posture from reactive to proactive. (arXiv)

✅ Key Recommendations for the Week

🔍 What to Watch Next Week

• Will the U.S. government renew CISA 2015 or introduce alternative information sharing legislation?

• Updates on Cl0p’s extortion campaign — new targeted industries or tactics?

• New zero‑days or active exploitation in open source ecosystems (npm, PyPI, GitLab).

• Further evidence of AI‑driven attacks / agent‑based threat tools.

• Local/regional reporting improvements in South Africa, and whether regulators mandate stronger breach obligations.