Application Security Testing 30 Sep 2025

Weekly Cybersecurity Intelligence Report Cyber Threats & Breaches 23 Sep – 29 Sep, 2025

Priyanka Aash Co-Founder, FireCompass

Summarize and analyze this article with:

The final week of September 2025 saw critical cybersecurity incidents impacting global aviation, automotive, retail, and manufacturing sectors. Key events include a crippling ransomware attack on Collins Aerospace that disrupted European airports, a major data breach at Stellantis exposing 18 million customer records via a compromised Salesforce platform, and a system-wide outage at Japan’s Asahi Group caused by a cyberattack. Other notable developments include the Harrods breach of 430,000 customer records, Union County Ohio’s delayed ransomware disclosure, the takedown of the RaccoonO365 phishing service, and urgent patches for exploited VMware zero-day vulnerabilities. These incidents underscore the persistent threat to supply chains, third-party integrations, and operational technology environments, emphasizing the need for robust vendor security assessments, OAuth and API monitoring, OT network segmentation, and timely breach notification protocols.

>>Outpace Attackers With AI-Based Automated Penetration Testing

Collins Aerospace Ransomware Attack – European Aviation Disruption

Overview

On September 19, 2025, Collins Aerospace (RTX) was hit by the HardBit ransomware variant, encrypting its MUSE passenger processing software across multiple European data centers. This attack forced major airports to revert to manual check-in and baggage handling procedures.

Explanation

Attackers gained initial access via spear-phishing emails containing a fake RTX firmware update (MITRE ATT&CK T1566.001). They exploited an unpatched API gateway vulnerability (CVSS 9.8) for privilege escalation (T1068), then deployed ransomware to encrypt passenger manifest databases (T1486). Logs were cleared (T1070.001) to evade detection, and lateral movement occurred via compromised credentials (T1021.001).

Impact

Heathrow, Brussels, Berlin, and Dublin airports experienced flight delays and cancellations for three days.
Over 500,000 itineraries were encrypted, affecting thousands of passengers and airlines’ operational continuity.

Details

Indicators of Compromise:

Malicious firmware-update attachments
Network traffic to known HardBit C2 domains
Encrypted files with “.HardBit” extension
Suspicious “vmtoolsd.exe” injection behavior

Timeline:

2025-09-19 22:45 GMT – Initial compromise
2025-09-20 02:00 GMT – Mass encryption
2025-09-22 – EU agency confirms ransomware
2025-09-25 – Arrest of suspect in UK

Takeaway for CISOs

Supply chain risk assessments and stringent vendor security requirements are paramount. Implement advanced EDR with automated rollback and maintain secondary check-in systems to ensure resilience against similar disruptions.

Stellantis Data Breach – Salesforce Compromise

Overview

On September 21, 2025, Stellantis disclosed unauthorized access to its Salesforce CRM, impacting 18 million North American customer records. The breach was attributed to the ShinyHunters group.

Explanation

Threat actors leveraged compromised OAuth tokens from a Salesloft Drift AI chat integration (T1539), obtained via vishing campaigns to steal employee credentials. They executed unauthorized API calls (T1213) to exfiltrate bulk CRM data (T1041).

Impact

Exposure of customer names, emails, phone numbers, service histories, and marketing preferences.
Heightened phishing risk for 18 million individuals.

Details

Proof-of-Concept Flow:

Vishing calls to employees
Theft of OAuth session tokens
Persistent API access for data export
Encrypted exfiltration channels

IOCs:

Unusual Salesforce API access patterns outside business hours
Suspicious IP geo-locations
Bulk export log entries

Takeaway for CISOs

Enforce OAuth token scope limitations, implement frequent token rotation, and deploy API activity monitoring with behavioral analytics. Conduct regular social engineering resilience training focused on vishing.

Harrods Data Breach – Third-Party Supplier Compromise

Overview

On September 26, 2025, Harrods revealed a breach of a third-party data processor that exposed 430,000 customer records.

Explanation

Attackers compromised the external supplier via supply chain exploit (T1195.002), gaining access to customer databases and exfiltrating data over encrypted channels (T1041).

Impact

Exposure of names, emails, phone numbers, loyalty program IDs, and marketing preferences.
Potential phishing campaigns targeting affected customers.

Details

Affected Data Categories:

Personal identifiers and contact details
Loyalty and partnership information
Marketing segmentation data

Remediation:

Customer notifications and credit-monitoring offers
Enhanced supplier security audits
Implementation of stronger data-sharing agreements

Takeaway for CISOs

Strengthen third-party risk management with continuous security assessments, enforce data minimization, and require breach-notification SLAs in vendor contracts.

Asahi Group Cyberattack – Brewery Production Halt

Overview

On September 29, 2025, Asahi Group Holdings suspended operations nationwide after a cyberattack disabled critical business and production systems.

Explanation

While details remain limited, likely initial access was via phishing or credential compromise (T1566). The malware deployed impacted OT and IT systems, encrypting production controls (T1486) and disrupting order processing (T1487).

Impact

Order and shipment systems offline
Production lines halted at 30 facilities
Call center and logistics networks down

Details

System Failures Observed:

Order management application crashes
SCADA system unresponsive
Coordination networks segmented offline

Response Measures:

Full network isolation
Forensic analysis engagement
Activation of business continuity protocols

Takeaway for CISOs

Ensure robust OT security by segmenting networks, conducting regular tabletop exercises for OT incidents, and maintaining offline backups of critical control system configurations.

Union County Ohio Ransomware – Delayed Disclosure

Overview

Union County, Ohio disclosed on September 24, 2025, that a ransomware attack in May had compromised data of 45,487 residents.

Explanation

Attack timeline: unauthorized access May 6–18, detection May 18. Data encrypted (T1486) before containment. Public notification delayed until September.

Impact

Exposure of SSNs, financial account details, medical records, biometric data, and IDs for 45,487 individuals.

Details

Compromised Data Types:

Social Security numbers and personal identifiers
Financial account and payment card details
Medical and biometric records
Government ID information

Notification Timeline:

2025-05-18 – Detection
2025-09-24 – Public disclosure

Takeaway for CISOs

Implement strict incident response SLAs to ensure timely breach reporting. Classify and segment sensitive data to limit exposure scope and expedite containment.

Additional Developments

AZpro Group Ransomware: Ransomware group “J” claimed an attack against AZpro Group, underscoring targeting of SMBs.
RaccoonO365 Takedown: Microsoft & Cloudflare seized 338 phishing domains, disrupting a service that stole over 5,000 Microsoft 365 credentials (Takedown completed).
VMware Zero-Day Exploitation: UNC5174 has been exploiting CVE-2025-41244 in VMware Tools since October 2024. Patches released by VMware and Broadcom address this and related NSX/vCenter vulnerabilities.

FireCompass continuously scans and detects such vulnerabilities, providing real-time risk assessments and attack surface visibility. Don’t wait for attackers to exploit your systems—stay ahead of attackers with FireCompass Continuous Automated Red Teaming (CART). Get started today.