The final week of September 2025 saw critical cybersecurity incidents impacting global aviation, automotive, retail, and manufacturing sectors. Key events include a crippling ransomware attack on Collins Aerospace that disrupted European airports, a major data breach at Stellantis exposing 18 million customer records via a compromised Salesforce platform, and a system-wide outage at Japan’s Asahi Group caused by a cyberattack. Other notable developments include the Harrods breach of 430,000 customer records, Union County Ohio’s delayed ransomware disclosure, the takedown of the RaccoonO365 phishing service, and urgent patches for exploited VMware zero-day vulnerabilities. These incidents underscore the persistent threat to supply chains, third-party integrations, and operational technology environments, emphasizing the need for robust vendor security assessments, OAuth and API monitoring, OT network segmentation, and timely breach notification protocols.
Collins Aerospace Ransomware Attack – European Aviation Disruption
Overview
On September 19, 2025, Collins Aerospace (RTX) was hit by the HardBit ransomware variant, encrypting its MUSE passenger processing software across multiple European data centers. This attack forced major airports to revert to manual check-in and baggage handling procedures.
Explanation
Attackers gained initial access via spear-phishing emails containing a fake RTX firmware update (MITRE ATT&CK T1566.001). They exploited an unpatched API gateway vulnerability (CVSS 9.8) for privilege escalation (T1068), then deployed ransomware to encrypt passenger manifest databases (T1486). Logs were cleared (T1070.001) to evade detection, and lateral movement occurred via compromised credentials (T1021.001).
Impact
- Heathrow, Brussels, Berlin, and Dublin airports experienced flight delays and cancellations for three days.
- Over 500,000 itineraries were encrypted, affecting thousands of passengers and airlines’ operational continuity.
Details
Indicators of Compromise:
- Malicious firmware-update attachments
- Network traffic to known HardBit C2 domains
- Encrypted files with “.HardBit” extension
- Suspicious “vmtoolsd.exe” injection behavior
Timeline:
- 2025-09-19 22:45 GMT – Initial compromise
- 2025-09-20 02:00 GMT – Mass encryption
- 2025-09-22 – EU agency confirms ransomware
- 2025-09-25 – Arrest of suspect in UK
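As an added illustration, not code from the original report or from Collins Aerospace/RTX, the following Python sketch turns the indicators listed above into a small rule set and runs it over constructed log lines. The sample events, host names, the placeholder C2 domain and the key=value log layout are all assumptions made for the example; a real deployment would feed it Sysmon or EDR telemetry and a current threat-intel domain list.

```python
import re
from collections import Counter

# Constructed sample events (NOT real logs from the incident). Each line is a
# timestamp followed by key=value fields, loosely modelled on Sysmon / Windows
# Security events. Hostnames, users and paths are invented for this example.
SAMPLE_EVENTS = [
    "2025-09-19T22:45:10Z host=muse-app01 event=file_create path=C:\\inetpub\\uploads\\RTX_firmware_update_v3.2.exe user=jdoe",
    "2025-09-19T23:02:31Z host=muse-app01 event=process_access source=C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe target=vmtoolsd.exe access=0x1FFFFF",
    "2025-09-20T02:00:03Z host=muse-db02 event=file_rename path=D:\\manifests\\LHR_20250920.db new_path=D:\\manifests\\LHR_20250920.db.HardBit user=svc_muse",
    "2025-09-20T02:00:04Z host=muse-db02 event=file_rename path=D:\\manifests\\BRU_20250920.db new_path=D:\\manifests\\BRU_20250920.db.HardBit user=svc_muse",
    "2025-09-20T02:15:00Z host=muse-db02 event=security_log_cleared event_id=1102 user=svc_muse",
    "2025-09-20T02:30:00Z host=muse-app01 event=dns_query query=updates.vendor.example",
    "2025-09-20T02:31:00Z host=muse-app01 event=dns_query query=c2-placeholder.example",
]

# Placeholder: in practice this set is populated from a threat-intel feed of
# HardBit C2 domains. The single entry here is invented for the example.
KNOWN_C2_DOMAINS = {"c2-placeholder.example"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a 'timestamp key=value key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


# Each rule maps one of the indicators from the report to a predicate over a
# parsed event. Rule names carry the ATT&CK technique where the report gives one.
RULES = [
    ("T1566.001 phishing attachment (firmware-update lure)",
     lambda e: e.get("event") == "file_create"
     and re.search(r"firmware[_-]?update.*\.exe$", e.get("path", ""), re.I)),
    ("vmtoolsd.exe injection (suspicious process access)",
     lambda e: e.get("event") == "process_access"
     and e.get("target", "").lower() == "vmtoolsd.exe"),
    ("T1486 encryption (.HardBit extension)",
     lambda e: e.get("event") == "file_rename"
     and e.get("new_path", "").endswith(".HardBit")),
    ("T1070.001 security log cleared",
     lambda e: e.get("event") == "security_log_cleared" or e.get("event_id") == "1102"),
    ("C2 beacon (known HardBit C2 domain)",
     lambda e: e.get("event") == "dns_query"
     and e.get("query", "").lower() in KNOWN_C2_DOMAINS),
]


def detect(lines):
    """Return one alert per (event, matching rule), in log order."""
    alerts = []
    for line in lines:
        e = parse_event(line)
        for name, pred in RULES:
            if pred(e):
                alerts.append({"ts": e["ts"], "host": e.get("host"), "rule": name})
    return alerts


def summarize(alerts):
    """Count alerts per rule so the analyst sees the attack chain at a glance."""
    return Counter(a["rule"] for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["ts"], a["host"], a["rule"])
    print(dict(summarize(found)))
```

The point of `summarize` is that the individual signals (one lure file, one process access, a log clear) are weak on their own; seeing lure, injection, mass `.HardBit` renames and a 1102 log clear on the same hosts within hours is what should trigger the EDR rollback and isolation the takeaway below calls for.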
Takeaway for CISOs
Supply chain risk assessments and stringent vendor security requirements are paramount. Implement advanced EDR with automated rollback and maintain secondary check-in systems to ensure resilience against similar disruptions.
Stellantis Data Breach – Salesforce Compromise
Overview
On September 21, 2025, Stellantis disclosed unauthorized access to its Salesforce CRM, impacting 18 million North American customer records. The breach was attributed to the ShinyHunters group.
Explanation
Threat actors used compromised OAuth tokens belonging to a Salesloft Drift AI chat integration (T1539), obtained through vishing campaigns that stole employee credentials. With those tokens they executed unauthorized API calls (T1213) to exfiltrate bulk CRM data (T1041).
Impact
- Exposure of customer names, emails, phone numbers, service histories, and marketing preferences.
- Heightened phishing risk for 18 million individuals.
Details
Proof-of-Concept Flow:
- Vishing calls to employees
- Theft of OAuth session tokens
- Persistent API access for data export
- Encrypted exfiltration channels
IOCs:
- Unusual Salesforce API access patterns outside business hours
- Suspicious IP geo-locations
- Bulk export log entries
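As an added example, not part of the original report and not Salesforce's or Stellantis's own tooling, the following Python sketch implements the three IOCs above as a behavioral check over constructed API-access records: off-hours activity, access from a country outside a principal's baseline, and bulk exports above a row threshold. The record layout, the principal names (including the `drift-connected-app` identity standing in for an OAuth-connected integration), the business-hours window, the baseline countries and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumptions for the example: business hours 08:00-18:59 UTC on weekdays, and
# any single bulk export of this many rows or more is worth a second look.
BUSINESS_HOURS = range(8, 19)
BULK_ROW_THRESHOLD = 100_000

# Constructed per-principal geo baseline (a user and an OAuth-connected app).
# In practice this comes from weeks of observed, clean login history.
BASELINE_COUNTRIES = {
    "alice@example.com": {"US"},
    "drift-connected-app": {"US"},
}

# Constructed API-access records (NOT real Salesforce event logs). Fields are
# simplified: principal = user or connected app, op = API operation type.
SAMPLE_LOG = [
    {"ts": "2025-09-15T14:12:00Z", "principal": "alice@example.com",
     "client": "browser", "country": "US", "op": "query", "rows": 120},
    {"ts": "2025-09-20T03:41:00Z", "principal": "drift-connected-app",
     "client": "oauth", "country": "DE", "op": "bulk_export", "rows": 2_500_000},
    {"ts": "2025-09-20T03:55:00Z", "principal": "drift-connected-app",
     "client": "oauth", "country": "DE", "op": "bulk_export", "rows": 2_400_000},
    {"ts": "2025-09-16T10:05:00Z", "principal": "drift-connected-app",
     "client": "oauth", "country": "US", "op": "query", "rows": 50},
]


def score_event(ev):
    """Return the list of IOC signals a single API-access record trips."""
    reasons = []
    ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # IOC 1: access outside business hours or at the weekend.
    if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
        reasons.append("off-hours")
    # IOC 2: source country not in the principal's observed baseline.
    baseline = BASELINE_COUNTRIES.get(ev["principal"], set())
    if baseline and ev["country"] not in baseline:
        reasons.append("unexpected-geo")
    # IOC 3: a bulk export large enough to be a data-theft candidate.
    if ev["op"] == "bulk_export" and ev["rows"] >= BULK_ROW_THRESHOLD:
        reasons.append("bulk-export")
    return reasons


def detect(log, min_signals=2):
    """Flag records that trip at least min_signals IOCs (to suppress noise
    from a lone late-night query or a travelling employee)."""
    findings = []
    for ev in log:
        reasons = score_event(ev)
        if len(reasons) >= min_signals:
            findings.append({**ev, "reasons": reasons})
    return findings


def exported_rows_per_principal(log):
    """Total rows pulled via bulk export per principal; a connected app that
    normally reads a handful of records and suddenly exports millions is the
    pattern to alert on regardless of time or geography."""
    totals = defaultdict(int)
    for ev in log:
        if ev["op"] == "bulk_export":
            totals[ev["principal"]] += ev["rows"]
    return dict(totals)


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ts"], f["principal"], f["country"], f["op"], f["rows"], f["reasons"])
    print(exported_rows_per_principal(SAMPLE_LOG))
```

Requiring two concurrent signals is a deliberate trade-off: a single off-hours query from a legitimate user is common, but a connected app's OAuth token being used from a new country to run multi-million-row exports at 03:41 on a Saturday is exactly the pattern the takeaway below asks monitoring to catch, and it is also where narrow token scopes would have limited the damage.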
Takeaway for CISOs
Enforce OAuth token scope limitations, implement frequent token rotation, and deploy API activity monitoring with behavioral analytics. Conduct regular social engineering resilience training focused on vishing.
Harrods Data Breach – Third-Party Supplier Compromise
Overview
On September 26, 2025, Harrods revealed a breach of a third-party data processor that exposed 430,000 customer records.
Explanation
Attackers compromised the external supplier through a supply-chain compromise (T1195.002), gained access to customer databases, and exfiltrated the data over encrypted channels (T1041).
Impact
- Exposure of names, emails, phone numbers, loyalty program IDs, and marketing preferences.
- Potential phishing campaigns targeting affected customers.
Details
Affected Data Categories:
- Personal identifiers and contact details
- Loyalty and partnership information
- Marketing segmentation data
Remediation:
- Customer notifications and credit-monitoring offers
- Enhanced supplier security audits
- Implementation of stronger data-sharing agreements
Takeaway for CISOs
Strengthen third-party risk management with continuous security assessments, enforce data minimization, and require breach-notification SLAs in vendor contracts.
Asahi Group Cyberattack – Brewery Production Halt
Overview
On September 29, 2025, Asahi Group Holdings suspended operations nationwide after a cyberattack disabled critical business and production systems.
Explanation
While details remain limited, initial access was most likely gained via phishing or credential compromise (T1566). The deployed malware affected both OT and IT systems, encrypting production controls (T1486) and disrupting order processing (T1487).
Impact
- Order and shipment systems offline
- Production lines halted at 30 facilities
- Call center and logistics networks down
Details
System Failures Observed:
- Order management application crashes
- SCADA system unresponsive
- Coordination networks segmented offline
Response Measures:
- Full network isolation
- Forensic analysis engagement
- Activation of business continuity protocols
Takeaway for CISOs
Ensure robust OT security by segmenting networks, conducting regular tabletop exercises for OT incidents, and maintaining offline backups of critical control system configurations.
Union County Ohio Ransomware – Delayed Disclosure
Overview
Union County, Ohio disclosed on September 24, 2025, that a ransomware attack in May had compromised data of 45,487 residents.
Explanation
Attack timeline: unauthorized access May 6–18, detection May 18. Data encrypted (T1486) before containment. Public notification delayed until September.
Impact
- Exposure of SSNs, financial account details, medical records, biometric data, and IDs for 45,487 individuals.
Details
Compromised Data Types:
- Social Security numbers and personal identifiers
- Financial account and payment card details
- Medical and biometric records
- Government ID information
Notification Timeline:
- 2025-05-18 – Detection
- 2025-09-24 – Public disclosure
Takeaway for CISOs
Implement strict incident response SLAs to ensure timely breach reporting. Classify and segment sensitive data to limit exposure scope and expedite containment.
Additional Developments
- AZpro Group Ransomware: Ransomware group “J” claimed an attack against AZpro Group, underscoring targeting of SMBs.
- RaccoonO365 Takedown: Microsoft and Cloudflare seized 338 phishing domains, disrupting a service that stole over 5,000 Microsoft 365 credentials. The takedown is complete.
- VMware Zero-Day Exploitation: UNC5174 has been exploiting CVE-2025-41244 in VMware Tools since October 2024. Patches released by VMware and Broadcom address this and related NSX/vCenter vulnerabilities.
FireCompass continuously scans and detects such vulnerabilities, providing real-time risk assessments and attack surface visibility. Don’t wait for attackers to exploit your systems—stay ahead of attackers with FireCompass Continuous Automated Red Teaming (CART). Get started today.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management