
September 2025 Cybersecurity Newsletter

  • joe2288
  • Sep 29, 2025
  • 3 min read


📰 Top Headlines & Incidents

🛫 Airport Disruptions: Ransomware Hits European Check-In Networks

Major European airports (UK, Germany, Belgium) experienced severe disruptions to check-in, baggage, and boarding systems after a ransomware attack hit Collins Aerospace's MUSE check-in software. Airlines had to revert to manual processing, causing flight delays, backlogs, and operational chaos. ENISA confirmed the attack was ransomware-driven. This incident underscores how targeting provider software can cascade across critical infrastructure networks. (Sources: Al Jazeera, World Economic Forum)

🚨 Cisco Firewall Zero-Days & Urgent Federal Directive

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 25-03, requiring federal agencies to identify, analyze, and mitigate potential compromises in Cisco ASA and Firepower devices. Vulnerabilities CVE-2025-20333 and CVE-2025-20362 were officially added to the Known Exploited Vulnerabilities list. End-of-support ASA hardware must be disconnected by September 30, 2025; supported hardware requires patching by September 26, 2025. (Source: CISA)

🔗 Supply Chain & Software Compromise Alerts

  • npm Supply Chain Compromise: CISA issued an alert about a widespread supply chain compromise affecting the npm ecosystem, urging software teams to inspect dependencies and verify package integrity. (Source: CISA)

  • China-linked Malware in Software Vendor Chains: Threat actors linked to China have been found injecting stealth malware into software supplier ecosystems, allowing backdoor access and persistent espionage. (Source: Cybersecurity Dive)

🧠 Resurgence & New Malware Threats

  • Scattered Spider Resurfaces: The cybercrime group Scattered Spider reappeared targeting financial organizations, using social engineering and account access tactics, despite previous claims of retirement. (Source: DIESEC)

  • macOS / XCSSET Variant Targets Firefox: A new version of the XCSSET macOS malware is leveraging browser targeting and clipboard hijacking (especially Firefox) for persistence and data theft. (Source: The Hacker News)

  • ForcedLeak Vulnerability in Salesforce Agentforce: Researchers disclosed a critical prompt injection / forced-leak vulnerability (called ForcedLeak) in Salesforce's AI/CRM integration module, allowing data exfiltration under certain conditions. (Source: The Hacker News)

Regulatory & Policy Updates

  • New Cyber Requirements for NY Hospitals: Starting October 2, 2025, New York hospitals must comply with 10 NYCRR § 405.46, which includes stricter obligations than HIPAA, such as the designation of a CISO (or qualified designee). (Source: Holland & Knight)

  • Congress Pushes Phishing-Resistant Authentication: The 2025 NDAA language encourages the DoD and related agencies to adopt modern forms of authentication (e.g. hardware security keys, FIDO2), reflecting growing legislative focus on phishing resilience. (Source: FedNews Network)

  • Cybersecurity Awareness Month 2025 Launches: DHS and CISA announced their leadership of Cybersecurity Awareness Month (October 2025), with the theme "Building a Cyber Strong America." (Source: U.S. Department of Homeland Security)

🧩 Emerging Trends & Observations

  • Targeting of Software Providers as Force Multipliers: The airport disruption and npm supply chain issues show that attacking a single software supplier can ripple through many dependent organizations.

  • Zero-Day Exploits in Networking Devices: Cisco firewall zero-days highlight how advanced attackers focus on edge devices with high leverage. Regular patching and segmentation are more critical than ever.

  • Evolving Malware & Attack Techniques: Threat actors are using more sophisticated persistence tactics and supply chain tampering, and are exploiting vulnerabilities in the AI/CRM layer. Defense must be multi-layered.

  • Zero-Trust, Identity, and Phishing Resistance Rising: Policy pushes (e.g. NDAA) and regulation (NY hospital rules) emphasize stronger authentication and identity control as foundational security controls.

✅ Key Takeaways & Action Steps

Focus Area: Suggested Actions

  • Patch & Validate: Prioritize Cisco ASA / Firepower patches, verify device integrity, disconnect unsupported hardware.

  • Supply Chain Hygiene: Audit dependencies, verify signature chains, enforce package origin checks (especially for npm).

  • Identity & MFA Hardening: Deploy phishing-resistant MFA (security keys, FIDO2), review account access and governance.

  • Incident Readiness: Update playbooks, run exercises simulating supply chain, ransomware, and device compromise.

  • Regulatory Alignment: For healthcare/NY operations, ensure readiness before Oct 2 for new hospital cybersecurity rules.

  • Awareness Campaigns: Use Cybersecurity Awareness Month (October 2025) as a launchpad for internal training, phishing drills, and messaging.

