Major Incidents or Breaches

  • Jaguar Land Rover experienced a severe cyberattack, forcing the disconnection of systems and causing significant disruption to both retail and manufacturing operations.
  • Workiva, a major SaaS provider, disclosed a data breach after attackers accessed customer data via a compromised third-party Salesforce CRM system.
  • Multiple security firms, including Cloudflare, Palo Alto Networks, and Zscaler, were impacted by a breach involving Salesforce, Salesloft, and Drift, resulting in the exposure of customer contact information and case data.
  • The Pennsylvania Attorney General’s office confirmed a ransomware attack that caused weeks-long outages of email, phone, and web services. No ransom was paid.
  • Wiz Research reported a data leak at Chinese AI company DeepSeek, exposing over 1 million sensitive log streams.
  • The US Department of Justice filed a lawsuit against Apitor Technology for exposing children’s geolocation data to a Chinese third party without consent.
  • Disney agreed to pay $10 million to settle US FTC claims regarding the improper collection of children’s data on YouTube.

Newly Discovered Vulnerabilities

  • Google released September 2025 Android updates addressing over 100 vulnerabilities, including at least two zero-days (CVE-2025-2355, CVE-2025-2356) that are actively exploited.
  • A high-severity use-after-free vulnerability in Google Chrome’s V8 JavaScript engine was patched, preventing potential remote code execution.
  • CISA flagged an actively exploited vulnerability in TP-Link TL-WA855RE Wi-Fi range extenders, allowing attackers to reset and hijack affected devices. CISA recommends retiring these discontinued devices.
  • Exploit attempts were observed for CVE-2025-5086, a vulnerability in Dassault DELMIA Apriso used in manufacturing environments.
  • A WhatsApp bug, in conjunction with an Apple zero-day, is being used in targeted zero-click attacks against iPhone users, potentially for spyware deployment.

Notable Threat Actor Activity

  • An Iran-linked group, identified as Homeland Justice APT and associated with MOIS, conducted a coordinated spear-phishing campaign targeting over 100 embassy and consulate email accounts globally, aiming to spy on diplomats and international organisations.
  • Russian APT28 (Fancy Bear) is leveraging new ‘NotDoor’ malware to abuse Microsoft Outlook for covert data exfiltration.
  • North Korean IT worker scams remain a focus of regional countermeasures, with Japan and South Korea collaborating with private sector partners to disrupt these operations.
  • Malicious npm packages targeting Ethereum smart contract developers were discovered, using blockchain smart contracts to perform malicious actions on compromised systems.
  • Automated sextortion spyware, identified as a variant of “infostealer” malware, is taking screenshots and webcam photos of victims viewing adult content for extortion purposes.
  • Threat actors are using X’s Grok AI assistant to bypass link posting restrictions and distribute malicious links on the platform.
  • PayPal users are being targeted in a sophisticated email scam with the subject “Set up your account profile.”

Trends, Tools, or Tactics of Interest

  • Threat actors are rapidly adopting AI-powered offensive tools, specifically HexStrike AI, to exploit newly disclosed n-day vulnerabilities, including Citrix flaws, within days of public disclosure.
  • Attackers are increasingly using generative AI to craft more convincing phishing emails.
  • Endpoint security is seeing a shift towards AI-driven solutions, as highlighted in the 2025 Gartner Magic Quadrant, with a focus on countering advanced ransomware and phishing attacks.
  • Research indicates that compromised routers can remain undetected and accessible on the internet for years, highlighting persistent risks to infrastructure.
  • Geolocation data is being increasingly weaponised in advanced persistent threat (APT) operations and malware, enabling targeted attacks based on physical location.

Regulatory or Policy Developments

  • CISA, NSA, and 19 international partners released a joint statement outlining a shared vision for the Software Bill of Materials (SBOM), promoting its role in securing global software supply chains.
  • The US Department of State announced a $10 million bounty for information on three Russian FSB officers involved in cyberattacks against US critical infrastructure.
  • Law enforcement, in cooperation with the Alliance for Creativity and Entertainment, disrupted Streameast, the world’s largest illegal sports streaming platform, with arrests made in Egypt.