Threat Pulse – September 2025
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the most comprehensive Threat Intelligence and Open Threat Exchange databases available worldwide.
Global Overview
September 2025 was one of the most turbulent months of the year for global cyber security. According to multiple security intelligence reports, at least 49 distinct cyberattacks or breaches were publicly disclosed worldwide. Nearly 2 million individual records were confirmed exposed, while a further 1.5 billion records were potentially compromised in unverified large-scale data thefts still under investigation.
The month was characterised by an unusual combination of ransomware incidents, supply chain intrusions, zero-day exploitation, and high-impact operational disruptions that reached well beyond the digital realm.
Attackers appeared increasingly coordinated and opportunistic, exploiting weak vendor links and targeting critical infrastructure sectors such as manufacturing, aviation, and finance.
The Jaguar Land Rover Production Crisis
The most financially damaging attack of the month struck Jaguar Land Rover (JLR), the British automotive manufacturer. The incident began in late August but crippled operations throughout September. By 1 September, JLR had halted multiple production lines after a network intrusion rendered internal systems and logistics tools inoperable. Investigations revealed a sophisticated ransomware-style compromise that tore through its enterprise resource planning systems and disrupted supply chains across Europe.
As of late September, the company had still not resumed full production. Early estimates placed losses at approximately £50 million per week, prompting JLR to extend its shutdown for nearly three weeks while forensic investigators worked to contain the breach.
A collective calling itself “Scattered Lapsus$ Hunters” claimed responsibility, suggesting a loose alliance among several well-known threat actors including members of Scattered Spider, Lapsus$, and ShinyHunters. The JLR event stood as a reminder that ransomware groups can inflict massive physical and economic damage far beyond simple data theft, undermining industrial continuity and employment stability.
Aviation Disruption Across Europe
Only weeks later, aviation systems across Europe were brought to a standstill when Collins Aerospace, a major supplier of airline check-in and boarding platforms, was hit by a ransomware attack around 19 September.
Airports including London Heathrow, Brussels, and Berlin reported severe check-in delays and flight cancellations as airline information systems went offline.
Investigators initially suspected the HardBit ransomware variant, and authorities moved quickly, arresting a suspect in West Sussex under the UK’s Computer Misuse Act. Although the man was later released on conditional bail, the incident highlighted the fragility of aviation’s shared digital infrastructure. A single supplier compromise was able to disrupt travel for hundreds of thousands of passengers across multiple countries.
The ShinyHunters SaaS Campaign
Another major incident in September was the exposure of a vast network of organisations through SaaS and third-party compromises. On 17 September, the hacking collective ShinyHunters, already infamous for high-volume data breaches, was confirmed as the group behind a sweeping espionage campaign, known internally as UNC6395.
The attackers reportedly used the open-source tool TruffleHog to locate exposed credentials in software repositories. By harvesting OAuth tokens for Drift, a popular marketing and communications platform, they gained indirect access to hundreds of connected Salesforce customer databases.
Investigators believe that data from as many as 760 companies, totalling an alleged 1.5 billion records, may have been exfiltrated from Salesforce object tables such as “Accounts”, “Contacts” and “Opportunities”.
This incident demonstrated how the compromise of a single SaaS vendor can ripple through the global business ecosystem, granting adversaries access to sensitive customer relationship data far beyond the original breach perimeter.
Exploitation of Zero-Day Vulnerabilities
September 2025 also witnessed active exploitation of newly discovered zero-day vulnerabilities. A critical flaw, CVE-2025-10035, was uncovered in GoAnywhere Managed File Transfer (MFT) software, allowing remote code execution via its licence servlet component.
Within days of disclosure, security researchers observed widespread exploitation attempts targeting enterprise installations. Patched versions 7.8.4 and 7.6.3 were released to mitigate the threat, but many organisations were caught off guard.
Later in the month, analysts reported another high-risk zero-day, CVE-2025-53770, in Microsoft SharePoint. Attackers used it to gain initial access into government agencies and corporate intranets, underscoring the constant race between patch deployment and adversarial weaponisation.
These events reinforced the need for regular vulnerability management and tighter patch-response cycles within enterprise environments.
Cyber Trends for the Month
AI / automation increasingly power cyberattacks
Reports indicate that a high share of ransomware attacks are now AI-assisted (or AI-powered). Attackers are using automation to scale phishing, credential stuffing, CAPTCHA bypass, deepfake content, and other techniques. There is rising concern about “agentic AI”: autonomous AI agents that can identify, plan, and execute attacks with minimal human oversight.
Bot / automated traffic threats intensify, especially in the UK / Europe
A report by DataDome highlighted that global organisations (particularly UK ones) are poorly prepared to defend against “bad bots,” with only 1.8% of major UK domains fully protected. AI driven bots that mimic human behaviour are evading traditional defences and are being used to probe, scrape, or attack at scale.
Regulatory / legal shifts and national cyber security posture updates
In the UK, the Home Office released its plan for tackling cybercrime/fraud, citing that 20% of UK businesses and 14% of charities experienced cyberattacks in the past year. The UK NCSC released version 4.0 of its Cyber Assessment Framework.
Debate and criticism emerged over the UK Government’s proposed mandatory digital ID, the so-called “Britcard”, with warnings that a large central digital ID database would become a major hacking target.
State linked / geopolitical threat activity escalates
The US government reported new hacking intrusions, suspected to be the work of Chinese-linked threat actors, exploiting vulnerabilities in Cisco firewall hardware. Cyber threat trends are increasingly being viewed through a geopolitical lens, with adversaries targeting critical infrastructure, supply chains, and government networks.
Cyber Incidents in September
Volvo (via HR software vendor Miljödata)
When: Late August into September 2025.
What happened: Miljödata, a Swedish HR software vendor, was hit with ransomware. This attack exposed sensitive employee data for multiple companies, including Volvo.
Why it matters for tech: Even though the attack targeted HR software, it highlights the risk of third-party SaaS and cloud services being exploited to compromise much bigger enterprises.
Luxury Brands Breach (Gucci, Balenciaga – via SaaS/Platform Tech)
When: September 2025.
What happened: Cyberattacks hit the parent company Kering (owner of Gucci and Balenciaga), reportedly exploiting third-party SaaS or platform providers.
Why it matters for tech: Although the victims were fashion houses, the breach was enabled by SaaS and cloud technology platforms — another example of how attackers go after the technology supply chain behind the scenes.
Engel & Völkers (Germany / Europe) – Real Estate Brokerage & Property Services
When: 29 September 2025
What happened: A data breach was reported, attributed to the DragonForce group. The precise scale (leak size) is unknown.
Why it matters for real estate: Engel & Völkers is a high-profile luxury real estate brokerage. A data breach here might involve client details, property listings, financial records, buyer/seller identities, and brokerage commissions. For premium real estate firms, reputation is critical, so even “just” a data leak could damage client confidence.
HB Asset Management (South Korea) – Real Estate Finance / Asset Management
When: 15 September 2025
What happened: The firm suffered a breach (leak / data exposure) attributed to the Qilin threat actor. The firm deals in real estate financing, funds, and structuring.
Why it matters for real estate: Asset management firms in real estate handle capital flows, investor information, valuation data, project plans, and sometimes legal and development documents. Exposure of such data could allow financial fraud, insider advantage in deals, or loss of competitive intelligence.
Bridgestone (Tyre Manufacturing)
When: Early September 2025 — the incident was publicised around 5 September.
What happened: Bridgestone confirmed a cyberattack had impacted operations at some of its North American manufacturing plants (in South Carolina and Quebec). The company stated that the intrusion was contained before deeper compromise or data theft.
Why it matters for manufacturing: Even when an attack is caught early, any disruption in production lines or operational systems can have ripple effects on supply, distribution, and contracts. This incident underscores how manufacturing facilities remain a prime target for disruption, even if data theft isn’t the main goal.
Asahi Group (Beverage / Food Manufacturing)
When: Disruptions reported around late September / moving into October 2025.
What happened: Asahi (a major Japanese beverage and food manufacturer) suspended domestic operations — specifically order handling, shipping, and customer service systems — due to a cyberattack.
Why it matters for manufacturing: Beyond automotive and heavy industry, food & beverage manufacturers are also vulnerable. In this case, while no confirmed data breach was initially reported, the disruption to logistics and operations showed how attackers can target the business processes that keep production and delivery running.
Wealthsimple (Fintech / Investment Platform)
When: Public disclosure in early September 2025 (incident discovered 30 August)
What happened: The company reported a supply-chain attack via a compromised third-party software package. The breach exposed personal information of “less than 1%” of its clients.
Data / impact: Exposed data included contact details, government-issued IDs used during signup, dates of birth, IP addresses, account numbers, and Social Insurance Numbers (SINs). Importantly, no passwords or funds were accessed and client accounts remained secure, according to Wealthsimple.
Why it matters for finance: Shows how the finance sector is vulnerable not only to direct breaches but to third-party / vendor compromise. Even with limited exposure, the breach of identity data (SINs, IDs) creates risk of identity fraud, phishing, and reputational damage. The rapid containment is a positive sign, but trust damage is harder to reverse.
FinWise Bank / American First Finance (AFF) – Insider Data Breach
When: Reported in September 2025 (disclosure)
What happened: A former employee (insider) accessed sensitive customer information belonging to American First Finance, which is a partner / client of FinWise.
Data / impact: Approximately 689,000 customers’ data was impacted. The disclosed data included full names and other personally identifiable details (not fully detailed).
Why it matters for finance: Insider threat is always high risk in finance, given privileged access to sensitive data. Even if the access was after termination, residual access or weak controls can be exploited. The sheer scale (hundreds of thousands) underscores how one insider can do widespread damage.
Office of the Comptroller of the Currency (OCC) – Email System Security Incident
When: Reported during September 2025
What happened: The U.S. OCC (a regulator overseeing national banks) identified a security incident involving its email system. The affected administrative accounts were disabled, and the incident was reported to CISA.
Data / impact: The disclosure emphasises there is no indication of impact to the broader financial sector or bank customers.
Why it matters for finance: Even regulatory bodies are vulnerable; attacks there can be leveraged for intelligence or phishing campaigns against banks. The incident highlights the need for strict internal control over administrative systems in financial oversight institutions.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service mean we can take care of your security, while you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.