Cybersecurity Newsletter - September 22, 2025
In this week's news: Microsoft patches catastrophic Entra ID flaw with CVSS 10.0 severity, North Korean hackers evolve tactics with ClickFix job scams, major European airports disrupted by Collins Aerospace cyberattack, and MI6 launches dark web portal to recruit Russian informants.
Microsoft's "God Mode" Vulnerability Exposes Fatal Trust Flaw
Microsoft has patched CVE-2025-55241, a maximum-severity (CVSS 10.0) vulnerability in Entra ID that could have compromised every tenant worldwide. The flaw allowed attackers to use actor tokens from any test environment to impersonate Global Administrators across all tenants, bypassing MFA and Conditional Access policies. Security researcher Dirk-jan Mollema discovered the issue, which Microsoft fixed on July 17, 2025. The vulnerability highlights fundamental architectural flaws in centralized authority systems, prompting calls for "authorityless security" approaches using distributed cryptography.
https://thehackernews.com/2025/09/microsoft-patches-critical-entra-id.html
https://infosecwriteups.com/the-god-mode-vulnerability-that-should-kill-trust-microsoft-forever-f83b8fe6e909
Airport Operations Disrupted Across Europe
A cyberattack on Collins Aerospace's Muse software disrupted check-in and boarding systems at major European airports including Heathrow, Brussels, and Berlin. The incident forced manual operations, causing extensive delays and thousands of stranded passengers. Collins Aerospace, which provides critical aviation infrastructure, confirmed the "cyber-related disruption" affected electronic check-in and baggage drop systems. Aviation sector attacks have surged 600% from 2024 to 2025, exposing vulnerabilities in centralized service providers.
https://securityaffairs.com/182363/hacking/a-cyberattack-on-collins-aerospace-disrupted-operations-at-major-european-airports.html
https://hackread.com/cyberattack-disrupts-airport-check-in-systems-europe/
macOS Users Targeted Through Fake GitHub Repositories
LastPass warns of an ongoing campaign using fraudulent GitHub repositories to distribute Atomic infostealer malware targeting macOS users. Threat actors employ SEO poisoning to push malicious sites to the top of search results, impersonating legitimate tools from tech firms, banks, and password managers. The repositories use ClickFix-style social engineering, tricking users into executing Terminal commands that install the Atomic Stealer. The campaign targets popular applications including 1Password, Dropbox, Notion, and Shopify.
https://securityaffairs.com/182419/malware/beware-github-repos-distributing-atomic-infostealer-on-macos.html
https://thehackernews.com/2025/09/lastpass-warns-of-fake-repositories.html
North Korean Hackers Evolve Job Scam Tactics
DPRK-linked threat actors are using ClickFix lures to deliver BeaverTail and InvisibleFerret malware through fake cryptocurrency job interviews. The campaign, dubbed "Contagious Interview," now targets marketing and trader roles rather than developers, using compiled binaries for Windows, macOS, and Linux. Attackers create fake hiring platforms on Vercel, display bogus microphone errors, and trick victims into running malicious commands. SentinelOne reports at least 230 individuals targeted between January and March 2025.
https://thehackernews.com/2025/09/dprk-hackers-use-clickfix-to-deliver.html
MI6 Launches Dark Web Portal for Russian Informants
The UK's MI6 has launched "Silent Courier," a dark web portal designed to securely recruit agents and receive intelligence from Russia and other nations. Announced by outgoing Chief Sir Richard Moore in Istanbul, the platform allows individuals to share information about terrorism or hostile intelligence activities through Tor anonymization. This follows similar initiatives by the CIA in 2022, marking a significant shift from traditional face-to-face recruitment to digital operations amid heightened global tensions.
https://hackread.com/mi6-dark-web-portal-silent-courier-russia-secrets/
Canada Shuts Down TradeOgre Exchange, Seizes $40M
The Royal Canadian Mounted Police has dismantled the TradeOgre cryptocurrency exchange and seized over $40 million in suspected criminal proceeds. This marks Canada's first crypto exchange shutdown and largest asset seizure. TradeOgre, which focused on privacy coins like Monero and didn't require KYC verification, was operating illegally without FINTRAC registration. The platform went offline in July 2025 following a Europol tip about money laundering activities.
Critical Infrastructure & Enterprise Security
Fortra GoAnywhere MFT Critical Vulnerability: Fortra released patches for CVE-2025-65577 (CVSS 10.0), an authentication bypass flaw in GoAnywhere MFT's License Servlet that allows remote code execution without authentication.
https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.html
https://www.bleepingcomputer.com/news/security/fortra-warns-of-max-severity-flaw-in-goanywhere-mfts-license-servlet/
CISA Exposes Ivanti EPMM Attack Tools: CISA revealed malware kits used in attacks against Ivanti Endpoint Manager Mobile, helping defenders identify and mitigate ongoing threats to mobile device management systems.
https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-deployed-in-ivanti-epmm-attacks/
SystemBC Powers REM Proxy Network: Researchers uncovered a botnet of 1,500+ compromised Mikrotik routers using SystemBC malware to create residential proxy services for cybercriminal operations.
https://thehackernews.com/2025/09/systembc-powers-rem-proxy-with-1500.html
AI & Emerging Threats
ShadowLeak Zero-Click Gmail Vulnerability: Radware discovered a critical ChatGPT flaw allowing attackers to extract Gmail data through specially crafted prompts without user interaction.
https://thehackernews.com/2025/09/shadowleak-zero-click-flaw-leaks-gmail.html
AI-Generated Fake CAPTCHAs: Attackers are using AI tools to create convincing fake CAPTCHA challenges that trick users into downloading malware or revealing credentials.
https://www.infosecurity-magazine.com/news/attackers-abuse-ai-fake-captchas/
Cybersecurity AI Framework Released: An open-source framework called CAI has been released to help security teams build AI-driven tools for offensive and defensive operations, supporting over 300 AI models.
https://www.helpnetsecurity.com/2025/09/22/cybersecurity-ai-cai-open-source-framework-ai-security/
Enterprise Security Insights
Juventus Football Club's Cyber Risk Strategy: The club employs threat-led, outcomes-driven security based on NIST Framework, with heightened posture during matchdays and transfer windows, demonstrating lessons applicable to high-stakes environments.
https://www.helpnetsecurity.com/2025/09/22/mirko-rinaldini-juventus-juventus-cyber-risk-strategy/
Kubernetes Evolution with AI and GitOps: New report shows over 50% of organizations run AI/ML workloads on Kubernetes, with GitOps adoption rising and platform engineering teams emerging to manage complexity.
https://www.helpnetsecurity.com/2025/09/22/report-kubernetes-ai-gitops-trends/
Threat Intelligence Updates
Gamaredon-Turla Collaboration: Russian APT groups Gamaredon and Turla are collaborating in attacks against Ukraine, sharing infrastructure and tools in coordinated campaigns.
https://thehackernews.com/2025/09/russian-hackers-gamaredon-and-turla.html
FBI Warns of Fake Crime Portals: The FBI alerts about fraudulent websites impersonating FBI crime complaint portals to harvest personal information and conduct cybercrime.
https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-fbi-crime-complaint-portals-used-for-cybercrime/
Security Tools & Resources
ImmuniWeb SSL Security Test: Free tool for comprehensive SSL/TLS configuration testing and vulnerability assessment.
https://www.helpnetsecurity.com/2025/09/19/immuniweb-ssl-security-test/
Active Exploits in the Wild
CVE-2025-24813: Critical vulnerability actively exploited
https://inthewild.io/vuln/CVE-2025-24813
CVE-2025-0282: Security flaw under active exploitation
https://inthewild.io/vuln/CVE-2025-0282
CVE-2024-3393: Ongoing attacks observed
https://inthewild.io/vuln/CVE-2024-3393