By the CyberWire staff
Top stories.
- CISA orders US Federal agencies to patch Cisco flaws immediately.
- Ransomware attack disrupts European airports.
- Jaguar Land Rover extends shutdown until October.
- Microsoft revokes certain cloud services from the Israeli military.
- Researchers analyze maximum-severity Fortra vulnerability.
- Libraesva fixes actively exploited flaw.
- China-nexus threat actor deploys BRICKSTORM backdoor against the tech and legal sectors.
CISA orders US Federal agencies to patch Cisco flaws immediately.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an emergency directive ordering federal civilian agencies to mitigate actively exploited vulnerabilities affecting Cisco Adaptive Security Appliances (ASAs) by midnight on September 26th. The two vulnerabilities (CVE-2025-20333 and CVE-2025-20362) were exploited as zero-days to achieve unauthenticated remote code execution and to establish persistence that survives reboots and system upgrades. Cisco issued patches for the flaws on Thursday, attributing the exploitation to the same threat actor responsible for the ArcaneDoor campaign in 2023 and 2024. The Washington Post cites security experts as saying Chinese hackers are behind the campaign, and CISA did not dispute that conclusion.
The agency stated, "CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service. These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign."
While the directive binds only Federal civilian agencies, private-sector operators of ASA and Firepower devices should treat the matter with the same urgency. A twenty-four-hour deadline from CISA is rare and highlights the severity of the flaws.
Protect data. Secure AI. Innovate now. Join us at DataSecAI 2025.
AI adoption is exploding, and security teams are under pressure to keep up. That’s why the industry is coming together at DataSecAI25, the premier event for cybersecurity, data, and AI leaders, hosted by Cyera.
Built for the industry, by the industry, this two-day event is where real-world insights and bold solutions take center stage. DataSecAI25 is happening November 12–13 in Dallas. No cost to attend - just bring your perspective and join the conversation. Register now to save your seat!
Ransomware attack disrupts European airports.
Hundreds of flights at several European airports were delayed following a cyberattack against Collins Aerospace, an RTX (formerly Raytheon) subsidiary that provides automated flight check-in systems. The incident, which began on September 19th, affected the UK's Heathrow and airports in Berlin, Brussels, and Dublin. Reuters says Collins is still working to recover its systems, and delays have continued throughout the week. SecurityWeek cites researchers as saying the HardBit ransomware was used in the attack and that Collins is struggling with reinfections following cleanup attempts.
British police on Tuesday arrested a suspect in connection with the attack. The UK's National Crime Agency (NCA) said in a statement Wednesday morning, "NCA officers, supported by the South East ROCU, arrested a man in his forties in West Sussex yesterday evening on suspicion of Computer Misuse Act offences. He has been released on conditional bail."
Jaguar Land Rover extends shutdown until October.
Jaguar Land Rover (JLR) has extended its pause in production until at least October 1st, the Record reports. The company shut down its auto manufacturing plants in the UK at the beginning of September following a cyberattack, and is estimated to be losing up to £70 million (US$94 million) per day. The incident is also causing significant financial impacts to the company's supply-chain businesses across the UK, according to the Register.
JLR stated, "We have made this decision to give clarity for the coming week as we build the timeline for the phased restart of our operations and continue our investigation. Our teams continue to work around the clock alongside cybersecurity specialists, the NCSC, and law enforcement to ensure we restart in a safe and secure manner."
Microsoft revokes certain cloud services from the Israeli military.
Microsoft has stopped providing certain cloud services to the Israeli military as the company investigates alleged mass surveillance of Palestinians, CNBC reports. Microsoft initiated the investigation following an August report from the Guardian that claimed the IDF's Unit 8200 was using Microsoft's Azure servers in Europe to store millions of recordings of phone calls made by Palestinian civilians. Microsoft's President, Brad Smith, said in a letter to employees on Thursday, "While our review is ongoing, we have found evidence that supports elements of The Guardian’s reporting. This evidence includes information relating to IMOD consumption of Azure storage capacity in the Netherlands and the use of AI services."
Smith outlined the following two reasons for cutting the services: "First, we do not provide technology to facilitate mass surveillance of civilians. We have applied this principle in every country around the world, and we have insisted on it repeatedly for more than two decades. This is why we explained publicly on August 15 that Microsoft’s standard terms of service prohibit the use of our technology for mass surveillance of civilians. Second, we respect and protect the privacy rights of our customers. This means, among other things, that we do not access our customers’ content in this type of investigation."
Microsoft will continue providing other services to Israel, including those related to cybersecurity.
Researchers analyze maximum-severity Fortra vulnerability.
Researchers at watchTowr have published an analysis of a maximum-severity vulnerability (CVE-2025-10035) affecting Fortra's GoAnywhere Managed File Transfer (MFT) product, a deserialization flaw in the License Servlet. Fortra issued patches for the flaw last week, and users are urged to ensure their deployments are up to date. Fortra says users should "[i]mmediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet." watchTowr says 20,000 GoAnywhere instances are currently exposed to the Internet.
Fortra hasn't stated whether the vulnerability has been exploited, but the company stated "Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject: If this string is present in an exception stack trace (similar to the following), then the instance was likely affected by this vulnerability." watchTowr notes that this ambiguous wording may imply in-the-wild exploitation.
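Fortra's indicator is a string inside an exception stack trace rather than a single log line, so a useful check has to group multi-line traces before matching. The script below is an added example of that detection logic (not Fortra's or watchTowr's code): it splits a log into timestamped records, keeps only those that carry a Java stack trace, and reports the ones where a frame contains SignedObject.getObject, the java.security.SignedObject method that deserializes the embedded object. The log layout, the exception class, the frame line numbers and the com.example.license.LicenseServlet frame in the sample are constructed for the example; real GoAnywhere log lines may differ, so adjust RECORD_RE to match the timestamp prefix in your files.

```python
"""Hunt for the CVE-2025-10035 indicator in GoAnywhere MFT-style logs.

Added example, not Fortra's or watchTowr's code.  The record/trace layout
below is a constructed approximation of a Java application log; adjust
RECORD_RE if the real log files use a different timestamp prefix.
"""
import re
import sys
from typing import Dict, List

INDICATOR = "SignedObject.getObject"

# A timestamped line starts a new log record (constructed format).
RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Java stack-frame lines look like "\tat pkg.Class.method(File.java:123)".
FRAME_RE = re.compile(r"^\s*at\s+\S+\(")

# Constructed sample: one benign trace and one carrying the indicator.
# The exception class, line numbers and the LicenseServlet frame are made up.
SAMPLE_LOG = """\
2025-09-18 10:14:02 INFO  Admin user 'root' logged in from 10.0.0.5
2025-09-18 10:15:31 ERROR Failed to process license response
java.lang.ClassCastException: cannot cast to com.example.license.LicenseResponse
\tat java.base/java.security.SignedObject.getObject(SignedObject.java:178)
\tat com.example.license.LicenseServlet.doPost(LicenseServlet.java:88)
2025-09-18 10:16:00 WARN  Client disconnected
java.io.IOException: Connection reset
\tat java.base/sun.nio.ch.SocketDispatcher.read0(Native Method)
2025-09-18 10:17:12 INFO  Scheduled job completed
"""


def split_records(lines: List[str]) -> List[Dict]:
    """Group lines into records: a timestamped line plus every following
    line that does not itself start a new record (exception message,
    stack frames, 'Caused by:' lines)."""
    records: List[Dict] = []
    for lineno, line in enumerate(lines, start=1):
        if RECORD_RE.match(line) or not records:
            records.append({"line": lineno, "lines": [line]})
        else:
            records[-1]["lines"].append(line)
    return records


def has_stack_trace(record: Dict) -> bool:
    """True if any line of the record looks like a Java stack frame."""
    return any(FRAME_RE.match(l) for l in record["lines"])


def find_indicator_traces(log_text: str) -> List[Dict]:
    """Return one hit per stack trace that contains INDICATOR, with the
    record's starting line number, its header line and the matching frame."""
    hits = []
    for rec in split_records(log_text.splitlines()):
        if not has_stack_trace(rec):
            continue
        frames = [l.strip() for l in rec["lines"] if INDICATOR in l]
        if frames:
            hits.append({"line": rec["line"],
                         "header": rec["lines"][0].strip(),
                         "frame": frames[0]})
    return hits


if __name__ == "__main__":
    # Usage: python hunt_goanywhere.py /path/to/goanywhere.log (defaults to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for hit in find_indicator_traces(text):
        print(f"line {hit['line']}: {hit['header']}\n    {hit['frame']}")
```

Run it over the GoAnywhere log directory after patching; Fortra also points to the Admin Audit logs, which this script does not parse. A hit does not by itself prove command execution, but Fortra's advisory treats it as "likely affected", so a host that produces one should be scoped for follow-on activity rather than only patched.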
Libraesva fixes actively exploited flaw.
Email security firm Libraesva has issued an emergency patch for a flaw in its Email Security Gateway (ESG) that was being exploited as a zero-day by a nation-state threat actor, BleepingComputer reports. The vulnerability (CVE-2025-59689) is a "command injection flaw that can be triggered by a malicious e-mail containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user."
Libraesva users are advised to upgrade to the latest version.
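Libraesva's description (command injection reached by a crafted compressed attachment, running as a non-privileged user) describes a class of bug that any mail gateway can have where attachments are handed to external tools. The block below is an added example of that class and of two safer designs, not Libraesva's code; its assumption that the injection vector is the sender-supplied filename spliced into a shell command line is its own, since the page does not state the real mechanism. `echo` stands in for the archive tool so the block runs offline, and the archives it unpacks are constructed in memory.

```python
"""Command injection through a crafted attachment, with two safer designs.

Added example illustrating the vulnerability class behind CVE-2025-59689 as
the page describes it; this is not Libraesva's code.  The assumption that
the injection vector is a sender-supplied attachment filename spliced into
a shell command line is this example's own.  `echo` stands in for a real
archive tool so the example runs anywhere with /bin/sh.
"""
import io
import os
import subprocess
import tempfile
import zipfile

EXTRACTOR = "echo"  # stand-in for unzip/7z; the real tool name is not on the page


def unpack_vulnerable(attachment_name: str) -> list:
    """BAD: sender-controlled text becomes part of a shell command line.
    A name such as 'report.zip; echo INJECTED' makes the shell run a second
    command with the gateway process's privileges."""
    cmd = f"{EXTRACTOR} extracting {attachment_name}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def unpack_argv(attachment_name: str) -> list:
    """BETTER: argv list, no shell.  The whole name is one argument, so ';',
    '|', '$(...)' and backticks are inert.  Names beginning with '-' can
    still be read as options by the tool, so pass '--' where it allows."""
    out = subprocess.run([EXTRACTOR, "extracting", attachment_name],
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def unpack_library(attachment_bytes: bytes, max_members: int = 100,
                   max_total: int = 50_000_000) -> list:
    """BEST: never hand sender data to a shell.  Keep the archive in memory,
    unpack with a library into a server-chosen directory, and reject members
    whose path would escape that directory (zip-slip) or whose declared
    sizes exceed a budget (header sizes can lie; a production extractor
    should also count bytes while reading).  Returns the extracted names."""
    extracted = []
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.realpath(tmp)
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            total = 0
            for info in zf.infolist():
                if len(extracted) >= max_members:
                    raise ValueError("too many archive members")
                total += info.file_size
                if total > max_total:
                    raise ValueError("declared uncompressed size exceeds budget")
                target = os.path.realpath(os.path.join(dest, info.filename))
                if os.path.commonpath([dest, target]) != dest:
                    raise ValueError(f"member path escapes destination: {info.filename!r}")
                zf.extract(info, dest)
                extracted.append(info.filename)
    return extracted


def rejected(*args, **kwargs) -> bool:
    """True if unpack_library refuses the archive."""
    try:
        unpack_library(*args, **kwargs)
        return False
    except ValueError:
        return True


def make_sample_zip(members: dict) -> bytes:
    """Build a small in-memory archive (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run all three paths on constructed inputs and return the outcomes."""
    hostile_name = "report.zip; echo INJECTED"
    benign = make_sample_zip({"invoice.pdf": b"%PDF-1.4 constructed sample"})
    zip_slip = make_sample_zip({"../../etc/cron.d/backdoor": b"* * * * * root id\n"})
    return {
        "vulnerable": unpack_vulnerable(hostile_name),   # two lines: injected command ran
        "argv": unpack_argv(hostile_name),               # one line: name echoed verbatim
        "library_benign": unpack_library(benign),
        "zip_slip_rejected": rejected(zip_slip),
        "oversize_rejected": rejected(benign, max_total=10),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "non-privileged user" qualifier in the advisory is less comforting than it sounds: a gateway process that can read queued mail and reach internal relays is already a useful foothold, which is why the library-based path also caps member counts and declared sizes rather than stopping at shell-metacharacter hygiene.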
China-nexus threat actor deploys BRICKSTORM backdoor against the tech and legal sectors.
Mandiant warns that the China-linked group UNC5221 is using a new version of the BRICKSTORM backdoor to target legal entities, SaaS providers, business process outsourcers, and technology companies. Mandiant notes that "[t]he value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims."
The researchers explain, "BRICKSTORM includes SOCKS proxy functionality and is written in Go, which has wide cross-platform support. This is essential to support the actor’s preference to deploy backdoors on appliance platforms that do not support traditional EDR tools. Mandiant has found evidence of BRICKSTORM on Linux and BSD-based appliances from multiple manufacturers. Although there is evidence of a BRICKSTORM variant for Windows, Mandiant has not observed it in any investigation."