OctopusCRX Cyber Briefing: September 8–21, 2025

Overview

  • In our latest bi-weekly briefing, we review the cybersecurity incidents that shaped the period from September 8–21, 2025. This reporting window saw ransomware campaigns against healthcare providers in multiple countries, a large-scale supply chain compromise in the NPM ecosystem, active zero-day exploitation requiring emergency patching, and disruptions at major European airports caused by a vendor system outage.

  • We also examine the continuing impact of earlier incidents — including Jaguar Land Rover’s production shutdown and the Salesforce OAuth campaign — which remained disruptive throughout this timeframe. Collectively, these developments illustrate how cyber risk now flows across supply chains, critical dependencies, and geopolitical environments, with direct implications for business resilience at the leadership level.

Sector-Specific Incidents:

Healthcare Ransomware Campaign

  • On September 8, the KillSec ransomware group launched coordinated attacks against healthcare providers in Brazil, Colombia, Peru, and the United States. MedicSolution (Brazil) reported the compromise of nearly 95,000 files containing patient records and diagnostic images; other providers, including Archer Health (U.S.) and Suiza Lab (Peru), also confirmed incidents.

  • Additional breaches disclosed during this period included a North Carolina healthcare centre (affecting 456,000 individuals) and Pollard & Associates (nearly 18,000 people impacted).

  • Implication: These incidents demonstrate the continuing vulnerability of healthcare data and systems, and the potential for simultaneous targeting across different geographies.

Jaguar Land Rover Production Outage

  • The cyberattack on Jaguar Land Rover (JLR), first detected September 1, continued into late September. Production across three UK plants remained suspended through at least September 24. With normal output of around 1,000 vehicles per day, losses were estimated at £50–72 million per week.

  • Implication: Even when not sector-wide, a single disruption can cascade across suppliers and distribution networks, demonstrating the operational interdependence of modern manufacturing.

Luxury Brands Data Breach

  • On September 15, French luxury group Kering confirmed that attackers accessed customer records from Gucci, Balenciaga, and Alexander McQueen. Data included names, email addresses, phone numbers, physical addresses, and purchase amounts, with hackers claiming 7.4 million unique emails.

  • Implication: Beyond regulatory exposure, breaches involving financial behaviour or spending patterns create secondary risks such as targeted fraud against customers.

Supply Chain Compromises:

NPM Ecosystem Attacks

  • Beginning September 8, attackers compromised popular JavaScript packages such as chalk and debug, collectively downloaded 2.6 billion times per week. The attack started with phishing against package maintainers, enabling insertion of malware designed to intercept cryptocurrency transactions.

  • On September 16, the Shai-Hulud campaign expanded the compromise to more than 180 packages, using automation to steal credentials and republish malicious versions.

  • Implication: Open-source ecosystems remain high-value targets due to their reach. Organizations must account for the security of third-party dependencies as part of their risk posture.

Zero-Day Vulnerabilities:

  • Microsoft Patch Tuesday (Sept 9): 84 vulnerabilities addressed, including two zero-days (Windows SMB privilege escalation and a Newtonsoft.Json denial-of-service issue).

  • Google Chrome (Sept 17): CVE-2025-10585, a type confusion flaw in the V8 engine that was actively exploited in the wild, patched within 24 hours of discovery.

  • Android Security Update (Sept 2025): 120 vulnerabilities fixed, including two zero-days enabling privilege escalation without user interaction.

  • Implication: The continued volume of zero-day exploitation underscores the importance of rapid, risk-based patch management at scale.

Aviation Disruption:

  • Between September 19 and 21, a cyberattack on Collins Aerospace’s MUSE software disrupted check-in systems at major European airports. Brussels Airport cancelled nearly half of its departures on September 21, while Heathrow and Berlin Brandenburg also reported delays.

  • Implication: Dependence on shared service providers introduces sector-wide operational risks when critical systems are disrupted.

Salesforce OAuth Campaign:

  • The OAuth supply chain campaign exploiting Salesforce integrations continued into September, with confirmed victims including:

  • TransUnion – 4.4 million records exposed

  • Allianz Life – over 1 million customers affected

  • Farmers Insurance – 1.1 million customers impacted

  • Tenable – customer contact and support case data accessed

  • Implication: SaaS integrations and authentication tokens represent expanding attack surfaces, requiring closer monitoring and stricter access governance.

State-Sponsored Operations:

  • Volt Typhoon (China): U.S. agencies confirmed persistence within critical infrastructure, in some cases exceeding five years.

  • Iranian-linked groups: Expanded activity combining technical compromises with disinformation and psychological operations.

  • Scattered Spider: Reemerged in September with attacks on a U.S. bank, leveraging Azure AD self-service password resets and moving laterally through Citrix and VPN systems.

  • Implication: State-backed and criminal groups continue to overlap in tactics and targeting, creating complex threat environments where organizations may be affected even if not directly targeted.

Closing Thoughts:

  • The events outlined in this report demonstrate that cybersecurity risk is not confined to isolated technical incidents — it is systemic and operational. Ransomware against hospitals, open-source compromises, and vendor outages all show how quickly a disruption in one part of the ecosystem can escalate into a business continuity issue.

  • For leadership, three themes stand out:

  • Dependencies define exposure. Whether in supply chains, SaaS integrations, or critical infrastructure vendors, the weakest external link can dictate organizational resilience.

  • Response speed is a differentiator. Zero-day exploits and fast-moving supply chain attacks reduce the margin for error. Organizations that can patch, contain, and recover quickly will experience less financial and reputational impact.

  • Resilience must be enterprise-wide. These incidents show the limits of treating cybersecurity as an IT function. Business continuity, vendor management, and governance need to be aligned with security strategy.

  • The lesson is not that the threat landscape is worsening — it is that the interdependence of digital infrastructure requires a different model of leadership oversight. Boards that approach cyber resilience as a core element of enterprise risk management will be better positioned to absorb shocks and maintain operational stability when — not if — disruption occurs.
