Cybersecurity Intelligence Weekly, Global Threat Landscape (Sept 1–7, 2025)

Posted on September 29, 2025 by Finstein.ai

This week’s Cybersecurity Intelligence Weekly (Sept 1–7, 2025) highlights a series of high-impact incidents shaping the global threat landscape. From large-scale manufacturing disruptions at Jaguar Land Rover and Bridgestone to critical zero-day exploits in WhatsApp, Apple, and Sitecore, the week underscores the growing risks faced by enterprises and individuals alike.

The report also covers state-sponsored campaigns, massive data breaches in education and finance sectors, and urgent security updates from Google Android. Each incident has been analyzed with a focus on business impact, regulatory implications, and actionable security measures.

Our goal is to provide decision-makers, security leaders, and compliance teams with timely intelligence to strengthen defenses and stay ahead of evolving cyber threats.

1. Jaguar Land Rover Cyberattack Disrupts Production: Thousands of Workers Idled as Systems Outage May Extend Into October

Jaguar Land Rover (JLR), the UK’s largest car manufacturer and a subsidiary of Tata Group, is facing a significant operational crisis after a cyberattack forced a shutdown of production across multiple facilities.

The attack, discovered last week, has impacted plants in Halewood, Solihull, Wolverhampton, and several global sites, including Slovakia, Brazil, and India. Thousands of workers have been instructed to stay home, though they will continue to receive full pay. JLR plans to “bank” the missed hours for later recovery.

The disruption extends beyond JLR’s own facilities, affecting key suppliers like Evtec, WHS Plastics, SurTec, and OPmobility, employing over 6,000 UK workers. Internal sources suggest production delays could last well into September and potentially until October.

JLR has informed the Information Commissioner’s Office and is working with cybersecurity specialists and law enforcement to investigate. While there is no confirmed data breach yet, dozens of critical systems remain offline, forcing dealers and garages to rely on manual processes for vehicle registrations and spare parts.

A hacker group linked to Scattered Spider, Lapsus$, and ShinyHunters has claimed responsibility via Telegram. JLR continues to restore systems “in a controlled and safe manner.”

Source Link — https://www.theguardian.com/business/2025/sep/07/disruption-to-jaguar-land-rover-after-cyber-attack-may-last-until-october

2. Bridgestone Confirms Cyberattack on North American Plants: Manufacturing Disruptions Reported, Customer Data Believed Unaffected

Bridgestone Americas (BSA), the North American arm of the global tire giant, confirmed that it is investigating a cybersecurity incident affecting some of its manufacturing facilities.

Reports first surfaced on September 2, 2025, when operations at two plants in Aiken County, South Carolina were disrupted. The following day, similar issues were reported at BSA’s Joliette, Quebec facility.

In an official statement, Bridgestone said its incident response teams acted quickly, isolating affected systems and following established security protocols. The company believes the attack was contained early, preventing deeper network compromise or customer data theft.

While operations have been impacted, teams are working around the clock to restore systems and minimize supply chain disruptions, which could potentially affect product availability. Bridgestone emphasized that business continuity and data protection remain top priorities.

BSA operates 50 production facilities across North America, employing over 55,000 people and contributing $12 billion in annual sales.

Although the cause of the incident is still under investigation, no ransomware group has claimed responsibility so far. Notably, Bridgestone faced a LockBit ransomware attack in 2022, making this the second major cybersecurity challenge in recent years.

Source Link — https://www.bleepingcomputer.com/news/security/tire-giant-bridgestone-confirms-cyberattack-impacts-manufacturing

3. TP-Link Router Flaws Exploited by Chinese Threat Actors: Quad7 Botnet Used End-of-Life Devices to Launch Microsoft 365 Password Attacks

TP-Link has issued critical security patches for two vulnerabilities affecting its older SOHO routers, the Archer C7 and TL-WR841N/ND, after discovering they were exploited by a Chinese threat group, Quad7 (aka 7777), to launch large-scale botnet attacks targeting Microsoft 365 accounts.

The flaws, identified as CVE-2025-50224 (authentication bypass, severity 6.5) and CVE-2025-9377 (remote command execution, severity 8.6), were chained together to compromise devices. Once infected, routers were pulled into a botnet used for password-spraying attacks, posing risks to individuals and businesses alike.

Notably, many ISPs worldwide, including Ziggo in Europe and several providers in North America, have distributed these routers, often under rebranded names, leaving thousands of users potentially exposed.

Despite the routers being end-of-life (EoL), TP-Link released emergency firmware updates due to the severity of the exploitation. Security experts urge users and organizations to check their router models, apply the latest updates, and monitor Microsoft 365 accounts for suspicious activity.

This incident highlights ongoing software supply chain risks and the rising threat of state-sponsored botnets exploiting outdated consumer hardware at scale.
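The advice above to monitor Microsoft 365 accounts for suspicious activity is easier to act on with a concrete detection. The following is an added example, not code from the article or from TP-Link or Microsoft: it runs a distinct-user sliding-window check over a constructed set of sign-in records (field names, IPs and users are invented here). It generalizes the per-source check to a tenant-wide one, because a botnet-driven spray, as described in this item, spreads attempts across many source IPs so that no single IP crosses a per-IP threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Microsoft 365 sign-in records (not real log data).
# Field names are an assumption for this example; map your own export onto them.
SAMPLE_SIGNINS = [
    # A legitimate user who mistypes the password twice and then signs in.
    {"ts": "2025-09-03T08:00:05Z", "user": "alice@example.com", "ip": "203.0.113.5", "status": "fail"},
    {"ts": "2025-09-03T08:00:20Z", "user": "alice@example.com", "ip": "203.0.113.5", "status": "fail"},
    {"ts": "2025-09-03T08:00:41Z", "user": "alice@example.com", "ip": "203.0.113.5", "status": "success"},
] + [
    # Low-and-slow spray: one failed attempt per account, twelve accounts,
    # rotated across three source addresses (four accounts per address).
    {"ts": f"2025-09-03T09:{m:02d}:00Z", "user": f"user{m:02d}@example.com",
     "ip": f"198.51.100.{70 + m % 3}", "status": "fail"}
    for m in range(12)
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=60), min_users=8,
                          key=lambda e: e["ip"]):
    """Group failed sign-ins by `key` (source IP by default) and return
    {group: max distinct accounts failing within any `window`} for every
    group that reaches `min_users`. Use key=lambda e: "tenant" to look for a
    spray spread across many source addresses."""
    failures = defaultdict(list)
    for e in events:
        if e["status"] == "fail":
            failures[key(e)].append((parse_ts(e["ts"]), e["user"].lower()))

    flagged = {}
    for group, rows in failures.items():
        rows.sort()
        in_window = defaultdict(int)   # account -> failures currently inside the window
        start, best = 0, 0
        for ts, user in rows:
            in_window[user] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - rows[start][0] > window:
                old_user = rows[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            best = max(best, len(in_window))
        if best >= min_users:
            flagged[group] = best
    return flagged


if __name__ == "__main__":
    print("per source IP, threshold 8:", detect_password_spray(SAMPLE_SIGNINS))
    print("per source IP, threshold 4:", detect_password_spray(SAMPLE_SIGNINS, min_users=4))
    print("tenant-wide:", detect_password_spray(SAMPLE_SIGNINS, key=lambda e: "tenant"))
```

With the default per-IP threshold the constructed spray is invisible (each address touches only four accounts), while the tenant-wide grouping reports twelve distinct accounts failing inside one hour; the single user who retried a password is never counted because one account never reaches the threshold. In production the thresholds should be tuned against a baseline of normal failure volume, and the tenant-wide signal is worth pairing with the per-source one rather than replacing it.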

Source Link — https://www.techradar.com/pro/security/worrying-tp-link-router-flaws-could-let-botnets-attack-your-microsoft-365-accounts-so-update-now

4. Wealthsimple Confirms Data Breach: Third-Party Software Compromise Exposed Client SINs and Financial Information, But Accounts Remain Secure

Wealthsimple, a Canadian personal finance and investing platform, confirmed a data security incident on August 30, 2025, impacting less than 1% of its clients.

In a statement released on September 5, the company said it detected and contained the issue within hours, with help from external cybersecurity experts. According to Wealthsimple, the breach was caused by a compromised third-party software package, allowing unauthorized access to certain client data for a brief period.

The company clarified that user funds and passwords remain secure, and no accounts were compromised. However, some personal information — including contact details, government IDs, financial account numbers, IP addresses, Social Insurance Numbers (SINs), and dates of birth — may have been exposed.

Wealthsimple has notified all affected clients via email and assured those who didn’t receive an alert that their data was not impacted. Impacted users are being offered credit monitoring and protection services at no cost.

The company has also informed privacy and financial regulators and emphasized its commitment to transparency, stating:

“We apologize to the affected clients and remain dedicated to protecting your trust.”

Source Link — https://globalnews.ca/news/11394858/wealthsimple-data-breach

5. CISA Orders Urgent Patching of Sitecore Zero-Day: Static Machine Key Flaw Exploited for Privilege Escalation and Server Compromise

The Cybersecurity and Infrastructure Security Agency (CISA) has directed all federal civilian agencies to patch a critical Sitecore vulnerability (CVE-2025-53690) by September 25, 2025, following reports of active exploitation.

The flaw stems from a sample machine key included in Sitecore deployment guides prior to 2017, which many customers never replaced. Attackers have leveraged these static keys to gain unauthorized access to vulnerable Sitecore instances.

Security firm Mandiant recently disrupted an attack where hackers exploited this flaw, escalating privileges and deploying WEEPSTEEL reconnaissance malware to access sensitive files and create admin accounts.

Sitecore’s updated deployments now generate unique machine keys automatically, and affected customers have been notified. The company urges organizations to:

  • Rotate machine keys immediately
  • Encrypt sensitive data
  • Restrict admin-level file access
  • Monitor for suspicious activity

CISA has added the bug to its Known Exploited Vulnerabilities Catalog, requiring immediate remediation. Both Microsoft and Mandiant are providing guidance, warning that over 3,000 publicly disclosed keys could enable similar attacks, including ViewState code injection exploits.

Organizations are advised to act quickly, as compromised keys pose a significant security risk across public and private deployments.
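The first remediation step listed above, rotating the machine key, can be checked and carried out mechanically. The following is an added example, not code from the article, Sitecore, Microsoft or Mandiant: it audits the ASP.NET `<machineKey>` element in a web.config for a key that appears in a denylist of published keys, for malformed or short keys, and for a non-HMAC-SHA2 validation algorithm, then writes fresh random keys. The key values in the sample config and the single denylist entry are placeholders invented here; they are not the Sitecore sample key, and a real denylist would be populated from the vendor advisory.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment. Key values are placeholders for this example.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}" validation="SHA1" decryption="AES" />
  </system.web>
</configuration>""".format(vk="AB" * 64, dk="CD" * 32)

# Placeholder denylist: one constructed entry. Populate from the vendor's published list.
KNOWN_PUBLISHED_KEYS = {"AB" * 64}

HEX = re.compile(r"[0-9A-Fa-f]+")
HMAC_SHA2 = ("HMACSHA256", "HMACSHA384", "HMACSHA512")


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-application keys.
        return findings
    for attr, min_hex_len in (("validationKey", 128), ("decryptionKey", 64)):
        value = mk.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue
        if value in KNOWN_PUBLISHED_KEYS:
            findings.append(f"{attr}: matches a known published key")
        elif not HEX.fullmatch(value) or len(value) < min_hex_len:
            findings.append(f"{attr}: not a hex string of at least {min_hex_len} characters")
    if mk.get("validation", "") not in HMAC_SHA2:
        findings.append(f"validation: {mk.get('validation')} is not an HMAC-SHA2 algorithm")
    return findings


def rotate_machine_key(config_xml: str) -> str:
    """Return the config with freshly generated keys and HMACSHA256 validation."""
    root = ET.fromstring(config_xml)
    system_web = next(root.iter("system.web"))
    mk = next(system_web.iter("machineKey"), None)
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())  # 64 bytes for HMACSHA256
    mk.set("decryptionKey", secrets.token_hex(32).upper())  # 32 bytes, AES-256
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Two operational points follow from the item itself. Rotation invalidates every existing ViewState and forms-authentication cookie, and in a web farm all nodes must receive the same new key at the same time, so schedule it rather than hot-patching one server. Rotation also does nothing about what an attacker did while the key was known; the Mandiant case above involved new admin accounts and a reconnaissance implant, so a key change belongs alongside a review of accounts, file changes and outbound connections on any instance that ran with the sample key.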

Source Link — https://therecord.media/cisa-orders-patch-for-sitecore-zero-day

6. WhatsApp and Apple Zero-Days Exploited in Spyware Campaign: Sophisticated Zero-Click Attacks Target Civil Society and High-Profile Users

Meta’s WhatsApp has disclosed a zero-day vulnerability (CVE-2025-55177, CVSS 5.4) that was actively exploited in highly targeted attacks against Apple users. The flaw, caused by incomplete authorization of linked device synchronization messages, allowed attackers to trigger content processing from arbitrary URLs on victims’ devices.

WhatsApp says the bug was likely exploited together with an Apple vulnerability (CVE-2025-43300), an out-of-bounds write flaw affecting the ImageIO framework across iOS, iPadOS, and macOS. Apple patched the issue on August 20 in updates including iOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, and others.

According to Amnesty International, these vulnerabilities were chained in zero-click attacks — believed to be part of a government-linked spyware campaign targeting journalists, activists, and civil society members. Fewer than 200 individuals were notified of potential targeting.

WhatsApp patched CVE-2025-55177 in July and August across its iOS, Business, and Mac versions and sent alerts to impacted users. On September 2, CISA added the bug to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch it by September 23. Security experts warn this campaign highlights the increasing sophistication of zero-click exploits and the need for urgent patching.

Source Link — https://www.securityweek.com/whatsapp-zero-day-exploited-in-attacks-targeting-apple-users

7. US Offers $10M Bounty for Russian FSB Hackers: Dragonfly Campaign Targeted 380 Energy Firms in 135 Countries Using Havex Malware and Supply Chain Attacks

The U.S. Department of State has announced rewards of up to $10 million for information on three Russian Federal Security Service (FSB) officers accused of conducting extensive cyberattacks on the global energy sector.

The suspects, Pavel Akulov, Mikhail Gavrilov, and Marat Tyukov, are members of FSB Center 16 and allegedly targeted over 380 energy companies across 135 countries, including oil and gas firms, nuclear facilities, renewable energy providers, utilities, and consulting organizations.

The group is linked to the Dragonfly campaign, which involved supply chain compromises to deploy Havex malware, granting persistent access to victim networks. In the campaign’s second phase, Dragonfly 2.0, the trio allegedly conducted spear-phishing attacks on more than 500 U.S. and international companies, including U.S. government agencies.

In August 2025, the FBI warned that FSB’s Center 16, also tracked as Berserk Bear, Energetic Bear, Dragonfly, and Ghost Blizzard, has recently exploited older Cisco device vulnerabilities to gain long-term access and collect configuration data.

The U.S. government seeks public assistance to disrupt ongoing Russian state-sponsored operations targeting critical infrastructure worldwide.

Source Link — https://www.securityweek.com/us-offers-10-million-for-three-russian-energy-firm-hackers

8. Texas Sues PowerSchool Over Massive Data Breach: 62M Students and 9.5M Teachers Exposed Amid Alleged Security Failures

The State of Texas has filed a lawsuit against PowerSchool, an education technology provider, after a December 2024 data breach that exposed sensitive information belonging to 62.4 million students and 9.5 million teachers nationwide.

According to Attorney General Ken Paxton, the breach impacted over 880,000 Texans and involved names, addresses, Social Security numbers, disability records, special education data, and even bus stop information — posing potential safety risks for children.

The lawsuit alleges that PowerSchool misled customers about the strength of its security measures and failed to implement multi-factor authentication (MFA) before the breach, despite marketing itself as providing “state-of-the-art protections.”

PowerSchool serves 18,000 K-12 schools, with around 6,500 clients affected. The company reported the breach to Paxton’s office in May 2025.

Paxton stated:

“Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused.”

A Massachusetts college student has since pleaded guilty to carrying out the hack. PowerSchool has not publicly commented on the lawsuit.

The case underscores growing concerns about data security in education technology and the risks of inadequate protections for student information.

Source Link — https://therecord.media/powerschool-data-breach-texas-lawsuit-ken-paxton

9. Google September Android Security Update: Two Actively Exploited Zero-Days and 120 Vulnerabilities Patched Across Kernel, Runtime, and OEM Components

Google has released its September 2025 Android security update, addressing 120 vulnerabilities, the largest patch set this year, including two zero-day flaws under active exploitation.

The high-severity bugs, CVE-2025-38352 (affecting the kernel) and CVE-2025-48543 (affecting Android Runtime), allow privilege escalation without user interaction. Google says there are indications of limited, targeted attacks leveraging these vulnerabilities.

This month’s update introduces two patch levels:

  • 2025-09-01: Addresses framework, system, Widevine DRM, and Google Play system vulnerabilities.
  • 2025-09-05: Includes fixes for kernel, ARM components, Imagination Technologies, MediaTek, and Qualcomm issues.

Among the most critical vulnerabilities is CVE-2025-48539 in the system component, which could allow remote code execution. Additionally, three Qualcomm flaws, CVE-2025-21450, CVE-2025-21483, and CVE-2025-27034, have been rated critical.

Google has confirmed that source code patches will be published in the Android Open Source Project (AOSP) by Thursday.

Users and enterprises are strongly advised to apply updates immediately and ensure device vendors release compatible firmware, given the active exploitation risks.

Source Link — https://cyberscoop.com/android-security-update-september-2025

10. Pennsylvania Attorney General’s Office Confirms Ransomware Attack: Two-Week Outage Disrupts Services but No Ransom Paid

The Office of the Pennsylvania Attorney General (OAG) has confirmed that a ransomware attack caused a two-week service outage, impacting critical systems, including the public website, email, and phone lines.

In an official statement, Attorney General David W. Sunday Jr. said the attackers encrypted files to demand payment, but the office refused to pay any ransom. He added that the incident is under active investigation, limiting the details that can be shared publicly.

The OAG first reported the cybersecurity incident on August 11, 2025. Since then, partial recovery of email and phone services has been achieved, while staff continue operating through alternate communication channels. Courts have also issued time extensions for ongoing criminal and civil cases to offset service disruptions.

At this stage, there is no confirmation that sensitive data was stolen. However, the OAG has pledged to notify impacted individuals if evidence of data exfiltration emerges.

No ransomware group has claimed responsibility so far. This marks the third ransomware attack on Pennsylvania state entities since 2017, underscoring growing threats against government systems and the need for stronger cybersecurity measures.

Source Link — https://www.bleepingcomputer.com/news/security/pennsylvania-ag-office-says-ransomware-attack-behind-recent-outage

At Finstein Cyber, we remain committed to delivering timely intelligence and actionable insights that empower organizations to strengthen security, ensure compliance, and build resilience against emerging threats.

Stay ahead of the threat curve: connect with us for tailored cybersecurity strategies and compliance support.

#CybersecurityWeekly #GlobalThreatLandscape #FinsteinCyber #DataProtection #ThreatIntelligence #ZeroDay #CyberResilience #Ransomware #SecurityUpdate #DigitalDefense
