Weekly Cyber Intelligence Brief Global Threats & Breaches

Posted on September 29, 2025 by Finstein.ai

This week’s cybersecurity landscape highlights how both private enterprises and government institutions remain under relentless attack from a variety of threat actors. From ransomware gangs targeting ministries in Latin America to critical vulnerabilities in industrial systems, the risks continue to evolve across geographies and sectors. Key incidents include breaches at Plex, LNER, and Vietnam’s National Credit Database, critical flaws in Dassault Apriso and Rockwell/ABB systems, and state-backed espionage campaigns linked to APT41. Apple’s unveiling of new hardware-level defenses shows how technology providers are also stepping up to raise the cost of exploitation. Together, these stories underscore the urgent need for stronger patch management, supply chain security, and proactive cyber resilience.

1. Plex Data Breach Exposes User Credentials: Streaming Platform Urges 25M+ Users to Reset Passwords and Enable 2FA After Unauthorized Access

Streaming and media server platform Plex has warned its users to reset their passwords following a recent data breach that exposed account information.

In a forum post on September 8, Plex confirmed that an unauthorized third party accessed a subset of customer data, including emails, usernames, and securely hashed passwords. No payment or credit card details were compromised, as Plex does not store that information on its servers.

The stolen passwords were hashed in line with best practice, which slows offline cracking but does not prevent it: a weak or reused password can still be recovered by guessing against its hash. Plex is therefore urging users to act out of caution. Customers are advised to log out of all sessions, reset their account passwords, and enable two-factor authentication (2FA) for additional protection.

Plex also warned users to remain alert for phishing attempts, stressing that the company will never ask for passwords or payment details via email.

The breach comes shortly after Plex patched a separate vulnerability in its Plex Media Server product in mid-August, addressing a flaw reported through its bug bounty program.

With more than 25 million active users worldwide, Plex’s proactive communication underscores the importance of security hygiene in today’s threat landscape, where even hashed credentials can pose risks if not quickly secured.

Source Link — https://www.techradar.com/pro/security/all-plex-users-should-reset-passwords-in-wake-of-data-breach

2. Hackers Breach LNER via Third-Party Supplier: Customer Contact Details and Travel History Exposed, Ticket Sales Unaffected

UK train operator LNER has confirmed that a cyber attack on one of its third-party suppliers exposed customer information, though ticket sales and train operations remain unaffected.

The breach involved customer contact details and travel history, but LNER stressed that no bank details, payment card data, or passwords were compromised. The company urged customers to be vigilant against phishing and social engineering attacks, as exposed contact details could be used in fraudulent emails or scams.

“We are treating this matter with the highest priority and working with experts and our supplier to ensure safeguards are in place,” LNER said in a statement.

Security researchers warned that while the exposed data may not seem highly sensitive, it can still be weaponized. Michael Tigges of Huntress noted that compromised third-party vendors are becoming a growing risk, with breaches at companies like SalesLoft and Drift having wider ripple effects.

The transport sector has increasingly been targeted by cybercriminals. Recent incidents have hit Transport for London and several global airlines, highlighting vulnerabilities across the industry. Experts caution that third-party risks remain one of the biggest challenges, as attackers increasingly exploit supply chain relationships to reach larger organizations.

Source Link — https://www.itpro.com/security/cyber-attacks/lner-warns-customers-to-remain-vigilant-after-personal…

3. Hackers Exploit Critical CVE-2025-5086 in Dassault’s DELMIA Apriso: Remote Code Execution Flaw Leveraged to Deploy Zapchast Spyware, CISA Orders Urgent Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software to its Known Exploited Vulnerabilities (KEV) catalog, warning organizations of active attacks.

Tracked as CVE-2025-5086, the vulnerability affects Apriso versions Release 2020 through Release 2025 and carries a CVSS score of 9.0, making it critical. The flaw stems from deserialization of untrusted data, which can allow attackers to achieve remote code execution.

Evidence of exploitation has already been observed. According to the SANS Internet Storm Center, attackers are sending crafted HTTP requests to the Apriso service endpoint, delivering a Base64-encoded, GZIP-compressed Windows DLL named fwitxz01.dll. Security vendors, including Kaspersky, have flagged the file as Trojan.MSIL.Zapchast.gen, spyware capable of keylogging, screenshot capture, and application monitoring. Collected data is exfiltrated via email, FTP, or HTTP.
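A request-body check for the delivery pattern described above (a Base64-encoded, GZIP-compressed Windows executable smuggled inside an HTTP request), as an added example that is not code from the original post, SANS ISC or Dassault. The Apriso endpoint path, the XML wrapper and the fake DLL bytes are constructed for the example; the detection itself rests only on two stable facts: a GZIP stream begins with the bytes 1f 8b (so its Base64 form begins with "H4sI"), and a Windows PE image begins with "MZ".

```python
import base64
import gzip
import re
import zlib

# Runs of Base64 text long enough to hold something interesting.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def extract_embedded_pe(body: bytes) -> list[bytes]:
    """Return decompressed payloads that look like Windows PE images (MZ header)
    hidden as Base64-encoded, GZIP-compressed blobs anywhere in an HTTP body.

    Works on request bodies from a WAF, reverse proxy or full-packet capture;
    the blob may sit inside XML, JSON or a form field, the regex does not care.
    """
    found = []
    for match in B64_RUN.finditer(body):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # not valid Base64 after all (bad length/padding)
            continue
        if raw[:2] != b"\x1f\x8b":  # GZIP magic number
            continue
        try:
            inner = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            continue
        if inner[:2] == b"MZ":      # PE/DOS header: a Windows executable or DLL
            found.append(inner)
    return found


# Constructed stand-in for a DLL: real enough to carry the MZ header, nothing else.
FAKE_DLL = b"MZ" + b"\x90" * 200 + b"This program cannot be run in DOS mode."


def build_sample_request() -> bytes:
    """Constructed body in the *shape* of the reported delivery: a payload wrapped
    in an XML element. Not a real Apriso request and not the real fwitxz01.dll."""
    blob = base64.b64encode(gzip.compress(FAKE_DLL))
    return b"<s:Envelope><s:Body><data>" + blob + b"</data></s:Body></s:Envelope>"


def build_benign_request() -> bytes:
    """Constructed body with a long but harmless Base64 field (e.g. an uploaded text file)."""
    blob = base64.b64encode(b"hello " * 20)
    return b"<s:Envelope><s:Body><file>" + blob + b"</file></s:Body></s:Envelope>"


def scan_request(body: bytes) -> dict:
    """Verdict suitable for a detection rule or a SIEM enrichment step."""
    payloads = extract_embedded_pe(body)
    return {
        "suspicious": bool(payloads),
        "embedded_pe_count": len(payloads),
        "embedded_pe_sizes": [len(p) for p in payloads],
    }


if __name__ == "__main__":
    print(scan_request(build_sample_request()))
    print(scan_request(build_benign_request()))
```

Treat a hit as a strong signal rather than proof: attackers can add a layer (XOR, a second Base64 pass, a different compressor) and slip past this specific check, so it belongs alongside patching and egress monitoring, not instead of them.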

Zapchast malware variants have been used in phishing campaigns for years, though it’s unclear if this is a new evolution.

CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply patches by October 2, 2025, while organizations worldwide are urged to update immediately to prevent compromise.

Source Link — https://thehackernews.com/2025/09/critical-cve-2025-5086-in-delmia-apriso.html

4. Apple A19 Chips Introduce Memory Integrity Enforcement: New Always-On Defense Makes Mercenary Spyware and Memory Corruption Attacks Against iPhone 17 Significantly More Expensive and Difficult

Apple has unveiled its A19 and A19 Pro chips, introducing a new defense called Memory Integrity Enforcement (MIE), which the company describes as “the most significant upgrade to memory safety in the history of consumer operating systems.”

Developed over five years, MIE is a comprehensive protection that spans hardware, operating systems, and software frameworks. At its core, MIE uses memory tagging: each allocation is given a small secret tag, every pointer to it carries that tag, and the hardware allows an access only when the pointer's tag matches the memory's tag. When memory is freed it is retagged, so a dangling pointer that still carries the old tag faults instead of reaching whatever reuses the space.

This approach blocks common exploit primitives such as use-after-free and out-of-bounds access, which are frequently leveraged in spyware and advanced persistent threats. Apple said that some rare flaws, such as intra-allocation buffer overflows (an overrun that stays inside a single tagged allocation), are not caught, but attackers will face significantly higher costs and complexity in developing functional exploits.

Building on ARM’s Memory Tagging Extension (MTE) and Enhanced MTE (EMTE) standards, Apple’s MIE introduces innovations like typed allocators (ensuring memory is used correctly) and tag confidentiality (hiding watermarks from attackers). It also mitigates Spectre V1 leaks with negligible CPU cost.

MIE protections extend across the kernel and over 70 user-space processes, and new security features will also be available to developers via Xcode.

Source Link — Apple’s new chip includes spyware defense | Cybernews

5. CISA Flags 14 Critical ICS Vulnerabilities Across Rockwell and ABB Systems: Flaws in ThinManager, ControlLogix, FactoryTalk, Stratix, and ABB ASPECT/NEXUS Could Enable RCE, Data Theft, and OT Network Disruption in Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued 14 new ICS advisories, warning of critical flaws in Rockwell Automation and ABB systems that could expose operational technology (OT) networks in critical infrastructure to exploitation.

For Rockwell Automation, vulnerabilities span ThinManager, Stratix IOS, FactoryTalk Optix, FactoryTalk Activation Manager, ControlLogix, CompactLogix, Analytics LogixAI, and 1783-NATR hardware. Notable issues include:

  • CVE-2025-9065 (SSRF in ThinManager) — risk of NTLM hash exposure, fixed in v14.1.
  • CVE-2025-7350 (Stratix IOS) — injection flaw enabling remote code execution, fixed in v15.2(8)E6.
  • CVE-2025-9161 (FactoryTalk Optix) — improper input validation enabling RCE, patched in v1.6.0.
  • CVE-2025-7970 (Activation Manager) — cryptography flaw enabling session hijacking.
  • CVE-2025-9166 (ControlLogix 5580) — DoS risk via null pointer dereferences.

Meanwhile, ABB ASPECT, NEXUS, and MATRIX products were found vulnerable to authentication bypass (CVE-2025-53187, CVSS 9.8), buffer overflows, and DoS attacks. Patches are available in firmware v3.08.04-s01.

CISA stressed that many of these vulnerabilities require network access, urging organizations to patch systems, update firmware, restrict Internet exposure, enforce MFA, and segment OT networks.

The advisories highlight ongoing risks in critical manufacturing and commercial facilities, where legacy misconfigurations and unpatched devices continue to present high-value entry points for attackers.

Source Link — https://industrialcyber.co/industrial-cyber-attacks/cisa-flags-critical-ics-vulnerabilities-across-…

6. Hackers Breach Vietnam’s National Credit Database: ShinyHunters Suspected in Attack on CIC Holding Sensitive Personal and Financial Data

Vietnamese authorities are investigating a cyberattack on the National Credit Information Center (CIC), a unit under the State Bank of Vietnam that stores highly sensitive data including personal details, credit histories, risk assessments, and credit card information.

The cybersecurity agency confirmed signs of unauthorized access aimed at stealing personal data, though the full scale of the breach is still being assessed. A letter dated September 11, sent by CIC to financial institutions, suggested the attack may have been carried out by ShinyHunters, an international hacker group known for targeting major firms such as Google, Microsoft, and Qantas.

Authorities stressed that operations remain unaffected, and credit services are still functioning normally. However, the potential exposure of credit data raises concerns over possible misuse in fraud or identity theft.

Investment bank JPMorgan warned that the incident could increase cybersecurity costs for Vietnamese banks and pose risks to deposit flows, though it maintained its outlook on the sector absent wider disruption.

Vietnam has faced a surge in data leaks in recent years. A 2024 Viettel report noted 14.5 million leaked accounts, representing 12% of global exposure, underscoring the country’s growing cybersecurity challenges.

Source Link — https://www.reuters.com/sustainability/boards-policy-regulation/vietnam-investigates-cyberattack-cr…

7. US Probes Chinese-Linked Malware Email Masquerading as Lawmaker: APT41 Suspected in Attempt to Spy on Trade Talks with Beijing

U.S. authorities are investigating a malware-laced email that impersonated Representative John Moolenaar, a Republican lawmaker and vocal critic of Beijing, according to a report by the Wall Street Journal.

The email, sent in July 2025 to U.S. trade groups, law firms, and government agencies, appeared to request feedback on draft legislation but instead carried malware designed to provide access to sensitive systems. Cyber analysts traced the attack to APT41, a hacking group believed to be tied to Chinese intelligence.

The incident coincided with U.S.-China trade talks in Sweden, raising concerns that the campaign sought to gain insights into American negotiating strategies. It is unclear if the attack succeeded.

The Chinese embassy in Washington denied involvement, saying it opposes all forms of cybercrime and criticized “smearing others without evidence.”

The FBI confirmed it is working with partners to investigate, while Capitol Police also launched a probe. Moolenaar described the incident as another example of Chinese cyber operations aimed at stealing U.S. strategic information, adding: “We will not be intimidated.”

The attack highlights the persistent use of state-backed cyber espionage to influence geopolitical negotiations and the risks facing government, legal, and trade institutions.

Source Link — https://www.reuters.com/world/us/us-probes-malware-email-targeting-trade-talks-with-china-wsj-repor…

8. INC Ransom Group Claims Breach of Panama’s Ministry of Economy and Finance: 1.5TB of Financial Documents and Internal Emails Allegedly Stolen

Panama’s Ministry of Economy and Finance (MEF) has confirmed a security incident after detecting malicious software on one of its workstations. The Ministry said it immediately activated security protocols to contain the intrusion and emphasized that its critical systems and core platforms remain unaffected.

In its statement, MEF noted that the threat was quickly isolated and preventive measures were reinforced across its network. The Ministry reaffirmed its commitment to protecting both institutional and personal data, stressing adherence to cybersecurity best practices.

However, the INC ransomware group has publicly claimed responsibility for the breach. The group alleges it stole more than 1.5 terabytes of sensitive data, including financial documents, internal communications, budgets, and confidential records. In a statement, the gang threatened to leak the stolen material unless MEF engaged with them, releasing a small sample as proof.

While MEF has not disclosed further technical details, the incident underscores the increasing pressure on government entities in Latin America from ransomware operators. Such attacks often target institutions holding valuable financial and citizen data, seeking either ransom payments or leverage through data exposure.

The investigation is ongoing as authorities work to assess the full scope of the breach.

Source Link — INC ransom group claimed the breach of Panama’s Ministry of Economy and Finance

9. SonicWall SSL VPN Flaw (CVE-2024-40766) and Misconfigurations Exploited by Akira Ransomware: Brute-Force, LDAP Group Abuse, and Virtual Office Portal Attacks Enable Ransomware Deployment Across Industrial and Transportation Sectors

Cybersecurity researchers are warning of a surge in Akira ransomware attacks targeting SonicWall SSL VPN appliances, exploiting both a year-old critical flaw and common misconfigurations.

The flaw, CVE-2024-40766 (CVSS 9.3), is an improper access control weakness in SonicOS; SonicWall has tied its exploitation to local user accounts whose passwords were carried over during a Gen 6 to Gen 7 migration without being reset. Attackers have combined this with brute-force attempts on credentials, abuse of the LDAP "Default User Group" setting for SSL VPN, and misuse of the Virtual Office Portal. Where the default group grants SSL VPN access, any account that authenticates via LDAP inherits that access even if it is not in the intended group, so a low-privileged Active Directory account can reach the VPN and bypass the intended restrictions.

According to Rapid7, intrusions linked to these weaknesses have climbed into the double digits since July 2025, aligning with Akira’s resurgence. The group has leveraged these vectors to deploy ransomware through its standard playbook: initial access via SSL VPN, privilege escalation, data theft, backup deletion, and encryption at the hypervisor level.

Recent Akira campaigns have also incorporated SEO poisoning to deliver trojanized IT management tools, deploying the Bumblebee loader and AdaptixC2 framework for persistence, lateral movement, and data exfiltration.

Mitigations include rotating SonicWall local account passwords, removing unused accounts, enforcing MFA/TOTP, restricting Virtual Office Portal access to internal networks, and reviewing LDAP group configurations.

The Australian Cyber Security Centre (ACSC) confirmed Akira is also actively targeting vulnerable organizations in Australia.

Source Link — SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers

10. Texas General Land Office Data Breach Exposes Personal Data of 44,485 Residents: Misconfiguration in Grant Reporting System Let Applicants View Other Applicants' Records

The Texas General Land Office (GLO) has disclosed a data breach that exposed the personal information of 44,485 residents, many of whom were applicants for disaster recovery grants.

The incident stemmed from a “software misconfiguration” in the Texas Integrated Grant Reporting system, which allowed users to view other applicants’ private information. Exposed data included names, addresses, Social Security numbers, banking details, medical records, and dates of birth. The issue was discovered in late July after a user reported the glitch and was immediately resolved, though the agency could not confirm when the problem began.
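The GLO has not said what the misconfiguration was beyond "users could view other applicants' private information". That symptom is the signature of a missing object-level authorization check, so the added example below, which is illustrative and not the GLO's code, shows that bug class beside its fix. The data store, the field names, the user names and the `Forbidden` error type are all constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for an HTTP 403/404 response."""


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str        # account that submitted the application
    ssn_last4: str    # constructed stand-in for the sensitive fields a real record holds


# Constructed store: two applicants, one grant application each.
APPLICATIONS = {
    101: Application(101, "alice", "1234"),
    102: Application(102, "bob", "5678"),
}


def get_application_vulnerable(current_user: str, app_id: int) -> Application:
    """Looks the record up by the ID the client supplied and nothing else.

    Authentication happened, authorization did not: any logged-in user who
    increments or guesses an ID reads another applicant's record.
    """
    return APPLICATIONS[app_id]


def get_application_fixed(current_user: str, app_id: int) -> Application:
    """Object-level authorization: the record must belong to the caller.

    Reviewer or admin roles would be granted explicitly here, never by
    skipping the ownership check.
    """
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != current_user:
        # One response for "missing" and "not yours" keeps IDs from being enumerable.
        raise Forbidden("application not found")
    return app


def list_my_applications(current_user: str) -> list[Application]:
    """Safer API shape: scope the query to the caller instead of accepting foreign IDs."""
    return [a for a in APPLICATIONS.values() if a.owner == current_user]


def count_leaks(fetch, current_user: str, id_range: range) -> int:
    """Walk an ID range as an attacker would and count foreign records returned.

    Useful as a regression test against any record-by-ID endpoint.
    """
    leaked = 0
    for app_id in id_range:
        try:
            app = fetch(current_user, app_id)
        except (Forbidden, KeyError):
            continue
        if app.owner != current_user:
            leaked += 1
    return leaked


if __name__ == "__main__":
    print("vulnerable:", count_leaks(get_application_vulnerable, "bob", range(100, 110)))
    print("fixed:     ", count_leaks(get_application_fixed, "bob", range(100, 110)))
```

The `count_leaks` walk is the test a practitioner wants in CI for every endpoint that takes a record identifier: log in as one low-privileged user, sweep the ID space, and fail the build if anything owned by someone else comes back.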

The breach primarily affected victims of natural disasters between 2015 and 2024 seeking assistance for home repairs, rebuilding, or buyouts. Critical grant applications related to the July 4 Hill Country floods were not impacted.

Land Commissioner Dawn Buckingham said the agency has strengthened its cybersecurity processes, including tighter access controls and improved system monitoring. The GLO reaffirmed its commitment to protecting Texans’ data as they recover from disasters.

This marks at least the third major state-level data incident in the past year, adding to a growing list of breaches impacting Texas agencies, schools, and local governments, and highlighting urgent concerns around basic cybersecurity hygiene.

Source Link — Data Breach Hit Texas General Land Office Online System

The events of this week confirm that no industry is immune — transport, finance, government, and technology providers alike are all under threat. While attackers are leveraging ransomware, supply chain compromises, and state-backed espionage, defenders are also advancing with innovations like Apple’s Memory Integrity Enforcement and coordinated advisories from CISA. Organizations must act quickly: patch vulnerabilities, enforce multi-factor authentication, and strengthen monitoring against phishing and data exfiltration.

#Finsteincyber #CyberSecurity #DataBreach #Ransomware #ThreatIntelligence #CVE #Infosec #CriticalInfrastructure #SupplyChainSecurity #APT #CyberAwareness
