TL;DR
The September 2025 edition of the Security Affairs newsletter highlights critical cybersecurity incidents, including ransomware attacks, zero-day exploits, and data breaches targeting global organizations. Key threats involve Salesforce attacks by UNC6040 and UNC6395 groups, HybridPetya ransomware bypassing UEFI Secure Boot, and supply chain attacks on npm. The newsletter also covers government warnings, spyware threats, and vulnerabilities in major platforms like Chrome, SAP, and Microsoft.
---
Introduction
The cybersecurity landscape in September 2025 has been marked by high-profile attacks, zero-day vulnerabilities, and evolving ransomware tactics. From critical infrastructure threats to supply chain compromises, organizations worldwide are facing increasingly sophisticated cyber threats. This edition of the Security Affairs newsletter provides a comprehensive overview of the most significant incidents, trends, and warnings in the cybersecurity domain.
---
🔴 Critical Cybersecurity Incidents
1️⃣ FBI Warns of Salesforce Attacks by UNC6040 and UNC6395 Groups
The FBI has issued a warning about targeted attacks on Salesforce instances by cybercriminal groups UNC6040 and UNC6395[^1]. These groups are exploiting vulnerabilities to steal data and extort victims. Organizations using Salesforce are urged to enhance security measures and monitor for suspicious activity.
---
2️⃣ HybridPetya Ransomware Bypasses UEFI Secure Boot
A new variant of Petya ransomware, dubbed HybridPetya, has emerged, capable of bypassing UEFI Secure Boot[^2]. This tactic echoes the destructive Petya/NotPetya attacks of 2017, posing a significant threat to enterprise systems. Organizations are advised to update firmware and implement advanced endpoint protection.
---
3️⃣ Cisco Fixes High-Severity IOS XR Flaws Enabling DoS Attacks
Cisco has patched multiple high-severity vulnerabilities in its IOS XR software, which could allow attackers to bypass image verification and launch Denial-of-Service (DoS) attacks[^3]. Network administrators are encouraged to apply the patches promptly to mitigate the risk.
---
4️⃣ Samsung Patches Actively Exploited Zero-Day
Samsung has addressed a zero-day vulnerability that was actively exploited in the wild[^4]. The flaw, reported by WhatsApp, highlights the growing threat of mobile exploits. Users are advised to update their devices to the latest firmware.
---
5️⃣ UK Train Operator LNER Discloses Data Breach
London North Eastern Railway (LNER) has disclosed a data breach affecting customer information[^5]. The incident underscores the risks to critical infrastructure and the need for robust cybersecurity measures in the transportation sector.
---
🔴 Ransomware and Malware Threats
1️⃣ LunaLock Ransomware Threatens Victims with AI Data Exploitation
The LunaLock ransomware group has introduced a new extortion tactic: feeding stolen data into AI models to pressure victims into paying ransoms[^6]. This approach escalates the stakes for organizations facing ransomware attacks.
---
2️⃣ KillSec Ransomware Targets Brazilian Healthcare Institutions
The KillSec ransomware group has launched attacks on healthcare institutions in Brazil, disrupting critical services[^7]. Healthcare organizations are high-value targets due to their sensitive data and reliance on operational continuity.
---
3️⃣ Akira Ransomware Exploits Year-Old SonicWall Flaw
The Akira ransomware group is exploiting a year-old vulnerability in SonicWall devices to gain initial access to networks[^8]. Organizations using SonicWall are urged to apply patches and monitor for suspicious activity.
---
4️⃣ AsyncRAT Malware Distributed via ConnectWise ScreenConnect
Attackers are abusing ConnectWise ScreenConnect to deploy AsyncRAT malware, a remote access trojan (RAT)[^9]. This campaign highlights the risks of compromised legitimate software in cyberattacks.
---
🔴 Government Warnings and Intelligence
1️⃣ Apple Issues Spyware Warnings as CERT-FR Confirms Attacks
Apple has notified users of spyware attacks, with CERT-FR confirming the threats[^10]. These attacks target high-profile individuals, emphasizing the need for vigilance against state-sponsored threats.
---
2️⃣ U.S. CISA Adds Dassault Systèmes DELMIA Apriso Flaw to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability in Dassault Systèmes DELMIA Apriso to its Known Exploited Vulnerabilities (KEV) catalog[^11]. Organizations are advised to patch immediately to prevent exploitation.
---
3️⃣ Czech Cyber Agency NUKIB Flags Chinese Espionage Risks
The Czech National Cyber and Information Security Agency (NÚKIB) has warned about Chinese espionage risks targeting critical infrastructure[^12]. This alert highlights the geopolitical dimensions of cybersecurity threats.
---
🔴 Supply Chain and Software Vulnerabilities
1️⃣ Supply Chain Attack Targets npm, Exposing Billions of Downloads
A supply chain attack has targeted npm packages, exposing over 2 billion weekly downloads to potential compromise[^13]. Developers are urged to audit dependencies and implement secure coding practices.
---
2️⃣ Critical Flaw in Adobe Commerce and Magento Platforms Enables Account Hijacking
A critical vulnerability, dubbed SessionReaper, affects Adobe Commerce and Magento platforms, allowing attackers to hijack customer accounts[^14]. E-commerce businesses must apply patches to protect user data.
---
3️⃣ Google Pixel 10 Introduces C2PA to Combat AI-Generated Misinformation
Google’s Pixel 10 now adds C2PA Content Credentials to the camera and Photos apps, attaching signed provenance metadata that lets viewers tell whether an image was AI-generated or edited[^15]. This feature aims to combat misinformation and improve the verifiability of digital content.
---
🔴 Conclusion
The cybersecurity landscape in September 2025 is defined by evolving threats, zero-day exploits, and sophisticated ransomware tactics. Organizations must prioritize patching, monitoring, and employee training to mitigate risks. As state-sponsored attacks and supply chain vulnerabilities continue to rise, proactive cybersecurity measures are essential to safeguard critical systems and data.
Stay informed, stay secure, and follow @securityaffairs for the latest updates.
---
📌 References
[^1]: Pierluigi Paganini (2025-09-14). "[FBI warns of Salesforce attacks by UNC6040 and UNC6395 groups](https://securityaffairs.com/182159/cyber-crime/fbi-warns-of-salesforce-attacks-by-unc6040-and-unc6395-groups.html)". Security Affairs. Retrieved 2025-09-14.
[^2]: Pierluigi Paganini (2025-09-14). "[HybridPetya ransomware bypasses UEFI Secure Boot echoing Petya/NotPetya](https://securityaffairs.com/182149/malware/hybridpetya-ransomware-bypasses-uefi-secure-boot-echoing-petya-notpetya.html)". Security Affairs. Retrieved 2025-09-14.
[^3]: Pierluigi Paganini (2025-09-14). "[Cisco fixes high-severity IOS XR flaws enabling image bypass and DoS](https://securityaffairs.com/182144/security/cisco-fixes-high-severity-ios-xr-flaws-enabling-image-bypass-and-dos.html)". Security Affairs. Retrieved 2025-09-14.
[^4]: Pierluigi Paganini (2025-09-14). "[Samsung fixed actively exploited zero-day](https://securityaffairs.com/182135/hacking/samsung-fixed-actively-exploited-zero-day.html)". Security Affairs. Retrieved 2025-09-14.
[^5]: Pierluigi Paganini (2025-09-14). "[UK train operator LNER (London North Eastern Railway) discloses a data breach](https://securityaffairs.com/182128/data-breach/uk-train-operator-lner-london-north-eastern-railway-discloses-a-data-breach.html)". Security Affairs. Retrieved 2025-09-14.
[^6]: Pierluigi Paganini (2025-09-14). "[LunaLock Ransomware threatens victims by feeding stolen data to AI models](https://securityaffairs.com/182014/malware/lunalock-ransomware-threatens-victims-by-feeding-stolen-data-to-ai-models.html)". Security Affairs. Retrieved 2025-09-14.
[^7]: Pierluigi Paganini (2025-09-14). "[KillSec Ransomware is Attacking Healthcare Institutions in Brazil](https://securityaffairs.com/182063/cyber-crime/killsec-ransomware-is-attacking-healthcare-institutions-in-brazil.html)". Security Affairs. Retrieved 2025-09-14.
[^8]: Pierluigi Paganini (2025-09-14). "[Akira Ransomware exploits year-old SonicWall flaw with multiple vectors](https://securityaffairs.com/182112/cyber-crime/akira-ransomware-exploits-year-old-sonicwall-flaw-with-multiple-vectors.html)". Security Affairs. Retrieved 2025-09-14.
[^9]: Pierluigi Paganini (2025-09-14). "[Attackers abuse ConnectWise ScreenConnect to drop AsyncRAT](https://securityaffairs.com/182090/malware/attackers-abuse-connectwise-screenconnect-to-drop-asyncrat.html)". Security Affairs. Retrieved 2025-09-14.
[^10]: Pierluigi Paganini (2025-09-14). "[Apple issues spyware warnings as CERT-FR confirms attacks](https://securityaffairs.com/182129/malware/apple-issues-spyware-warnings-as-cert-fr-confirms-attacks.html)". Security Affairs. Retrieved 2025-09-14.
[^11]: Pierluigi Paganini (2025-09-14). "[U.S. CISA adds Dassault Systèmes DELMIA Apriso flaw to its Known Exploited Vulnerabilities catalog](https://securityaffairs.com/182020/hacking/u-s-cisa-adds-dassault-systemes-delmia-apriso-flaw-to-its-known-exploited-vulnerabilities-catalog.html)". Security Affairs. Retrieved 2025-09-14.
[^12]: Pierluigi Paganini (2025-09-14). "[Czech cyber agency NUKIB flags Chinese espionage risks to critical infrastructure](https://securityaffairs.com/181976/intelligence/czech-cyber-agency-nukib-flags-chinese-espionage-risks-to-critical-infrastructure.html)". Security Affairs. Retrieved 2025-09-14.
[^13]: Pierluigi Paganini (2025-09-14). "[Supply chain attack targets npm, +2 Billion weekly npm downloads exposed](https://securityaffairs.com/182030/security/supply-chain-attack-targets-npm-2-billion-weekly-npm-downloads-exposed.html)". Security Affairs. Retrieved 2025-09-14.
[^14]: Pierluigi Paganini (2025-09-14). "[Critical flaw SessionReaper in Commerce and Magento platforms lets attackers hijack customer accounts](https://securityaffairs.com/182075/security/critical-flaw-sessionreaper-in-commerce-and-magento-platforms-lets-attackers-hijack-customer-accounts.html)". Security Affairs. Retrieved 2025-09-14.
[^15]: Pierluigi Paganini (2025-09-14). "[Google Pixel 10 adds C2PA to camera and Photos to spot AI-generated or edited images](https://securityaffairs.com/182068/security/google-pixel-10-adds-c2pa-to-camera-and-photos-to-spot-ai-generated-or-edited-images.html)". Security Affairs. Retrieved 2025-09-14.