Alan Grant | SOC Analyst | 30 September 2025        

Welcome to Fortian's September 2025 cyber environment update!

September saw a wave of significant cyber incidents highlighting the ongoing risks in supply chains and open-source ecosystems.

Arrests of Scattered Spider members underscored the challenge of disrupting decentralised groups, while the Shai-Hulud NPM worm demonstrated how trust in repositories can be weaponised at scale.

At the same time, global automakers faced ransomware and data theft, and NSW government organisations reported a rise in third-party breaches alongside three new ACSC advisories.

International cyber threat activity

Scattered Spider Arrests

The cybercriminal group known as Scattered Spider (notable for their alleged involvement in high profile attacks against brands such as Marks & Spencer, Harrods and closer to home, Qantas), is facing sustained law enforcement pressure, with a mix of arrests, surrenders and sentencing across multiple jurisdictions. In late September, a teenage affiliate surrendered to police in Las Vegas, charged with extortion, identity theft and unlawful computer use.  Similarly, arrests in the U.K. of Thalha Jubair and Owen Flowers linked the group to attacks on Transport for London and other entities, while U.S. courts recently sentenced group member Noah Michael Urban to a decade in prison and more than USD 13 million in restitution for his role in SIM-swapping and social engineering campaigns. Prosecutors allege Scattered Spider has extorted at least USD 115 million in ransom payments, underlining both the scale and persistence of its operations. (Cyberscoop, Krebs on Security, ITNews)

Scattered Spider exemplifies the decentralised and reputation-driven nature of modern cybercrime. Its members, largely English-speaking, have documented links to other groups including LAPSUS$ and ShinyHunters, with reputations and handles reused across campaigns. Whilst these arrests will have a positive impact, this is likely to be short-lived. Dismantling one cell does little to diminish the broader threat, as the hallmark methods of Scattered Spider, including social engineering, credential theft and lateral compromise, have already been widely copied across the cybercriminal ecosystem. The implication for organisations is that they must focus on countering the tactics by strengthening credential hygiene, insider threat monitoring and early detection, rather than assuming the problem disappears when individuals are taken off the field.

Shai Hulud NPM Worm Attack

In mid-September the JavaScript ecosystem was disrupted by a worm-style supply chain compromise known as Shai-Hulud, which infected more than 500 Node Package Manager (NPM) packages. For context, NPM is the world’s largest package registry for JavaScript, providing open-source modules that serve as building blocks for modern applications. Popular sites and enterprise platforms may rely on hundreds of such dependencies, often maintained by volunteers.

In this case, malicious code was added to widely used packages such as @ctrl/tinycolor, triggering post-install scripts that scanned for sensitive credentials including NPM tokens, GitHub personal access tokens and cloud API keys. These were exfiltrated to a public GitHub repository named “Shai-Hulud,” before being used to republish malicious versions of other packages under trusted maintainers’ namespaces. This self-replicating behaviour meant the worm could spread rapidly and affect projects far beyond those that explicitly imported the compromised modules. (CISA, KrebsOnSecurity)

The significance of this attack lies in both its scale and automation. Unlike previous one-off account takeovers, Shai-Hulud behaved like a worm, exploiting trust relationships within the NPM registry to propagate itself across the ecosystem. The open-source software supply chain is now an active attack surface, and defending against this new generation of self-propagating compromises requires moving from trust to verification across every stage of the development lifecycle.

The US Cybersecurity and Infrastructure and Security Agency (CISA) has advised that even organisations not directly using the affected packages may be at risk due to nested dependencies and transitive installs. Mitigation guidance includes:

• pinning packages to versions published prior to 16 September 2025
• auditing package-lock.json and yarn.lock files to uncover hidden exposure
• rotating all developer and CI/CD credentials immediately
• enabling phishing-resistant MFA on npm, GitHub and cloud accounts
• hardening GitHub security settings (removing unused OAuth apps, enforcing branch protections, enabling secret scanning)
• monitoring for suspicious outbound connections.

Global Automakers Under Attack

September saw a string of seemingly unrelated cyber incidents affecting leading carmakers, highlighting the sector’s growing exposure to ransomware, supply chain breaches, and intellectual property theft.  Automakers affected included the following:

• ‍BMW: Third Party Breach. BMW confirmed that U.S. supplier Change2Target was compromised by the Everest ransomware group, which claims to have exfiltrated 600,000 lines of sensitive internal data. BMW stressed that its own infrastructure was not breached. (CyberDaily)‍
• Stellantis: Third Party Breach. One of Stellantis’ (which includes the brands Chrysler, Fiat, Peugeot, RAM, and Jeep) third party North American service providers was hacked, exposing customer contact data. Stellantis reported no financial or sensitive information loss but warned affected individuals about possible phishing attempts. (Reuters)‍
• Jaguar Land Rover: Data theft and Production Shutdown. A cyberattack forced Jaguar Land Rover to halt vehicle production for almost a month after attackers accessed internal SAP systems and stole data, forcing it to turn off systems in the UK, Solvakia, India and Brazil. A group calling itself “Scattered Lapsus$ Hunters” claimed responsibility, linking the incident to broader extortion campaigns. The shutdown is estimated to have cost about 1.7 billion pounds in lost revenue. The exact details of how the breach occurred is still as yet speculative. (BleepingComputer, the Guardian)‍
• Nissan: Subsidiary Compromise.  Nissan’s Tokyo-based Creative Box subsidiary was hit by Qilin ransomware, with claims of ~4 TB of stolen design data, including sketches and 3D models. The breach raises strategic risks around intellectual property theft and counterfeit exposure. (Cysecurity)‍
• Bridgestone: Manufacturing Disruption. Bridgestone confirmed a cyberattack that disrupted operations in two of its manufacturing facilities in South Carolina and Quebec. The company contained the incident quickly, reporting no evidence of customer data loss, but manufacturing continuity was affected. (BleepingComputer)

Taken together, these incidents indicate that automakers are being targeted across several aspects of their digital footprint: third parties, subsidiaries and their core operations. Attackers are going after customer records as well as compliance data, design and intellectual property information, along with live manufacturing environments.

Different groups have claimed responsibility from Everest to Qilin to Scattered Lapsus$ Hunters and as such the convergence of attacks appears to be coincidence.  Regardless, it seems evident that cybercriminals increasingly view automakers as high-value targets, exploiting suppliers and subsidiaries as weak points in the chain.

 

Australian Incidents and Events

NSW Governments Sees Sharp Rise in Third-Party Cyber Incidents

Cyber incidents tied to third-party systems used by New South Wales government agencies have more than quadrupled over the past two years, according to figures obtained under the state’s Government Information Public Access Act disclosures. In FY 2023-24 the state recorded 17 such incidents, more than double the eight from the previous year and over four times the number from FY 2021-22. (ITnews)

While the NSW Government says agencies are required to embed cybersecurity obligations into vendor contracts and conduct vendor risk assessments, the sharp increase suggests that oversight of third parties remains a persistent vulnerability.  This is a recurring theme across sectors from global SaaS providers to automotivace supply chains, where attackers often exploit weak external links in addition to breaching core systems directly.

NSW South Coast Man Facing Phishing Scam Charges

A 36-year-old man from Tomakin, NSW, has been charged by the Australian Federal Police in relation to a mobile phishing (smishing) scam targeting customers of a telecommunications provider. The alleged campaign began in August 2025, when the suspect sent text messages warning recipients of “service restrictions” and directing them to a malicious website designed to harvest personal and banking data. Authorities seized computers, laptops, mobile devices, SIM cards (some devices were even found hidden in an in-ground drain), and forensic analysis revealed files containing credentials and personal identifiable information. ( AFP)

Perth engineering firm allegedly breached by Akira ransomware

The Akira ransomware gang has allegedly breached Intellect Systems, a Perth-based operational technology and engineering firm recently acquired by Quanta Services, claiming to have stolen 10GB of highly sensitive corporate and personal data including passports, contracts, and financial records. The attack is tied to Akira’s wider campaign exploiting SonicWall firewall vulnerabilities (notably CVE-2024-40766 and related flaws), with researchers at Rapid7 noting the group’s abuse of weak credentials, misconfigured LDAP default groups, and SonicWall’s Virtual Office Portal to bypass MFA and gain access. The incident highlights Akira’s ongoing targeting of Australian organizations and underscores persistent weaknesses in firewall configurations and patch management. (Cyberdaily)

Sydney Real Estate Firm Hit by Kairos Ransomware Attack

In September 2025, The Property Business Australia, a Sydney real estate firm, was allegedly breached by the Kairos ransomware gang. Attackers claimed to have stolen sensitive tenant and agent data, including ID scans, credit card details, and tenancy agreements, posting samples on their dark web site. Kairos, active since 2024, gave the firm seven days to respond or risk public data leaks and further reputational damage. The company has declined to comment. (REB)

 

ACSC Advisories

The ACSC published three advisories in September, covering Cisco and SonicWall vulnerabilities as well as online code repositories.

Multiple vulnerabilities affecting Cisco ASA 5500-X Series devices

• The ACSC (Australian Cyber Security Centre) has issued a critical alert on active exploitation of multiple vulnerabilities in Cisco ASA 5500-X Series devices running ASA or FTD software. Key issues include:
  
  • CVE-2025-20333 (Critical): Authenticated attackers can execute arbitrary code via the VPN web server. 
  • CVE-2025-20363 (Critical): Remote code execution via web services (unauthenticated on ASA/FTD; low-privilege authenticated on IOS/IOS XE/IOS XR). 
  • CVE-2025-20362 (Medium): Unauthenticated access to restricted VPN endpoints. 
• Affected versions: ASA 9.12–9.23x and FTD 7.0–7.7x. Cisco confirms global active exploitation, with additional warnings from the UK’s NCSC about persistent malware campaigns (RayInitiator, LINE VIPER) targeting Cisco devices.
• Mitigation: Patch immediately per Cisco advisories, investigate for compromise (including ROMMON checks such as “Bootloader verification failed” messages or altered firmware-update.log), treat compromised configurations as untrusted.  (ACSC)

Active Exploitation of SonicWall SSL VPN Vulnerability (CVE-2024-40766) in Australia

• The ACSC issued a high-severity alert on the active exploitation of SonicWall SSL VPNs through CVE-2024-40766, a critical flaw first disclosed in 2024. The vulnerability allows attackers to gain unauthorised access and, in some cases, crash the firewall. Exploitation has been observed in Australia, with the Akira ransomware group using the flaw to compromise organisations.Affected devices include Gen 5 and Gen 6 models, as well as Gen 7 firewalls running SonicOS 7.0.1-5035 and earlier. SonicWall has released patches, but systems remain vulnerable if credentials are not changed after updating the firmware. Organisations should immediately patch to the latest firmware, and update all associated passwords. (ACSC)

Ongoing targeting of online code repositories.

The ACSC raised the alarm on an ongoing wave of attacks targeting online code repositories, warning that threat actors are using phishing, stolen credentials, malicious packages and token abuse to access private or public repos. (ACSC)

This alert dovetails closely with the recent CISA advisory on the Shai-Hulud NPM worm, outlined above.

The ACSC advises organisation to:

• Investigate affected systems: Review logs for recent package installations, suspicious processes, and unexpected modifications in developer repositories. Analyse any system that hosted a compromised package for malicious activity.
• Validate packages: Validate that only trusted, verified packages are in use; check packages for signs of compromise before installation and updating.
• User awareness: Inform users on the dangers of unverified and under verified software packages.
• Monitor for secret scanning: Use code repositories’ native security functions to detect malicious secret scanning.
• Rotate potentially exposed secrets: Rotate any secrets found in code repositories accessible from compromised systems.
• Review previous advice on mitigating cyber supply chain risk.

 

Wrap up

Across September 2025, a recurring theme has been the exploitation of trust, whether in open-source ecosystems, SaaS integrations, government supply chains, or industrial partnerships.  From the self-replicating Shai-Hulud NPM worm to the growing wave of third-party breaches in both government and the private sector, adversaries are increasingly targeting weaker external links.

For Australian organisations, the key takeaway is that supply chain security must be treated as a frontline priority, not a compliance exercise. That means embedding enforceable security obligations in vendor contracts, validating and monitoring third-party integrations, and investing in rapid detection and response. Repositories and code pipelines must be treated as a risk: enforce phishing-resistant MFA for developers, rotate tokens, scan repos for exposed secrets, and validate package provenance before deployment.

‍

 

‍