WEEKLY TOP TEN: September 29, 2025, 16:00 GMT
- Emergency Directive on Cisco ASA/FTD Zero-Days

CISA issued Emergency Directive 25-03, requiring federal civilian agencies to take immediate action in response to active exploitation of Cisco ASA/FTD zero-days. The directive mandates inventories, configuration checks, and rapid containment steps to prevent lateral movement and data theft, reflecting escalating exploitation across government networks. It also sets strict reporting timelines and remediation milestones. For defenders outside .gov, the directive is a high-urgency signal to validate appliance exposure, audit remote-access policies, and hunt for webshell or post-exploitation traces on edge devices. The order underscores the risk profile of network boundary gear amid ongoing exploitation campaigns.

- UK Arrests Suspect for RTX Airport Ransomware

BleepingComputer reports that the UK National Crime Agency arrested a suspect tied to the RTX/Collins MUSE ransomware attack. The story quotes NCA statements and references conflicting early claims about which ransomware family was deployed (e.g., HardBit vs. Loki), underscoring attribution ambiguity in fast-moving incidents. It details the operational impact at Heathrow, Brussels, Dublin, and Berlin airports, and notes RTX's SEC filing acknowledging disruptions. For defenders, the piece reinforces the value of monitoring vendor advisories and regulatory filings for concrete technical and containment clues during large-scale outages.

- Cloudflare Mitigates 22.2 Tbps DDoS

Cloudflare stopped a distributed denial-of-service (DDoS) attack that reached a record 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps). Security analysts note that such attacks are increasingly short but deliver massive bursts that stress routers, firewalls, and load balancers. The attack is a reminder to tune scrubbing, confirm that upstream DDoS mitigation contracts are active, and validate each device's packets-per-second handling limit, not just its bandwidth. It also underscores the value of parity in detection and telemetry between cloud and on-prem edges for bursty attacks.

- Brickstorm Backdoor Enables Espionage into Tech and Legal Sectors; Gang Claims 1.5TB Theft

A stealthy backdoor has been used in U.S. intrusions across legal services, SaaS providers, BPOs, and tech companies since March 2025, according to the Google Threat Intelligence Group. The post includes hunting rules and tools plus indicators (including webshell patterns) to spot persistence on *nix appliances and Java web apps. It stresses the risk that stolen source code and footholds could aid zero-day development and downstream pivots. For blue teams, the takeaway is high-fidelity threat intel to load into hunts, with practical scripts and YARA-like patterns to accelerate detection.

- Zero-Day Exploitation Reported Against Managed File Transfer

A widely used managed file transfer platform faced reports of in-the-wild exploitation of a recently disclosed vulnerability, with indicators that attacks began before public advisories were issued. External researchers called attention to the timeline and urged rapid patching and compromise assessment. Operators are encouraged to review internet exposure of administrative interfaces, rotate credentials and keys, and examine logs for suspicious access around the dates associated with the issue.

- Federal Agency Breach Traced to GeoServer Flaw

Authorities disclosed that attackers exploited a critical vulnerability in an open-source geospatial server to penetrate a federal environment. The incident underscores how business-specific middleware and data-layer services can become initial footholds when exposed to the internet. Recommended defenses include rapid patching, strict authentication on admin interfaces, and segmentation to prevent service-to-service pivots. The report highlights the importance of addressing hidden vulnerabilities beyond traditional security devices and watching outbound data from application layers for unusual activity that could suggest a more serious security

- Casino Operator Discloses Employee Data Theft

Casino operator Boyd Gaming reported that intruders accessed its systems and stole data, including employee information and a limited number of other records. Operations were not materially affected, and the company expects insurance to offset costs. No threat group had publicly claimed responsibility at the time of disclosure. The notice fits a trend of identity-oriented theft that leads to fraud, highlighting the need for strict controls and vigilance around HR systems and identity stores, as well as prompt support for those affected.

- State-Sponsored Actors Exploit Email Gateway Vulnerability

Nation-state operators exploited a command-injection flaw in a commercial email security product, using malicious attachments to achieve code execution. Reporting includes technical indicators and a vulnerability identifier, with guidance to patch affected versions and review for signs of compromise. The campaign demonstrates continued targeting of security controls themselves to gain privileged positions in mail flows, and underscores the importance of rigorous change management and monitoring around filtering infrastructure.

- AI-Obfuscated Phishing Uses SVG Trick to Hide Payloads

Threat hunters observed a credential-phishing operation that likely used AI to generate obfuscated code and synthetic file structures. Malicious logic was embedded within SVG files to evade scanning and lure recipients with business-style content. Defensive recommendations include filtering for suspicious SVG content, strengthening authentication, and raising user awareness of unusual document formats in email workflows. The case reflects rapid attacker adoption of tooling that automates evasive encoding and polymorphism.

- Workforce PII Stolen in Supplier Ransomware Breach

An enterprise confirmed that employee Social Security numbers were stolen after a third-party HR software provider was compromised. The disclosure shows how attackers target identity and payroll systems to enable downstream fraud. Recommended mitigations include enforcing least-privilege access in HR platforms, monitoring for unusual data queries, and providing affected staff with identity protection and notifications to reduce harm. The case adds to a cluster of supplier-driven compromises affecting manufacturers during the period.
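The Cloudflare item above makes the point that a packet-rate limit, not bandwidth, is what usually gives out first under a high-pps flood. The following added example (not from the digest or from Cloudflare) turns the two reported figures, 22.2 Tbps and 10.6 Bpps, into the average packet size they imply and then checks which rated limit of a boundary device a flood of that shape would exhaust first. The two device ratings are constructed, hypothetical figures, not any vendor's numbers.

```python
"""Added example: does a boundary device tip over on packet rate or on
bandwidth first when facing traffic shaped like the reported 22.2 Tbps /
10.6 Bpps flood?  Device ratings below are constructed, not vendor data."""

from dataclasses import dataclass

# Figures reported for the Cloudflare-mitigated attack.
ATTACK_BPS = 22.2e12  # 22.2 terabits per second
ATTACK_PPS = 10.6e9   # 10.6 billion packets per second


@dataclass(frozen=True)
class Device:
    name: str
    max_bps: float  # rated throughput, bits per second
    max_pps: float  # rated forwarding rate, packets per second


def avg_packet_bytes(bps: float, pps: float) -> float:
    """Average packet size implied by a bandwidth / packet-rate pair."""
    return bps / 8.0 / pps


def pps_at_line_rate(bps: float, packet_bytes: float) -> float:
    """Packet rate a link of the given bandwidth carries when every packet
    has the given size, i.e. the rate a device must sustain to fill the link."""
    return bps / 8.0 / packet_bytes


def saturating_share(dev: Device, attack_bps: float, attack_pps: float) -> dict:
    """Fraction of the whole attack that would already exhaust each rated
    limit of the device.  The smaller fraction is the axis that gives out first."""
    return {
        "bps": dev.max_bps / attack_bps,
        "pps": dev.max_pps / attack_pps,
    }


def binding_limit(dev: Device, attack_bps: float = ATTACK_BPS,
                  attack_pps: float = ATTACK_PPS) -> str:
    """'pps' if the packet-rate rating is exhausted before the bandwidth
    rating, otherwise 'bps'."""
    share = saturating_share(dev, attack_bps, attack_pps)
    return min(share, key=share.get)


# Constructed ratings for two hypothetical 100 Gbps appliances that differ
# only in forwarding rate.
SLOW_FORWARDER = Device("edge-fw-a (constructed)", max_bps=100e9, max_pps=30e6)
FAST_FORWARDER = Device("edge-fw-b (constructed)", max_bps=100e9, max_pps=150e6)

if __name__ == "__main__":
    size = avg_packet_bytes(ATTACK_BPS, ATTACK_PPS)
    print(f"average packet size implied by the attack: {size:.0f} bytes")
    for dev in (SLOW_FORWARDER, FAST_FORWARDER):
        need = pps_at_line_rate(dev.max_bps, size)
        print(f"{dev.name}: needs {need / 1e6:.1f} Mpps to fill "
              f"{dev.max_bps / 1e9:.0f} Gbps at {size:.0f}-byte packets, "
              f"rated {dev.max_pps / 1e6:.0f} Mpps -> first limit hit: "
              f"{binding_limit(dev)}")
```

The implied packet size is roughly 262 bytes, so a 100 Gbps box needs close to 48 Mpps to fill its own link at that size, about six times what 1500-byte traffic demands. A device whose forwarding rating was sized for large packets is therefore the one to re-check against pps, and the same arithmetic applies to the scrubbing capacity an upstream provider quotes.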
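The SVG phishing item above recommends filtering for suspicious SVG content in mail workflows. As an added example (not code from the digest or from the researchers it summarizes), the scanner below parses an attached SVG and reports the features that a static image has no need for: script elements, event-handler attributes, `javascript:` or external hrefs, `foreignObject` (which can embed arbitrary HTML), and long base64 runs. The tag and attribute lists and the two sample files are my own constructed starting set, not indicators from the report.

```python
"""Added example: flag SVG e-mail attachments that carry active content.
Tag/attribute lists and sample files are constructed, not from the report."""

import re
import xml.etree.ElementTree as ET

# Elements that a static image has no use for.  foreignObject can wrap HTML,
# and iframe/embed/object are what tends to appear inside it.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# A long run of base64 alphabet is a common place to stash a second stage.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}a' -> 'a'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing active was seen."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself worth a look: renderers are more forgiving
        # than parsers, so a broken file can still display in a mail client.
        return [f"unparseable-xml:{exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root-not-svg:{_local(root.tag)}")
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active-element:{tag}")
        for attr, value in el.attrib.items():
            name = _local(attr)           # handles xlink:href as well as href
            v = value.strip().lower()
            if name.startswith("on"):     # onload, onclick, onmouseover, ...
                findings.append(f"event-handler:{name}")
            elif name == "href":
                if v.startswith("javascript:"):
                    findings.append("javascript-href")
                elif v.startswith(("http://", "https://")):
                    findings.append(f"external-href:{value.strip()}")
                elif v.startswith("data:"):
                    findings.append("data-uri-href")
    if BASE64_BLOB.search(data):
        findings.append("base64-blob")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_svg(data))


# Constructed samples: a plain icon and a lure-style file.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<rect width="10" height="10" fill="#336"/></svg>')
LURE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
            b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">'
            b'<a xlink:href="https://login.example.invalid/docs">'
            b'<text x="5" y="20">Open shared invoice</text></a>'
            b'<script><![CDATA[ var u = atob("aHR0cDovLw=="); ]]></script>'
            b'</svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(sample))
```

Treat the output as a review score rather than a block decision: legitimate SVGs occasionally carry external hrefs, but script, event handlers and foreignObject in an attachment arriving by mail are rarely anything but active content, and quarantining those for inspection costs little.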
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were selected from the 40+ we tracked as most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available.