By security practitioners, for security practitioners

Weekly Top 10: 09.22.2025: Microsoft’s September Updates Break SMBv1 Shares; CISA MAR: Malicious Listener Malware on Ivanti EPMM; Critical Azure Entra ID Flaw Highlights IAM Blast Radius and More.

WEEKLY TOP TEN: September 22, 2025, 16:00 GMT

  1. Microsoft’s September Updates Break SMBv1 Shares

    Microsoft confirmed that September Patch Tuesday updates caused connection failures to legacy SMBv1 shares across multiple Windows client and server versions (Windows 11, 10; Server 2025, 2022). Admins reported authentication errors and inaccessible network resources; Microsoft published workarounds while investigating a permanent fix. While SMBv1 is deprecated, many environments still rely on it for embedded devices and legacy apps, making this a disruptive regression that also delays efforts to fully retire SMBv1. Organizations should accelerate migration off SMBv1 and apply mitigations where immediate removal isn’t feasible.
  2. Google Patches Sixth Chrome Zero-Day of 2025 (CVE-2025-10585)

    Chrome 140 fixed a V8 type-confusion zero-day (CVE-2025-10585) discovered by Google TAG and exploited in the wild. While details remain limited, the repeated exploitation of V8 issues demonstrates the need for rapid browser patching and enterprise controls to force updates. Security teams should ensure auto-update is enabled, monitor managed Chrome version drift, and consider exploit mitigations like renderer isolation.
  3. “Shai-Hulud” npm Campaign Expands to CrowdStrike-Namespaced Packages

    The ongoing “Shai-Hulud” npm attack broadened to impersonate CrowdStrike-related packages, further proving the adversary’s persistence and reach. Socket’s follow-up notes that nearly 500 packages were touched across the campaign’s variants, with consistent credential-stealing and wallet-draining payloads and Telegram-based exfiltration. Defenders should scan for affected versions, rotate secrets used in CI, and implement maintainer-side protections (2FA, provenance).
  4. Tiffany & Co. Notifies Customers of Data Breach; Gang Claims 1.5TB Theft

    Tiffany & Co. disclosed that attackers accessed its systems around May 12, 2025, prompting notifications to customers in the U.S. and Canada. The company is investigating scope and strengthening controls. Luxury retail continues to face account takeover and data-theft risks given high-value clientele and integrated e-commerce ecosystems. Customers should watch for targeted phishing using stolen details.
  5. CISA MAR: Malicious Listener Malware on Ivanti EPMM

    CISA published a Malware Analysis Report (AR25-261A) on malicious listeners used in attacks exploiting Ivanti EPMM vulnerabilities (CVE-2025-4427/4428). The report provides IOCs, detection signatures, and hardening guidance, recommending that MDM be treated as an HVA and upgraded promptly. Federal agencies and enterprises should integrate the indicators into detection pipelines and review EPMM exposure and patch status.
  6. “Shadowleak” Zero-Click Data Theft via ChatGPT

    Radware researchers described “ShadowLeak,” a server-side exploit path that let attackers siphon emails and data through ChatGPT integrations, leaving minimal enterprise telemetry. OpenAI patched the issue. The piece highlights the growing attack surface of AI platform integrations and the need for robust egress controls, app-to-app least privilege, and logging that spans SaaS connectors.
  7. Insight Partners Confirms Ransomware-Linked Data Breach

    Venture firm Insight Partners said a February breach was the result of a ransomware attack affecting over 12,000 individuals. On January 16, the firm removed the attacker immediately after the intruder gained access, but exfiltration still took place. Notifications and regulatory filings followed. The case highlights that financial services supply chains and investor platforms remain attractive targets; companies should segregate sensitive deal information, limit access to only what is necessary, and rehearse their response to data-theft scenarios.
  8. Microsoft & Cloudflare Disrupt “RaccoonO365” PhaaS

    Microsoft and Cloudflare dismantled RaccoonO365, a phishing-as-a-service operation that enabled the theft of thousands of Microsoft 365 credentials. The takedown involved domain seizures and infrastructure disruption, alongside guidance for customers. The service industrialized phishing kits and templates, lowering the barrier to entry for cybercriminals. Organizations should enforce phishing-resistant MFA, monitor impossible travel and OAuth abuse, and block known phishing infrastructure.
  9. Critical Azure Entra ID Flaw Highlights IAM Blast Radius

    Recently, a high-impact Entra ID weakness that could have enabled tenant hijacking under specific conditions was uncovered. Microsoft resolved the issue pre-disclosure, but the researcher’s analysis shows how misconfigurations and complex trust chains can magnify identity risk across multi-cloud estates. The piece recommends least privilege for app registrations, tight governance on service principals, monitoring consent grants, and conditional access tuned for privileged operations. For incident responders, it suggests scoping token abuse and unusual OAuth flows when investigating identity compromises.
  10. CISA Releases Nine ICS Advisories Impacting Multiple Vendors

    CISA published nine ICS advisories spanning industrial networking and control products, detailing vulnerabilities, severity, and mitigations. Although not all of these flaws are known to be exploited, the timing aligns with the increased focus on OT and MDM attack paths. Asset owners should map advisories to their SBOMs, prioritize patches or compensating controls, restrict management interfaces, and monitor for abnormal field device communications. The notice provides actionable remediation steps and references vendor updates.
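Following up on item 1, the PowerShell below is an added example (not part of the digest or Microsoft's own guidance) that inventories a Windows host's SMBv1 exposure before deciding between retiring SMBv1 and applying an interim workaround: whether the optional feature is installed, whether the server still accepts SMBv1, and which live sessions or connections actually negotiated a 1.x dialect. The function name Get-Smb1Inventory is my own; the cmdlets are the standard SmbShare and DISM module cmdlets and need an elevated session.

```powershell
# Added example: inventory SMBv1 dependencies on one Windows host.
# Run elevated; server-side sessions need admin rights to enumerate.

function Get-Smb1Inventory {
    [CmdletBinding()]
    param()

    # Is the SMB1 optional feature installed at all on this build?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # Is the server stack still willing to negotiate SMB1?
    $serverCfg = Get-SmbServerConfiguration

    # Sessions this host is *serving* over an SMB 1.x dialect (legacy clients hitting us)
    $smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect

    # Shares this host is *consuming* over an SMB 1.x dialect (legacy NAS, embedded devices)
    $smb1Connections = Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ServerName, ShareName, UserName, Dialect

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Smb1FeatureState   = if ($feature) { $feature.State } else { 'NotPresent' }
        ServerAcceptsSmb1  = $serverCfg.EnableSMB1Protocol
        Smb1SessionsServed = @($smb1Sessions)
        Smb1SharesConsumed = @($smb1Connections)
    }
}

$inv = Get-Smb1Inventory
$inv | Format-List ComputerName, Smb1FeatureState, ServerAcceptsSmb1
$inv.Smb1SessionsServed | Format-Table -AutoSize
$inv.Smb1SharesConsumed | Format-Table -AutoSize

# Only when no live SMB1 dependency was observed is removal safe to schedule.
# (Observe over a full business cycle first; a single snapshot can miss batch jobs.)
if ($inv.Smb1SessionsServed.Count -eq 0 -and $inv.Smb1SharesConsumed.Count -eq 0) {
    Write-Host 'No live SMB1 dependencies seen; removal command when ready:'
    Write-Host '  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart'
}
```

Hosts that still report 1.x sessions or connections are the ones where the September update regression will surface and where a tracked exception, rather than immediate removal, is the realistic short-term path.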

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk, and using multiple sources when available:
