EU Airports Disrupted by Ransomware; CISA Analyzes Malware Exploiting Ivanti Flaws; Fortra Discloses CVSS 10.0 Flaw in GoAnywhere MFT

The European Union Agency for Cybersecurity (ENISA) has communicated to news sources that ongoing disruptions to major airline operations in Europe are the result of a ransomware attack. Starting on Friday, September 19, 2025, and continuing over the weekend, London's Heathrow Airport, Berlin Brandenburg Airport, Brussels Airport, and Dublin Airport were forced to delay and cancel flights and switch to manual check-in and boarding, with Brussels reportedly cancelling more than half of all outbound flights for Monday. The target disabled by the attack was the third-party ARINC cMUSE software (Aeronautical Radio Incorporated, Multi User System Environment) used for passenger processing, produced by Collins Aerospace, a company owned by major defense conglomerate RTX. According to a Heathrow memo seen by the BBC, Collins initially rebuilt and relaunched its systems after discovering the attack, only to find the hackers had maintained access. The memo also reportedly estimates that over a thousand Heathrow computers will have to be restored manually in person. Collins has reportedly advised airlines "not to turn off computers or log out of the Muse software if they were logged in." As of Monday, September 22, Collins has stated only that software updates are finalizing; affected airports are still waiting on the company for a fixed system. Heathrow stated, "This system is not owned or operated by Heathrow, so whilst we cannot resolve the IT issue directly, we are supporting airlines and have additional colleagues in the terminals to assist passengers." Heathrow notes that most flights are operating normally, and all affected airports are encouraging passengers to plan arrival times appropriately and check flight status before arriving for travel, as delays continue. Also on Friday, Pulkovo Airport in St. Petersburg experienced an unrelated cyberattack that disrupted its website but did not affect airline operations, and Dallas Fort Worth International Airport in Texas suffered a Terminal Radar Approach Control (TRACON) outage resulting in significant flight delays and cancellations, due to the unexplained severing of two fiber optic cables.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report detailing "two sets of malware from an organization compromised by cyber threat actors exploiting CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (Ivanti EPMM)." The vulnerabilities, both rated high severity, affect Ivanti EPMM versions 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier. Ivanti disclosed the vulnerabilities on May 13, 2025, and CISA added both to the Known Exploited Vulnerabilities (KEV) catalog on May 19. CISA's analysis includes a description of how the malware is delivered, as well as indicators of compromise (IoCs), and suggested mitigations.

Fortra has published a security advisory describing "a deserialization vulnerability (CVE-2025-10035) in the License Servlet of Fortra's GoAnywhere MFT [that] allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection." Fortra urges customers "to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject: If this string is present in an exception stack trace ... then the instance was likely affected by this vulnerability." Fortra has released updates to address the issue; users are advised to upgrade to the latest release 7.8.4, or the Sustain Release 7.6.3.

The HIPAA Journal's Healthcare Breach Report for August 2025 found "a 13.7% month-over-month increase in large healthcare data breaches." The US Department of Health and Human Services Office for Civil Rights (HHS OCR) received 58 reports for breaches affecting 500 or more individuals during the month of August 2025, just below the average of 63.5 breaches affecting 500 people or more over the past 12 months. The actual number of people affected by breaches reported to HHS OCR has fallen for the past two months. The number of people affected by breaches over a twelve month period is down nearly 85 percent, due in part to the Change Healthcare breach disclosed in July 2024, which exposed data belonging to 192.7 million individuals. The single largest breach reported in August 2025 was the DaVita ransomware attack and data theft that affected nearly 2.7 million individuals. The HIPAA Journal also keeps a running table of Healthcare Data Breach Statistics (see the second link below).

Researchers at Radware discovered and disclosed an indirect prompt injection vulnerability in the ChatGPT Deep Research agent when integrated with Gmail, allowing the agent to directly exfiltrate inbox data without user interaction. When the agent crawls a user's inbox, it reads malicious instructions hidden in the body of an email and executes them. Notably the prompts cause the agent to exfiltrate the data using its built-in browsing tool; because the agent transmits the data directly from OpenAI servers rather than through the client-side interface, this bypasses "traditional enterprise defenses — such as secure web gateway, endpoint monitoring, or browser security policies," and is not visible to the user. Radware overcame the agent's security restrictions by employing social engineering strategies, such as asserting authority in the guise of an HR compliance message, creating urgency and negative consequences, making false security claims, providing a clear example of what the agent must do, obfuscating the request with official-sounding jargon, and insisting the agent retry multiple times, thus continuing past occasional failures. Radware notes that "the attack pattern generalizes to any data connector integrated with Deep Research," which can access many services including but not limited to Google Drive, Dropbox, Sharepoint, Outlook Mail, Outlook Calendar, Google Calendar, Microsoft Teams, Hubspot, Notion, Linear, and GitHub. The researchers recommend that enterprises sanitize email, normalizing and removing suspicious CSS and HTML elements, but state that "a more robust mitigation" involves continuously tracking the "alignment" of the agent, monitoring its behavior and intent in order to block deviations. Radware disclosed the flaw on June 18, 2025, and OpenAI patched the flaw in early August, marking it as resolved on September 3.

Multiple groups representing US state and local governments have signed a letter to legislators calling for the reauthorization of the State and Local Cybersecurity Grant Program (SLCGP). Earlier this month, the US House Homeland Security Committee voted to extend the program for a decade through the Protecting Information by Local Leaders for Agency Resilience, or PILLAR, Act, but did not address the amount of funding SLCGP should receive. The initial iteration of SLCGP allocated $1 billion over four years with matching funds required from state and local government, increasing with each year. The letter requests that "as Congress continues working to reauthorize this grant program, we urge you to strongly support its successful continuation by ensuring that any reauthorization is accompanied by a robust appropriation that will allow the program to meet the goals outlined by its authors.” Without reauthorization, SLCGP is set to expire at the end of September. Organizations signing the letter include the National Governors Association, National League of Cities, National Association of State Chief Information Officers, National Conference of State Legislatures, National Emergency Management Association, National Association of Counties, United States Conference of Mayors, Council of State Governments, and the International City/County Management Association.

In a September 19 Public Service Announcement, the US Federal Bureau of Investigation (FBI) warns that "threat actors are spoofing the FBI Internet Crime Complaint Center (IC3) government website." The FBI recommends that people wishing to visit the IC3 website type "www.ic3.gov" in the address bar instead of using a search engine; avoid clicking on sponsored results from search engines; never share sensitive information if they have doubts about a site's legitimacy; and report incidents to www.ic3.gov. They also remind users that "IC3 does not maintain any social media presence."

Multinational automobile manufacturer Stellantis says that a data security breach of a third-party service provider has compromised basic customer data for the company's North American customer service operations. Stellantis is the parent company to more than a dozen automobile brands, including Alfa Romeo, Chrysler, Citroën, Dodge, Fiat, Jeep, Opel, and Peugeot; they operate manufacturing facilities around the works and have operations in more than 130 countries. They plan to notify affected customers directly. The company has not said how many individuals are affected by the breach.

A teenage individual surrendered authorities in Las Vegas, Nevada, to face charges related to a series of cyberattacks targeting casinos in that city between August and October 2023. The unnamed individual was "booked on three counts of obtaining and using personal identifying information of another person to harm or impersonate, one count of extortion, one count of conspiracy to commit extortion, and one count of unlawful acts regarding computers." This arrest follows the arrests of two teenaged Scattered Spider suspects in the UK last week. In a separate, related story, experts from risk advisory firm Kroll speaking at the Gartner Security & Risk Management Summit 2025 described Scattered Spider's tactics and techniques and offered recommendations for organizations to protect themselves against Scattered Spider attacks.