Cybersecurity News | Daily Recap [09 Sep 2025]

Daily Recap: A sweeping review of recent cybersecurity incidents and industry shifts, from breaches impacting individuals and organizations to supply-chain compromises and AI-driven threats. It highlights notable events like the Sapphos data exposure, the Plex breach, Nexar’s 130 TB of exposed video, and the evolving landscape of ransomware, supply-chain attacks, and state-backed surveillance, along with emerging defenses and policy responses. #Sapphos #Plex #Nexar #WayneBreach #Wealthsimple #Lovesac #Salesloft #GhostAction #npmHijack #Chaos #ScatteredSpider #LockBit #LunaLock #APT41 #SaltTyphoon #KazMunayGas #JLR #Calcio #NozomiNetworks #ObservoAI #BlackHat

Daily Cybersecurity Recap

Breaches & Privacy

  • Brazil dating app Sapphos taken offline after a flaw exposed photos and ID-verification selfies, prompting DB deletion and a promised secure rebuild – Sapphos Leak
  • Plex urges password resets after a breach exposed emails, usernames and hashed passwords and warns about phishing and session logouts – Plex Breach, Plex Notice
  • Nexar dashcam database hack exposed > 130 TB of video in an unsecured AWS bucket, raising major privacy and national-security concerns – Nexar Hack
  • Wayne Memorial Hospital ransomware incident compromised personal and medical data for over 160,000 people; systems were disconnected and identity-protection steps offered while the gang Monti claimed responsibility – Wayne Breach, Wayne Notice
  • Canadian fintech Wealthsimple discloses a third-party supply-chain breach affecting less than 1% of customers; no funds stolen but personal/financial data exposed – Wealthsimple Breach
  • Retailer Lovesac confirms a data breach after claims from the RansomHub gang threatening leaks of stolen records – Lovesac Breach

Dev & Supply-Chain Attacks

  • A wave of developer-focused supply-chain compromises: a compromised GitHub/Salesloft repo and stolen OAuth tokens led to Salesforce data exposures across dozens of firms, GitHub GhostAction workflows exfiltrated > 3,325 secrets, and popular npm packages were hijacked in an attack affecting ~2 billion weekly downloads to deploy crypto‑theft/backdoors – Salesloft Breach, GhostAction, npm Hijack (HackerNews), npm Hijack (BC)
  • Follow-up reporting ties the Salesloft intrusion to a March GitHub compromise and to OAuth/Salesforce data theft running from March to August—highlighting the persistent risk of exposed API credentials in CI/CD – Salesloft Follow-up, GitHub Compromise

Ransomware & AI Extortion

  • Ransomware losses are rising as AI-enhanced phishing and triple-extortion tactics scale, with research highlighting increased sophistication from groups like Chaos and Scattered Spider – Ransomware Trend
  • Adversaries evolve: LockBit markets a comeback with LockBit 5.0, new actors like LunaLock threaten to feed stolen creative works into AI training data for extortion, and analysts link tools/tactics across Play, RansomHub and DragonForce operations – LockBit 5.0, LunaLock, Ransomware Link
  • Research shows AI-powered ransomware prototypes (e.g., Ransomware 3.0 / PromptLock PoC) are moving from proof-of-concept to real-world misuse, using LLMs for automation, reconnaissance and tailored social engineering – AI Ransomware

Vulnerabilities & Patching

  • SAP issued critical updates for NetWeaver and fixed maximum-severity remote-command-execution flaws across its portfolio—admins must patch urgently – SAP Patches, SAP Fixes
  • Exposed Docker APIs are being abused to deploy miners and build botnets via container manipulation and privilege escalation, while surge scans targeting Cisco ASA devices raise concern about imminent exploits—harden and monitor internet-facing services – Docker APIs, Cisco ASA Scans

Malvertising, Phishing & Platform Issues

  • Phishing campaigns increasingly abuse HTTP clients like Axios plus Microsoft Direct Send to bypass defenses and scale Microsoft 365 attacks—enterprises should tune email controls and monitor anomalous SMTP usage – Axios Abuse
  • Malvertising delivers advanced loaders: GPUGate uses Google Ads and fake GitHub commits to trick IT firms into GPU‑decryption workflows, while a Microsoft anti-spam bug has been blocking legitimate links in Exchange Online and Teams—monitor for false positives and blocked URLs – GPUGate, MS Anti-Spam

Nation-State, Espionage & Policy

  • Threat hunters uncovered 45 previously unreported domains tied to Chinese-linked Salt Typhoon / UNC4841, revealing long‑running espionage against telcos, ISPs and US mobile metadata—global orgs should review IOCs – Salt Typhoon Report, Salt Typhoon (HackerNews)
  • Google/Mandiant link state-sponsored actor APT41 to a campaign impersonating a US lawmaker to deliver malware to trade groups, underscoring targeted pre-negotiation espionage – APT41 Campaign
  • The US Treasury sanctions operators behind large cyber‑scam centers in Cambodia and Myanmar tied to billions in losses, while policy debates continue domestically as the Cyber Command/NSA “dual hat” leadership remains intact – US Sanctions, Cyber Command/NSA Policy
  • Kazakhstan’s oil firm KazMunayGas says a reported Russian-linked cyberattack was actually a planned internal phishing drill, highlighting incident attribution challenges – KazMunayGas Drill

Industrial Security & Sector Risks

  • A major cyberattack forced extended factory shutdowns at Jaguar Land Rover, halting UK vehicle production and disrupting global supply chains with warnings it could hit national economic growth – JLR Outage, JLR Economic Impact
  • Railway systems are flagged as increasingly vulnerable due to legacy infrastructure, broad networks and geopolitical tensions—AI both helps defenders and empowers attackers; sector hardening is urgent – Railway Risks

M&A, Industry Moves & Takedowns

  • Mitsubishi Electric to acquire OT/IoT security firm Nozomi Networks for about $883M (nearly $1B), expanding industrial-security capabilities while retaining Nozomi’s independence – Nozomi Deal, Nozomi Coverage
  • SentinelOne to buy Observo AI for $225M to strengthen AI-native data pipelines for security telemetry and response, reflecting M&A focus on AI data tooling – SentinelOne Deal
  • Authorities and rights-holders shut down the massive illegal sports streaming site Calcio (≈123M yearly visits) in a coordinated takedown with ACE and DAZN – Calcio Takedown

AI, Privacy & Security Tools

  • Enterprises struggle to stop employees from sharing sensitive data with public AI tools, increasing exposure and compliance risk—organisations must enforce controls and monitoring for AI data flows – AI Data Risk
  • Microsoft tests AI features in Windows 11 File Explorer (image edits, background removal, reverse-image search) for Insiders, while Signal launches opt-in end-to-end encrypted cloud backups—balancing convenience and data protection is key – Win11 AI, Signal Backups
  • Black Hat USA 2025 CISO podcast discusses how AI reshapes threat detection and defense strategy, stressing governance, ethics and adversarial risks as orgs adopt AI – Black Hat Podcast

Cybersecurity News | Daily Recap – hendryadrian.com