Top 5 Cybersecurity News Stories September 19, 2025
Cybersecurity threats are constantly evolving as threat actors seek access to your data and money. To help you stay secure, we have searched the internet for the top five cybersecurity news stories of the week that we think you should be aware of. No story is too big or small as we look at threats from espionage to security flaws in everyday devices:
1. Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims
The cybercrime group Scattered Spider has re-emerged with attacks on financial institutions, contradicting its prior announcements that it had gone dark. According to ReliaQuest, the group gained access via social engineering of an executive’s account using Azure AD Self-Service Password Management.

From there, it moved laterally through VPNs and Citrix, exploited VMware ESXi, elevated privileges, and attempted data exfiltration from platforms including Snowflake and AWS. Observed tactics include resetting Veeam service account credentials and obtaining global admin rights. The group’s earlier retirement announcement appears to be more of a strategic cover to evade law enforcement. Researchers warn organizations to assume persistence and adapt their defenses accordingly.
Read more on The Hacker News
2. Cyber attacks cost German economy 300 bln euros in past year, survey finds
A survey by Bitkom estimates that cyberattacks cost Germany nearly €300 billion over the past year, with foreign intelligence services increasingly responsible, particularly those based in Russia and China. Among 1,002 surveyed companies, 34% reported ransomware attacks last year (up from 12% in 2022), and one in seven had paid ransoms.

Economic losses were largely due to production downtime and theft; legal and remediation expenditures were also significant. Small and medium enterprises remain disproportionately vulnerable. Respondents noted that distinctions between cybercriminal activities and state-sponsored espionage are becoming increasingly blurred.
Read more on Reuters
3. Swedish Data Breach Exposes 1.5 Million People’s Personal Information
Sweden’s Miljodata, an IT services provider, suffered a cyberattack on August 23-24 that exposed the personal information of approximately 1.5 million individuals, roughly 15% of the national population. Exposed data includes names, addresses, and contact details. The breach impacted multiple municipalities, regional authorities, and private companies, including Volvo, SAS, and GKN Aerospace.

A group called Datacarry claimed responsibility, demanding 1.5 bitcoin (~US$170,000) in exchange for withholding the stolen data, which later appeared on the darknet. Investigations are ongoing; so far, no evidence links state actors to the incident.
Read more on Tasnim News Agency
4. Self-propagating supply chain attack hits 187 npm packages
Researchers have discovered a worm-style supply chain attack, dubbed “Shai-Hulud,” that has compromised at least 187 npm packages. The campaign began with the widely used @ctrl/tinycolor package and expanded into CrowdStrike’s published packages. The malicious payload propagates by modifying package metadata and injecting a bundle.js script that abuses TruffleHog to search hosts for secrets.

It creates workflows, downloads malware via multiple vectors, and exfiltrates credentials to a hardcoded webhook. CrowdStrike confirmed the removal of compromised packages and key rotations. The incident underscores the risks across dependency chains and the need for strict controls in open-source ecosystems.
Read more on BleepingComputer
5. CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader
A malware loader named “CountLoader” is being used by Russian ransomware affiliates, including LockBit, Black Basta, and Qilin, to deploy post-exploitation tools such as Cobalt Strike, AdaptixC2, and PureHVNC RAT. CountLoader has three variants (.NET, PowerShell, JavaScript), with the JavaScript version offering the most capabilities, including multiple download, code execution, and device reconnaissance methods.

Attacks employ PDF phishing lures impersonating Ukraine’s National Police. The loader maintains persistence via scheduled tasks, stages in innocuous directories, and uses LOLBins like certutil. Analysts note weak brand allegiance in Russian ransomware operations and emphasize that shared operational tools and human assets are central to their agility.
Read more on The Hacker News
At DIESEC, our experts are ready to assist with all your cybersecurity needs. We ensure your system is safe and secure and provide training for your employees to avoid falling victim to social engineering tactics.

