Weekly Cyber Briefing 22.09.2025

Cyber Intelligence Briefing: 22 September 2025

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.


Attack on Collins Aerospace plunges European airports into chaos for the third consecutive day

A suspected cyber attack targeting a third-party software supplier has caused major flight cancellations and delays at several European airports over the weekend.

London’s Heathrow Airport and terminals in Brussels, Berlin and Dublin are among those that continue to be impacted by the incident. It has been reported that the MUSE software, which handles passenger check-in and boarding-pass validation, was targeted by cyber criminals.

Due to the critical nature of business continuity and availability, airlines and airports are increasingly obvious targets.

Assured’s CISO reacts:

Recent examples of the transport sector facing business interruption:

  • Seattle Tacoma Airport: the victim of a ransomware attack by Rhysida. The Port of Seattle’s website was taken offline, along with check-in systems used by many airlines at SeaTac.
  • WestJet, Hawaiian and Qantas airlines were all attacked within three weeks.
  • The March 2025 Heathrow power outage. The incident caused the shutdown of the airport for 16 hours, highlighting the issue and need for resiliency.
  • Russia’s Aeroflot airline targeted by pro-Ukrainian hackers in July 2025. The motivation behind this attack is very different to that in the MUSE incident.

On September 16, it was reported that RTX’s Collins Aerospace was awarded a NATO contract. This announcement was very recent, so I believe it unlikely that this was connected. It’s unlikely that an attacker could target them that quickly unless they had access for a period of time and lain dormant.

My advice in light of this incident is to be prepared:

  • Know your critical apps.
  • Contractual SLAs with the supplier aren’t enough – ultimately the customer owns the risk when it fails.
  • In the event of an incident, ensure you have resilience, including alternative systems. In the short term this might even be a manual process. Ensure staff are trained on this.
  • Exercise exec-level crisis response to walk through operational decision-making and PR/external comms. There was a strong lock-down on messaging from Collins, which suggests they have a procedure to manage this.
  • Be clear on the definition of a ‘minimum viable company’ when restoring. What is good enough in a crisis?


CVE-2025-55241: The Actor token / Azure AD Graph validation bug

A vulnerability was identified in Microsoft Entra ID (formerly Azure AD) related to the use of Actor tokens, an internal, undocumented token type used for backend service-to-service (S2S) operations with the legacy Azure AD Graph API.

Assured’s CISO reacts:

The flaw arose because the system did not properly validate whether an Actor token originated from the same tenant as the one being accessed. This gap allowed an attacker to generate an Actor token in their own tenant (such as a test or non-target environment) and reuse it to impersonate any user, including global administrators, in other tenants.

Considerations:

  • These tokens bypassed standard security controls: they were not subject to conditional access policies, nor to MFA.
  • The victim tenant did not receive actionable logs reflecting the creation or use of Actor tokens.
  • Much of what might have been exfiltrated could have been taken without leaving obvious traces in the target tenant’s logs.

Calm the nerves…

The press has been going heavy on this but please note:

  • The exploit requires use of Azure AD Graph (graph.windows.net) rather than only Microsoft Graph. If none of your applications/services used the legacy Azure AD Graph API, the attack surface is smaller (though not necessarily zero).
  • Microsoft fixed/mitigated the issue. Within a few days of the vulnerability being reported, a fix was deployed globally. Further mitigations included restricting applications from requesting these Actor tokens for Azure AD Graph.
  • Microsoft’s telemetry (internal monitoring) has stated that no evidence was found of exploitation in the wild, so far.

Just in case:

Possible sign, and how to look for it:

  • Changes to global admin / privileged roles: Search your Azure AD/Entra ID audit logs for any Global Admin additions or role changes that you don’t expect, especially those occurring before mid-July/August 2025. Look at who made them and the timestamps. If the issuer is an unfamiliar identity or service principal, that’s a red flag.
  • New service principals / application registrations: Check for apps/SPs created without obvious context, especially ones with high privileges, or ones that have unusual certificates or credentials.
  • Conditional access / tenant setting changes: Some settings changes may have been logged. Look for any configuration drift that is unexpected.
  • Unexpected user / group / role membership enumerations: If someone exfiltrated directory data (user lists, group membership, device info, etc.), you might see subsequent activity such as bulk adds, deletes or changes, or perhaps unexpected MFA changes.
  • Suspicious activity in resources (Azure subscriptions, Microsoft 365): If a Global Admin was impersonated, the attacker could have accessed or subverted anything that role touches. Check subscription role assignments, access to Key Vaults, email forwarding rules, etc. Logs in those services may show something.
  • Use of the old Azure AD Graph vs Microsoft Graph: Look for uses of graph.windows.net in your logs or in your app configurations. That would indicate something using the old API, which is more likely to have been affected.
  • Microsoft-published detection / hunting queries: Dirk-jan provides a KQL query in his write-up for hunting potential misuse. You should run those detection rules. (Michael Bargury)
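The first, second and sixth checks in the list above can be scripted against exported logs. The block below is an added example written for this briefing, not a query from Microsoft, Dirk-jan or Michael Bargury, and it runs over constructed, simplified records: the field names (activityDisplayName, initiatedBy, role, resource) are assumptions loosely modelled on the Entra ID audit and sign-in log shape, not Microsoft’s documented schema, and the cutoff date, known-initiator list and privileged-role set are placeholders to adapt to your tenant.

```python
"""Triage helpers for three of the CVE-2025-55241 hunting signs:
unexpected privileged role grants, unfamiliar service principal creations,
and applications still calling the legacy Azure AD Graph (graph.windows.net).

All records below are constructed samples; field names are assumptions
modelled loosely on Entra ID audit/sign-in exports, not the real schema.
"""
from datetime import datetime, timezone

# Roles whose unexpected assignment warrants a look (assumed subset).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Application Administrator",
}

# Identities expected to make privileged changes in this (fictional) tenant.
KNOWN_INITIATORS = {"admin@contoso.example", "pim@contoso.example"}

# Constructed audit records (directory changes).
AUDIT_LOG = [
    {"id": "a1", "activityDateTime": "2025-07-10T08:12:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": "admin@contoso.example",          # expected admin
     "target": "jane@contoso.example", "role": "Global Administrator"},
    {"id": "a2", "activityDateTime": "2025-07-18T02:41:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": "sp:00000000-0000-0000-0000-00000000beef",  # unfamiliar SP
     "target": "svc-backup@contoso.example", "role": "Global Administrator"},
    {"id": "a3", "activityDateTime": "2025-07-17T23:55:00Z",
     "activityDisplayName": "Add service principal",
     "initiatedBy": "sp:00000000-0000-0000-0000-00000000beef",
     "target": "sp:00000000-0000-0000-0000-00000000cafe", "role": None},
    {"id": "a4", "activityDateTime": "2025-09-01T10:00:00Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": "pim@contoso.example",
     "target": "bob@contoso.example", "role": "Helpdesk Administrator"},
]

# Constructed sign-in records (which API each app authenticated to).
SIGNIN_LOG = [
    {"id": "s1", "appDisplayName": "HR Sync",
     "resource": "https://graph.microsoft.com"},
    {"id": "s2", "appDisplayName": "LegacyReporting",
     "resource": "https://graph.windows.net"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def unexpected_privileged_role_changes(records, known_initiators, before=None):
    """IDs of privileged role grants made by an initiator we do not recognise.

    `before` optionally narrows to events earlier than a cutoff, matching the
    advice to focus on activity before the fix was deployed.
    """
    hits = []
    for r in records:
        if r["activityDisplayName"] != "Add member to role":
            continue
        if r["role"] not in PRIVILEGED_ROLES:
            continue
        if r["initiatedBy"] in known_initiators:
            continue
        if before is not None and parse_ts(r["activityDateTime"]) >= before:
            continue
        hits.append(r["id"])
    return hits


def unfamiliar_service_principal_creations(records, known_initiators):
    """IDs of service principal creations not initiated by a known identity."""
    return [r["id"] for r in records
            if r["activityDisplayName"] == "Add service principal"
            and r["initiatedBy"] not in known_initiators]


def legacy_graph_usage(signins):
    """IDs of sign-ins whose resource is the legacy Azure AD Graph endpoint."""
    return [s["id"] for s in signins if "graph.windows.net" in s["resource"]]


def triage_report(audit, signins, known_initiators, before):
    """Combine the three checks into one dictionary for the responder."""
    return {
        "privileged_role_changes": unexpected_privileged_role_changes(
            audit, known_initiators, before),
        "service_principals": unfamiliar_service_principal_creations(
            audit, known_initiators),
        "legacy_graph_signins": legacy_graph_usage(signins),
    }


if __name__ == "__main__":
    cutoff = datetime(2025, 8, 1, tzinfo=timezone.utc)  # placeholder cutoff
    print(triage_report(AUDIT_LOG, SIGNIN_LOG, KNOWN_INITIATORS, cutoff))
```

The point of the design is that every check keys on who initiated the change rather than on what changed: a Global Admin grant by a recognised PIM or admin identity is normal, the same grant from an unknown service principal is the red flag the list describes. Replace the constructed records with your own exports and the known-initiator set with the identities that legitimately manage roles in your tenant.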

Feigned retirement plans… Spiders don’t change their legs

Fifteen well-known ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, announced that they are shutting down their operations.

In their statement, the gangs said they would now shift to “silence,” with some members planning to retire on the money they had accumulated, while others would continue studying and improving the systems people rely on daily.

Two days later…

Scattered Spider has shifted focus to the financial sector, with a recent digital intrusion at a US bank.

While we may see the brand names of the threat groups disappear (or evolve), a lot of their staff will still want an income. I expect that many will re-group, re-brand and keep the attack level high. Stay vigilant.
