Wednesday War Room – 09/24/2025

This Wednesday's threat landscape delivered a potent mix of old-school tactics and modern vulnerabilities, reminding us that even as technology advances, the fundamentals of security remain paramount.

Author

J.W. Croley
September 24, 2025

In partnership with

It’s go-time for holiday campaigns

Roku Ads Manager makes it easy to extend your Q4 campaign to performance CTV.

You can:

  • Easily launch self-serve CTV ads

  • Repurpose your social content for TV

  • Drive purchases directly on-screen with shoppable ads

  • A/B test to discover your most effective offers

The holidays only come once a year. Get started now with a $500 ad credit when you spend your first $500 today with code: ROKUADS500. Terms apply.

We saw everything from physical threats targeting national security to widespread disruption caused by ransomware and a continued barrage of zero-day exploits.

The key takeaway?

A resilient security posture requires a multi-layered approach that addresses not just the digital but also the physical and human elements of your organization.

Secret Service Seizes 300 SIM Servers in National Security Threat

Risk Level: Critical  

Business Impact: National security risk, potential for widespread telecom disruption, assassination threats

What You Need to Know: The U.S. Secret Service dismantled a network of over 300 SIM servers and 100,000 SIM cards in the New York tri-state area, discovered during the UN General Assembly. The devices were used to send anonymous assassination threats against senior U.S. officials and had the potential to disable cell towers and facilitate encrypted communications for nation-state actors. The operation uncovered empty electronic safehouses, highlighting the sophisticated physical and digital planning involved.

Why This Matters:

  • This incident is a stark reminder that physical security and digital security are inextricably linked.

  • Nation-state actors are leveraging sophisticated, commercially available technology to project power and threaten critical infrastructure.

  • The potential for widespread disruption to telecommunications from such a network cannot be overstated.

Executive Actions:

📦 Review the physical security of your critical infrastructure, especially facilities located near high-profile events or sensitive locations.

🔐 Enhance monitoring of your telecommunications infrastructure for unusual patterns or anomalies.

🧱 Brief your leadership team on the convergence of physical and digital threats and the potential for nation-state actors to target your organization.

📊 Ensure your insider threat program is equipped to detect and respond to employees who may be co-opted by nation-state actors.

Ransomware Attack on Collins Aerospace Disrupts Major European Airports

Risk Level: High

Business Impact: Operational disruption, flight cancellations, reputational damage

What You Need to Know: A ransomware attack on Collins Aerospace, a subsidiary of RTX, disrupted automated check-in systems at several major European airports, including Heathrow, Brussels, and Berlin. The attack, which began on a Friday, caused significant delays, with some airports resorting to manual check-ins and handwritten boarding passes. Brussels Airport canceled 60 flights on Monday, with only 42% of flights departing on time.

Why This Matters: 

  • This incident highlights the cascading impact of a single point of failure in a critical supply chain.

  • The reliance on third-party vendors for essential services creates a broad attack surface that can be difficult to manage.

  • The disruption to air travel demonstrates the real-world consequences of cyberattacks on critical infrastructure.

Executive Actions: 

📦 Review the security posture of your critical third-party vendors and ensure they have robust incident response plans.

🔐 Develop and test contingency plans for the failure of critical third-party services.

🧱 Conduct a thorough assessment of your supply chain to identify single points of failure and mitigate associated risks.

📊 Engage with industry peers to share threat intelligence and best practices for managing supply chain risk.

Boyd Gaming Discloses Data Breach After Cyberattack

Risk Level: Medium-High

Business Impact: Data breach, reputational damage, regulatory scrutiny

What You Need to Know: US casino and gaming operator Boyd Gaming disclosed that it suffered a cyberattack where threat actors stole employee data and information belonging to a limited number of other individuals. The company, which operates 28 properties across 10 states, has notified law enforcement and is working with external cybersecurity experts. While the company states the incident has not affected operations, the full impact of the breach is still under investigation.

Why This Matters: 

  • The gaming and hospitality industry is a prime target for cybercriminals due to the large amount of personal and financial data it handles.

  • This breach is a reminder that even large, well-resourced organizations are vulnerable to attack.

  • The disclosure via an SEC filing highlights the increasing regulatory scrutiny surrounding cybersecurity incidents.

Executive Actions: 

📦 Review and update your data protection policies to ensure they meet or exceed industry best practices.

🔐 Enhance employee training on phishing, social engineering, and other common attack vectors.

🧱 Assess the security posture of third-party vendors who have access to your data.

📊 Ensure you have a well-defined process for disclosing a data breach to customers, regulators, and the public.

Leadership Insight:

This week's events underscore the fact that cybersecurity is no longer just a technical issue… 

It is a fundamental business risk that requires a holistic and proactive approach. The convergence of physical and digital threats, the increasing sophistication of supply chain attacks, and the relentless pace of zero-day exploits all demand a new level of vigilance and preparedness.

As leaders, we must ensure that our organizations are not only investing in the right technologies but also in the people and processes needed to build a truly resilient security posture.

Privacy-first email. Built for real protection.

End-to-end encrypted, ad-free, and open-source. Proton Mail protects your inbox with zero data tracking.

Google Patches Sixth Chrome Zero-Day of 2025

Risk Level: Critical

Business Impact: Browser compromise, arbitrary code execution, data theft

What You Need to Know: Google has released a patch for CVE-2025-10585, a type confusion vulnerability in the V8 JavaScript engine that is being actively exploited in the wild. This is the sixth Chrome zero-day vulnerability to be exploited this year, highlighting the persistent threat to browser security. The flaw allows for arbitrary code execution, giving attackers full control over a compromised browser.

Why This Matters:

  • The web browser is a primary entry point for attackers, and zero-day vulnerabilities in popular browsers like Chrome pose a significant threat to organizations.

  • The frequency of these exploits underscores the importance of a rapid patching cycle and a defense-in-depth security strategy.

Executive Actions: 

📦 Prioritize the deployment of the latest Chrome updates across your organization.udit all Salesforce instances for unusual administrative access or configuration changes.

🔐 Implement web filtering to block access to malicious websites and prevent the exploitation of browser vulnerabilities.

📊 Educate users on the importance of keeping their browsers up to date and the risks of clicking on suspicious links.

🧪 Review and update your browser security policies to restrict the use of outdated or unsupported browsers.

SolarWinds Patches Critical RCE Flaw for the Third Time

Risk Level: Critical

Business Impact: Remote code execution, system compromise, supply chain risk

What You Need to Know: SolarWinds has released a hotfix for CVE-2025-26399, a critical remote code execution vulnerability in its Web Help Desk software. This is the third time the company has had to patch the same underlying flaw, which was previously addressed by CVE-2024-28988 and CVE-2024-28986. The original vulnerability was actively exploited in the wild, and while there is no evidence of the latest bypass being exploited, the history of this flaw suggests it is only a matter of time.

Why This Matters: 

  • The repeated failure to properly patch this vulnerability highlights the challenges of software security and the persistence of determined attackers.

  • The fact that the original flaw was actively exploited underscores the urgency of applying this latest patch.

  • SolarWinds remains a high-profile target, and any vulnerability in its products should be treated with the utmost seriousness.

Executive Actions:

🔍 Monitor your systems for any signs of exploitation of this vulnerability.

📊 Re-evaluate the risk posed by SolarWinds and other critical vendors in your supply chain.

🔐 Prioritize the deployment of the SolarWinds Web Help Desk 12.8.7 HF1 hotfix across your organization.

📜 Review your patch management processes to ensure that you are able to quickly deploy critical updates.

CISA Shares Critical Incident Response Lessons Learned from a Federal Agency Breach

Risk Level: High 

Business Impact: Government compromise, data exfiltration, operational disruption

What You Need to Know: CISA has released an advisory detailing the lessons learned from an incident response engagement at a federal agency that was compromised via a vulnerability in GeoServer. The threat actors maintained access for three weeks, exploiting two separate servers and moving laterally to web and SQL servers. The advisory highlights three key failures: delayed patching, an untested incident response plan, and inadequate EDR monitoring.

Why This Matters: 

  • This incident is a textbook example of how basic security hygiene failures can lead to a significant compromise.

  • The fact that the vulnerability was known and a patch was available for 11 days before the first exploitation is a critical failure.

  • The lack of a tested incident response plan and the failure to monitor EDR alerts compounded the problem, allowing the attackers to dwell in the network for an extended period.

Executive Actions:

🧱 Ensure that your EDR alerts are being continuously monitored and that your team is trained to respond to them.

📦 Review your patching cadence to ensure that critical vulnerabilities are being addressed in a timely manner.

🔐 Regularly test your incident response plan to ensure that it is effective and that your team is prepared to respond to a real-world incident.

📊 Implement comprehensive logging and aggregate logs in a centralized, out-of-band location to facilitate incident response.

⚙️ Immediate Leadership Checklist ⚙️

🔄 Review Physical Security: Assess the physical security of your critical assets, especially in light of the Secret Service's findings.

📦 Assess Supply Chain Risk: Initiate a comprehensive review of your critical vendors and their security posture.

🧠 Brief Your Board: Brief your board on the key takeaways from this week's threat landscape and the steps you are taking to mitigate the associated risks.

📊 Prioritize Patching: Ensure that your team is prioritizing the patching of critical vulnerabilities, especially those that are being actively exploited.

📜 Test Your Incident Response Plan: Schedule a tabletop exercise to test your incident response plan against a realistic scenario.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder – it's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)

HR is lonely. It doesn’t have to be.

The best HR advice comes from those in the trenches. That’s what this is: real-world HR insights delivered in a newsletter from Hebba Youssef, a Chief People Officer who’s been there. Practical, real strategies with a dash of humor. Because HR shouldn’t be thankless—and you shouldn’t be alone in it.