Ransomware Disrupts Airports, BRICKSTORM Backdoor Intrusions, Pandoc Flaw Exploited – Cybersecurity News [September 22, 2025]
Ransomware Causes Major Disruptions at All-Time Busiest Airports
Airports across Europe have been struggling with major delays after a ransomware attack disabled automated check-in systems. The incident, which began late last week, affected systems supplied by Collins Aerospace and forced airlines to switch to manual processes. Passengers at Brussels and Berlin airports faced the heaviest disruption, with dozens of cancellations and long queues. At Brussels, 60 flights were cancelled on Monday and fewer than half of departures left on time. Berlin reported delays of more than an hour, while Heathrow and Dublin managed to reduce the impact by putting contingency measures in place.
The EU’s cybersecurity agency confirmed ransomware was to blame and said law enforcement is investigating. Collins Aerospace said it is working with airports to restore services and has rolled out updates, though many systems were still not fully operational at the start of the week. The incident highlights the growing risk ransomware poses to critical infrastructure. While large-scale attacks against transport remain rare, experts note their effects are far more visible, spilling into the physical world and directly impacting passengers. The disruption also shows how dependent airports have become on digital systems and the need for stronger resilience planning.
BRICKSTORM Backdoor Enables Stealthy Year-Long Intrusions
A stealthy, year-long cyber campaign that uses a backdoor called BRICKSTORM to maintain quiet access across multiple industries has just been uncovered. For more than a year, it has been targeting service providers and tech companies to gather sensitive data and map their networks. BRICKSTORM itself is a Go-based backdoor with a wide range of functions. It can run as a web server, manage files, execute shell commands, and even act as a SOCKS relay. The malware communicates over WebSockets and is often deployed on appliances without endpoint security, making it extremely hard to spot. In some cases, it remained hidden for more than 390 days.
The campaign also makes use of other tools, such as BRICKSTEAL for capturing login credentials and SLAYSTYLE web shells for persistence. It uses stealthy in-memory techniques to avoid leaving behind forensic evidence. The malware is still under active development, as newer samples include built-in delays and more advanced persistence methods. Researchers warn that BRICKSTORM’s sophistication and its focus on high-value systems make it a significant threat. It underlines the need for stronger monitoring of hybrid and cloud infrastructures.
Pandoc Flaw Exploited in Ongoing AWS Credential Attacks
Researchers are reporting that a newly found flaw in the Pandoc utility is already being exploited in the wild. Attackers are targeting the Amazon Web Services (AWS) Instance Metadata Service, or IMDS, through a Server-Side Request Forgery (SSRF) vulnerability tracked as CVE-2025-51591. This issue lets them trick applications on EC2 instances into requesting temporary AWS credentials. For attackers, these credentials are a huge prize, since they allow access to other AWS services without needing to get onto the host directly, essentially turning the vulnerable app into a proxy.
So far, these attacks have failed thanks to the protections in IMDSv2, but it’s clear that attackers are actively trying to weaponize these kinds of flaws. Security experts warn that any applications still using the older IMDSv1 protocol are at risk, especially if they’re running unpatched third-party software. To protect yourself, enforce IMDSv2 everywhere, make sure you’re using least-privilege IAM roles, and configure Pandoc with sandboxing to block any abuse coming from iframes.
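The mitigations above boil down to two controls on the document-processing side: refuse HTML whose iframes point at the metadata endpoint before Pandoc ever sees it, and run Pandoc with its `--sandbox` option so readers cannot fetch remote resources at all. The following is an added example, not code from the article or from the Pandoc project; the sample HTML is constructed, the helper names are my own, and the IMDS addresses used are the documented IPv4 link-local address and its IPv6 counterpart. The check also catches decimal and hex spellings of the IMDS address, which a naive string match would miss.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Addresses of the EC2 Instance Metadata Service: the IPv4 link-local address
# and its IPv6 counterpart.
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}

# Minimal extractor for iframe src attributes in HTML handed to Pandoc
# (the attribute an HTML reader would otherwise fetch during conversion).
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def _host_as_ip(host: str):
    """Return an ip_address for dotted, IPv6, decimal or hex hosts, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # "2852039166" and "0xa9fea9fe" both denote 169.254.169.254
        # (urlparse lowercases the hostname, so hex digits arrive lowercase).
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def targets_metadata_service(url: str) -> bool:
    """True if the URL points at IMDS or at any other link-local address."""
    host = urlparse(url).hostname
    if host is None:
        return False
    if host in IMDS_HOSTS:
        return True
    addr = _host_as_ip(host)
    return addr is not None and (str(addr) in IMDS_HOSTS or addr.is_link_local)


def unsafe_iframe_sources(html: str) -> list[str]:
    """All iframe src values in the document that reach for the metadata service."""
    return [src for src in IFRAME_SRC.findall(html) if targets_metadata_service(src)]


def pandoc_argv(input_path: str, output_path: str) -> list[str]:
    """Argument vector that runs Pandoc with --sandbox, which restricts the
    readers' I/O to the input files named on the command line."""
    return ["pandoc", "--sandbox", "--from=html", input_path, "-o", output_path]


# Constructed sample: one benign embed and two that point at IMDS,
# the second using the decimal form of 169.254.169.254.
SAMPLE_HTML = """
<h1>Quarterly report</h1>
<iframe src="https://example.com/embed/chart"></iframe>
<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/"></iframe>
<iframe SRC='http://2852039166/latest/meta-data/'></iframe>
"""

if __name__ == "__main__":
    for src in unsafe_iframe_sources(SAMPLE_HTML):
        print("rejecting document: iframe targets metadata service:", src)
    print(" ".join(pandoc_argv("report.html", "report.pdf")))
```

The pre-filter is a defence-in-depth measure, not the primary control: Pandoc's `--sandbox` does not restrict filters or PDF engines, and a string check cannot see through redirects, so the instance-level fix of requiring IMDSv2 tokens and keeping the instance role's permissions minimal is what actually closes the credential-theft path.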
Researchers Uncover ShadowV2 Botnet Offering DDoS-for-Hire
A newly discovered botnet called ShadowV2 is giving attackers the ability to rent out distributed denial-of-service (DDoS) attacks, adding to the growing trend of cybercrime-as-a-service. Researchers say the botnet primarily compromises misconfigured Docker containers running on cloud servers. Once inside, the attackers deploy Go-based malware that turns the systems into attack nodes and links them to a larger network. ShadowV2 was first observed targeting honeypots in June 2025. The operation is managed through a Python-based command-and-control framework hosted on GitHub Codespaces. ShadowV2 stands out for its advanced toolkit, which includes HTTP/2 Rapid Reset attacks, attempts to bypass Cloudflare’s “under attack” mode, and large-scale HTTP floods.
Instead of dropping ready-made container images, the attackers spin up a generic Ubuntu container, install their tools, and then deploy a Go binary that maintains contact with the operators using HTTP. This approach may help them avoid leaving clear forensic evidence. Researchers say the botnet is designed with APIs and an operator interface, showing signs of being a structured DDoS-for-hire platform. The discovery comes amid a surge in large-scale DDoS activity, including record-breaking attacks mitigated by cloud providers and other botnets like AISURU infecting hundreds of thousands of devices worldwide.
Active Attacks Target Libraesva Email Security Gateway Flaw
A security update has just been released for a flaw in Libraesva’s Email Security Gateway (ESG) that attackers are already exploiting. The vulnerability, tracked as CVE-2025-59689, has a severity score of 6.1 and exists because the gateway doesn’t properly sanitize files inside compressed attachments. This weakness lets an attacker send a specially crafted archive file to inject and run their own commands, giving them a way to execute code as a non-privileged user on the system.
The issue impacts ESG versions 4.5 through 5.5.x, and a fix is available in version 5.5.7 and later releases. It’s important to note that versions below 5.0 are no longer supported and will require a manual upgrade. Libraesva has confirmed at least one case where attackers used this flaw with a high degree of precision against a specific target. Because this is being actively exploited, administrators are strongly urged to update their systems immediately. Implementing SPF, DKIM, and DMARC strengthens email security and prevents spoofing attacks. A quick update can stop attackers from bypassing email defenses and gaining access to sensitive networks.
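The bug class described here, an archive whose member names are not sanitized before they reach a command, is one that any attachment-processing pipeline can reproduce. The following is an added example and is not Libraesva's code; the article does not describe the gateway's actual code path, so the "before" and "after" functions, the `scan-attachment` scanner name and the in-memory ZIP are constructed to illustrate the generic pattern and its fix: allow-list member names, pass them as a single argv element with no shell, and quarantine anything that fails validation.

```python
import io
import re
import subprocess
import zipfile

# Allow-list for archive member names: a single plain file name with no path
# separators, no leading dot and only characters that are inert to a shell.
# (Hidden files such as ".env" are deliberately rejected as well.)
SAFE_MEMBER_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_safe_member_name(name: str) -> bool:
    """Accept only plain file names; rejects traversal ('../'), nested paths
    and shell metacharacters such as ';', '|', '$', '`', quotes and spaces."""
    return SAFE_MEMBER_NAME.fullmatch(name) is not None


def vulnerable_scan_command(member_name: str) -> str:
    """'Before' pattern (hypothetical): the untrusted member name is spliced
    into a shell command line, so metacharacters in it become extra commands."""
    return f"scan-attachment {member_name}"


def safe_scan_argv(member_name: str) -> list[str]:
    """'After' pattern: validate the name, then pass it as a single argv element
    after '--' so it can never be parsed as an option or a second command."""
    if not is_safe_member_name(member_name):
        raise ValueError(f"rejected archive member name: {member_name!r}")
    return ["scan-attachment", "--", member_name]


def run_scan(member_name: str) -> int:
    """Invoke the (hypothetical) scanner without a shell; returns its exit code."""
    return subprocess.run(safe_scan_argv(member_name), shell=False, check=False).returncode


def triage_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Split an archive's member names into those safe to hand to a scanner
    and those to quarantine, without extracting anything to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    accepted = [n for n in names if is_safe_member_name(n)]
    rejected = [n for n in names if n not in accepted]
    return {"accepted": accepted, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed in-memory ZIP: one ordinary member, one with a shell
    metacharacter in its name and one attempting path traversal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 ...")
        zf.writestr("notes;extra.txt", b"metacharacter in name")
        zf.writestr("../../escape.txt", b"traversal in name")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print("accepted:", result["accepted"])
    print("rejected:", result["rejected"])
    print("argv:", safe_scan_argv("report.pdf"))
```

Validation happens on the member name as stored in the archive, before extraction, so a hostile name never touches the filesystem or a command line; if legitimate mail carries nested directories, flatten them to a generated name after validation rather than loosening the allow-list.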