
29th September – Threat Intelligence Report

Medium
Vulnerability
Published: Mon Sep 29 2025 (09/29/2025, 12:43:59 UTC)
Source: Check Point Research

Description

For the latest discoveries in cyber research for the week of 29th September, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: Stellantis, the automotive giant that owns Citroën, FIAT, Jeep, Chrysler, and Peugeot, has suffered a data breach that resulted in the exposure of North American customer contact information after attackers accessed a third-party […] The post 29th September – Threat Intelligence Report appeared first on Check Point Research.

AI-Powered Analysis

AI. Last updated: 10/07/2025, 01:31:14 UTC

Technical Analysis

The Check Point Research 29th September 2025 Threat Intelligence Report aggregates multiple cyber threats and vulnerabilities impacting global and European organizations. The report highlights a data breach at Stellantis, a major automotive conglomerate owning European brands such as Citroën, FIAT, Jeep, Chrysler, and Peugeot. Attackers accessed over 18 million Salesforce records through a compromised third-party platform, exposing North American customer contact information. Similarly, Volvo Group North America suffered a ransomware attack via its third-party HR software provider Miljödata, leaking employee personal data including Social Security numbers. Union County, Ohio, experienced a ransomware attack compromising sensitive personal data of over 45,000 individuals. In Europe, the UK nursery chain Kido was hacked by the Radiant group, which stole sensitive data of approximately 8,000 children and staff, including safeguarding notes, and demanded a ransom. This incident is under investigation by UK authorities. The report also details a critical vulnerability patched in SolarWinds Web Help Desk (CVE-2025-26399) that allows unauthenticated remote code execution via unsafe deserialization, and multiple Cisco ASA and FTD zero-days (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) actively exploited in the wild. A newly disclosed vulnerability in OnePlus OxygenOS (CVE-2025-10184) allows any installed app to silently read SMS/MMS data without user permission or interaction, enabling bypass of SMS-based multi-factor authentication. The Iranian state-linked threat actor Nimbus Manticore is targeting European defense and telecom sectors using spear-phishing, fake HR portals, and advanced malware with valid signatures and evasion techniques, indicating nation-state capabilities.
The report also warns of over 4,300 domains registered to impersonate FIFA World Cup 2026 branding, used for scams involving fake tickets and merchandise, with a concentration on registrars popular in Europe. LockBit 5.0 ransomware variants have evolved to target Windows, Linux, and ESXi environments, employing obfuscation, DLL reflection, and clearing event logs, while avoiding Russian systems. The report underscores the ongoing threat landscape complexity, combining data breaches, ransomware, zero-day exploits, and nation-state espionage targeting European organizations across multiple sectors.

Potential Impact

European organizations face multifaceted risks from these threats. The Stellantis breach, while primarily exposing North American customer data, signals risks to European automotive subsidiaries due to shared platforms and supply chains. The Kido nursery chain attack directly impacts UK childcare providers, threatening privacy and regulatory compliance under GDPR, with potential reputational damage and legal consequences. The vulnerabilities in SolarWinds and Cisco products pose significant risks to European enterprises and government agencies relying on these widely deployed IT management and network security solutions, potentially enabling remote code execution and unauthorized access. The OnePlus OxygenOS flaw threatens mobile device security, particularly for European users relying on SMS-based MFA, increasing risk of account compromise. Nimbus Manticore’s targeted espionage against European defense and telecom sectors could lead to intellectual property theft, disruption of critical communications infrastructure, and national security concerns. The proliferation of FIFA World Cup 2026 scam domains may lead to widespread phishing and fraud targeting European consumers and organizations. LockBit ransomware’s cross-platform capabilities threaten European businesses running virtualized environments, with potential for severe operational disruption and data loss. Collectively, these threats could result in data breaches, financial losses, regulatory penalties, operational downtime, and erosion of trust in affected organizations.

Mitigation Recommendations

European organizations should implement targeted mitigation strategies beyond generic advice:

1) Conduct thorough security assessments of third-party platforms and suppliers, especially those integrated with critical systems like Salesforce and HR software, enforcing strict access controls and continuous monitoring.
2) Apply all available patches promptly for SolarWinds Web Help Desk and Cisco ASA/FTD products, and monitor for indicators of compromise related to these vulnerabilities.
3) For mobile device fleets, especially those using OnePlus devices, deploy mobile threat defense solutions and consider alternative MFA methods less reliant on SMS.
4) Enhance phishing detection and user awareness training focused on spear-phishing and fake HR portal tactics used by advanced threat actors like Nimbus Manticore.
5) Monitor domain registrations and DNS traffic for suspicious activity related to major events such as FIFA World Cup 2026, employing domain reputation services and blocking known malicious domains.
6) Implement robust ransomware defenses including network segmentation, offline backups, endpoint detection and response (EDR) tools, and incident response plans tailored for cross-platform ransomware variants like LockBit 5.0.
7) For sectors handling sensitive personal data, such as childcare and healthcare, enforce strict data access policies, encryption at rest and in transit, and rapid breach notification procedures to comply with GDPR.
8) Collaborate with national cybersecurity centers and law enforcement to share threat intelligence and coordinate responses to nation-state and ransomware threats.

Technical Details

Article Source: https://research.checkpoint.com/2025/29th-september-threat-intelligence-report/ (fetched 2025-10-07T01:30:33Z, 992 words)

Threat ID: 68e46d3b6a45552f36e94e43
