
Threat Matrix: September 2025

Welcome to the September edition of Upfort’s Threat Matrix! This month’s round-up features high-profile breaches across the auto, hospitality, and gaming industries—plus new threats to AI systems, smartphones, and VPNs that many businesses still rely on.

From leaked employee SSNs at Volvo to Salesforce AI agents revealing customer data, attackers are finding new ways to exploit overlooked systems, outdated software, and third-party integrations. Even your VPN or search ad clicks might be a threat vector.

But these aren’t just headlines. They’re real risks with real consequences. Our mission is to help you stay one step ahead. Read on for this month’s biggest cyber incidents—and what you can do right now to reduce your exposure.

Want to know how protected your company really is? Take two minutes to complete our interactive cybersecurity checklist or get a free cybersecurity risk assessment to uncover exploitable vulnerabilities in your network.

Volvo North America employee SSNs stolen in ransomware attack

Volvo Cars has confirmed that a ransomware attack led to the theft of sensitive personal information—including employee Social Security numbers—highlighting the growing risk to workforce data in the automotive sector.

The breach was traced back to a supply chain incident involving Miljödata, a Swedish HR software provider used by Volvo and dozens of other companies and municipalities. The ransomware group Cactus reportedly exfiltrated documents containing SSNs and other personal details, which were later leaked on the dark web after ransom demands went unmet.

According to reports, the wider breach exposed data from over 1.5 million individuals, including employees from SAS Airlines, Volvo, and more than 200 municipalities. Volvo has notified affected individuals and law enforcement, and is offering 18 months of identity protection to impacted employees.

This breach adds to a growing wave of ransomware attacks targeting critical business platforms—especially those handling HR and workforce data.

How to protect your business: Implement segmentation to isolate sensitive employee data, enforce strong authentication, and regularly audit data access logs. Proactive ransomware defenses—like endpoint monitoring and rapid patching—are essential to reduce risk.


Akira ransomware breaching MFA-protected SonicWall VPN accounts

Akira ransomware operators are bypassing multi-factor authentication (MFA) to breach SonicWall Secure Mobile Access (SMA) VPN appliances and infiltrate corporate networks, according to a joint alert from the FBI and CISA.

The attackers exploit unpatched or end-of-life SonicWall SMA devices and leverage stolen credentials to gain access—even when MFA is enabled. Once inside, they exfiltrate data, deploy ransomware, and extort victims with threats of public leaks.

This follows a wider pattern of ransomware groups targeting VPN gateways, especially older devices or those lacking current patches. Akira has been linked to attacks across healthcare, education, and manufacturing sectors.

How to protect your business: Immediately patch or decommission legacy VPN devices. Enforce strong password hygiene, use phishing-resistant MFA methods, and monitor VPN access logs for anomalies.
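One concrete form of "monitor VPN access logs for anomalies", added here as an illustration rather than taken from Upfort, the FBI/CISA alert, or any SonicWall product: the log format, sample lines and per-account baseline below are constructed, but the two checks (a successful login from outside an account's known origins, and one source address working through several accounts in a short window) are exactly the patterns stolen-credential intrusions leave behind.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample VPN log lines (simple key=value form, not a vendor's real format).
SAMPLE_LOG = """\
2025-09-02T08:01:10Z user=jsmith src=198.51.100.20 geo=US result=success
2025-09-02T03:14:07Z user=jsmith src=203.0.113.45 geo=NL result=success
2025-09-02T03:15:30Z user=mlee src=203.0.113.45 geo=NL result=success
2025-09-02T03:16:02Z user=akhan src=203.0.113.45 geo=NL result=failure
2025-09-02T03:16:40Z user=akhan src=203.0.113.45 geo=NL result=success
2025-09-02T09:30:00Z user=mlee src=198.51.100.77 geo=US result=success
"""

# Constructed baseline from a known-clean period: where each account normally connects from.
BASELINE = {
    "jsmith": {"ips": {"198.51.100.20"}, "geos": {"US"}},
    "mlee": {"ips": {"198.51.100.77"}, "geos": {"US"}},
    "akhan": {"ips": {"198.51.100.91"}, "geos": {"US"}},
}

def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_anomalies(log_text: str, baseline: dict,
                   window: timedelta = timedelta(minutes=10), min_accounts: int = 3) -> list:
    """Return findings as strings; an empty list means nothing matched."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    findings = []
    # 1) A successful login from an IP or country outside the account's baseline.
    for e in events:
        base = baseline.get(e["user"])
        if e["result"] == "success" and (
            base is None or e["src"] not in base["ips"] or e["geo"] not in base["geos"]):
            findings.append(f"new-origin user={e['user']} src={e['src']} geo={e['geo']}")
    # 2) One source IP trying several distinct accounts inside the window (failures count too).
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                findings.append(f"shared-source src={src} accounts={sorted(users)}")
                break
    return findings
```

Feeding the sample above through `find_anomalies(SAMPLE_LOG, BASELINE)` flags the three night-time logins from 203.0.113.45 as new origins and that address as a shared source across three accounts, while the daytime logins from baseline addresses produce nothing.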


Salesforce AI agents leak sensitive data in user chats

Security researchers have discovered that AI-powered agents built with Salesforce’s Einstein Copilot and Prompt Builder may inadvertently leak sensitive information in user chats—raising concerns about data governance in enterprise AI deployments.

The issue stems from prompt injection and poor handling of user context, allowing attackers to craft queries that coax the AI into revealing confidential details such as internal documentation or customer records. In some instances, data surfaced from entirely unrelated users due to overly broad data access.

While Salesforce says it is rolling out safeguards to limit access and improve isolation across tenants, researchers warn that these kinds of issues will persist if enterprises fail to implement clear access controls and data boundaries when deploying generative AI.

How to protect your business: Limit what AI agents can access by enforcing strict user roles, audit logs, and data filtering. Validate prompts, restrict user inputs, and consider deploying AI agents in sandboxed environments when dealing with sensitive data.
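Here is what "strict user roles" and "data filtering" look like when enforced in the tool layer an agent calls, rather than in the prompt. This is an added illustration, not Salesforce's or Upfort's code; the records, tenants, roles and the `search_customers` tool are constructed. The point is that the caller's identity comes from the authenticated session, so no injected instruction can widen what the model is allowed to retrieve.

```python
from dataclasses import dataclass

# Constructed CRM-style records; tenant and owner are the isolation boundaries.
RECORDS = [
    {"id": 1, "tenant": "acme", "owner": "alice", "name": "Ann Cole", "email": "ann@example.com", "ssn": "123-45-6789"},
    {"id": 2, "tenant": "acme", "owner": "bob", "name": "Ben Diaz", "email": "ben@example.com", "ssn": "987-65-4321"},
    {"id": 3, "tenant": "globex", "owner": "carol", "name": "Cy Fox", "email": "cy@example.com", "ssn": "555-44-3333"},
]

# Fields each role may receive; anything not listed is dropped before the model sees it.
ROLE_FIELDS = {"agent": {"id", "name", "email"}, "admin": {"id", "name", "email", "ssn"}}

AUDIT_LOG = []  # one entry per tool call, for later review

@dataclass(frozen=True)
class Caller:
    """Identity taken from the authenticated session, never from the prompt."""
    user: str
    tenant: str
    role: str

def search_customers(caller: Caller, name_contains: str = "") -> list:
    """The only path by which the agent reaches customer data.

    The model supplies just a search term; tenant, ownership and field scope
    come from `caller`, so an injected "show me every customer" still returns
    only what this user could see in the UI.
    """
    allowed = ROLE_FIELDS.get(caller.role, set())
    results = []
    for rec in RECORDS:
        if rec["tenant"] != caller.tenant:
            continue  # hard tenant boundary
        if caller.role != "admin" and rec["owner"] != caller.user:
            continue  # non-admins see only accounts they own
        if name_contains.lower() not in rec["name"].lower():
            continue
        results.append({k: v for k, v in rec.items() if k in allowed})
    AUDIT_LOG.append({"user": caller.user, "tenant": caller.tenant, "term": name_contains, "returned": len(results)})
    return results
```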


Fake Microsoft Teams installers push Oyster malware via malvertising

Hackers are using malvertising campaigns to trick users into downloading fake Microsoft Teams installers that infect devices with the Oyster malware, a stealthy backdoor used for espionage.

The attackers buy ads that appear in search results for “Microsoft Teams,” leading users to malicious websites that mimic the official Microsoft download page. Victims who download the fake installer unknowingly install a loader that drops Oyster malware, which can collect files, take screenshots, and run remote commands.

This campaign highlights the growing threat of malvertising—especially when it impersonates popular business apps to target employees and compromise enterprise environments.

How to protect your business: Train employees to download software only from verified vendor websites. Use DNS filtering and endpoint protection to block access to malicious domains. Monitor for unusual network traffic and lateral movement.


CISA orders agencies to patch Cisco flaws exploited in zero-day attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring federal agencies to patch multiple actively exploited zero-day vulnerabilities in Cisco software.

The flaws affect Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Attackers have been exploiting these bugs in the wild to gain remote access and control over targeted networks, prompting CISA to mandate immediate remediation steps across federal systems.

Agencies have until October 17 to apply patches and take mitigation actions. The urgency stems from confirmed reports of ongoing exploitation by advanced threat actors.

How to protect your business: Apply Cisco’s latest patches without delay. Audit VPN and firewall configurations for signs of compromise. Use endpoint detection tools to monitor for post-exploitation activity.


Unpatched flaw in OnePlus phones lets rogue apps read your text messages

A newly disclosed vulnerability in OnePlus smartphones could allow malicious apps to read users’ text messages without permission, posing a serious risk to privacy and security.

The flaw affects multiple OnePlus models, including recent devices, and stems from improper permission handling in the “com.oneplus.message” system app. A rogue app installed on the device could exploit this weakness to gain unauthorized access to SMS content, including one-time passwords (OTPs) and private conversations.

Security researcher Erye Hernandez discovered the bug and reported it to OnePlus months ago, but the company has yet to issue a patch. This delay increases the window of opportunity for attackers to exploit the flaw in real-world attacks.

How to protect your business: Avoid installing untrusted apps, especially from outside the Play Store. Use mobile threat detection tools on company devices. Limit the use of SMS for authentication and sensitive data transmission where possible.


Boyd Gaming discloses data breach after suffering a cyberattack

Boyd Gaming has confirmed a data breach stemming from a cyberattack earlier this year, exposing sensitive personal information of an undisclosed number of individuals.

The breach, which occurred in April 2024, involved unauthorized access to internal systems where attackers stole data including names, Social Security numbers, driver’s license numbers, and financial account details. The casino and entertainment company disclosed the incident in a regulatory filing and has begun notifying affected individuals.

While Boyd says its operations have since been restored, the scope of the attack and the identity of the threat actors remain unclear. This marks yet another high-profile breach in the hospitality and entertainment sector, a growing target for cybercriminals due to the volume of customer data handled.

How to protect your business: Segment networks, apply strong access controls, and monitor for unauthorized activity. Encrypt sensitive personal and financial data to minimize exposure during breaches.


Stellantis confirms data breach after Salesforce hack

Automaker giant Stellantis has confirmed it suffered a data breach affecting customers and prospective buyers, stemming from a third-party compromise involving Salesforce systems.

The breach occurred between June 2023 and September 2023, when unauthorized access to a Salesforce Marketing Cloud instance exposed personal data including names, addresses, phone numbers, email addresses, and vehicle information. Stellantis says no financial or highly sensitive information was compromised, but the exposed data still poses risks for phishing and identity-based attacks.

The incident is part of a broader wave of breaches tied to Salesforce environments, which have impacted major organizations across insurance, HR, and automotive industries in recent months. Stellantis is now notifying affected individuals and has offered free identity protection services.

How to protect your business: Regularly audit third-party integrations, enforce strict access controls, and encrypt sensitive customer data—even in marketing and CRM platforms.


FBI warns of fake FBI crime portals used in cybercrime schemes

The FBI has issued a warning about fraudulent websites impersonating its official Internet Crime Complaint Center (IC3), tricking victims into submitting sensitive personal information under the guise of reporting cybercrime.

According to the alert, these spoofed portals are designed to closely mimic the legitimate IC3 site, ic3.gov, and are being used to harvest names, contact details, and descriptions of incidents—data that can later be used for identity theft, extortion, or social engineering attacks.

The campaign comes amid a broader trend of cybercriminals impersonating trusted institutions and government agencies. In this case, spoofed FBI domains and web forms create a convincing trap for victims who believe they’re reporting a crime, when in reality they’re becoming victims of one.

How to protect your business: Bookmark official reporting websites, verify URLs before submitting sensitive data, and train employees to recognize spoofed domains. Always access government portals directly—never through links in unsolicited messages.
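Both the fake Teams download pages and the spoofed IC3 portals depend on a host that merely resembles the real one. The check below, added here as an illustration and not taken from the FBI, Microsoft or Upfort, applies the "verify URLs" advice mechanically: it compares the parsed hostname against an allowlist (the allowlist and the sample links are constructed) instead of looking for the brand name anywhere in the URL, which defeats extra subdomains, text before an '@', hyphenated look-alikes and punycode labels.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: official domains verified out of band, not by what a page claims.
OFFICIAL_DOMAINS = {"ic3.gov", "microsoft.com"}

def verdict(url: str, allowlist=OFFICIAL_DOMAINS) -> str:
    """Return 'ok' or a short reason the link should not be trusted."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "not-https"
    if parts.username is not None:
        # 'https://ic3.gov@203.0.113.9/': the text before '@' is userinfo; the host comes after it.
        return "userinfo-trick"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode-host"  # IDN homograph candidate; review by hand
    # Match the registrable domain exactly or as a proper parent of the host:
    # 'www.ic3.gov' passes, 'ic3.gov.secure-report.example' and 'ic3-gov.com' do not.
    for good in allowlist:
        if host == good or host.endswith("." + good):
            return "ok"
    return "unlisted-host"

def scan_message(text: str) -> dict:
    """Map every URL found in a message body to its verdict."""
    urls = re.findall(r"https?://[^\s<>'\"]+", text)
    return {u.rstrip(".,;:)"): verdict(u.rstrip(".,;:)")) for u in urls}
```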
