Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 11833
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-21 20:50:54 | bleepingcomputer | DATA BREACH | Alleged Oracle Cloud Breach Claims Contested by Company | Oracle refutes allegations of a breach following claims by a hacker, rose87168, that they stole 6 million records from Oracle Cloud's federated SSO login servers. Rose87168 provided evidence including text files and LDAP information purportedly from Oracle Cloud, even showing a .txt file upload to an Oracle server. The data for sale included encrypted SSO passwords and other sensitive files, with rose87168 claiming the ability to decrypt these passwords. The hacker demanded that companies pay to exclude their employees' information from the sale list, posing a targeted threat to affected enterprises. Oracle insists that no Oracle Cloud customers experienced a breach or data loss according to their investigation. The situation remains unresolved as rose87168 continues to offer the data in exchange for money or zero-day exploits, underlining the ongoing risk to the affected entities. BleepingComputer has reached out to potentially affected companies to validate the claims of stolen data; updates are pending based on these confirmations. | Details |
| 2025-03-21 17:17:11 | bleepingcomputer | CYBERCRIME | Phishing Scam Targets SEO Experts Using Fake Semrush Ads | A new phishing campaign exploits fake Semrush Google Ads to steal Google account credentials from SEO professionals. The attackers, identified as a Brazilian threat group, focus on obtaining access to Google Ads accounts to initiate further malicious advertising activities. Malwarebytes and industry experts note this trend of cascading fraud where cybercriminals progressively shift tactics to target sensitive data indirectly through associated services. The phishing sites closely mimic legitimate Semrush services, only offering a corrupted "Log in with Google" option to harvest user credentials. Domains involved in the phishing campaign include deceptive URLs like "semrush[.]click" and "semrush-pro[.]co", some being geographically selective in targeting. Despite discussions with Google, cybersecurity experts express concerns over the persistence of malicious Google Ads and the insufficient action by Google to address the root of such cybersecurity threats effectively. Recommendations for users include avoiding clicks on sponsored search results, using direct bookmarks for frequently visited pages, and employing password managers to ensure credentials are used on intended sites only. | Details |
| 2025-03-21 17:11:48 | bleepingcomputer | MISCELLANEOUS | Microsoft Exchange Glitch Wrongly Quarantines Emails | Microsoft is addressing an Exchange Online bug that has caused some user emails to be wrongly flagged by anti-spam systems and quarantined. The issue, identified as critical, began nearly five hours prior to the report and is being tracked under the incident code EX1038119. This problem involves specific URLs being incorrectly categorized by Microsoft's anti-spam tools, affecting email delivery. Efforts to fix the issue by whitelisting the implicated URLs failed, leading Microsoft to attempt a manual correction of the affected messages. A separate related issue, coded EX1038200, affects access to the 'Review' page in the Email and Collaboration section of the Security portal, hindering the management of quarantined emails. Microsoft's engineers are conducting a review of diagnostic telemetry to understand and mitigate the root causes of these issues. These incidents add to a series of recent challenges for Exchange Online, including a previous false positive issue and multiple outages affecting email access and delivery. | Details |
| 2025-03-21 15:39:36 | bleepingcomputer | NATION STATE ACTIVITY | U.S. Treasury Lifts Sanctions on Tornado Cash Amid Controversy | The U.S. Treasury has removed sanctions against Tornado Cash, which was accused of laundering funds for North Korea's hacking operations. Tornado Cash is a crypto mixer implicated in multiple major cyber thefts, including the laundering of $455 million from the Ronin network hack. Sanctions were originally placed on Tornado Cash in August 2022 for laundering over $7 billion since 2019. The U.S. Justice Department has charged Tornado Cash founders with facilitating over $1 billion in laundered money. Despite lifting sanctions, the U.S. Treasury underlines a continued effort to disrupt malicious exploitation of cryptocurrency by cybercriminals like the Lazarus Group. North Korean hackers, notably the Lazarus Group, have used Tornado Cash to support the country's ballistic missile program by laundering stolen crypto assets. The removal of sanctions reflects the complex challenges and opportunities that digital assets present, emphasizing the need for securing against illicit activities. | Details |
| 2025-03-21 13:54:55 | thehackernews | NATION STATE ACTIVITY | UAT-5918 APT Targets Taiwan with Advanced Cyber Tactics | UAT-5918, a new advanced persistent threat (APT) group, has been conducting cyber-attacks on Taiwan's critical infrastructure since at least 2023. The group uses web shells and open-source tools to establish long-term access in victim organizations for information theft and credential harvesting. Targets expand beyond critical infrastructure to include sectors such as IT, telecommunications, academia, and healthcare. UAT-5918's attack methods involve exploiting unpatched N-day security flaws to gain initial access and deploying various tools for system exploration and information gathering. Key tools used in their attacks include Fast Reverse Proxy, Neo-reGeorg, Mimikatz, LaZagne, and BrowserDataLite for creating reverse proxy tunnels and credential theft. The group also uses the Chopper web shell, Crowdoor, and SparrowDoor, demonstrating tactical overlaps with other Chinese hacking groups. UAT-5918 systematically engages in data theft and continues to establish multiple points of entry into targeted organizations to secure long-term access and collect sensitive data. | Details |
| 2025-03-21 13:31:46 | bleepingcomputer | MALWARE | Steam Removes Game Demo Installing Malware on Windows | Valve has removed the game 'Sniper: Phantom's Resolution' from Steam after it was found to install malware. The game's demo installer, sourced from an external GitHub repository, infected users' systems with information-stealing malware. Analysis revealed the installer contained malicious tools like a privilege escalation utility and Fiddler, used for intercepting cookies. Users reported that game assets and descriptions appeared copied from other games, raising initial suspicions. GitHub has since taken down the malicious repository upon user reports; the developer's website is also offline. Valve's previous incident involved the PirateFi game that distributed Vidar malware to up to 1,500 users. Affected users are advised to uninstall the game and conduct a full system scan to remove any remaining malicious files. | Details |
| 2025-03-21 13:04:34 | thehackernews | MALWARE | Medusa Ransomware Attack Leveraging Malicious Drivers and Stolen Certificates | Medusa ransomware-as-a-service uses a malicious driver, ABYSSWORKER, to disable anti-malware tools via a BYOVD (Bring Your Own Vulnerable Driver) approach. ABYSSWORKER mimics a legitimate CrowdStrike Falcon driver and is packed with features targeting endpoint detection and response (EDR) systems. It is signed using likely stolen, revoked certificates from Chinese companies, allowing it to bypass security checks by appearing as a trusted entity. The malicious driver has been effective in blinding security products by removing all registered notification callbacks, a method known as EDR killing. This incident is part of a broader trend of threat actors exploiting legitimate but vulnerable kernel drivers to gain elevated privileges and disable Windows security features. Check Point has patched vulnerabilities in its driver used by ZoneAlarm antivirus after threat actors exploited it to gain full system control and exfiltrate sensitive data. The RansomHub operation is also noted for using a multi-function backdoor named Betruger, indicating a strategic development in ransomware attacks to combine multiple malicious techniques. | Details |
| 2025-03-21 11:08:04 | thehackernews | NATION STATE ACTIVITY | Aquatic Panda: Year-Long Cyber Espionage Campaign Targets Global Entities | China-linked APT group Aquatic Panda executed a global espionage campaign named Operation FishMedley, targeting entities across six countries. The campaign ran from January to October 2022, affecting governments, NGOs, Catholic charities, and think tanks in nations such as Taiwan, Hungary, Turkey, Thailand, France, and the USA. Aquatic Panda utilized a variety of malware including ShadowPad, SodaMaster, and Spyder, known to be associated with Chinese cyber operations. The group, also known as Bronze University among other names, operates under the larger umbrella of the Winnti Group (APT41) and is supported by the Chinese contractor i-Soon. The initial access vector for the attacks remains unidentified, but a variety of methods and implants including a new loader named ScatterBee and a C++ implant called RPipeCommander were employed. This campaign highlights ongoing sophisticated cyber espionage efforts by state-aligned groups, using shared and evolving malware tools. | Details |
| 2025-03-21 11:01:09 | thehackernews | MISCELLANEOUS | Identifying Overlooked Network Security Risks via Pentesting | vPenTest performed over 10,000 automated internal network penetration tests last year, exposing significant security gaps in many businesses. Businesses often rely on firewalls, endpoint protection, and SIEMs, which may not be sufficient against real-world attack scenarios. Common security vulnerabilities uncovered include weak passwords, system misconfigurations, and unpatched vulnerabilities. The analysis of findings shows that security issues are often basic, avoidable mistakes rather than sophisticated, advanced hacking techniques. The same security gaps recurred across various network sizes and types, indicating ongoing vulnerabilities in systems. Regular, automated pentesting with platforms like vPenTest can help organizations identify and address vulnerabilities more efficiently than annual tests. This continuous security verification approach helps pinpoint weaknesses that could be exploited by attackers between annual audits. vPenTest offers on-demand, automated pentesting to help close security gaps and enhance defense against cyber threats. | Details |
| 2025-03-21 10:34:43 | thehackernews | NATION STATE ACTIVITY | Collaborative Cyber Campaigns Target Russian Sector via Advanced Tools | Kaspersky identified collaboration between two threat groups, Head Mare and Twelve, targeting Russian entities using shared C2 servers and tools. Head Mare utilized a patched WinRAR vulnerability (CVE-2023-38831) for initial access, deploying malware and ransomware such as LockBit and Babuk. Twelve's operations focused on data encryption and destruction of infrastructure via publicly available tools and custom wipers. New analysis revealed Head Mare's adoption of CobInt, a backdoor linked to other attacks on Russian organizations, and a new implant named PhantomJitter for remote command execution. Additional access techniques by Head Mare included exploiting Microsoft Exchange vulnerabilities and phishing emails, often infiltrating through contractors' networks. The joint campaigns culminated in ransomware deployment, with victims urged to make contact via Telegram for decryption after the actors had extensively concealed their activities. The activity from Head Mare and Twelve indicates a broader pattern of sophisticated cyber attacks involving multiple threat actors within Russia. Related cyber activities by other groups, such as ScarCruft and Bloody Wolf, show a trend of increased and diversified threats targeting the region. | Details |
| 2025-03-21 07:38:37 | theregister | MISCELLANEOUS | AdTech CEO Jailed for Fabricating Financial and Product Data | Paul Roberts, former CEO of Kubient, was sentenced to over a year in prison for committing financial fraud by falsifying company records. Kubient claimed to deliver fraud detection services using its KAI software, which in reality involved no actual work or valid data, leading to fabricated service reports. The company falsely reported $1.3 million in revenue from a non-existent service exchange with an unnamed company to inflate its financials. These misrepresented figures were used to deceitfully boost the company's revenue reports ahead of its public listing, which subsequently raised over $33 million through IPOs. The U.S. Securities and Exchange Commission charged Roberts and other executives after discovering the fraud, leading to Roberts' guilty plea and legal consequences. Despite earlier claims of effectiveness, Kubient's KAI software's capabilities were questionable as the company delisted from NASDAQ and canceled a significant merger. Following the scandal, Kubient appears to have ceased operations. | Details |
| 2025-03-21 06:31:22 | theregister | NATION STATE ACTIVITY | Paragon Spyware Misused to Target Journalists, Activists, Claims Report | A Citizen Lab report asserts that Israeli Paragon Solutions' spyware was misused against journalists and activists instead of its advertised purpose of targeting criminals and terrorists. Details of the misuse were unearthed when WhatsApp, aided by Citizen Lab, notified approximately 90 individuals identified as targets, revealing the involvement of multiple government customers. Paragon's spyware, known as Graphite, is designed for constrained surveillance, purportedly stopping short of full control over the target's phone. A data breach at SpyX, a company providing parental control software, resulted in the leak of nearly two million account details, including sensitive user information. The report identifies misuse of spyware in countries including Italy, where notable journalists and humanitarian groups faced unwarranted surveillance. The U.S. military dismissed claims about possessing a 'kill switch' in F-35 jets, underlining the plane's software and hardware security considerations. The ongoing use and export of spyware tools raise concerns about oversight and potential misuse internationally, impacting civil liberty groups and political dissenters. | Details |
| 2025-03-21 05:16:02 | thehackernews | CYBERCRIME | Active Exploitation of Cisco Utility Threatens Sensitive Data | Ongoing cyber attacks are targeting previously disclosed vulnerabilities in Cisco Smart Licensing Utility. Two critical vulnerabilities allow attackers administrative access and the ability to extract sensitive log data. Affected versions are 2.0.0, 2.1.0, and 2.2.0, but these have been patched in the latest release, version 2.3.0. The exploits are active even though patches were released by Cisco back in September 2024. Additional vulnerabilities, including an information disclosure flaw in Ncast products, are also being weaponized by attackers. The identity of the attackers and their ultimate objectives remain unclear. Organizations are urged to apply the patches immediately to prevent potential data breaches and system compromises. | Details |
| 2025-03-21 01:13:49 | theregister | DATA BREACH | Harsher Punishment Sought for Capital One Data Theft Perpetrator | Paige Thompson, convicted of stealing data from over 100 million Capital One customers and installing cryptomining software, may face a sterner sentence after an appeals court decision. Originally receiving a sentence of time served plus probation, the appeals court ruled this punishment as too lenient considering the severity of the data breach. Thompson exploited misconfigured AWS S3 cloud storage buckets to extract sensitive financial data and boasted about her activities on GitHub. The data theft resulted in approximately $40 million in damages and forced Capital One to pay hefty fines totaling $270 million due to poor data security practices and customer lawsuits. The Department of Justice argues for stricter sentencing, highlighting the breach as the second largest US data theft incident to date. The appeals court emphasized that despite Thompson's personal vulnerabilities due to her autistic and transgender status, the sentence must reflect the seriousness of the offense and federal sentencing goals. Thompson continued unlawful online activities and financial transactions even following her arrest. | Details |
| 2025-03-20 23:32:48 | bleepingcomputer | MALWARE | Critical RCE Vulnerability Patched in Veeam Backup Software | Veeam has addressed a severe remote code execution vulnerability tagged CVE-2025-23120 in its Backup & Replication software, affecting domain-joined systems. The security flaw involves a deserialization issue in specific .NET classes, allowing potential attackers to remotely execute malicious code. The vulnerability predominantly affects the Veeam Backup & Replication version 12.3.0.310 and all prior version 12 builds, with a patch issued in version 12.3.1. Security research group watchTowr Labs discovered the flaw, noting Veeam's prior ineffective mitigation strategies, which involved blacklisting exploitable classes or objects. Ransomware gangs have previously targeted Veeam Backup & Replication servers, emphasizing the criticality of this vulnerability due to its potential to facilitate data theft and hinder data restoration. There are no current reports of this flaw being exploited in the wild, but detailed disclosures may prompt imminent threat actor exploration and exploits. Veeam strongly advises all users to promptly upgrade to the latest patched version and to adhere to best practice recommendations, including isolating backup servers from Windows domains. | Details |