Daily Brief


Total articles found: 11755


2025-10-07 05:20:47 thehackernews VULNERABILITIES Cl0p Exploits Critical Oracle EBS Flaw for Data Exfiltration
CrowdStrike attributes the exploitation of Oracle E-Business Suite's CVE-2025-61882 to the threat actor Graceful Spider, known as Cl0p, with moderate confidence. The vulnerability, scoring 9.8 on the CVSS scale, allows remote code execution without authentication, posing significant risks to affected systems. An observed attack sequence involves exploiting Oracle's XML Publisher Template Manager to upload and execute malicious templates, leading to persistent access. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog, urging immediate patching by October 27, 2025. Cl0p has been actively exploiting this flaw since August 2025, leading to data theft and extortion attempts against multiple Oracle EBS users. A Telegram channel has shared the exploit while criticizing Graceful Spider, indicating potential collaboration or competition among threat actors. Security experts recommend urgent patching, aggressive threat hunting, and enhanced security controls to mitigate risks associated with this vulnerability.
2025-10-06 21:16:20 bleepingcomputer DATA BREACH Red Hat Faces Extortion Threat After Major Data Breach
Red Hat has been targeted by the ShinyHunters group, which is extorting the company following a significant data breach involving customer engagement reports (CERs). The breach, initially claimed by the Crimson Collective, resulted in the theft of nearly 570GB of data from Red Hat's internal development repositories, including sensitive customer information. Red Hat confirmed that the breach affected its GitLab instance, which was used for consulting engagements, but has not responded to extortion demands. ShinyHunters, operating as an extortion-as-a-service, is threatening to publicly release the stolen data unless Red Hat negotiates a ransom by October 10th. The leaked data includes CERs from major organizations such as Walmart, HSBC, and the Department of Defense, raising concerns about potential operational impacts. This incident underscores the growing trend of extortion-as-a-service operations, where groups like ShinyHunters facilitate data leaks for a share of the ransom. Companies are advised to strengthen their cybersecurity posture and prepare for potential extortion attempts, focusing on robust incident response and communication strategies.
2025-10-06 18:16:59 bleepingcomputer VULNERABILITIES GoAnywhere MFT Vulnerability Exploited in Medusa Ransomware Attacks
A critical vulnerability in Fortra's GoAnywhere MFT tool, tracked as CVE-2025-10035, has been exploited by the Storm-1175 group in Medusa ransomware attacks. The flaw, caused by deserialization of untrusted data, allows remote exploitation without user interaction, posing significant risks to affected organizations. Microsoft confirmed that Storm-1175 has been leveraging this vulnerability since September 11, 2025, utilizing tactics aligned with known Medusa ransomware operations. Attackers maintained persistence using remote monitoring tools like SimpleHelp and MeshAgent, conducting network reconnaissance and lateral movement across compromised systems. The Medusa ransomware payloads were deployed to encrypt files, and Rclone was used for data exfiltration, impacting multiple organizations. Fortra patched the vulnerability on September 18, but the flaw was already exploited as a zero-day, prompting urgent patching and log inspections for affected users. Microsoft and Fortra recommend updating to the latest software versions and reviewing logs for specific error strings to assess potential impacts. The Medusa ransomware operation has previously affected over 300 critical infrastructure organizations, highlighting the ongoing threat posed by such vulnerabilities.
2025-10-06 17:15:24 bleepingcomputer VULNERABILITIES Zeroday Cloud Contest Offers $4.5 Million for Exploit Discoveries
Zeroday Cloud, a new hacking contest, offers $4.5 million for exploits targeting open-source cloud and AI tools, hosted by Wiz with Google Cloud, AWS, and Microsoft. The competition will take place at the Black Hat Europe conference in London on December 10 and 11, featuring six categories with bounties ranging from $10,000 to $300,000. Researchers must achieve full target compromise, such as Container/VM Escape or 0-click RCE, with submissions to be demonstrated live at the event. Participants must register via HackerOne, complete ID verification, and submit tax forms by November 20 to compete. Entrants from embargoed or sanctioned regions, including Russia and China, are barred from participation. Trend Micro's Pwn2Own organizers accused Wiz of copying their contest rules, but Wiz acknowledged using Pwn2Own's framework as inspiration. This contest aims to advance cloud security by incentivizing researchers to uncover critical vulnerabilities in widely-used technologies.
2025-10-06 16:02:44 bleepingcomputer VULNERABILITIES Critical Redis Vulnerability Threatens Thousands of Cloud Instances
Redis has released patches for CVE-2025-49844, a critical vulnerability allowing remote code execution on thousands of instances, impacting approximately 75% of cloud environments. The flaw stems from a 13-year-old use-after-free weakness in the Redis source code, exploitable via a crafted Lua script by authenticated users. Successful exploitation enables attackers to gain persistent access, steal credentials, deploy malware, and move laterally within victim networks. Wiz researchers identified around 330,000 Redis instances exposed online, with at least 60,000 lacking authentication, significantly increasing the risk of exploitation. Redis and Wiz recommend immediate patching, enabling authentication, disabling Lua scripting, and implementing strict network access controls to mitigate risks. The vulnerability poses a severe threat due to Redis's widespread deployment, default insecure configurations, and the potential for significant data exfiltration and resource hijacking. Historical attacks on Redis servers have included malware and cryptominer deployments, emphasizing the need for robust security measures.
2025-10-06 15:48:47 theregister CYBERCRIME Scattered Lapsus$ Hunters Launch Crowdsourced Extortion Scheme Targeting Executives
Scattered Lapsus$ Hunters has initiated a crowdsourced extortion campaign, offering $10 in Bitcoin to individuals who pressure executives into paying ransoms. The group claims to have distributed $1,000 to participants, incentivizing harassment of executives via personal email accounts for higher rewards. Communications from the group, marked by poor grammar, suggest non-native English speakers, raising questions about their origins and capabilities. The extortion scheme targets organizations allegedly breached through a Salesforce integration, with a data leak site listing victims and setting a ransom deadline. Salesforce, in response, stated no compromise of its platform has been identified, attributing the claims to past or unverified incidents. The attack exploited OAuth tokens from Salesloft Drift, a Salesforce integration, allowing unauthorized access to CRM systems. Google and Salesforce preemptively informed potentially affected organizations before the data leak site was launched. Despite recent law enforcement actions against its members, the group continues its activities, maintaining its presence through revived Telegram channels.
2025-10-06 14:35:54 bleepingcomputer MISCELLANEOUS Wazuh Integrates AI for Enhanced Cybersecurity and Threat Detection
The cybersecurity landscape is evolving with attackers using AI-driven tactics, requiring organizations to adopt advanced technologies for defense. Wazuh, an open-source security platform, integrates AI to enhance detection, investigation, and situational awareness across various environments. AI capabilities in Wazuh include anomaly detection, log correlation, and threat intelligence, offering speed and scalability beyond traditional methods. The platform's AI assistant feature, powered by Claude 3.5 Haiku, provides contextual insights, bridging the gap between alerts and actionable responses. AI-driven threat hunting in Wazuh employs semantic search capabilities, allowing analysts to uncover hidden threats through natural language queries. Wazuh's AI analyst service aims to augment security teams by providing automated alert summaries, contextual enrichment, and next-step guidance. By embedding AI into its cloud platform, Wazuh offers a scalable security solution that adapts to the growing complexity of cyber threats.
2025-10-06 14:00:01 thehackernews NATION STATE ACTIVITY Chinese Research Firms Linked to Ministry of State Security Operations
Recorded Future's report connects BIETA and CIII to China's Ministry of State Security, suggesting these firms support intelligence and counterintelligence missions. Evidence includes affiliations of at least four BIETA personnel with MSS officers and ties to the University of International Relations. BIETA and CIII are involved in developing technologies for steganography, malware deployment, and military communications, enhancing China's national security capabilities. CIII has developed applications for network simulations, penetration testing, and covert communications, indicating a focus on advanced cyber capabilities. The report suggests these organizations act as fronts for cyber-enabled intelligence operations, supporting Beijing's strategic objectives. The disclosure follows a recent finding of a Chinese proxy service used in North Korean cyber campaigns, highlighting the complexities of APT infrastructure. This development emphasizes the ongoing challenge of distinguishing between commercial and state-sponsored cyber activities.
2025-10-06 14:00:00 bleepingcomputer VULNERABILITIES Unity Game Engine Flaw Risks Code Execution on Multiple Platforms
A critical vulnerability in the Unity game engine, tracked as CVE-2025-59489, allows code execution on Android and privilege escalation on Windows. The flaw affects Unity versions starting from 2017.1, impacting both gaming and non-gaming applications built on this platform. Steam and Microsoft have issued warnings, prompting users to update or uninstall vulnerable games until patches are applied. Valve's response includes a Steam Client update to block custom URI schemes, while Microsoft advises uninstalling vulnerable games. Popular titles like Hearthstone, DOOM (2019), and Forza Customs are among those potentially affected by this security issue. Unity has released patches for versions starting from 2019.1, but older unsupported versions will not receive updates. No active exploitation has been observed, but developers are urged to recompile and redeploy applications with the latest Unity updates. The vulnerability was discovered by a GMO Flatt Security researcher at the Meta Bug Bounty Researcher Conference in May.
2025-10-06 13:23:11 theregister CYBERCRIME Radiant Group Targets Minnesota Hospital in Latest Ransomware Attack
Radiant Group, a new ransomware actor, has claimed responsibility for an attack on a Minnesota hospital, demanding compliance within seven days to avoid data exposure. This group previously attacked Kido Schools, leaking sensitive data of preschoolers and their parents, sparking significant backlash from media and rival cybercriminals. Following criticism, Radiant Group removed the children's data and vowed to avoid targeting minors in future operations. Despite stepping back from targeting children, the group has not hesitated to attack healthcare institutions, indicating a shift in its victim profile. Radiant Group's actions have prompted ongoing investigations and collaboration with law enforcement, cybersecurity experts, and regulators to ensure data deletion and prevent future attacks. The group's decision-making and operations suggest a familiarity with Western systems, contrasting with typical Russian ransomware groups. The incident underscores the persistent threat of ransomware to critical sectors, emphasizing the need for robust cybersecurity measures and incident response strategies.
2025-10-06 12:20:37 theregister DATA BREACH Discord User Data Compromised Through Third-Party Vendor Breach
Discord confirmed a data breach impacting user information due to a security compromise at an unnamed third-party customer support vendor. Exposed data includes names, email addresses, billing information, and potentially images of government IDs used for age verification. Attackers accessed support tickets and related data, with intentions to extort Discord for financial gain. Discord has severed ties with the compromised vendor, initiated an internal investigation, and involved law enforcement. Affected users are being notified to remain vigilant against potential scams or misuse of their personal information. While the breach did not involve Discord's own systems, the incident raises concerns about the security of outsourced services. The exact number of affected users remains undisclosed, posing challenges for Discord in maintaining user trust and confidence.
2025-10-06 11:48:57 bleepingcomputer MALWARE XWorm Malware Resurfaces with Enhanced Ransomware Capabilities
XWorm malware, initially developed by XCoder, has resurfaced with new versions 6.0, 6.4, and 6.5, featuring over 35 plugins and a ransomware module. The latest variants are being distributed in phishing campaigns, with malware operators exploiting its modular architecture for data theft and remote control. XWorm's ransomware module, Ransomware.dll, encrypts user files while avoiding system directories, and demands ransom payments in Bitcoin through an HTML ransom note. Researchers identified code similarities between XWorm's ransomware module and the NoCry ransomware, indicating shared techniques in encryption and analysis evasion. XWorm is being deployed through various methods, including malicious JavaScript and AI-themed lures, with a significant increase in samples on VirusTotal since June. Trellix researchers recommend multi-layered defense strategies, including EDR solutions and proactive email protections, to mitigate the threat posed by XWorm. The malware's popularity among cybercriminals is evident, with 18,459 infections reported, primarily affecting Russia, the United States, India, Ukraine, and Turkey.
2025-10-06 11:41:12 thehackernews MISCELLANEOUS Key Considerations for Selecting AI Security Posture Management Solutions
Organizations are increasingly adopting AI Security Posture Management (AI-SPM) solutions to safeguard AI ecosystems and ensure compliance with evolving data protection regulations. Effective AI-SPM tools offer comprehensive visibility and control over AI models, datasets, and infrastructure, mitigating risks related to compliance and unauthorized data exposure. These solutions must address AI-specific risks, including protecting training data and ensuring datasets comply with privacy regulations to maintain AI model integrity. Compliance with global regulations like GDPR and HIPAA is crucial; AI-SPM solutions should automate policy enforcement and provide real-time compliance monitoring. Scalability is essential for AI-SPM solutions to manage security in dynamic, cloud-native, and multi-cloud environments, ensuring consistent security policies across various platforms. Seamless integration with existing security tools and AI/ML platforms is vital to prevent operational disruptions and maintain a robust security posture. Proactive AI security measures empower organizations to innovate confidently, safeguarding business futures against emerging threats.
2025-10-06 11:41:12 thehackernews VULNERABILITIES Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day
Cl0p ransomware group has targeted Oracle E-Business Suite, exploiting a zero-day vulnerability, CVE-2025-61882, with a critical CVSS score of 9.8, to facilitate data theft. The flaw allows unauthenticated attackers to compromise the Oracle Concurrent Processing component via HTTP, posing significant risks to affected organizations. Mandiant at Google Cloud reported multiple vulnerabilities were exploited, including those patched in Oracle's July 2025 update and the recent zero-day. The rapid exploitation of vulnerabilities by threat actors emphasizes the critical need for timely patch management to prevent breaches. Organizations are urged to prioritize patching and implement robust security measures to mitigate potential exploitation risks. This incident underscores the ongoing threat posed by ransomware groups leveraging unpatched vulnerabilities for large-scale data theft. Security teams should enhance monitoring and response strategies to detect and mitigate similar threats promptly.
2025-10-06 10:32:39 theregister CYBERCRIME Jaguar Land Rover Resumes Production After Devastating Cyberattack
Jaguar Land Rover (JLR) is preparing to restart production after a prolonged cyberattack halted operations, affecting its three main UK manufacturing plants. The Wolverhampton site is expected to resume first, with Solihull and Halewood following, although full operational capacity may take weeks to achieve. The cyber incident has reportedly cost JLR an estimated £2.2 billion ($2.9 billion) in revenue and £150 million ($202 million) in profit due to the extended downtime. The UK government has intervened with a £1.5 billion ($2 billion) loan guarantee to support JLR's financial recovery and safeguard jobs across its supply chain. The disruption impacted over 100,000 jobs at JLR suppliers, with many small businesses facing financial uncertainty due to halted invoice processing. The attack's ripple effect reached beyond JLR, affecting local economies and businesses reliant on the automaker's workforce, including pubs and cafes. The incident is regarded as one of the most severe crises faced by JLR, surpassing challenges like the global financial crisis and the semiconductor shortage.