Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-06 09:45:55 | theregister | VULNERABILITIES | Oracle E-Business Suite Hit by Critical Zero-Day Exploitation | Oracle issued an emergency patch for a zero-day vulnerability in its E-Business Suite, exploited by Clop for data theft and extortion. The flaw is rated 9.8 on the CVSS scale. CVE-2025-61882 allows unauthenticated remote code execution, posing a significant risk to organizations using Oracle EBS. Immediate patching is advised to mitigate further exploitation. Clop's campaign involved exploiting multiple vulnerabilities in Oracle EBS, leading to significant data breaches from several victims in August 2025. Mandiant confirmed mass exploitation and emphasized the need for organizations to assess potential compromises and secure their systems promptly. Oracle's advisory warns that the vulnerability can be exploited over a network without authentication, increasing the urgency for organizations to apply the fix. Indicators suggest possible collaboration or shared tools between Clop and Scattered Lapsus$ Hunters, with new data leaks surfacing on a recent leak site. Clop has shifted tactics from ransomware to data theft and extortion, sending extortion emails to executives demanding payment to prevent data exposure. Organizations are urged to patch immediately, assume potential compromise, and investigate any signs of unauthorized access to prevent further damage. | Details |
| 2025-10-06 09:02:11 | theregister | DATA BREACH | FEMA Faces Data Breach Amidst Security Leadership Overhaul | The US Federal Emergency Management Agency (FEMA) terminated its CISO, CIO, and 22 staff members following an audit revealing severe security failings. Despite initial claims of no data loss, attackers accessed FEMA's Region 6 servers in June using stolen credentials, impacting Arkansas, Louisiana, New Mexico, Oklahoma, and Texas. The breach exploited a critical vulnerability in Citrix systems, allowing data exfiltration and bypassing multi-factor authentication. FEMA's IT department is undergoing a complete overhaul, with new staff appointed to address security deficiencies and enforce stronger access controls. The Cybersecurity and Infrastructure Security Agency (CISA) had previously issued warnings about the vulnerability, which were not acted upon promptly. This incident highlights the importance of timely vulnerability management and the consequences of failing to secure critical infrastructure. | Details |
| 2025-10-06 06:05:18 | thehackernews | VULNERABILITIES | Zimbra Zero-Day Exploited in Targeted Attack on Brazilian Military | A zero-day vulnerability in Zimbra Collaboration was exploited to target the Brazilian military, utilizing malicious ICS files to execute arbitrary code. Tracked as CVE-2025-27915, this stored cross-site scripting (XSS) flaw allowed attackers to execute JavaScript within a victim's session, leading to unauthorized actions. The attack involved spoofing the Libyan Navy's Office of Protocol and deploying ICS files designed to steal credentials, emails, and contacts, forwarding them to an external server. Zimbra addressed the vulnerability with patches released on January 27, 2025, but the flaw had already been exploited in real-world attacks. The malicious script was crafted to avoid detection by hiding UI elements and activating only after a three-day delay since its last execution. While the attackers remain unidentified, similarities in tactics suggest potential links to known groups like APT28, Winter Vivern, and UNC1151. Organizations using Zimbra should ensure systems are updated to the latest patched versions to mitigate similar threats. | Details |
| 2025-10-06 05:17:45 | thehackernews | VULNERABILITIES | Oracle Patches Critical Flaw Exploited in Cl0p Data Theft Attacks | Oracle issued an emergency patch for CVE-2025-61882, a critical vulnerability in its E-Business Suite, exploited by Cl0p in recent data theft operations. The flaw, with a CVSS score of 9.8, allows unauthenticated remote attackers to execute code via HTTP, posing significant security risks. Oracle's Chief Security Officer confirmed additional fixes were released following further investigations into potential exploitations. Indicators of compromise suggest involvement of the Scattered LAPSUS$ Hunters group in exploiting this vulnerability. Mandiant reported Cl0p's use of multiple vulnerabilities, including those patched in Oracle's July 2025 update, to execute high-volume email campaigns. Organizations are urged to apply patches promptly and assess if any prior breaches occurred due to the zero-day exploit. The situation remains dynamic, with ongoing updates expected as new information emerges. | Details |
| 2025-10-06 01:39:50 | bleepingcomputer | DATA BREACH | Oracle EBS Zero-Day Exploited in Clop Ransomware Data Theft | Oracle has issued a critical patch for a zero-day vulnerability in its E-Business Suite, exploited by the Clop ransomware group for data theft. The flaw, identified as CVE-2025-61882, allows unauthenticated remote code execution and has a CVSS score of 9.8, indicating severe risk. Clop leveraged this vulnerability in August 2025 to steal data from multiple organizations, demanding ransom to prevent data leaks. Oracle's emergency update requires prior installation of the October 2023 Critical Patch Update to mitigate the vulnerability. Indicators of compromise shared by Oracle include IP addresses and exploit files, aiding organizations in identifying potential breaches. The exploit was initially leaked by a group known as "Scattered Lapsus$ Hunters," raising questions about their potential collaboration with Clop. This incident underscores the critical need for timely patch management and monitoring for indicators of compromise to prevent data breaches. | Details |
| 2025-10-05 14:45:17 | bleepingcomputer | VULNERABILITIES | Zimbra Zero-Day Exploit Targets Brazilian Military via iCalendar Files | Researchers identified a zero-day attack exploiting a cross-site scripting vulnerability in Zimbra Collaboration Suite, specifically targeting versions 9.0, 10.0, and 10.1. The attack utilized .ICS calendar files to deliver a malicious JavaScript payload, exploiting insufficient HTML sanitization to execute arbitrary code. Zimbra released patches on January 27, addressing the vulnerability, but the attacks began earlier in January, before the patch was available. The threat actor impersonated the Libyan Navy's Office of Protocol to target a Brazilian military organization, using emails with obfuscated JavaScript payloads. The payload aimed to extract sensitive data from Zimbra Webmail, including credentials, emails, and contacts, operating in asynchronous mode with complex JavaScript expressions. While attribution remains uncertain, researchers noted similarities with tactics used by UNC1151, a group linked to the Belarusian government. StrikeReady shared indicators of compromise and deobfuscated JavaScript to aid in defense against similar attacks. The incident underscores the critical need for timely patch management and vigilance against sophisticated phishing tactics. | Details |
| 2025-10-05 12:16:51 | bleepingcomputer | DATA BREACH | ParkMobile Settles 2021 Data Breach Lawsuit, Offers $1 Credit to Users | ParkMobile concluded a class action lawsuit related to its 2021 data breach affecting 22 million users, offering a $1 in-app credit as compensation. The breach exposed sensitive data, including names, emails, and vehicle information, which was later leaked on a hacking forum. The settlement, amounting to $32.8 million, does not admit any wrongdoing by ParkMobile, a common clause in such legal resolutions. Users must manually claim the $1 credit using a promo code, which expires in 2026; for California residents the credit has no expiration. ParkMobile warns of ongoing phishing attacks targeting its users, advising vigilance against fraudulent SMS messages claiming to be from the company. The company emphasizes that it will never request sensitive information or direct users to download apps or transfer funds. Users are urged to verify the legitimacy of communications and avoid engaging with suspicious links or QR codes to prevent falling victim to scams. | Details |
| 2025-10-04 20:46:48 | bleepingcomputer | DATA BREACH | Discord Data Breach Exposes User Information via Third-Party Provider | Discord experienced a data breach on September 20, affecting a limited number of users through a compromised third-party customer service provider. Hackers accessed personally identifiable information, including names, email addresses, government-issued IDs, and partial payment details. The breach was financially motivated, with hackers demanding a ransom to prevent the leak of stolen data. Discord promptly isolated the compromised support provider, revoked access, and initiated an investigation with a leading forensics firm and law enforcement. The Scattered Lapsus$ Hunters group claimed responsibility, exploiting a Zendesk instance used by Discord for customer support operations. The breach highlights vulnerabilities in third-party service integrations, emphasizing the need for robust security measures and regular audits. The incident could have broader implications, potentially aiding in solving crypto-related hacks and scams if the data is leaked. Discord's response includes ongoing investigations and collaboration with security experts to mitigate potential risks and prevent future breaches. | Details |
| 2025-10-04 14:40:48 | thehackernews | VULNERABILITIES | CometJacking Attack Exploits AI Browser for Data Exfiltration | Cybersecurity researchers have identified a new attack, CometJacking, targeting Perplexity's Comet AI browser to extract sensitive data through malicious prompts embedded in URLs. The attack leverages a crafted URL to trigger unauthorized data access from connected services like email and calendar, bypassing traditional security measures. CometJacking operates without credential theft, exploiting the browser's existing authorized access to services, and uses Base64 encoding to obfuscate and transmit data. The attack is initiated when a user clicks a malicious link, redirecting the AI browser to execute hidden commands that capture and exfiltrate data. Perplexity has downplayed the security impact, but the incident reveals vulnerabilities in AI-native tools that can circumvent conventional defenses. The attack underscores the need for security-by-design in AI browsers, focusing on agent prompts and memory access rather than just page content. Organizations are urged to implement controls to detect and neutralize malicious agent prompts, as AI browsers become potential command-and-control points within enterprise environments. | Details |
| 2025-10-04 14:21:15 | bleepingcomputer | VULNERABILITIES | Surge in Scans Targets Palo Alto Networks and Grafana Systems | GreyNoise reports a 500% rise in suspicious IPs scanning Palo Alto Networks login portals, peaking on October 3 with over 1,285 unique IPs involved. The scans primarily originated from the U.S., with additional clusters in the U.K., Netherlands, Canada, and Russia, suggesting a coordinated global reconnaissance effort. 91% of the IP addresses were deemed suspicious, while 7% were classified as malicious, indicating potential preparation for exploiting vulnerabilities. The targeted scans focused on Palo Alto GlobalProtect and PAN-OS profiles, likely sourced from public scanning tools or attacker-originated reconnaissance. GreyNoise previously linked similar scan activity to exploit preparation, though the correlation with Palo Alto products is currently weaker than past incidents. An increase in exploitation attempts on Grafana's CVE-2021-43798 vulnerability was also noted, with 110 malicious IPs, mostly from Bangladesh, targeting systems. Administrators are advised to ensure Grafana systems are patched and to block identified malicious IPs, while monitoring logs for path traversal attempts. | Details |
| 2025-10-04 11:17:58 | bleepingcomputer | DATA BREACH | Discord User Data Compromised in Third-Party Breach Incident | Hackers accessed Discord user data by compromising a third-party customer service provider on September 20, impacting users who interacted with Discord's support teams. The breach exposed personally identifiable information, including names, email addresses, and partial payment details, affecting a limited number of users. Attackers demanded a ransom from Discord, indicating a financially motivated breach, with threats to leak the stolen information. Discord responded by isolating the compromised provider, launching an internal investigation, and enlisting a forensic firm and law enforcement for remediation. Exposed data includes sensitive information such as government-issued ID photos and partial billing info, raising significant privacy concerns. The breach could aid in solving crypto-related hacks, as many scammers use Discord, according to Hudson Rock's CTO. The exact number of affected users remains undisclosed, and further details on the third-party provider and access vector are awaited. | Details |
| 2025-10-04 10:42:33 | thehackernews | VULNERABILITIES | Surge in Scanning Activity Targets Palo Alto Networks Login Portals | GreyNoise reported a 500% increase in scanning activity targeting Palo Alto Networks login portals on October 3, 2025, marking the highest level in three months. Approximately 1,300 unique IP addresses participated in the scanning, with 93% classified as suspicious and 7% as malicious, predominantly geolocated in the U.S. The scanning activity shares characteristics with recent Cisco ASA scanning, including regional clustering and tooling overlap, suggesting a coordinated effort. GreyNoise's analysis indicates a dominant TLS fingerprint linked to infrastructure in the Netherlands, affecting both Palo Alto and Cisco ASA login portals. Past patterns suggest that such scanning surges often precede the disclosure of new CVEs, potentially indicating upcoming vulnerabilities in Palo Alto Networks technology. GreyNoise's Early Warning Signals report from July 2025 noted that malicious scanning often leads to new CVE disclosures within six weeks, as seen in recent Cisco ASA incidents. Organizations using Palo Alto Networks are advised to ensure their systems are updated to the latest software versions to mitigate potential threats. | Details |
| 2025-10-03 18:12:16 | thehackernews | MALWARE | Detour Dog Utilizes DNS for Advanced Strela Stealer Malware Campaigns | Infoblox has identified Detour Dog as the operator behind campaigns distributing the Strela Stealer malware, utilizing DNS TXT records for command-and-control communications. The threat actor has been active since at least February 2020, initially focusing on redirecting traffic to scams before evolving to malware distribution. Detour Dog's infrastructure hosts the first stage of the attack using StarFish, a reverse shell that facilitates the deployment of Strela Stealer. The malware is distributed via spam emails originating from botnets like REM Proxy and Tofsee, with Detour Dog's infrastructure playing a key role. DNS-based communications allow the malware to persist undetected by executing remote code on compromised sites, which appear normal 90% of the time. Infoblox, in collaboration with the Shadowserver Foundation, has taken action to sinkhole two of Detour Dog's command-and-control domains, disrupting their operations. The shift to malware distribution suggests financial motivations, with Detour Dog functioning as a distribution-as-a-service provider, complicating threat detection efforts. | Details |
| 2025-10-03 17:16:59 | bleepingcomputer | VULNERABILITIES | Signal Introduces SPQR to Combat Quantum Computing Threats | Signal has launched the Sparse Post-Quantum Ratchet (SPQR) to protect against future quantum computing threats, enhancing its encryption capabilities for up to 100 million users. SPQR ensures forward secrecy and post-compromise security, safeguarding future messages even if current encryption keys are compromised. The new system integrates post-quantum Key-Encapsulation Mechanisms (ML-KEM) and efficient chunking to manage large key sizes without increasing bandwidth. SPQR forms part of Signal's Triple Ratchet system, creating a "mixed key" for heightened security through a Key Derivation Function. Developed with PQShield, AIST, and NYU, SPQR's design is based on research from USENIX 2025 and Eurocrypt 2025, and has been formally verified. Signal's rollout of SPQR will be gradual, requiring users to update their clients, while ensuring backward compatibility during the transition phase. Once fully deployed, SPQR will be enforced across all Signal sessions, marking a significant advancement in protecting communications against quantum threats. | Details |
| 2025-10-03 15:58:50 | thehackernews | MALWARE | Rhadamanthys Stealer Expands Capabilities with Device Fingerprinting and Steganography | Rhadamanthys Stealer, a prominent information-stealing malware, now includes device and browser fingerprinting, enhancing its threat to both personal and corporate data security. The malware is marketed under a malware-as-a-service (MaaS) model, with tiered pricing from $299 to $499 per month, indicating a professional business approach. Recent updates feature steganographic techniques to conceal payloads within PNG files, complicating detection and analysis efforts for cybersecurity teams. The stealer's infrastructure includes sophisticated checks to evade sandbox environments, ensuring its execution only on legitimate targets. Rhadamanthys' evolution includes a Lua runner for additional plugins, allowing for extensive data theft and advanced customization options. The threat actor behind Rhadamanthys has rebranded as "RHAD security" and "Mythical Origin Labs," signaling long-term business intentions. Security analysts are advised to monitor changes in payload delivery methods and update detection tools to address the stealer's evolving obfuscation techniques. | Details |