Hello, stay ahead with CISO Brief 🚀


Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.


Cybersecurity News Digest — Daily Briefings

Latest News


Tue, October 7, 2025

Why CISO Tenures Are Shortening and What It Means?

🔁 CISO tenures now often last only 18–36 months, driven by burnout, startup pace, and escalating liability concerns. The role demands constant readiness for breaches, extensive cross‑functional communication, and navigation of company politics, which many find unsustainable long term. Larger enterprises typically retain CISOs longer thanks to scale and resources. As a result, some leaders pursue fractional roles, vendor careers, or advisory positions while organizations push for clearer standards and better board-level alignment.


Tue, October 7, 2025

Oracle EBS Targeted by Cl0p Exploiting CVE-2025-61882

🚨 CrowdStrike attributes the exploitation of Oracle E-Business Suite to Graceful Spider, also known as Cl0p, with the first observed compromise on August 9, 2025. The attacks exploit a critical pre-authentication remote code execution flaw, CVE-2025-61882 (CVSS 9.8), enabling authentication bypass and the upload of malicious XSLT templates via Oracle XML Publisher. Successful exploitation leads to outbound connections from the Java web server and remote web shell deployment for data exfiltration and persistence; CISA has added the flaw to its Known Exploited Vulnerabilities catalog and urged agencies to patch immediately.


Mon, October 6, 2025

ShinyHunters Joins Extortion Effort After Red Hat Breach

🔐 Red Hat is facing renewed extortion after a breach of its GitLab instance used by Red Hat Consulting was claimed to have exposed nearly 570GB of compressed data across thousands of repositories, including about 800 Customer Engagement Reports (CERs). The Crimson Collective initially claimed the theft and says it received no ransom response. The group announced a collaboration with Scattered Lapsus$ Hunters and has used the newly launched ShinyHunters leak site to press extortion demands, publishing CER samples and setting an October 10 deadline. Red Hat did not respond to inquiries.


Mon, October 6, 2025

Inside Microsoft Threat Intelligence: Calm in Chaos

🔎 Microsoft’s Incident Response (IR) team emphasizes calm, clarity, and rapid action when customers encounter major breaches. Adrian Hill explains how IR establishes trust within the first 30 seconds and coordinates with other vendors and stakeholders to stabilize compromised environments. Field discoveries are fed back into Microsoft Threat Intelligence, enabling new detections and product protections. Follow-up recovery, containment, and strategic guidance turn response into lasting partnership.


Mon, October 6, 2025

Critical GoAnywhere MFT Flaw Exploited in Medusa Attacks

⚠️ Microsoft warns that a critical deserialization vulnerability in GoAnywhere MFT (CVE-2025-10035) has been actively exploited by a Medusa ransomware affiliate tracked as Storm-1175 since early September. The License Servlet flaw enables remote compromise without user interaction, allowing attackers to gain initial access and persist via abused RMM tools. Administrators should apply Fortra's patches and inspect logs for SignedObject.getObject stack traces.


Mon, October 6, 2025

Azure AI Foundry Brings Multimodal OpenAI Models at Scale

🚀 Azure AI Foundry now integrates new OpenAI models—GPT-image-1-mini, GPT-realtime-mini, and GPT-audio-mini—alongside safety upgrades to GPT-5. The rollout, with most customers able to get started on October 7, 2025, targets efficient, low-latency multimodal workloads for developers and enterprises. Microsoft also highlighted the open-source Microsoft Agent Framework, multi-agent workflows, unified observability, Voice Live API GA, and Responsible AI enhancements to accelerate production-grade agentic solutions.


Mon, October 6, 2025

Oracle issues emergency patch for EBS zero-day RCE

🔴 Oracle has released an emergency patch addressing a critical zero-day remote code execution flaw, CVE-2025-61882, in the E-Business Suite BI Publisher Integration component. The vulnerability (affecting versions 12.2.3–12.2.14) is rated 9.8 on the CVSS scale and is exploitable remotely without authentication. Cl0p actors are linked to active exploitation and high-value extortion demands; Oracle published IoCs and strongly urges immediate patching and aggressive compromise hunting.


Mon, October 6, 2025

Microsoft bug: Multiple Office apps break Copilot pane

🔧 Microsoft is investigating a bug that prevents the Copilot pane and other WebView2-dependent features from launching when multiple Office applications (Excel, Word, PowerPoint, OneNote, Publisher, Access) run concurrently. The issue occurs when one app initializes a WebView2 instance and a second app attempts to start another; closing the first app allows the pane to open normally. The Office team is working on a resolution and will provide updates when available.


Mon, October 6, 2025

Zeroday Cloud contest: $4.5M bounties for cloud tools

🔐 Zeroday Cloud is a new hacking competition focused on open-source cloud and AI tools, offering a $4.5 million bug bounty pool. Hosted by Wiz Research with Google Cloud, AWS, and Microsoft, it takes place December 10–11 at Black Hat Europe in London. The contest features six categories covering AI, Kubernetes, containers, web servers, databases, and DevOps, with bounties ranging from $10,000 to $300,000. Participants must deliver complete compromises and register via HackerOne.


Mon, October 6, 2025

Active Exploitation of GoAnywhere CVE-2025-10035 Observed

🔒 Microsoft Threat Intelligence warns of active exploitation of a critical deserialization vulnerability in GoAnywhere MFT License Servlet (CVE-2025-10035, CVSS 10.0) that can allow forged license responses to trigger arbitrary object deserialization and potential remote code execution. Activity attributed to Storm-1175 included initial access via this flaw, deployment of RMM tools (SimpleHelp, MeshAgent), and at least one Medusa ransomware incident. Customers should upgrade per Fortra guidance, run EDR in block mode, restrict outbound connections, and use the provided Defender detections and IoCs for hunting and response.


Mon, October 6, 2025

Amazon EKS and EKS Distro Add Kubernetes 1.34 Support

🚀 AWS announced that Amazon EKS and EKS Distro now support Kubernetes version 1.34. Starting today, you can create new clusters or upgrade existing clusters via the EKS console, eksctl, or infrastructure-as-code tools, with EKS Distro images available in ECR Public Gallery and GitHub. Kubernetes 1.34 introduces projected service account tokens for kubelet image credential providers, Pod-level resource requests and limits for simpler multi-container resource management, and Dynamic Resource Allocation prioritized alternatives to improve device scheduling and workload placement. AWS recommends using EKS Cluster Insights and consulting EKS version lifecycle guidance before upgrading.


Mon, October 6, 2025

ChatGPT Pulse Heading to Web; Pro-only for Now, Plus TBD

🤖 ChatGPT Pulse is being prepared for the web after a mobile rollout that began on September 25, but OpenAI currently restricts the feature to its $200 Pro subscription. Pulse provides personalized daily updates presented as visual cards, drawing on your chats, feedback and connected apps such as calendars. OpenAI says it will learn from early usage before expanding availability and has given no firm timeline for Plus or free-tier rollout.


Mon, October 6, 2025

Cl0p Exploits Critical Oracle E-Business Suite Flaw

🔒 Oracle released an emergency patch to address a critical unauthenticated vulnerability in E-Business Suite (CVE-2025-61882) with a CVSS score of 9.8. The flaw allows remote code execution against the Oracle concurrent processing component over HTTP and has been actively exploited by the Cl0p group in large-scale data theft. Security firms report mass email-based distribution from hundreds of compromised accounts and recommend immediate patching and forensic checks for listed IoCs and suspicious GET/POST activity.


Mon, October 6, 2025

OpenAI Tests ChatGPT-Powered Agent Builder Tool Preview

🧭 OpenAI is testing a visual Agent Builder that lets users assemble ChatGPT-powered agents by dropping and connecting node blocks in a flowchart. Templates like Customer service, Data enrichment, and Document comparison provide editable starting points, while users can also create flows from scratch. Agents are configurable with model choice, custom prompts, reasoning effort, and output format (text or JSON), and they can call tools and external services. Reported screenshots show support for MCP connectors such as Gmail, Calendar, Drive, Outlook, SharePoint, Teams, and Dropbox; OpenAI plans to share more details at DevDay.


Mon, October 6, 2025

Cost-Saving Strategies When Migrating to Google Cloud

💡 Google Cloud presents practical strategies to lower Compute Engine and block storage costs during migration and modernization. The article recommends adopting latest-generation VMs and specialized instance families, right-sizing or using custom machine types, and tuning storage with Hyperdisk and storage pools to align capacity and performance. It also emphasizes financial levers—committed use discounts, Spot VMs, autoscaling, and recommender-driven actions—to reduce spend while preserving performance.


Mon, October 6, 2025

Redis warns of critical Lua RCE flaw in many instances

🔒 The Redis security team has released patches for CVE-2025-49844, a maximum-severity use-after-free in the bundled Lua interpreter that can enable remote code execution when an attacker supplies a specially crafted Lua script. Wiz researchers, who disclosed the issue at Pwn2Own Berlin and dubbed it RediShell, found approximately 330,000 Redis instances exposed online and at least 60,000 requiring no authentication. Administrators should apply the published fixes (for example, 7.22.2-12 and later; OSS/CE/Stack variants also updated) immediately and implement mitigations such as enabling authentication, disabling Lua scripting where possible, running Redis as a non-root user, and restricting network access.


Mon, October 6, 2025

Europol Urges Stronger EU Data Laws to Aid Investigations

🔐 At Europol’s 4th Annual Cybercrime Conference in The Hague, officials warned that criminals are exploiting encryption, anonymization and emerging technologies faster than law enforcement and regulators can adapt. Speakers including Europol executive director Catherine De Bolle and European commissioner Magnus Brunner urged stronger cooperation, updated laws and enhanced cross-border data-sharing to ensure lawful access to digital evidence while respecting privacy.


Mon, October 6, 2025

Trinity of Chaos Launches TOR Data Leak Site, Exposes Data

🔓 The Trinity of Chaos collective has opened a data leak site on the TOR network, publishing previously undisclosed records tied to past breaches and listing 39 major global firms. Resecurity says the group claims more than 1.5 billion records across 760 companies and has set an October 10 negotiation deadline. Samples reportedly contain substantial PII and appear to stem from compromised SaaS environments via stolen OAuth tokens and vishing; the FBI has issued a flash alert. The group also threatened to leverage existing litigation and regulatory complaints against Salesforce, which has denied new vulnerabilities.
