All news with #active exploitation tag
Wed, October 8, 2025
Nezha Agent Linked to New Web Application Compromises
🔍 Huntress analysts uncovered a sophisticated campaign beginning in August 2025 that used log poisoning to plant a PHP web shell and then manage compromised servers via AntSword. The operators downloaded a file named 'live.exe' — identified as the open-source Nezha agent — which connected to a command server at c.mid[.]al and enabled remote tasking. Nezha was used to execute PowerShell commands to disable Windows Defender and to deploy 'x.exe', a Ghost RAT variant that persisted as 'SQLlite'. More than 100 systems, primarily in Taiwan, Japan, South Korea and Hong Kong, were observed communicating with the attackers' dashboard.
Wed, October 8, 2025
JLR Cyber-Attack Drives 25% Decline in Q2 Volume Sales
🔒 Jaguar Land Rover has reported a 25% drop in volume sales in the three months to 30 September after a cyber incident severely disrupted production and sales. Wholesales in Q2 FY2026 were 66,165 units, down 24.2% year-on-year, while retail sales fell 17.1%. The company began a controlled, phased restart of UK manufacturing from 8 October and launched a supplier financing scheme to ease cashflow during the restart.
Tue, October 7, 2025
Oracle EBS Zero-Day Exploited by Clop Since August
🔒 CrowdStrike reports the Clop ransomware gang has been exploiting an Oracle E-Business Suite zero-day, CVE-2025-61882, since early August to steal sensitive documents. The flaw resides in the BI Publisher Integration of Concurrent Processing and allows unauthenticated remote code execution via a single HTTP request. Oracle issued a patch and warned customers to apply updates immediately as extortion emails tied to stolen EBS data are being circulated.
Tue, October 7, 2025
Qilin Claims Responsibility for Asahi Cyber Attack
🔒 The Qilin ransomware group has claimed responsibility for a cyber-attack on Japan's Asahi Group, asserting it exfiltrated about 27 GB of files containing employee personal data and sensitive business documents. Consumer site Comparitech reported the data appearing on Qilin's leak site on October 7, and Asahi has confirmed an earlier ransomware incident involving an 'unauthorized transfer of data'. The breach disrupted order, shipment and call-centre operations as the brewer implemented manual processes while investigating.
Tue, October 7, 2025
NCSC Urges Patch for Critical Oracle E-Business Bug
🔔 The UK's National Cyber Security Centre has urged Oracle E-Business Suite customers to apply an emergency update for CVE-2025-61882, a critical unauthenticated remote code execution vulnerability in the BI Publisher Integration component affecting EBS 12.2.3–12.2.14. Security firm Mandiant reports the Clop ransomware group exploited the bug as a zero-day in August, and the exploit has since been leaked, raising the risk of wider attacks. The NCSC and Rapid7 recommend immediate compromise assessments using Oracle's IoCs, contacting Oracle PSIRT and the NCSC if compromise is suspected, installing the latest EBS update (with the October 2023 CPU applied first), and reducing internet exposure of EBS instances.
Tue, October 7, 2025
Microsoft Links Storm-1175 to GoAnywhere Flaw, Medusa
🔒 Microsoft attributed active exploitation of a critical Fortra GoAnywhere vulnerability (CVE-2025-10035, CVSS 10.0) to the cybercriminal group Storm-1175, which has been observed deploying Medusa ransomware. The flaw is a deserialization bug that can permit unauthenticated command injection when a forged license response signature is accepted. Fortra released fixes in GoAnywhere 7.8.4 and Sustain Release 7.6.3; organizations should apply updates immediately and hunt for indicators such as dropped RMM tools, .jsp web shells, Cloudflare tunnels and Rclone usage.
Mon, October 6, 2025
Critical GoAnywhere MFT Flaw Exploited in Medusa Attacks
⚠️ Microsoft warns that a critical deserialization vulnerability in GoAnywhere MFT (CVE-2025-10035) has been actively exploited by a Medusa ransomware affiliate tracked as Storm-1175 since early September. The License Servlet flaw enables remote compromise without user interaction, allowing attackers to gain initial access and persist via abused RMM tools. Administrators should apply Fortra's patches and inspect logs for SignedObject.getObject stack traces.
Mon, October 6, 2025
Cl0p Exploits Critical Oracle E-Business Suite Flaw
🔒 Oracle released an emergency patch to address a critical unauthenticated vulnerability in E-Business Suite (CVE-2025-61882) with a CVSS score of 9.8. The flaw allows remote code execution against the Oracle concurrent processing component over HTTP and has been actively exploited by the Cl0p group in large-scale data theft. Security firms report mass email-based distribution from hundreds of compromised accounts and recommend immediate patching and forensic checks for listed IoCs and suspicious GET/POST activity.
Mon, October 6, 2025
Weekly Cyber Recap: Oracle 0-Day, BitLocker Bypass
🛡️ Threat actors tied to Cl0p exploited a critical Oracle E-Business Suite zero-day (CVE-2025-61882, CVSS 9.8) to steal large volumes of data, with multiple flaws abused across patched and unpatched systems. The week also spotlights a new espionage actor, Phantom Taurus, plus diverse campaigns from WordPress-based loaders to self-spreading WhatsApp malware. Prioritize patching, strengthen pre-boot authentication for BitLocker, and increase monitoring for the indicators associated with these campaigns.
Mon, October 6, 2025
Mass Exploitation of Oracle E-Business Suite Zero-Day
🔒 CrowdStrike is tracking a mass exploitation campaign abusing a novel zero-day, CVE-2025-61882, against Oracle E-Business Suite (EBS) that enables unauthenticated remote code execution and data exfiltration. First observed on 2025-08-09, activity accelerated after a proof-of-concept surfaced on 2025-10-03 and Oracle released an advisory with IOCs on 2025-10-04. CrowdStrike assesses likely involvement by the actor tracked as GRACEFUL SPIDER (moderate confidence) while acknowledging multiple actors may be exploiting internet-exposed EBS instances; detection and mitigation guidance and Falcon tooling are provided to help defenders.
Mon, October 6, 2025
Oracle issues emergency patch for CVE-2025-61882 exploit
🔒 Oracle has released an emergency update to address CVE-2025-61882, a critical (CVSS 9.8) vulnerability in the E-Business Suite Concurrent Processing component that can be exploited over HTTP without authentication. Oracle warned the flaw may allow remote code execution and issued additional fixes after discovering further potential exploitation vectors. Indicators shared with the advisory point to activity linked to Cl0p and a group associated with Scattered LAPSUS$ Hunters; organizations are urged to apply the patch and hunt for signs of compromise.
Mon, October 6, 2025
Oracle patches critical EBS zero-day used by Clop gang
⚠️ Oracle has released an emergency update addressing CVE-2025-61882, a critical unauthenticated remote code execution flaw in Oracle E-Business Suite (Concurrent Processing / BI Publisher Integration). The vulnerability affects versions 12.2.3–12.2.14 and carries a CVSS base score of 9.8. Customers must first install the October 2023 Critical Patch Update before applying the new fix. Intelligence firms say the Clop extortion gang actively used the bug in August 2025 to steal data.
Sun, October 5, 2025
Zero-day XSS in Zimbra abused via malicious .ICS files
📅 Researchers found a zero-day XSS in Zimbra Collaboration Suite exploited through malicious .ICS (iCalendar) attachments that delivered obfuscated JavaScript. The vulnerability, tracked as CVE-2025-27915, affects ZCS 9.0, 10.0 and 10.1 and was patched by Zimbra on January 27 with releases ZCS 9.0.0 P44, 10.0.13 and 10.1.5. StrikeReady determined attacks began in early January and involved a spoofed Libyan Navy email targeting a Brazilian military organization. The injected script is capable of stealing credentials, emails, contacts and shared folders, manipulating filters to forward mail, and using the Zimbra SOAP API to exfiltrate data.
Fri, October 3, 2025
Hackers Target Unpatched Oracle E-Business Suite Flaws
⚠️ Oracle has warned customers that attackers may be exploiting unpatched instances of Oracle E-Business Suite, following alerts from the Google Threat Intelligence Group and reports of extortion emails sent to company executives. The vendor’s investigation points to vulnerabilities addressed in the July 2025 Critical Patch Update, and it urges organizations to apply those fixes immediately. The July update fixed nine EBS flaws, including three critical issues and several that can be exploited remotely without authentication, raising urgent remediation priorities for affected deployments. Security teams should verify patch status, hunt for indicators of compromise, and validate account integrity.
Fri, October 3, 2025
Cavalry Werewolf Targets Russian Public Sector with RATs
🚨 BI.ZONE warns of a campaign dubbed Cavalry Werewolf that has targeted Russian state agencies and critical industrial sectors using FoalShell and StallionRAT. Attackers used spear-phishing with spoofed Kyrgyz government emails and RAR attachments to deploy lightweight reverse shells and a RAT that exfiltrates data via a Telegram bot. Observed tooling and Telegram commands indicate organized post-compromise operations and use of SOCKS proxies for lateral movement. BI.ZONE links the activity to groups including Tomiris and YoroTrooper, suggesting possible Kazakhstan ties.
Fri, October 3, 2025
CISA Adds Meteobridge Command Injection CVE-2025-4008
⚠️ CISA has added a high-severity command injection flaw, CVE-2025-4008, affecting Smartbedded Meteobridge to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The vulnerability allows unauthenticated remote attackers to execute arbitrary commands as root via a vulnerable /cgi-bin/template.cgi endpoint that improperly uses eval calls. ONEKEY reported the issue and Meteobridge issued a fix in version 6.2 on May 13, 2025.
Fri, October 3, 2025
Cl0p-linked Extortion Targets Oracle E-Business Suite
🔒 Researchers at Halcyon, Google, and Mandiant report an extortion campaign attributed to actors likely affiliated with the Cl0p gang, targeting Oracle E-Business Suite (EBS) via exposed local login pages. Attackers allegedly abused the AppsLocalLogin.jsp password-reset workflow to obtain local credentials that bypass SSO and often lack MFA, then sent executive extortion demands with proof samples. Demands range into seven and eight figures, reportedly up to $50 million; defenders are advised to restrict public EBS access, enforce MFA, and review logs immediately.
Thu, October 2, 2025
Chinese-speaking Group UAT-8099 Targets IIS Servers
🔐 Cisco Talos recently disclosed activity by a Chinese-speaking cybercrime group tracked as UAT-8099 that compromises legitimate Internet Information Services (IIS) web servers across several countries. The actors use automation, custom malware and persistence techniques to manipulate search results for profit and to exfiltrate sensitive data such as credentials and certificates. Talos notes the group maintains long-term access and actively protects compromised hosts from rival attackers. Organizations should hunt for signs of BadIIS, unauthorized web shells and anomalous RDP/VPN activity and share IOCs promptly.
Thu, October 2, 2025
CISA Adds Five Vulnerabilities to KEV Catalog — Oct 2025
🔔 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after observing evidence of active exploitation. The additions are CVE-2014-6278 (GNU Bash), CVE-2015-7755 (Juniper ScreenOS), CVE-2017-1000353 (Jenkins), CVE-2025-4008 (Smartbedded Meteobridge), and CVE-2025-21043 (Samsung mobile). Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged CVEs by their due dates; CISA urges all organizations to prioritize timely mitigation and patching.
Wed, October 1, 2025
Credential ZIP Lures Use Malicious LNKs to Deploy DLLs
📎 BlackPoint researchers tracked a campaign that distributes credential-themed ZIP archives containing malicious Windows shortcut (.lnk) files. When opened, the shortcuts launch minimized, obfuscated PowerShell that downloads DLL payloads disguised as .ppt files, saves them to the user profile and invokes them via rundll32.exe. The dropper assembles commands from byte arrays, probes for antivirus processes and uses quiet flags to minimize visible indicators. Recommended mitigations include blocking LNKs in archives, enforcing Mark of the Web, denying execution from user-writable locations, and enabling PowerShell script block logging and AMSI.