All news with #ransomware tag

Oracle EBS Targeted by Cl0p Exploiting CVE-2025-61882

🚨 CrowdStrike attributes the exploitation of Oracle E-Business Suite to Graceful Spider, also known as Cl0p, with the first observed compromise on August 9, 2025. The attacks exploit a critical pre-authentication remote code execution flaw, CVE-2025-61882 (CVSS 9.8), enabling authentication bypass and the upload of malicious XSLT templates via Oracle XML Publisher. Successful exploitation leads to outbound connections from the Java web server and remote web shell deployment for data exfiltration and persistence; CISA has added the flaw to its Known Exploited Vulnerabilities catalog and urged agencies to patch immediately.

Critical GoAnywhere MFT Flaw Exploited in Medusa Attacks

⚠️ Microsoft warns that a critical deserialization vulnerability in GoAnywhere MFT (CVE-2025-10035) has been actively exploited by a Medusa ransomware affiliate tracked as Storm-1175 since early September. The License Servlet flaw enables remote compromise without user interaction, allowing attackers to gain initial access and persist via abused RMM tools. Administrators should apply Fortra's patches and inspect logs for SignedObject.getObject stack traces.

Oracle issues emergency patch for EBS zero-day RCE

🔴 Oracle has released an emergency patch addressing a critical zero-day remote code execution flaw, CVE-2025-61882, in the E-Business Suite BI Publisher Integration component. The vulnerability (affecting versions 12.2.3–12.2.14) is rated 9.8 on the CVSS scale and is exploitable remotely without authentication. Cl0p actors are linked to active exploitation and high-value extortion demands; Oracle published IoCs and strongly urges immediate patching and aggressive compromise hunting.

Active Exploitation of GoAnywhere CVE-2025-10035 Observed

🔒 Microsoft Threat Intelligence warns of active exploitation of a critical deserialization vulnerability in GoAnywhere MFT License Servlet (CVE-2025-10035, CVSS 10.0) that can allow forged license responses to trigger arbitrary object deserialization and potential remote code execution. Activity attributed to Storm-1175 included initial access via this flaw, deployment of RMM tools (SimpleHelp, MeshAgent), and at least one Medusa ransomware incident. Customers should upgrade per Fortra guidance, run EDR in block mode, restrict outbound connections, and use the provided Defender detections and IoCs for hunting and response.

Trinity of Chaos Launches TOR Data Leak Site, Exposes Data

🔓 The Trinity of Chaos collective has opened a data leak site on the TOR network, publishing previously undisclosed records tied to past breaches and listing 39 major global firms. Resecurity says the group claims more than 1.5 billion records across 760 companies and has set an October 10 negotiation deadline. Samples reportedly contain substantial PII and appear to stem from compromised SaaS environments via stolen OAuth tokens and vishing; the FBI has issued a flash alert. The group also threatened to leverage existing litigation and regulatory complaints against Salesforce, which has denied new vulnerabilities.

XWorm Backdoor Returns with Ransomware and 35+ Plugins

🛡️ New variants of the XWorm backdoor (6.0, 6.4, 6.5) are being distributed via phishing campaigns after the original author, XCoder, abandoned the project. Multiple operators have adopted these builds, which now support more than 35 plugins enabling data theft, remote control, and a ransomware module that encrypts user files and drops HTML ransom notes. Trellix observed diverse droppers and recommends layered defenses including EDR, email/web protections, and network monitoring.

Ransomware and Phishing Threats Escalate for German SMEs

🔒 German SMEs face a sharp rise in ransomware and data-exfiltration incidents, with leak-site publications more than quadrupling from 2021 to 2024. Authorities report that 80% of analyzed ransomware incidents targeted small and medium-sized enterprises, often using double extortion. Attackers favor targeted phishing—executives receive on average 57 such attempts yearly—and many firms lack adequate defenses amid staffing shortages and overly complex security stacks.

Asahi Confirms Ransomware Attack, Data Exfiltrated

🛡️ Asahi has confirmed a ransomware attack that resulted in an "unauthorized transfer of data" from its servers. The Tokyo-based brewer said it isolated affected systems and established an Emergency Response Headquarters to investigate, working with external cybersecurity experts. Operational impacts in Japan include suspended system-based ordering, shipments and call centers, with partial manual processing underway. The company has not disclosed whether a ransom demand was made.

Oracle issues emergency patch for CVE-2025-61882 exploit

🔒 Oracle has released an emergency update to address CVE-2025-61882, a critical (CVSS 9.8) vulnerability in the E-Business Suite Concurrent Processing component that can be exploited over HTTP without authentication. Oracle warned the flaw may allow remote code execution and issued additional fixes after discovering further potential exploitation vectors. Indicators shared with the advisory point to activity linked to Cl0p and a group associated with Scattered LAPSUS$ Hunters; organizations are urged to apply the patch and hunt for signs of compromise.

Oracle patches critical EBS zero-day used by Clop gang

⚠️ Oracle has released an emergency update addressing CVE-2025-61882, a critical unauthenticated remote code execution flaw in Oracle E-Business Suite (Concurrent Processing / BI Publisher Integration). The vulnerability affects versions 12.2.3–12.2.14 and carries a CVSS base score of 9.8. Customers must first install the October 2023 Critical Patch Update before applying the new fix. Intelligence firms say the Clop extortion gang actively used the bug in August 2025 to steal data.

Ransomware Halts Asahi Production, Japan Faces Shortage

🍺 A ransomware attack has forced Asahi Group Holdings to suspend production at nearly all of its 30 domestic breweries after ordering, delivery and call‑centre systems were disabled. The disruption has prompted the postponement of 12 new product launches and suspension of multiple beverage lines, with retailers warning that popular Asahi Super Dry could run out in days. Asahi reports no evidence so far of personal data leakage while investigations and recovery continue.

Asahi Confirms Ransomware Attack Disrupting Japan Operations

🔒 Asahi Group Holdings has confirmed a ransomware attack caused IT disruptions that forced shutdowns at its Japanese factories and prompted a switch to manual order and shipment processing. The company says investigations found evidence suggesting potential unauthorized data transfer from compromised devices. Asahi has established an Emergency Response Headquarters and is working with external cybersecurity experts; no cybercriminal group has publicly claimed responsibility.

Oracle Links Clop Extortion to July EBS Vulnerabilities

🔒 Oracle said some customers received extortion emails tied to its E-Business Suite and linked the campaign to vulnerabilities patched in the July 2025 Critical Patch Update. While Oracle did not attribute the activity to a specific ransomware group, its investigation found potential use of previously identified EBS flaws, including three that were remotely exploitable. Security firms reported executives began receiving ransom demands on or before September 29, 2025. Oracle urged customers to apply the latest patches and contact support if they need assistance.

Hackers Target Unpatched Oracle E-Business Suite Flaws

⚠️ Oracle has warned customers that attackers may be exploiting unpatched instances of Oracle E-Business Suite, following alerts from the Google Threat Intelligence Group and reports of extortion emails sent to company executives. The vendor’s investigation points to vulnerabilities addressed in the July 2025 Critical Patch Update, and it urges organizations to apply those fixes immediately. The July update fixed nine EBS flaws, including three critical issues and several that can be exploited remotely without authentication, raising urgent remediation priorities for affected deployments. Security teams should verify patch status, hunt for indicators of compromise, and validate account integrity.

Manufacturing Under Fire: Strengthening Cyber Defenses

🔒 Manufacturers face growing, targeted cyber threats driven by legacy OT, complex supply chains, and high-value IP. Attackers increasingly use credential theft, social engineering and sophisticated malware to achieve prolonged access, data theft and ransomware extortion that can halt production and ripple across partners. Building resilience with MFA, prompt patching and continuous detection such as MDR — offering 24/7 threat monitoring, expert hunting and rapid containment — reduces downtime and strengthens supply chain security while aligning with Zero Trust principles.

Cl0p-linked Extortion Targets Oracle E-Business Suite

🔒 Researchers at Halcyon, Google, and Mandiant report an extortion campaign attributed to actors likely affiliated with the Cl0p gang, targeting Oracle E‑Business Suite (EBS) via exposed local login pages. Attackers allegedly abused the AppsLocalLogin.jsp password‑reset workflow to obtain local credentials that bypass SSO and often lack MFA, then sent executive extortion demands with proof samples. Demands range into seven and eight figures, reportedly up to $50 million; defenders are advised to restrict public EBS access, enforce MFA, and review logs immediately.

US Government Shutdown Threatens Federal Cybersecurity

⚠️ The US government shutdown will sharply reduce federal cybersecurity capacity, with CISA set to furlough approximately 1,651 of its 2,540 staff (about 65%), leaving only 889 employees, and NIST estimated to retain roughly 34% of its workforce. Core functions such as vulnerability management, guidance, the CVE program and website operations will be curtailed until appropriations resume. The pause raises immediate operational risks, complicates incident response and increases opportunities for threat actors and fraud.

Extortion Emails Target Executives Claiming Clop Ties

📧 An individual or group claiming to work with the Clop ransomware gang has been sending extortion emails to executives at multiple organizations since September 29, according to Google. Researchers at Mandiant and the Google Threat Intelligence Group are investigating and report a high-volume campaign launched from hundreds of compromised accounts, with at least one account previously linked to FIN11. The messages include contact information that matches addresses on the Clop data leak site, suggesting the actor may be leveraging Clop's brand; however, investigators emphasize this does not prove direct Clop involvement and advise targeted organizations to search for indicators of compromise.

ThreatsDay Bulletin: Exploits Target Cars, Cloud, Browsers

🔔 From unpatched vehicles to hijacked clouds, this ThreatsDay bulletin outlines active threats and defensive moves across endpoints, cloud, browsers, and vehicles. Observers reported internet-wide scans exploiting PAN-OS GlobalProtect (CVE-2024-3400) and campaigns that use weak MS‑SQL credentials to deploy XiebroC2 for persistent access. New AirBorne CarPlay/iAP2 flaws can chain to take over Apple CarPlay in some cases without user interaction, while attackers quietly poison browser preferences to sideload malicious extensions. On defence, Google announced AI-driven ransomware detection for Drive and Microsoft plans an Edge revocation feature to curb sideloaded threats.

Google, Mandiant Probe Extortion Claims Targeting Oracle EBS

📧 Google Mandiant and the Google Threat Intelligence Group report a new high-volume extortion campaign that claims stolen data from Oracle E-Business Suite. The operation began on or before September 29, 2025, uses hundreds of compromised accounts, and includes contact addresses verified on the Cl0p data leak site. Mandiant notes at least one sending account has ties to FIN11, a TA505 subset. Investigations are ongoing and organizations are urged to inspect for compromise.