Vulnerabilities
- Oracle Patches EBS Zero-Day Exploited In Clop Data Theft Attacks
"Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks. The flaw is within the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration) and has a CVSS base score of 9.8, due to its lack of authentication and ease of exploitation. "This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite," reads a new Oracle advisory."
https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
https://thehackernews.com/2025/10/oracle-rushes-patch-for-cve-2025-61882.html
https://www.darkreading.com/application-security/clop-ransomware-oracle-customers-zero-day-flaw
https://therecord.media/fbi-uk-urge-orgs-to-patch-after-clop-campaign
https://www.securityweek.com/oracle-e-business-suite-zero-day-exploited-in-cl0p-attacks/
https://www.theregister.com/2025/10/06/clop_oracle_ebs_zeroday/
https://www.helpnetsecurity.com/2025/10/06/cl0p-oracle-data-theft-extortion-cve-2025-61882/
https://cyberscoop.com/oracle-zero-day-clop/
https://securityaffairs.com/183029/security/oracle-patches-critical-e-business-suite-flaw-exploited-by-cl0p-hackers.html - Redis Warns Of Critical Flaw Impacting Thousands Of Instances
"The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances. Redis (short for Remote Dictionary Server) is an open-source data structure store used in approximately 75% of cloud environments, functioning like a database, cache, and message broker, and storing data in RAM for ultra-fast access. The security flaw (tracked as CVE-2025-49844) is caused by a 13-year-old use-after-free weakness found in the Redis source code and can be exploited by authenticated threat actors using a specially crafted Lua script (a feature enabled by default)."
https://www.bleepingcomputer.com/news/security/redis-warns-of-max-severity-flaw-impacting-thousands-of-instances/ - It's Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604)
"Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive. Today, we’re walking down the garden path and digging into the archives, publishing our analysis of a vulnerability we discovered and disclosed to Dell in March 2025 within their UnityVSA solution. As part of our continued enhancement of our Preemptive Exposure Management technology within the watchTowr Platform, we perform zero-day vulnerability research in technology that we see across the attack surfaces of organisations leveraging the watchTowr Platform. This enables proactive defence for our clients and provides forward visibility of vulnerabilities while we liaise with vendors and projects for suitable fixes."
https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604/
https://hackread.com/dell-unityvsa-flaw-command-execution-without-login/ - CVE-2025-59489: Arbitrary Code Execution In Unity Runtime
"Hello, I’m RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc In May 2025, I participated in the Meta Bug Bounty Researcher Conference 2025. During this event, I discovered a vulnerability (CVE-2025-59489) in the Unity Runtime that affects games and applications built on Unity 2017.1 and later. In this article, I will explain the technical aspects of this vulnerability and its impact. This vulnerability was disclosed to Unity following responsible disclosure practices."
https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/
https://therecord.media/unity-game-engine-vulnerability-android-windows-linux-macos
https://www.bleepingcomputer.com/news/security/steam-and-microsoft-warn-of-unity-flaw-exposing-gamers-to-attacks/
https://www.securityweek.com/microsoft-and-steam-take-action-as-unity-vulnerability-puts-games-at-risk/ - CISA Adds Seven Known Exploited Vulnerabilities To Catalog
"CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2010-3765 Mozilla Multiple Products Remote Code Execution Vulnerability
CVE-2010-3962 Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
CVE-2011-3402 Microsoft Windows Remote Code Execution Vulnerability
CVE-2013-3918 Microsoft Windows Out-of-Bounds Write Vulnerability
CVE-2021-22555 Linux Kernel Heap Out-of-Bounds Write Vulnerability
CVE-2021-43226 Microsoft Windows Privilege Escalation Vulnerability
CVE-2025-61882 Oracle E-Business Suite Unspecified Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/10/06/cisa-adds-seven-known-exploited-vulnerabilities-catalog
Malware
- XWorm’s Evolving Infection Chain: From Predictable To Deceptive
"A sophisticated and evolving prevalent XWorm backdoor campaign has recently been identified by the Trellix Advanced Research Center, marking a significant strategic shift in the malware's deployment. Previously, XWorm campaigns often relied on more predictable and somewhat discernible distribution mechanisms. However, the current campaign reveals a deliberate move towards more deceptive and intricate methods, designed to evade detection and increase the success rate of the malware."
https://www.trellix.com/blogs/research/xworms-evolving-infection-chain-from-predictable-to-deceptive/
https://www.bleepingcomputer.com/news/security/xworm-malware-resurfaces-with-ransomware-module-over-35-plugins/ - How We Trained An ML Model To Detect DLL Hijacking
"DLL hijacking is a common technique in which attackers replace a library called by a legitimate process with a malicious one. It is used by both creators of mass-impact malware, like stealers and banking Trojans, and by APT and cybercrime groups behind targeted attacks. In recent years, the number of DLL hijacking attacks has grown significantly."
https://securelist.com/building-ml-model-to-detect-dll-hijacking/117565/ - Detecting DLL Hijacking With Machine Learning: Real-World Cases
"Our colleagues from the AI expertise center recently developed a machine-learning model that detects DLL-hijacking attacks. We then integrated this model into the Kaspersky Unified Monitoring and Analysis Platform SIEM system. In a separate article, our colleagues shared how the model had been created and what success they had achieved in lab environments. Here, we focus on how it operates within Kaspersky SIEM, the preparation steps taken before its release, and some real-world incidents it has already helped us uncover."
https://securelist.com/detecting-dll-hijacking-with-machine-learning-in-kaspersky-siem/117567/ - Investigating Active Exploitation Of CVE-2025-10035 GoAnywhere Managed File Transfer Vulnerability
"On September 18, 2025, Fortra published a security advisory regarding a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet, which is tracked as CVE-2025-10035 and has a CVSS score of 10.0. The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE). A cybercriminal group tracked by Microsoft Threat Intelligence as Storm-1175, known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the vulnerability."
https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
https://www.bleepingcomputer.com/news/security/microsoft-critical-goanywhere-bug-exploited-in-ransomware-attacks/
https://therecord.media/medusa-ransomware-exploited-file-transfer - Phishers Target 1Password Users With Convincing Fake Breach Alert
"In a very recent and well-targeted phishing attempt, scammers tried to get hold of the 1Password credentials belonging to a Malwarebytes’ employee. Stealing someone’s 1Password login would be like hitting the jackpot for cybercriminals, because they potentially export all the saved logins the target stored in the password manager. The phishing email looked like this:"
https://www.malwarebytes.com/blog/news/2025/10/phishers-target-1password-users-with-convincing-fake-breach-alert - BIETA: A Technology Enablement Front For China's MSS
"The Beijing Institute of Electronics Technology and Application (BIETA), a communications technology and information security research organization previously unexplored in public reporting, is almost certainly affiliated with China’s principal civilian intelligence service, the Ministry of State Security (MSS). Based on publicly available sources, it is very likely led by the MSS and likely a public front for the MSS First Research Institute. BIETA and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), research, develop, import, and sell technologies that almost certainly support intelligence, counterintelligence, military, and other missions relevant to China’s national development and security. Their activities include researching methods of steganography that can likely support covert communications (COVCOM) and malware deployment; developing and selling forensic investigation and counterintelligence equipment; and acquiring foreign technologies for steganography, network penetration testing, and military communications and planning."
https://www.recordedfuture.com/research/bieta-technology-enablement-front-for-chinas-mss
https://thehackernews.com/2025/10/new-report-links-research-firms-bieta.html
https://www.darkreading.com/threat-intelligence/chinese-govt-fronts-cyber-tech - CN APT Targets Serbian Government
"Last week, a targeted spearphish was sent to a governmental department in Serbia related to aviation. Upon further pivoting, we found similar activity at other European nations from the same threat actor. A core infosec truth, often overlooked, is that only CN threat actors leverage the sogu/plugx/korplug toolset for live intrusions, with rare exceptions of red teams/researchers playing around with builders on VT. Occasionally, an outlier motivation is financial, but the vast majority of the time it is espionage. These linkages have been reliable for over a decade."
https://strikeready.com/blog/cn-apt-targets-serbian-government/
https://therecord.media/suspected-chinese-spies-serbia - Scattered Lapsus$ Hunters Offering $10 In Bitcoin To 'endlessly Harass' Execs
"Scattered Lapsus$ Hunters has launched an unusual crowdsourced extortion scheme, offering $10 in Bitcoin to anyone willing to help pressure their alleged victims into paying ransoms. The cybercrime collective is encouraging followers to email senior executives at organizations it claims to have breached, urging them to pay up and avoid publicity about the group's new data leak site. Those who contact executives through personal email accounts will receive higher rewards, and participants who perform "an exceptionally well job" [sic] may be considered for "a much larger sum," according to the group's announcement."
https://www.theregister.com/2025/10/06/scattered_lapsus_bitcoin_reward/ - FlipSwitch: a Novel Syscall Hooking Technique
"Syscall hooking, particularly by overwriting pointers to syscall handlers, has been a cornerstone of Linux rootkits like Diamorphine and PUMAKIT, enabling them to hide their presence and control the flow of information. While other hooking mechanisms exist, such as ftrace and eBPF, each has its own pros and cons, and most have some form of limitation. Function pointer overwrites remain the most effective and simple way of hooking syscalls in the kernel."
https://www.elastic.co/security-labs/flipswitch-linux-rootkit - TamperedChef: Malvertising To Credential Theft
"TamperedChef is a sophisticated malware campaign that leveraged a convincing advertising campaign strategy and a fully functional decoy application to target European organizations. Disguised as a legitimate application such as a PDF editor, the malware operated with expected functionality for nearly two months before activating its payload to harvest browser credentials, impacting a significant number of systems. This campaign demonstrates how even well-defined organizations can be compromised by convincing, legitimate-looking software. The consequences are severe: credential theft, potential backdoor access, and the need for full remediation. Organizations must act quickly to identify and remove this threat."
https://labs.withsecure.com/publications/tamperedchef - The Exploitation Of Legitimate Remote Access Tools In Modern Ransomware Campaigns
"Ransomware is one of the most disruptive cyber threats, encrypting critical organizational data and demanding ransom payments for restoration. While early campaigns relied on mass phishing or opportunistic malware distribution, modern ransomware operations have evolved into highly sophisticated, targeted attacks. Today’s adversaries not only infect machines but also move laterally across networks, harvest credentials, neutralize defences, and maintain persistent control—all while remaining stealthy and evading detection."
https://www.seqrite.com/blog/exploiting-legitimate-remote-access-tools-in-ransomware-campaigns/ - Beware Of Threats Lurking In Booby-Trapped PDF Files
"PDF files have become a staple of our daily digital lives, both at work and at home. They work seamlessly across operating systems and devices, and they couldn’t be easier to create and share. Every day, countless PDF (Portable Document Format) files are exchanged across inboxes and messaging platforms, and chances are, you’ve opened one today without a second thought. However, this all is also partly what makes PDFs the perfect disguise for all manner of threats. At first glance, PDF files seem about as benign as digital files get. To the naked eye, a malware-laced PDF or, indeed, another file type spreading under the guise of a PDF doesn’t necessarily look much different from an ordinary invoice, resume or government form."
https://www.welivesecurity.com/en/malware/threats-lurking-pdf-files/
Breaches/Hacks/Leaks
- Data Breach At Doctors Imaging Group Impacts 171,000 People
"Doctors Imaging Group, a radiology practice with locations in Palatka and Gainesville, Florida, is informing customers about a data breach that occurred nearly one year ago. According to a data breach notice posted on its website, hackers had access to Doctors Imaging Group’s network between November 5 and November 11, 2024. The attackers copied some files from compromised systems and the organization has been working on determining what type of information was stolen and who is impacted."
https://www.securityweek.com/data-breach-at-doctors-imaging-group-impacts-171000-people/ - Red Hat Data Breach Escalates As ShinyHunters Joins Extortion
"Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site. News of the Red Hat data breach broke last week when a hacking group known as the Crimson Collective claimed to have stolen nearly 570GB of compressed data across 28,000 internal development repositories. This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer's network, infrastructure, and platforms."
https://www.bleepingcomputer.com/news/security/red-hat-data-breach-escalates-as-shinyhunters-joins-extortion/ - I Called American Income Life Insurance To Alert Them To a Data Breach Involving 150,000 Customers. Here’s Why They Didn’t Find Out.
"Paging the Federal Trade Commission to Aisle 5…. The Federal Trade Commission has repeatedly emphasized the importance of having a mechanism in place to receive data security alerts or concerns. American Income Life Insurance (“AILife”), headquartered in Waco, Texas, does not provide such information on its home page or anywhere else on the site that I could find. So I called their 800-number."
https://databreaches.net/2025/10/06/i-called-american-income-life-insurance-to-alert-them-to-a-data-breach-involving-150000-customers-heres-why-they-didnt-find-out/ - Pet Insurance Provider Exposed PII Of Humans And Pets In Data Breach
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about an unencrypted and non-password-protected database that contained 158 GB of data. The data included pet insurance claims, veterinary bills, and customer communications that detailed names, physical and email addresses, phone numbers, and partial credit card numbers."
https://www.websiteplanet.com/news/rainwalk-pet-insurance-breach-report/
https://hackread.com/rainwalk-pet-insurance-158-gb-customer-pet-data/
General News
- Old Authentication Habits Die Hard
"Many organizations still rely on weak authentication methods while workers’ personal habits create additional risks, according to Yubico. 40% of employees said they have never received cybersecurity training. Even among those who have, the guidance is often outdated because many organizations wait months before updating their security policies. This delay leaves people unprepared. Employees who do not understand current risks are more likely to fall back on familiar habits, which attackers can exploit."
https://www.helpnetsecurity.com/2025/10/06/weak-authentication-risks-in-organizations/ - Phishing Is Old, But AI Just Gave It New Life
"The volume of cyberattacks has reached staggering levels, with new tactics that blur the line between legitimate and malicious activity. A new threat report from Comcast, based on 34.6 billion cybersecurity events analyzed over the past year, shows what adversaries are doing and what this means for enterprise leaders. Attackers are no longer choosing between quick, noisy campaigns and careful, targeted ones. They are doing both at once. Automated scans and phishing runs create constant background pressure, while more skilled operators test defenses and move laterally inside networks."
https://www.helpnetsecurity.com/2025/10/06/phishing-ai-enterprise-resilience-security/ - Security Leaders At Okta And Zscaler Share Lessons From Salesloft Drift Attacks
"When security researchers issued warnings about the Salesloft Drift issues last month, two prominent cybersecurity companies found themselves facing the same threat — but their stories ended up unfolding in different ways. Okta and Zscaler, among the larger players in the identity management space, were among the more than 700 Drift customers targeted in what has become one of the most significant supply chain attacks of the year. Within a week of Google security researchers’ warning about the incident, which targeted the widespread theft of Salesforce customer data, both companies went to work in figuring out how bad the damage would be."
https://cyberscoop.com/okta-zscaler-security-leaders-salesloft-drift-attacks/ - What To Look For In a Fractional CISO
"Demand for fractional CISOs is growing, which is directly driven by the everyday security challenges businesses of all sizes and industries face. Organizations are finally becoming aware that threats are not only increasing but also growing in sophistication. Small and mid-sized businesses in particular are learning - sometimes the hard way - that opportunistic attackers will target them whenever they spot vulnerabilities in their defenses."
https://www.bankinfosecurity.com/blogs/what-to-look-for-in-fractional-ciso-p-3947
อ้างอิง
Electronic Transactions Development Agency(ETDA) 
Research is currently investigating an aggressive malware campaign that leverages online instant messaging platform WhatsApp as its primary infection vector. Unlike traditional attacks focused on theft or ransomware, this campaign is engineered for speed and propagation, abusing social trust and automation to spread among Windows users. Trend Research analysis identifies the campaign as Water Saci, with the WhatsApp malware identified as SORVEPOTEL. Currently, it is most active in Brazil."
