Ticker feed
Cybercriminals claiming ties to the notorious Cl0p ransomware group are extorting executives at numerous companies, alleging they've stolen sensitive data from Oracle E-Business Suite systems. The campaign began around September 29, using hundreds of compromised email accounts linked to the FIN11 cybercrime gang.
Google's Threat Intelligence Group and Mandiant are investigating but can't yet verify the hackers' claims. Oracle E-Business Suite is used by thousands of organizations worldwide to manage business operations, making this a potentially massive security incident.
Both Cl0p and FIN11 have a history of similar attacks, previously exploiting zero-day vulnerabilities in MOVEit, Cleo, and other file transfer tools to steal data from millions of users across thousands of companies.
Source: SecurityWeek
A Chinese state-sponsored group called 'Phantom Taurus' has been conducting sophisticated espionage operations against government and telecommunications organizations across Africa, the Middle East, and Asia for over two years. What makes this group unique is their use of unconventional tactics that differ from typical Chinese hacking methods, helping them stay under the radar.
The hackers recently deployed Net-Star, a powerful .NET malware suite that targets IIS web servers through three backdoors, including one that operates entirely in computer memory. They're particularly interested in diplomatic communications and defense intelligence, often timing their attacks around major global events. The group has successfully infiltrated email servers and databases at high-value targets like foreign ministries and embassies.
Source: SecurityWeek
A devastating zero-day vulnerability (CVE-2025-20333) is being actively exploited across thousands of Cisco firewalls worldwide. With a CVSS score of 9.9, this buffer overflow flaw lets authenticated attackers execute code with root privileges on Cisco ASA and FTD devices.
Over 48,800 unpatched systems were identified on September 29, with the US most affected. The vulnerability targets VPN web servers that millions of organizations use for remote access. Attackers need valid VPN credentials, then send malicious HTTP requests to gain complete firewall control.
Cisco confirms no workarounds exist and urges immediate patching. A second bug (CVE-2025-20362) allows unauthorized VPN access, making the situation worse.
Source: Cyber Security News
The Department of Homeland Security and CISA have kicked off Cybersecurity Awareness Month 2025 with the theme "Building a Cyber Strong America." The campaign targets state and local governments, small businesses, and supply chain partners to protect essential services like water, power, and communications.
Homeland Security Secretary Kristi Noem emphasized that "bad actors are trying to steal information, sabotage critical infrastructure" daily. Acting CISA Director Madhu Gottumukkala stressed protecting small businesses and local governments that "facilitate the systems and services that sustain us every day."
The launch coincides with CISA's Emergency Directive addressing critical Cisco security flaws and a new advisory highlighting federal agency cybersecurity gaps, including unpatched vulnerabilities and untested incident response plans.
Source: Industrial Cyber
Cybercriminals are targeting Ukrainian government entities with fake emails pretending to be from the National Police of Ukraine. The attacks use malicious SVG files that look like official legal notices, warning recipients of potential legal action if ignored.
When victims open the attachment, they're redirected to download a password-protected file that installs two dangerous programs: Amatera Stealer, which harvests passwords and cryptocurrency wallets from browsers and apps like Telegram, and PureMiner, which secretly mines cryptocurrency using the victim's computer.
FortiGuard Labs researchers discovered this "fileless" attack chain, which avoids detection by loading malware directly into memory rather than saving files to disk. The campaign represents another wave of cyberattacks targeting Ukraine since Russia's 2022 invasion.
Source: Dark Reading
A new report from insurer Hiscox reveals that 80% of companies hit by ransomware attacks pay the ransom, but only 60% successfully recover their data. The study surveyed 5,750 small and medium businesses, finding 27% were targeted in the past year.
Recent high-profile victims include Marks and Spencer, Co-op, and Jaguar Land Rover. JLR received a £1.5bn government loan guarantee after a month-long factory shutdown, with production losses estimated at £200m. M&S faces at least £300m in damages from an April attack.
Nearly a third of companies that paid ransoms faced additional demands for more money. The cyber insurance market, worth £521m last year, is expected to reach £2.4bn by 2033 as businesses seek protection.
Source: Sky News
Luxury London retailer Harrods disclosed that hackers accessed personal information of up to 430,000 online customers through a third-party provider breach. The stolen data includes names and contact details but excludes passwords and payment information.
The company refused to engage with the threat actors who contacted them about the breach. This incident is separate from a May cyberattack that targeted Harrods' systems directly.
The breach highlights ongoing supply chain vulnerabilities plaguing UK retailers. Earlier this year, M&S lost £300 million and Co-op lost £206 million from similar attacks linked to the Scattered Spider group. Recent studies show 97% of FTSE 100 companies experienced third-party breaches in the past year.
Source: Infosecurity Magazine
Chinese state-sponsored hackers have actively exploited CVE-2025-20333, a devastating zero-day vulnerability in Cisco ASA firewalls with a 9.9 severity score. The flaw allows remote code execution with root privileges when chained with another vulnerability that bypasses authentication.
The UAT4356 threat group deployed sophisticated malware called RayInitiator and LINE VIPER on compromised Cisco ASA 5500-X Series devices. RayInitiator persists at the firmware level, surviving reboots and updates, while LINE VIPER provides command and control capabilities through encrypted communications.
CISA issued Emergency Directive ED-25-03 requiring federal agencies to patch within 24 hours or disconnect affected devices. This represents a major evolution of the ArcaneDoor campaign, targeting critical network perimeter defenses worldwide.
Source: Cybersecurity News
BitSight's latest research reveals a troubling reversal in cybersecurity progress: internet exposure of industrial control systems (ICS) and operational technology (OT) jumped 12% in 2024, reaching over 180,000 visible devices monthly. The firm expects this number to approach 200,000 in 2025.
These aren't just forgotten legacy systems. New ICS/OT devices are going online with outdated protocols, minimal authentication, and poor network segmentation. The problem spans all studied protocols, from Modbus to BACnet, affecting energy grids, water treatment facilities, and building automation systems.
Making matters worse, vulnerabilities in these devices continue climbing. Many carry critical security flaws with CVSS scores of 10.0 and trivial exploit paths. The U.S. leads global exposure, particularly in manufacturing and utilities.
Attribution remains a major challenge—most devices trace only to ISPs, making it nearly impossible to notify operators of vulnerabilities.
Source: Industrial Cyber
Cybercriminals are exploiting SonicWall firewalls to deploy Akira ransomware, moving from initial breach to full encryption in as little as 55 minutes. Arctic Wolf Labs detected this ongoing campaign that began in late July 2025, targeting organizations across multiple sectors.
The attackers gain access through stolen SSL VPN credentials linked to CVE-2024-40766, a vulnerability from 2024. Even devices with multi-factor authentication and current patches are being compromised because hackers are using previously harvested credentials.
Once inside, attackers quickly scan networks, create admin accounts, disable security software, steal data, and deploy ransomware. Arctic Wolf urges organizations to immediately reset all SSL VPN credentials and monitor for suspicious logins from hosting providers.
Source: Cybersecurity News