# Cyber OSINT Overview, Oct 6 - Oct 12, 2025
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
## Most Discussed Topics
- Multiple vulnerabilities in the Linux Kernel were a dominant topic, with numerous advisories detailing risks across various distributions, including Red Hat Enterprise Linux and Ubuntu. These flaws frequently allow local or remote attackers to cause a Denial of Service (DoS), escalate privileges, or perform other unspecified attacks. The high frequency of these updates underscores the continuous effort required to maintain kernel security and the broad impact these vulnerabilities can have across the IT ecosystem. Organizations are advised to follow their distribution's patching schedule closely to mitigate these recurring risks.
  - gov cyber.gc.ca: Red Hat security advisory (AV25-645)
  - gov cyber.gc.ca: Ubuntu security advisory (AV25-643)
  - gov wid.cert-bund.de: [UPDATE] [high] Linux UDisks Daemon: vulnerability allows privilege escalation
  - gov wid.cert-bund.de: [UPDATE] [high] Linux Kernel: multiple vulnerabilities allow denial of service
  - gov wid.cert-bund.de: [NEW] [high] Linux Kernel: multiple vulnerabilities allow denial of service
  - gov cisa.gov: CISA Adds Seven Known Exploited Vulnerabilities to Catalog
- Vulnerabilities in Oracle products, particularly the actively exploited zero-day in Oracle E-Business Suite (CVE-2025-61882), received significant attention. This critical flaw allows unauthenticated remote code execution and has been linked to a large-scale extortion campaign by the Cl0p ransomware group. Government agencies and security firms issued multiple alerts urging immediate patching. The incident highlights the high risk associated with complex enterprise applications and the necessity of applying out-of-band security updates promptly.
  - gov cyber.gc.ca: AL25-013 – Vulnerability impacting Oracle E-Business Suite - CVE-2025-61882
  - gov wid.cert-bund.de: [NEW] [critical] Oracle E-Business Suite: vulnerability allows code execution
  - gov cert.at: Serious security vulnerability in Oracle E-Business Suite - actively exploited - updates available
  - gov cisa.gov: CISA Adds Seven Known Exploited Vulnerabilities to Catalog
  - news cyberscoop.com: Dozens of Oracle customers impacted by Clop data theft for extortion campaign
  - vendor cloud.google.com: Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
- The use of Artificial Intelligence in both offensive and defensive cybersecurity operations was a frequent subject. Reports detailed how threat actors are weaponizing AI and large language models (LLMs) to generate sophisticated malware, create convincing phishing campaigns, and automate attack stages. Conversely, defenders and vendors are increasingly adopting AI for threat detection, vulnerability management, and security operations automation. This dual-use trend highlights a significant evolution in the threat landscape, where AI is becoming a central tool for both attackers and security teams, raising the stakes for developing robust, AI-aware defenses.
  - community reddit.com: Is cyber security plagued by AI
  - news cyberscoop.com: OpenAI: Threat actors use us to be efficient, not make new tools
  - personal schneier.com: Autonomous AI Hacking and the Future of Cybersecurity
  - vendor blog.knowbe4.com: New Phishing Campaign Uses AI Tools to Evade Detection
  - vendor blog.knowbe4.com: The Hidden Cybersecurity Threat: Securing the Human-AI Relationship
## Critical Vulnerabilities
- A critical, actively exploited zero-day vulnerability (CVE-2025-61882) was discovered in Oracle E-Business Suite versions 12.2.3 to 12.2.14. The flaw, rated CVSS 9.8, allows unauthenticated remote code execution within the BI Publisher component. Threat actors, identified as part of the Cl0p ransomware group, began exploiting this vulnerability as early as August 2025 to exfiltrate data for a large-scale extortion campaign. Oracle released an emergency out-of-band patch, and CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate remediation.
  - gov cyber.gc.ca: AL25-013 – Vulnerability impacting Oracle E-Business Suite - CVE-2025-61882
  - gov wid.cert-bund.de: [NEW] [critical] Oracle E-Business Suite: vulnerability allows code execution
  - gov cert.at: Serious security vulnerability in Oracle E-Business Suite - actively exploited - updates available
  - news darkreading.com: Clop Ransomware Hits Oracle Customers Via Zero-Day Flaw
  - vendor arcticwolf.com: CVE-2025-61882: New Critical RCE Vulnerability Linked to Oracle E-Business Cl0p Extortion Emails
  - vendor cloud.google.com: Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
- Multiple critical vulnerabilities (CVE-2025-49844) were patched in Redis Software, affecting versions with Lua scripting enabled. These flaws could allow an authenticated attacker to achieve remote code execution, access out-of-bounds data, or cause a server crash. The risk is elevated because many Redis deployments run without authentication or ACL-based authorization, which would allow unauthenticated exploitation. Proof-of-concept code demonstrating the vulnerability has been publicly released, increasing the urgency for administrators to apply the necessary updates.
  - gov advisories.ncsc.nl: NCSC-2025-0304 [1.00] [M/H] Vulnerabilities fixed in Redis
  - gov cyber.gc.ca: Redis security advisory (AV25-646)
  - gov wid.cert-bund.de: [UPDATE] [critical] Redis: multiple vulnerabilities
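The Redis item above turns on two configuration facts: whether a deployment accepts unauthenticated connections, and whether the connecting user may run Lua scripts at all. The following audit script is an added example written for this brief; it is not from Redis or from any of the advisories linked above. It parses a `redis.conf` and reports the weak settings that make the scenario described above possible. The two configurations embedded in it are constructed samples, and the ACL password in the hardened one is a placeholder. It assumes Redis 6 or later ACL syntax (`user ...` lines), in which `@scripting` is the real command category that covers `EVAL`, `EVALSHA` and the other script commands.

```python
"""Audit a redis.conf for unauthenticated access and exposed Lua scripting.

Added example for the Redis CVE-2025-49844 item; constructed configs below.
"""

# Constructed sample: a typical "it just works" development config that
# ended up exposed. No password, no ACLs, listening on every interface.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample of a hardened config. The password is a placeholder.
# The application user keeps every command except the scripting and
# dangerous categories, and the built-in default user is switched off.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
user default off
user appsvc on >PLACEHOLDER-STRONG-PASSWORD ~app:* +@all -@scripting -@dangerous
"""


def parse_conf(text):
    """Return (directive, [args]) for each non-comment line of a redis.conf."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis_conf(text):
    """Return a list of finding codes; an empty list means no weak setting found."""
    directives, users = {}, []
    for directive, args in parse_conf(text):
        if directive == "user" and args:
            users.append(args)          # ACL rule: name followed by rules
        else:
            directives[directive] = args

    findings = []

    # protected-mode defaults to yes; "no" removes the loopback-only safety net.
    if directives.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode-off")

    # No bind line means all interfaces; so does 0.0.0.0, * or ::.
    bind = directives.get("bind", [])
    if not bind or any(a in ("0.0.0.0", "*", "::") for a in bind):
        findings.append("bind-all-interfaces")

    # Authentication: either legacy requirepass, or an ACL user with a
    # password (">plain" or "#sha256"), or the default user disabled.
    default_off = any(u[0] == "default" and "off" in u[1:] for u in users)
    has_password = "requirepass" in directives or any(
        a.startswith((">", "#")) for u in users for a in u[1:]
    )
    if not has_password and not default_off:
        findings.append("no-authentication")

    # Scripting exposure: any enabled user allowed +@all without -@scripting.
    for u in users:
        name, rules = u[0], u[1:]
        if "off" in rules:
            continue
        allows_all = "+@all" in rules or "allcommands" in rules
        if allows_all and "-@scripting" not in rules:
            findings.append(f"scripting-allowed:{name}")
    if not users:
        # With no ACL lines at all the implicit default user has +@all.
        findings.append("scripting-allowed:default")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "OK")
```

Running it prints four findings for the weak sample and `OK` for the hardened one. Dropping `@scripting` from the application user does not patch the flaw, but it removes the attack surface until the update is applied, and the audit makes that state visible across many instances.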
- A critical SQL injection vulnerability was discovered in ESRI ArcGIS Server versions 11.3, 11.4, and 11.5. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands by exploiting the Feature Services component. Successful exploitation could lead to data exfiltration, manipulation, or complete database compromise. ESRI has released security patches to address this high-severity flaw and strongly encourages all affected users to apply them immediately to prevent potential attacks.
  - gov cyber.gc.ca: Esri security advisory (AV25-652)
  - gov wid.cert-bund.de: [NEW] [high] ESRI ArcGIS: vulnerability allows SQL injection
- CISA added a Grafana Path Traversal vulnerability (CVE-2021-43798) to its Known Exploited Vulnerabilities (KEV) catalog, confirming it is under active exploitation. This vulnerability allows an unauthenticated attacker to read arbitrary local files on the Grafana server, including sensitive configuration files containing credentials. Although the flaw dates from 2021, its addition to the KEV catalog indicates new or ongoing attacks, making it a high-priority patching target for all organizations using affected Grafana versions. Federal agencies are required to remediate this vulnerability by the specified due date.
  - gov wid.cert-bund.de: [UPDATE] [high] Grafana Image Renderer Plugin: vulnerability allows code execution
  - gov cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
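Because CVE-2021-43798 is being exploited again, teams that cannot patch immediately will want to know whether their Grafana instances have already been probed. The script below is an added example for this brief, not code from Grafana Labs or CISA. It scans web server access logs for traversal attempts and reports which ones the server answered with HTTP 200, i.e. which file reads likely succeeded. The log lines are constructed samples in the common nginx/Apache format; the `/public/plugins/` prefix is the plugin asset route that the public advisories for this CVE identify as the affected path. The detector decodes the URL repeatedly so that percent-encoded and double-encoded `..` segments are caught as well as the plain form.

```python
"""Detect directory traversal attempts in access logs (added example).

Constructed sample log lines; the detection logic is generic and is not tied
to any one product's log format beyond the standard combined format.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: two benign requests, one plain traversal, one
# percent-encoded traversal, one double-encoded traversal that the server
# rejected (404). IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Oct/2025:10:02:11 +0000] "GET /public/plugins/welcome/img/logo.svg HTTP/1.1" 200 1234
203.0.113.7 - - [09/Oct/2025:10:02:12 +0000] "GET /public/plugins/welcome/../../../../etc/passwd HTTP/1.1" 200 2061
198.51.100.23 - - [09/Oct/2025:10:05:40 +0000] "GET /public/plugins/grafana-clock-panel/..%2F..%2F..%2Fetc%2Fgrafana%2Fgrafana.ini HTTP/1.1" 200 4410
198.51.100.23 - - [09/Oct/2025:10:05:41 +0000] "GET /public/plugins/grafana-clock-panel/%252e%252e/%252e%252e/conf/defaults.ini HTTP/1.1" 404 153
192.0.2.9 - - [09/Oct/2025:10:07:03 +0000] "GET /api/health HTTP/1.1" 200 57
192.0.2.9 - - [09/Oct/2025:10:07:05 +0000] "GET /login HTTP/1.1" 200 3301
"""


def decode_path(path, rounds=3):
    """URL-decode until stable (bounded), so %2e%2e and %252e%252e both surface."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path):
    """True if the decoded request path contains a '..' segment."""
    clean = decode_path(path.split("?", 1)[0]).replace("\\", "/")
    return any(segment == ".." for segment in clean.split("/"))


def scan_log(text):
    """Return one record per traversal attempt found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "path": m["path"],
            "status": int(m["status"]),
            # Requests under the plugin asset route match the CVE's known shape.
            "plugin_route": m["path"].startswith("/public/plugins/"),
        })
    return hits


def summarize(hits):
    """Attempts per source IP and the subset the server answered with 200."""
    per_ip = Counter(h["ip"] for h in hits)
    succeeded = [h for h in hits if h["status"] == 200]
    return per_ip, succeeded


if __name__ == "__main__":
    per_ip, succeeded = summarize(scan_log(SAMPLE_LOG))
    print("attempts by source:", dict(per_ip))
    for h in succeeded:
        print("likely successful read:", h["ip"], h["path"])
```

A 200 on a traversal request is the line that matters for incident response: it means the file was served, and whatever credentials that file holds should be treated as exposed. The double-encoded request in the sample was rejected, which is still worth recording as reconnaissance from that source.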
- A local file inclusion vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products is being actively exploited in the wild. The flaw allows an unauthenticated attacker to retrieve sensitive files, such as the machine key from the Web.config file. Attackers can then use this key to achieve remote code execution via a separate ViewState deserialization vulnerability (CVE-2025-30406). A patch is not yet available, but a mitigation that involves disabling the 'temp' handler in the Web.config file is strongly recommended for all users.
  - vendor huntress.com: Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw
## Major Incidents
- SonicWall confirmed a major security incident where an unauthorized party accessed firewall configuration backup files for all customers using the MySonicWall cloud backup service. This expands the scope significantly from an initial estimate of under 5% of customers. The exposed files contain sensitive data, including encrypted credentials and network configurations, which could facilitate targeted attacks. SonicWall has urged all affected customers to reset credentials and implement other mitigation measures outlined in their advisory.
  - gov cyber.gc.ca: SonicWall security advisory (AV25-603) - Update 1
  - news cyberscoop.com: SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal
  - news hackread.com: SonicWall Says All Firewall Backups Were Accessed by Hackers
  - vendor arcticwolf.com: SonicWall Concludes Investigation Into Incident Affecting MySonicWall Configuration Backup Files
  - vendor huntress.com: Huntress Threat Advisory: Widespread SonicWall SSLVPN Compromise
- The Cl0p ransomware group conducted a large-scale extortion campaign targeting dozens of organizations by exploiting a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882). Exploitation began as early as August 2025, with attackers exfiltrating significant amounts of data before sending extortion emails in late September. The campaign continues Cl0p's pattern of using zero-day flaws in widely used enterprise software for mass data theft. Google's Mandiant and other security firms have provided detailed analyses and IOCs to help organizations respond.
  - news cyberscoop.com: Dozens of Oracle customers impacted by Clop data theft for extortion campaign
  - news cyberscoop.com: Oracle zero-day defect amplifies panic over Clop's data theft attack spree
  - vendor arcticwolf.com: CVE-2025-61882: New Critical RCE Vulnerability Linked to Oracle E-Business Cl0p Extortion Emails
  - vendor cloud.google.com: Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
- A cybercriminal syndicate calling itself Scattered Lapsus$ Hunters, a likely coalition of actors from Scattered Spider, ShinyHunters, and LAPSUS$, is conducting a widespread extortion campaign against Salesforce customers. The group claims to have stolen over a billion records from 39 major companies, including Qantas, Toyota, and Disney, by compromising Salesforce tenants. The actors revived the BreachForums platform as a data leak site to pressure victims, though the site was recently seized by law enforcement. Salesforce has stated it will not pay any ransom and linked the activity to a breach at a third-party integrator, Salesloft.
  - community reddit.com: Unit 42 details a new extortion gang, Scattered Lapsus Hunters, responsible for recent high-profile breaches of Salesforce and Red Hat
  - personal krebsonsecurity.com: ShinyHunters Wage Broad Corporate Extortion Spree
  - vendor unit42.paloaltonetworks.com: The Golden Scale: Bling Libra and the Evolving Extortion Economy
  - vendor bitdefender.com: BreachForums seized, but hackers say they will still leak Salesforce data
- The social platform Discord disclosed a data breach originating from a compromised third-party customer support provider, reportedly Zendesk. The incident exposed personal data of users who had interacted with support teams, including names, email addresses, and messages. For approximately 70,000 users, highly sensitive government-issued ID photos submitted for age verification were also exposed. Attackers, claiming affiliation with the Scattered Lapsus$ Hunters group, attempted to extort Discord, but the company has refused to pay and is working with law enforcement.
  - news hackread.com: Discord Says Hackers Stole 70,000 ID Photos, Dismisses Extortion Claims
  - news thecyberexpress.com: Discord Data Breach Exposes ID Photos of 70,000 Users Through Third-Party Cyberattack
  - vendor research.checkpoint.com: 6th October – Threat Intelligence Report
  - vendor malwarebytes.com: Discord warns users after data stolen in third-party breach
## Emerging Threats
- A massive, coordinated botnet involving over 100,000 unique IP addresses from more than 100 countries has been observed targeting Remote Desktop Protocol (RDP) services in the United States since October 8, 2025. The operation uses timing attacks against RD Web Access and login enumeration against the RDP web client to identify and compromise vulnerable infrastructure. A similar TCP fingerprint across most participating IPs indicates a centralized command-and-control structure. Organizations are advised to monitor RDP logs for unusual probing and consider blocking IPs associated with this campaign.
  - news cybersecuritynews.com: Hackers Attacking Remote Desktop Protocol Services from 100,000+ IP Addresses
  - vendor greynoise.io: 100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure
- A rapidly evolving Android spyware named ClayRat is spreading widely in Russia, masquerading as popular apps like TikTok, YouTube, and WhatsApp. The malware abuses Android's default SMS handler role to bypass permissions and send malicious texts to the victim's contacts, facilitating its worm-like propagation. Once installed, ClayRat can steal sensitive data including text messages and call logs, and remotely control the device to take pictures or make calls. The campaign uses Telegram channels and phishing websites for initial distribution, with researchers observing over 600 unique samples in three months.
  - news cyberscoop.com: Russian spyware ClayRat is spreading, evolving quickly, according to Zimperium
  - news gbhackers.com: ClayRat Android Malware Masquerades as WhatsApp & Google Photos
  - news hackread.com: Fake TikTok and WhatsApp Apps Infect Android Devices with ClayRat Spyware
  - vendor asec.ahnlab.com: Mobile Security & Malware Issue 2nd Week of October, 2025
- A new malware campaign is leveraging an experimental Node.js feature, Single Executable Application (SEA), to distribute the Stealit information stealer. By packaging the malware into a single executable, attackers can run it on Windows systems without requiring a pre-installed Node.js runtime, helping it evade detection. The malware is distributed through fake installers for games and VPNs on file-sharing sites. Once active, Stealit can exfiltrate a wide range of data, including credentials and cryptocurrency wallets, and provides attackers with remote access capabilities.
  - news gbhackers.com: New Stealit Malware Exploits Node.js Extensions to Target Windows Systems
  - news hackread.com: Stealit Malware Using Node.js to Hide in Fake Game and VPN Installers
  - vendor feeds.fortinet.com: New Stealit Campaign Abuses Node.js Single Executable Application
- A new China-nexus threat actor is utilizing an open-source operations and monitoring tool named Nezha to facilitate web server intrusions. Researchers observed the actor gaining initial access via log poisoning to plant a web shell, which was then used to deploy Nezha for command execution. This tool was subsequently used to deploy the Ghost RAT implant for persistent access. This activity highlights a trend of attackers abusing legitimate or dual-use tools to lower development costs, evade detection, and maintain plausible deniability during operations.
  - news darkreading.com: China-Nexus Actors Weaponize 'Nezha' Open Source Tool
  - vendor huntress.com: The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors
- A new variant of the Chaos ransomware, rewritten in C++, is targeting Windows systems with a focus on speed and destruction. Dubbed Chaos-C++, this version skips encrypting files between 50MB and 1.3GB, but deletes any files larger than 1.3GB, making them unrecoverable. The malware also introduces a clipboard hijacking feature to steal cryptocurrency by replacing wallet addresses copied by the user with an attacker-controlled address. This evolution marks a shift from pure extortion to a more destructive model, amplifying potential damage for victims.
  - news hackread.com: New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto
  - news darkreading.com: Chaos Ransomware Upgrades With Aggressive New C++ Variant
  - vendor feeds.fortinet.com: The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous
## Regulatory and Policy Updates
- The Cybersecurity Information Sharing Act of 2015 (CISA 2015), which provided liability protections for organizations sharing cyber threat data, expired on September 30 due to a lapse in U.S. government funding and political disagreements. In response, a bipartisan bill named the 'Protecting America from Cyber Threats (PACT) Act' has been introduced to restore these protections, extend them for ten years, and make them retroactive to cover the gap. The expiration has raised concerns among security professionals about a potential chilling effect on vital, voluntary information sharing between the private sector and the government.
  - news cyberscoop.com: Sen. Peters tries another approach to extend expired cyber threat information-sharing law
  - news thecyberexpress.com: Senators Peters and Rounds Introduce Bipartisan Bill to Restore Cybersecurity Protections
  - vendor health-isac.org: Is the government shutdown impacting info sharing for healthcare cyber threats?
- California has enacted 14 new privacy and AI-related bills, strengthening consumer data rights. One key law, AB 656, mandates that social media companies provide a straightforward account cancellation process that also ensures the full deletion of the user's personal data. Another significant bill, SB 361, enhances the state's data broker law by requiring more detailed disclosures about data collection practices, including whether they share information with foreign entities or AI developers. These laws signal a continued push by California to give individuals more control over their digital footprint.
  - vendor malwarebytes.com: California just put people back in control of their data
- The German government announced its opposition to the controversial EU 'Chat Control' proposal, which would require mass scanning of private, encrypted communications for child sexual abuse material (CSAM). Officials from the ruling party stated that such indiscriminate surveillance of private messages should be 'taboo in a constitutional state.' Germany's opposition is significant, as it represents a key vote against the measure, which privacy advocates and tech companies like Signal have warned would fundamentally undermine end-to-end encryption and user privacy across Europe.
  - news cyberscoop.com: German government says it will oppose EU mass-scanning proposal
- Austria's data protection authority ruled that Microsoft's 365 Education software illegally tracked students by using cookies without consent and failing to provide adequate access to their data. The decision stemmed from a 2024 complaint filed by the privacy advocacy group noyb on behalf of a minor. The regulator ordered Microsoft to grant the complainant access to their data and improve transparency regarding its data collection practices. This ruling highlights the increasing scrutiny on how educational technology platforms handle student data under GDPR.
  - news therecord.media: Microsoft violated EU law in handling of kids' data, Austrian privacy regulator finds
## Security Operations
- CISA is actively updating its Known Exploited Vulnerabilities (KEV) catalog, adding several high-profile flaws based on evidence of in-the-wild exploitation. Recent additions include CVE-2025-61882 (Oracle E-Business Suite), CVE-2021-43798 (Grafana Path Traversal), and CVE-2025-27915 (Synacor Zimbra XSS). These updates serve as a critical, actionable resource for federal agencies, which are bound by Binding Operational Directive 22-01 to remediate KEVs by specified deadlines. For all organizations, prioritizing the patching of KEV catalog vulnerabilities is a recommended best practice for reducing exposure to active threats.
  - gov cyber.gc.ca: AL25-013 – Vulnerability impacting Oracle E-Business Suite - CVE-2025-61882
  - gov cisa.gov: CISA Adds Seven Known Exploited Vulnerabilities to Catalog
  - gov cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
  - gov cisa.gov: CISA Adds One Known Exploited Vulnerability to Catalog
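Turning the KEV catalog into a patch queue is mostly a join: scanner findings on one side, the catalog's `cveID` and `dueDate` on the other. The script below is an added example for this brief, not a CISA tool. CISA publishes the catalog as JSON (the live feed is `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`) with the field names used here; the catalog excerpt embedded below is a constructed sample that reuses the three CVE IDs named above but carries placeholder dates and descriptions, and the scanner findings are constructed as well. It ranks every (host, CVE) pair that appears in the catalog by due date, flags overdue items, and surfaces entries the catalog marks as used in ransomware campaigns.

```python
"""Prioritise scanner findings against the CISA KEV catalog (added example).

The real feed uses the field names below. SAMPLE_KEV_JSON and SAMPLE_FINDINGS
are constructed data: the CVE IDs come from the brief, the dates do not.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV excerpt for illustration",
  "vulnerabilities": [
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle",
     "product": "E-Business Suite",
     "vulnerabilityName": "placeholder name",
     "dateAdded": "2025-10-06", "dueDate": "2025-10-27",
     "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2021-43798", "vendorProject": "Grafana Labs",
     "product": "Grafana",
     "vulnerabilityName": "placeholder name",
     "dateAdded": "2025-10-09", "dueDate": "2025-10-30",
     "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2025-27915", "vendorProject": "Synacor",
     "product": "Zimbra Collaboration Suite",
     "vulnerabilityName": "placeholder name",
     "dateAdded": "2025-10-07", "dueDate": "2025-10-28",
     "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply mitigations per vendor instructions."}
  ]
}
"""

# Constructed scanner output: host -> CVEs detected. CVE-0000-0001 is a
# placeholder for a finding that is not in the catalog.
SAMPLE_FINDINGS = {
    "ebs-app-01": ["CVE-2025-61882", "CVE-0000-0001"],
    "grafana-01": ["CVE-2021-43798"],
    "mail-01": ["CVE-2025-27915", "CVE-2021-43798"],
    "build-01": ["CVE-0000-0001"],
}


def load_kev(json_text):
    """Index the catalog by CVE ID for O(1) lookups during the join."""
    data = json.loads(json_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(kev_index, findings, today):
    """Return one row per (host, CVE) present in KEV, most urgent first."""
    rows = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev_index.get(cve)
            if entry is None:
                continue                      # not a KEV: handled by normal SLA
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "overdue": due < today,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "action": entry["requiredAction"],
            })
    # Earliest due date first; ransomware-linked entries win ties.
    rows.sort(key=lambda r: (r["due"], not r["ransomware"], r["host"]))
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_FINDINGS, date(2025, 10, 12)):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]}d left'
        rw = " [ransomware]" if row["ransomware"] else ""
        print(f'{row["host"]:12} {row["cve"]:16} due {row["due"]} ({flag}){rw}')
```

The BOD 22-01 deadline is binding only for federal agencies, but the due date is a useful proxy for urgency anywhere: CISA sets it short when exploitation is broad. Re-running the join daily also catches the case the Grafana entry illustrates, where an old CVE that a scanner has reported for years suddenly becomes a KEV and jumps the queue.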
- Estonia’s national ID-card infrastructure is undergoing a major transition in November 2025, with Thales replacing IDEMIA as the card manufacturer and Zetes being introduced as a new trust service provider. This change requires all e-service providers to update their systems to support the new cards, which feature a different chip platform and software. Simultaneously, systems must handle cards from three different generations and two different trust providers. The Estonian Information System Authority (RIA) is urging service providers to begin testing and implementing necessary changes to ensure a smooth transition and avoid service disruptions for users.
- VirusTotal has simplified its platform access model with a revised set of tiers designed for different user groups, including a free community tier and a new 'Contributor Tier' for engine partners. This change aims to reinforce the platform's collaborative nature by rewarding partners who contribute detections with benefits like free access to data feeds on their blind spots. The new structure clarifies options for individual researchers, small teams, and large organizations while reaffirming a 2016 policy that prioritizes contributing partners over non-contributing security vendors for advanced access. The move aligns VirusTotal's community focus with the broader enterprise offerings of Google Threat Intelligence.
  - news cybersecuritynews.com: VirusTotal Simplifies User Options With Platform Access and New Contributor Model
  - vendor blog.virustotal.com: Simpler Access for a Stronger VirusTotal
- A new technique allows attackers to inject malicious code into trusted antivirus processes, bypassing standard security defenses. The method involves cloning protected services and hijacking cryptographic providers to create a backdoor within the antivirus software's own installation directory. Because antivirus processes run with high privileges and are designed to be 'unkillable,' this technique provides attackers with a stealthy and persistent foothold. This research highlights the risk of attackers abusing the very tools designed for protection and the need for layered defenses that monitor the integrity of security software itself.
  - community reddit.com: IAmAntimalware: Inject Malicious Code Into Antivirus
  - news cybersecuritynews.com: Hackers Can Inject Malicious Code into Antivirus Processes to Create a Backdoor
## Wins
- International law enforcement has successfully seized the BreachForums domain used by the Scattered Lapsus$ Hunters cybercrime group. The FBI, U.S. Department of Justice, and French authorities replaced the site with a takedown notice just before the group's deadline to leak data stolen from Salesforce customers. Although the group confirmed the seizure, they claimed no arrests were made and that their data leak threats via other channels remain active. This action represents a significant disruption to a major cybercrime platform used for extortion and data trading.
  - news thecyberexpress.com: BreachForums Seized by FBI Amid Scattered LAPSUS$ Salesforce Leak Threats
  - news therecord.media: FBI takedown banner appears on BreachForums site as Scattered Spider promotes leak
  - vendor bitdefender.com: BreachForums seized, but hackers say they will still leak Salesforce data
- Two 17-year-old boys have been arrested in the UK in connection with a major cyberattack on the Kido nursery chain. The attackers, who identified as the 'Radiant' group, stole and exposed sensitive data belonging to approximately 8,000 children and attempted to extort the company for £600,000 in Bitcoin. The arrests, on suspicion of computer misuse and blackmail, represent a significant breakthrough in the investigation led by the Metropolitan Police, providing some measure of justice for the families affected by this distressing breach.
  - news thecyberexpress.com: Two Teenagers Arrested Following Major Cyberattack on Kido Nurseries
- Italy's team has won the 2025 European Cybersecurity Challenge (ECSC) held in Warsaw, Poland. The annual competition, organized by ENISA, brings together young cybersecurity talent from across Europe to solve complex security challenges in areas like web security, cryptography, and incident response. The event aims to foster talent, promote cybersecurity skills, and encourage collaboration among future European security professionals. Denmark and Germany secured second and third place, respectively, in a competition that featured 39 teams.
  - news thecyberexpress.com: Italy Claims Victory at the 2025 European Cybersecurity Challenge in Warsaw
## Disclaimer
The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template.
Reach out if you have questions or suggestions.