Svoboda Cybersecurity Brief October 03, 2025
New Oracle E-Business Suite Extortion Campaign Targeting Thousands
Google Threat Intelligence Group (GTIG) and Mandiant report a massive extortion campaign targeting Oracle E-Business Suite (EBS) customers, with emails sent from compromised accounts claiming affiliation with Clop/FIN11. Attackers demand payment, alleging theft of sensitive data, though breaches remain unverified. Contact addresses match Clop’s leak site, but attribution is unclear.
Impact: Potential theft of ERP data, extortion pressure on enterprises.
Mitigation: Review Oracle EBS access and application logs for unusual activity, apply Oracle's July 2025 Critical Patch Update, limit internet exposure of EBS web tiers, and treat the extortion claims as unverified until a breach is confirmed internally.
Source: SecurityWeek
Clop Extortion Emails Claim Theft from Oracle EBS Systems
Mandiant confirms a high-volume campaign leveraging hundreds of compromised accounts, some linked to FIN11, to send extortion emails claiming Oracle EBS breaches. The claims align with Clop's tactics, but evidence is preliminary. Recipients include executives across sectors.
Source: BleepingComputer
DrayTek Vigor Routers Vulnerable to RCE via HTTP Requests (CVE-2025-10547)
A memory corruption flaw in DrayTek Vigor routers allows unauthenticated attackers to crash the device or execute code via crafted HTTP/HTTPS requests. Researcher Pierre-Yves Maes, who reported the flaw, confirmed the root cause is an arbitrary free() reachable without authentication.
Impact: Remote code execution on SMB/prosumer routers.
Mitigation: Update firmware (e.g., Vigor2962 to v4.4.3.6 or later); until patched, disable WAN-side WebUI and SSL-VPN access and restrict management access to trusted LAN hosts via ACLs.
Source: BleepingComputer
Android Spyware Impersonates Signal and ToTok Apps
ESET uncovers ProSpy and ToSpy campaigns distributing malicious APKs via fake sites mimicking a nonexistent "Signal Encryption Plugin" and a "ToTok Pro" app. The spyware steals contacts, SMS, and files, and establishes persistence via AlarmManager and scheduled tasks. Targeting appears focused on users in the UAE.
Impact: Data exfiltration, persistent device compromise.
Mitigation: Avoid sideloading apps, enforce Play Protect, revoke unused permissions.
Source: TheHackerNews
Red Hat Confirms GitLab Breach, Crimson Collective Leaks Customer Data
Red Hat confirms a breach of its consulting GitLab instance, exposing ~570GB of data including 800 Customer Engagement Reports (CERs) containing network and configuration details. The attackers are demanding a ransom and have published a T-Mobile CER as proof.
Impact: Downstream client infrastructure exposure via stolen CERs.
Mitigation: Affected consulting customers should rotate any credentials, tokens, or keys that appear in their CERs and assume the documented network details are known to attackers; GitLab operators should audit access logs and personal/project token usage.
Source: BleepingComputer
Malicious PyPI Package “soopsocks” Infects 2,653 Systems
The soopsocks PyPI package posed as a SOCKS5 proxy but dropped a Go-based _AUTORUN.EXE and VBScript loaders that backdoored Windows hosts, collected system information, added firewall rules, and exfiltrated the results to a Discord webhook.
Impact: Remote code execution, credential theft.
Mitigation: Audit Python dependencies for soopsocks and remove it, block install.soop[.]space at DNS/proxy, and monitor PowerShell executions, particularly those spawned by python.exe or wscript.exe.
Source: TheHackerNews
HackerOne Pays $81M in Bug Bounties, AI Vulnerabilities Surge
HackerOne’s annual report shows a 13% YoY increase in payouts, with AI-related vulnerabilities (e.g., prompt injection) up 540%. Top 100 researchers earned $31.8M lifetime.
Source: BleepingComputer
WestJet Discloses Breach Affecting 1.2M Customers
Attackers stole names, addresses, government IDs, and WestJet Rewards data in June 2025. No financial data compromised. Offers 24-month monitoring.
Source: SecurityWeek
Confucius Hackers Target Pakistan with WooperStealer and Anondoor
The APT group Confucius deployed WooperStealer (via .LNK files) and Anondoor (Python backdoor) in phishing campaigns targeting Pakistani gov/military entities since December 2024.
Impact: Data theft, command execution.
Mitigation: Block .LNK attachments at the mail gateway, monitor for PowerShell launched from LNK files, and watch for JuicyPotato-style local privilege escalation.
Source: TheHackerNews
Qilin Ransomware Hits Israeli Hospital, Demands $700K
Patient records at Shamir Medical Center are feared leaked after an attack launched over Yom Kippur. Qilin (linked to the London hospital breaches) claimed responsibility. Systems have been restored but the investigation is ongoing.
Source: DataBreaches
Radiant Hackers Delete Stolen Children’s Data After Backlash
The Radiant ransomware gang says it deleted the data stolen from Kido Schools after public outrage, having earlier threatened parents directly. The reversal likely followed attempts to dox the attackers.
Source: DataBreaches
Microsoft Blocks Inline SVG Images in Outlook Due to Abuse
Outlook on the web and the new Outlook for Windows no longer render inline SVG images, because SVG can carry script and embedded HTML used for XSS and credential phishing (e.g., the Tycoon2FA phishing kit). Rollout completes mid-October and affects under 0.1% of email.
Impact: Disrupts SVG-based phishing campaigns.
Mitigation: Send SVGs as file attachments if required, and screen inbound SVG attachments for active content (script, foreignObject, event handlers, javascript: links), which the inline-rendering block does not cover.
Source: BleepingComputer
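The following is an added example, not code from the brief or from Microsoft, showing the kind of SVG screening the mitigation above refers to. It parses an SVG and flags the constructs phishing kits rely on: script and foreignObject elements, on* event handlers, and javascript:/data: URIs in href attributes. The sample SVGs are constructed for the example; the function names are this example's own.

```python
"""Flag SVG content that carries active code (constructed example).

Screens an SVG for the constructs abused in SVG-based phishing:
<script>/<foreignObject> elements, on* event handlers, and
javascript:/data:/vbscript: URIs in href attributes.
"""
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG execute code or embed arbitrary HTML.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# URI schemes that execute or smuggle content when followed.
RISKY_URI = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)


def _local(name):
    # ElementTree renders namespaced names as "{ns}local"; keep only "local".
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text):
    """Return a list of findings; an empty list means nothing active was found.

    Note: xml.etree is used for portability; for untrusted input at scale,
    defusedxml gives the same API with entity-expansion protections.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Unparseable input is a finding, not a pass: renderers are lenient.
        return [f"unparseable SVG ({exc})"]
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname}= on <{name}>")
            if aname == "href" and RISKY_URI.match(value):
                scheme = value.split(":", 1)[0].strip().lower()
                findings.append(f"{scheme}: URI in href on <{name}>")
    return findings


# Constructed samples: a harmless icon and a phishing-style SVG.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="red"/></svg>'
)

PHISH_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="top.location='https://login.example.test'">
  <a xlink:href="javascript:window.open('https://login.example.test')">
    <text x="0" y="15">Open document</text>
  </a>
  <foreignObject width="100" height="100">
    <div xmlns="http://www.w3.org/1999/xhtml">fake sign-in form here</div>
  </foreignObject>
  <script><![CDATA[ window.location = 'https://login.example.test'; ]]></script>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("phish", PHISH_SVG)):
        print(label, scan_svg(doc) or "clean")
```

Run as-is to see the benign icon pass and the phishing sample produce four findings (an onload handler, a javascript: link, a foreignObject, and a script element). Rendering clients differ in which of these they honour, so the screen is deliberately broad; tune it by allow-listing attributes rather than by dropping checks.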
WireTap Attack Breaks Intel SGX Attestation via $1k Interposer
Researchers built a DDR4 memory-bus interposer for about $1,000 and used it to extract SGX attestation keys in roughly 45 minutes, exploiting the deterministic memory encryption of Scalable SGX. With the stolen keys they could forge attestations and demonstrated compromise of SGX-backed blockchain systems such as Phala and Secret Network. Intel considers physical attacks outside SGX's threat model.
Impact: SGX enclave compromise, smart contract key theft.
Mitigation: The root cause (deterministic memory encryption without integrity or freshness) cannot be fixed by enclave operators, so assume physical access defeats SGX confidentiality: do not entrust high-value keys solely to enclaves on hardware you do not physically control, and do not treat a valid attestation alone as proof that no one has touched the machine.
Source: SecurityWeek
Tile Trackers Expose MAC Addresses, Enable Stalking
Georgia Tech researchers found that Tile trackers broadcast their MAC address and unique device ID unencrypted, allowing anyone within radio range to passively track a tag over time. Life360 claims mitigations were deployed after disclosure.
Impact: Location privacy violation.
Mitigation: Power off or remove trackers you do not use; because a passively sniffed broadcast leaves no trace on the tag or in the app, detection depends on scanning your own surroundings for unknown trackers.
Source: TheHackerNews
Share this brief: https://svo.bz/y4nQ