Svoboda Cybersecurity Brief October 07, 2025
Oracle EBS Zero-Day Exploited by Cl0p in Mass Data Theft Campaign
Cl0p ransomware group exploited CVE-2025-61882 (CVSS 9.8), a zero-day RCE flaw in Oracle E-Business Suite (EBS), to steal terabytes of data in August 2025. Attackers used a Python exploit (exp.py, server.py) to gain unauthenticated remote code execution via the BI Publisher Integration component. Over 500,000 records were exfiltrated, with extortion emails sent from compromised accounts.
Impact: Mass data theft affecting EBS versions 12.2.3–12.2.14.
Mitigation: Apply Oracle’s emergency patch; search logs for IOCs (e.g., IPs 200.107.207.26, 185.181.60.11).
Source: The Hacker News
Redis Critical Lua Sandbox Escape Vulnerability (CVE-2025-49844)
A 13-year-old use-after-free flaw in Redis allows authenticated attackers to escape the Lua sandbox via crafted scripts, leading to RCE. Wiz researchers found 60,000+ exposed Redis instances, with PoCs demonstrated at Pwn2Own Berlin.
Impact: Full host compromise (CVSS 10.0) via Lua scripting (enabled by default).
Mitigation: Update to Redis 7.2.4-138+/8.2.2+; disable Lua if unused, enforce authentication.
Source: BleepingComputer
XWorm Malware Resurfaces with Ransomware Module and 35+ Plugins
XWorm 6.x variants now include Ransomware.dll, capable of encrypting files (.ENC extension) and stealing data from browsers (35+ targets). Delivered via phishing (LNK files, fake Discord installers) and abuses RMM tools like SimpleHelp for persistence.
Impact: Multi-stage attacks combining data theft, ransomware, and lateral movement.
Mitigation: Block execution of RMM binaries; monitor for PowerShell scripts spawning cmd.exe.
Source: BleepingComputer
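The XWorm mitigation above boils down to two detections that can be expressed over process-creation telemetry. The following is an added example (not code from the brief or from the BleepingComputer report) that runs both checks over constructed Sysmon-style events: cmd.exe spawned by PowerShell, and an RMM binary executing from a path outside an approved install location. The field names, the RMM binary name and the approved path are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names assumed, modelled on Sysmon Event ID 1)."""
    pid: int
    image: str          # path of the created process
    parent_image: str   # path of its parent
    command_line: str


def _basename(path: str) -> str:
    # Normalise separators so the check works on Windows paths from any host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}

# Assumed binary name for illustration; take real names from your software inventory.
RMM_BINARY_NAMES = {"simplehelp-remote-access.exe"}

# Assumed approved install path; anything else running the RMM binary is flagged.
APPROVED_RMM_PATHS = [r"C:\Program Files\SimpleHelp\SimpleHelp-Remote-Access.exe"]


def powershell_spawning_cmd(events):
    """cmd.exe whose parent is a PowerShell host, the pattern the brief says to monitor."""
    return [e for e in events
            if _basename(e.image) == "cmd.exe"
            and _basename(e.parent_image) in POWERSHELL_NAMES]


def unapproved_rmm_executions(events, approved_paths=APPROVED_RMM_PATHS):
    """RMM binary launched from a path that is not on the approved list."""
    approved = {p.replace("\\", "/").lower() for p in approved_paths}
    return [e for e in events
            if _basename(e.image) in RMM_BINARY_NAMES
            and e.image.replace("\\", "/").lower() not in approved]


# Constructed sample events; none of these are observed telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "cmd.exe /c whoami"),
    ProcessEvent(1002, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe",
                 "cmd.exe"),
    ProcessEvent(1003, r"C:\Program Files\SimpleHelp\SimpleHelp-Remote-Access.exe",
                 r"C:\Windows\System32\services.exe",
                 "SimpleHelp-Remote-Access.exe"),
    ProcessEvent(1004, r"C:\Users\Public\SimpleHelp-Remote-Access.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "SimpleHelp-Remote-Access.exe"),
    ProcessEvent(1005, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe"),
]


if __name__ == "__main__":
    for e in powershell_spawning_cmd(SAMPLE_EVENTS):
        print(f"[powershell->cmd] pid={e.pid} {e.command_line}")
    for e in unapproved_rmm_executions(SAMPLE_EVENTS):
        print(f"[unapproved RMM] pid={e.pid} {e.image}")
```

The parent/child check alone is noisy in environments where administrative scripts routinely shell out, so in practice it is tuned with the command line (the `command_line` field is kept on the record for that reason); the RMM check is deliberately path-based because blocking the binary outright, as the brief suggests, is only feasible once the approved installs are enumerated.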
GoAnywhere MFT Zero-Day Exploited by Medusa Ransomware (CVE-2025-10035)
Storm-1175 (Medusa affiliate) exploited a deserialization flaw in GoAnywhere MFT since September 10, 2025, using Rclone for data exfiltration. Fortra patched the flaw on September 18.
Impact: RCE in unpatched instances (500+ exposed online).
Mitigation: Patch immediately; inspect logs for SignedObject.getObject stack traces.
Source: BleepingComputer
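Two of the mitigations in this brief are log searches: the Oracle EBS item lists two IOC IP addresses, and the GoAnywhere MFT item says to look for SignedObject.getObject stack traces. The following added example (not code from the brief or its sources) runs both searches over constructed log lines, matching the IPs as whole tokens so that a longer address sharing a prefix is not a false hit. The log formats and the sample lines are constructed; only the two IPs and the stack-trace fragment come from the brief.

```python
import re
import sys

# IOC IP addresses the brief lists for the Oracle EBS campaign.
IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# Stack-trace fragment the brief names for GoAnywhere MFT deserialization exploitation.
GOANYWHERE_SIGNATURE = "SignedObject.getObject"

# Whole-token IPv4 match; \b stops "185.181.60.112" from matching "185.181.60.11".
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_ioc_hits(lines):
    """Return (line_number, indicator_type, matched_value) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((n, "ioc_ip", ip))
        if GOANYWHERE_SIGNATURE in line:
            hits.append((n, "goanywhere_deserialization", GOANYWHERE_SIGNATURE))
    return hits


# Constructed sample lines (web access log and application log); not real captures.
SAMPLE_LINES = [
    '200.107.207.26 - - [10/Aug/2025:03:14:07 +0000] "POST /app/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Aug/2025:03:14:09 +0000] "GET /app/status HTTP/1.1" 200 88',
    '185.181.60.112 - - [10/Aug/2025:03:14:11 +0000] "GET /app/ HTTP/1.1" 200 88',
    'WARN  [http-nio-8000-exec-3] Exception in request handler',
    '    at java.security.SignedObject.getObject(SignedObject.java:179)',
    '185.181.60.11 - - [10/Aug/2025:03:15:02 +0000] "POST /app/ HTTP/1.1" 500 0',
]


if __name__ == "__main__":
    # Read a log from stdin if one is piped in, otherwise run on the sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LINES
    for n, kind, value in find_ioc_hits(source):
        print(f"line {n}: {kind} {value}")
```

Line 3 in the sample is the deliberate near miss: it shares the first eleven characters with one of the IOC addresses but is a different host, and the whole-token match keeps it out of the results. For the stack-trace check, the Java frame line is the one that carries the signature, so the preceding WARN line is reported only through its context when the analyst opens the log.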
Unity Game Engine Flaw Endangers Millions of Gamers (CVE-2025-59489)
A command-line injection flaw in Unity (2017.1+) lets attackers load malicious libraries on Android/Windows. Steam and Microsoft blocked vulnerable games; titles like Hearthstone and Forza Customs are affected.
Impact: Local/remote code execution (CVSS 8.4) via -xrsdk-pre-init-library argument.
Mitigation: Rebuild games with patched Unity versions (e.g., 2022.3.67f2) or replace UnityPlayer.dll.
Source: BleepingComputer
Scattered LAPSUS$ Hunters Leak 1B Records from Salesforce Customers
The group (allegedly merging LAPSUS$, Scattered Spider, and ShinyHunters) breached 39 organizations via Salesforce instances, extorting victims and threatening litigation. Data includes records from Coca-Cola, Toyota, and Disney.
Source: SecurityWeek
American Income Life Insurance Exposes 150K Policyholders’ Data
A misconfigured database leaked policy details (names, DOBs, SSNs) of 150,000 customers, with evidence of active exploitation attempts via account takeovers. Parent company Globe Life had a prior breach in 2024.
Source: DataBreaches
Asahi Beer Confirms Ransomware Attack, Production Halts
Japan’s Asahi Group suffered a ransomware attack disrupting domestic operations, with data exfiltration confirmed. Production resumed manually, but email systems remain offline.
Source: SecurityWeek
Zeroday.Cloud Offers $4.5M for Cloud Exploits
Wiz’s hacking contest (Dec 2025) will reward 0-click RCEs in Kubernetes, Docker, and web servers (e.g., $300K for Nginx). The contest has been criticized for copying Pwn2Own’s rules verbatim.
Source: SecurityWeek
Chinese BIETA Firm Linked to MSS Cyber Operations
Beijing Institute of Electronics Technology (BIETA) developed steganography tools and surveillance tech for China’s Ministry of State Security, per Recorded Future.
Source: The Hacker News