Oracle criticized for a massive OCI breach affecting 140K tenants...
The breach of Oracle’s OCI, reported last week, appears to have a widespread effect: six million records were allegedly exfiltrated and around 140K tenants were impacted, including high-profile companies such as FedEx, Chase, PayPal, Cloudflare, Fortinet and the New York Times. The attacker, a hacker using the handle rose87168, reportedly broke into OCI through an unpatched Oracle Fusion Middleware flaw (CVE-2021-35587, in Oracle Access Manager) that allows unauthenticated network access to the affected endpoints via crafted HTTP requests. The stolen data includes JKS files, JPS keys and SSO and LDAP passwords, and rose87168 is now offering incentives for decrypting the SSO and LDAP credentials. Oracle executives, who still deny that a breach of Oracle Cloud occurred, are under significant criticism from the cybersecurity community for avoiding taking responsibility.

Mitigate it
Set the relevant IDS signatures to block mode: Palo Alto (92336), Fortigate (51328), Cisco (1:61004) and Check Point (CVE-2021-35587). If your tenant was affected, treat the SSO and LDAP credentials and the keystore material in the leaked JKS/JPS files as compromised and rotate them.
... and for another breach in Oracle Health
Besides the OCI breach, it has also been revealed that a hacker using the handle “Andrew” compromised Oracle Health. In February, the attacker used compromised customer credentials to access legacy data migration servers and exfiltrate sensitive data, including patient information. Here too Oracle is under wide criticism, as the firm has refused to contact affected patients directly and requires customers to communicate with its CISO by phone only. Oracle Health, formerly Cerner, is a leading SaaS platform managing Electronic Health Records (EHR) for hospitals.
When the attacker is attacked through an LFI vulnerability
Cybersecurity researchers exploited a vulnerability in the data leak website of BlackLock (aka El Dorado) to expose its infrastructure. The local file inclusion (LFI) flaw is a website misconfiguration that lets a visitor read files outside the web root through a path traversal attack. Among other things, the history of BlackLock’s operator commands leaked. BlackLock is the fastest-growing group of 2025, with 46 victims from various sectors so far. It recently targeted hybrid environments through the synchronization between Active Directory and Entra ID to gain initial access to on-prem users.
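The misconfiguration behind an LFI, shown as an added example that is not BlackLock's real site code: a file handler that joins user input under the web root with no normalisation, next to a hardened handler that resolves the path and refuses anything that leaves the root. The sandbox directory, the page names and the stand-in for the leaked command history are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox, not the real leak site: a web root holding one
# public page, plus a file one level above it standing in for the
# operator shell history that leaked in the incident described above.
ROOT = Path(tempfile.mkdtemp())
WEBROOT = ROOT / "public"
WEBROOT.mkdir()
(WEBROOT / "index.html").write_text("<h1>leak site</h1>")
(ROOT / ".bash_history").write_text("history of operator commands")


def serve_vulnerable(name: str) -> str:
    """The misconfiguration: the request path is joined under the web root
    with no normalisation, so '../' segments walk out of the directory and
    an absolute path replaces the base entirely (os.path.join semantics)."""
    with open(os.path.join(WEBROOT, name)) as fh:
        return fh.read()


def serve_hardened(name: str) -> str:
    """Resolve the requested path (collapsing '..' and following symlinks)
    and refuse anything whose final location is not under WEBROOT."""
    base = WEBROOT.resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise PermissionError(f"path escapes web root: {name!r}")
    return target.read_text()


def demo() -> dict:
    """Run both handlers against a legitimate request, a '../' traversal
    and an absolute path, and report what each one did."""
    results = {"vulnerable": serve_vulnerable("../.bash_history")}
    for label, req in (("hardened", "../.bash_history"),
                       ("absolute", "/etc/passwd")):
        try:
            serve_hardened(req)
            results[label] = "ALLOWED"
        except PermissionError:
            results[label] = "BLOCKED"
    results["legit"] = serve_hardened("index.html")
    return results


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by filtering `..` out of the string, so percent-encoded or doubled `../` variants and symlinks planted inside the root all end up judged by where they actually point; it only holds if URL decoding happens before the path is joined, which is where most real servers do it.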

CrushFTP accused cybersecurity firms of releasing POC exploits
A surge in exploitation attempts against a critical CrushFTP vulnerability (CVE-2025-2825) has been observed. The flaw, which resides in the component that lets Amazon S3 serve as the backend file system, allows unauthenticated access over the HTTP(S) port. Around 1.5K vulnerable CrushFTP instances remain exposed to the Internet. CrushFTP accused the cybersecurity firms that released a POC exploit of being responsible for the current attacks. Moreover, the vendor delayed assigning a CVE ID for over a month and now asks users to track the issue as CVE-2025-31161 rather than CVE-2025-2825, an ID that a threat intelligence company assigned against CrushFTP’s will.
Mitigate it
Update to a fixed release and set up the DMZ proxy instance of CrushFTP, so the main server’s HTTP(S) port is not reachable directly from the Internet
A wide, coordinated campaign targeting GlobalProtect portals
A wide-scale campaign is targeting Palo Alto PAN-OS GlobalProtect portals: some 24K malicious IP addresses have been seen scanning these systems, apparently in a coordinated operation aimed at exploiting old vulnerabilities. The activity shares patterns with the 2024 ArcaneDoor campaign, which targeted perimeter network devices worldwide.
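A distributed scan like this is visible as many distinct sources each touching the portal login page once or twice inside a short window, which is a different shape from one source hammering it. The detector below is an added example, not GreyNoise’s or Palo Alto’s code; the login path, the window size and the source-count threshold are assumptions to adjust to your own portal, and the log lines are constructed from documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed portal login path and thresholds (not taken from the report above);
# tune MIN_DISTINCT_SOURCES to your portal's normal distinct-client baseline.
GP_LOGIN_PATH = "/global-protect/login.esp"
WINDOW_SECONDS = 600
MIN_DISTINCT_SOURCES = 10

# Constructed access-log sample, not real telemetry: twelve one-shot scanners
# and one returning user inside 10:00-10:10, two stragglers in a later
# window, one request to a different path and one malformed line.
SAMPLE_LOG = """\
2025-03-28T10:00:01Z 203.0.113.1 GET /global-protect/login.esp 200
2025-03-28T10:00:07Z 203.0.113.2 GET /global-protect/login.esp 200
2025-03-28T10:00:19Z 203.0.113.3 GET /global-protect/login.esp 200
2025-03-28T10:01:02Z 203.0.113.4 GET /global-protect/login.esp 200
2025-03-28T10:01:44Z 203.0.113.5 GET /global-protect/login.esp 200
2025-03-28T10:02:00Z 192.0.2.5 GET /global-protect/login.esp 200
2025-03-28T10:02:05Z 192.0.2.5 POST /global-protect/login.esp 302
2025-03-28T10:02:09Z 203.0.113.6 GET /global-protect/login.esp 200
2025-03-28T10:02:30Z 192.0.2.5 GET /global-protect/portal/portal.esp 200
2025-03-28T10:02:51Z 203.0.113.7 GET /global-protect/login.esp 200
2025-03-28T10:03:13Z 203.0.113.8 GET /global-protect/login.esp 200
2025-03-28T10:03:40Z 203.0.113.9 GET /global-protect/login.esp 200
2025-03-28T10:04:05Z 203.0.113.10 GET /global-protect/login.esp 200
2025-03-28T10:04:22Z 203.0.113.11 GET /global-protect/login.esp 200
2025-03-28T10:04:58Z 203.0.113.12 GET /global-protect/login.esp 200
this line is not a log record
2025-03-28T10:21:10Z 198.51.100.7 GET /global-protect/login.esp 200
2025-03-28T10:23:45Z 198.51.100.8 GET /global-protect/login.esp 200
"""

# timestamp source-ip method path status
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, source_ip, path), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, _method, path, _status = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, path


def detect_distributed_scan(log_text, window=WINDOW_SECONDS,
                            min_sources=MIN_DISTINCT_SOURCES):
    """Bucket login-page requests into fixed windows and flag every window
    whose count of distinct source IPs reaches the threshold. The average
    hits per source is reported so an analyst can tell a spread-out scan
    (close to 1) from a single noisy client, which belongs to a separate
    brute-force rule."""
    hits_by_window = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != GP_LOGIN_PATH:
            continue
        when, ip, _ = rec
        bucket = int(when.timestamp()) // window * window
        hits_by_window[bucket][ip] += 1

    alerts = []
    for start in sorted(hits_by_window):
        per_ip = hits_by_window[start]
        if len(per_ip) < min_sources:
            continue
        alerts.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "distinct_sources": len(per_ip),
            "avg_hits_per_source": round(sum(per_ip.values()) / len(per_ip), 2),
            "sources": sorted(per_ip),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_scan(SAMPLE_LOG):
        print(alert)
```

The `sources` list of a flagged window is the input for a temporary block list or for enrichment against a scanner-reputation feed; the legitimate user in the sample lands in it too, which is why the list should be reviewed or cross-checked rather than blocked blindly.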

An EDR killer is proliferating among ransomware groups
New research shows that ransomware groups are increasingly using EDRKillShifter, an “EDR killer” tool that attackers with admin privileges use to corrupt, blind or terminate EDR protections. RansomHub, currently the most prominent ransomware group worldwide, developed EDRKillShifter and recently started offering it to its affiliates. However, for an unknown reason, the tool has seemingly proliferated to rival groups and has been leveraged by infamous ransomware actors such as Play, Medusa and BianLian.
KL Airport suffered a devastating ransomware attack
A devastating ransomware attack caused days of disruption at Malaysia’s Kuala Lumpur International Airport. Flight Information Display Systems (FIDS) were taken offline, check-in counters were forced to switch to manual operations, and the platforms supporting international communications and security protocols stopped working. The Malaysian government refused to pay a $10M ransom demand. It is not yet clear which group is behind the attack or how it operated.

Sources
- https://www.sygnia.co/threat-reports-and-advisories/oracle-cloud-event-federated-sso-incident/, https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a, https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
- https://www.bleepingcomputer.com/news/security/oracle-health-breach-compromises-patient-data-at-us-hospitals/
- https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure
- https://thehackernews.com/2025/03/new-security-flaws-found-in-vmware.html, https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
- https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity
- https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/
- https://gbhackers.com/kuala-lumpur-airport-hit-by-cyberattack/