🎓️ Vulnerable U | #137
Oracle is the new MOVEit thanks to Cl0p, Redis vuln a perfect CVSS 10, Google DeepMind puts out AI agent that finds and fixes vulns, and much more!
Read Time: 8 minutes

Howdy friends!
Some of my family is coming to town for an extended period of time and they need their car. They were going to drive themselves but I decided that was dumb and am flying out to get them. So as I hit schedule on this, I’m going to be driving across country for the next few days.
Accepting distractions and entertainment. If you hear about a hacker up to no good in the desert, no you didn’t.
ICYMI
🖊️ Something I wrote: This BBC reporter was offered 25% of a ransom payout if he gave hackers access to the corporate network.
🎧️ Something I heard: Cisco situation keeps getting worse
🎤 Something I said: Did the Secret Service just take down a massive cyber threat?
🔖 Something I read: Disrupting malicious uses of AI: an update (OpenAI Threat Intel)
Vulnerable News
CL0P's back with another zero-day mass exploitation campaign, this time hitting Oracle E-Business Suite customers hard. Google's threat intel team tracked the group exploiting what became CVE-2024-61882 as early as August (possibly July), weeks before Oracle even knew about it. The attack pattern's familiar - exploit a widely-used enterprise app, steal data quietly for months, then launch mass extortion emails to executives claiming they've been breached. Oracle finally pushed emergency patches on October 4th, but by then the damage was done.
They're using multi-stage Java implants with names like GOLDVEIN, SAGEGIFT, and SAGEWAVE that live entirely in memory and communicate back to C2 servers disguised as TLS handshakes. The attackers store their payloads directly in the EBS database and use compromised third-party email accounts (likely from infostealers) to send extortion demands. It’s giving MOVEit, and not in a good way. I expect this isn’t the last we hear about it. (read more)
Security teams can’t fix every issue - research shows most only remediate 10-15% of vulns each month. The challenge is knowing what’s truly urgent. That’s why more teams are adopting EPSS, which predicts which vulns are most likely to be exploited in the next 30 days. Paired with CVSS, CISA KEV, and expert context in the Intruder platform, it’s proving the smarter way to prioritize - helping lean teams spend less time debating what to fix, and more time reducing risk.
*Sponsored
SonicWall just delivered some not-so-great news about that cloud backup breach from last month. Remember when they said it only affected "certain MySonicWall accounts"? Well, turns out that was PR speak for "literally every single customer who used our cloud backup service." Their investigation with Mandiant confirmed that all firewall configuration backup files stored in their cloud got accessed by unauthorized parties. These .EXP files contain AES-256 encrypted credentials and firewall config data.
The remediation checklist they've provided is pretty extensive - password resets, API key updates, TOTP resets, LDAP/RADIUS updates, IPSec shared secrets, basically if it is sensitive it needs to be bounced. There was also a comment connecting this to recent Akira ransomware attacks, suggesting the stolen backups might explain how attackers bypassed MFA (since TOTP seeds would be in those config files). (read more)
Microsoft's threat intel team has been tracking a financially motivated group called Storm-2657 that's been pulling off "payroll pirate" attacks against US universities. These guys are phishing employees to get into their email accounts, then pivoting to HR systems like Workday to literally steal their salaries by redirecting direct deposits to attacker-controlled bank accounts. They're using phishing themes like fake illness outbreaks on campus or bogus misconduct reports to trick people into clicking malicious links.

Once they're in, they create inbox rules to automatically delete any notification emails from Workday so victims don't realize their payroll info has been changed. They also add their own phone numbers as MFA devices for persistence. The good news is Microsoft's provided a ton of hunting queries and detection rules to help orgs spot this activity, but the real takeaway for us here is that phishing-resistant MFA would shut this whole attack chain down. (read more)
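As an added example (not from the newsletter and not Microsoft's own queries), here is a small Python hunt over Exchange Online audit records for inbox rules that hide HR or payroll notifications, the notification-deleting trick described above; the records, users and keyword list are constructed assumptions.

```python
import json

# Constructed sample records shaped like Exchange Online unified audit log
# entries for inbox-rule changes; hypothetical users, not real data.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.edu",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords",
                                "Value": "Workday;direct deposit;payment elections"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.edu",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@example.com"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "carol@example.edu",
                "Parameters": [{"Name": "Identity", "Value": "Payroll"},
                               {"Name": "FromAddressContainsWords", "Value": "workday.com"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
]

# Terms an attacker would match to suppress HR/payroll change notifications (assumed list).
HR_TERMS = ("workday", "payroll", "direct deposit", "payment election", "bank account")
# Rule actions that hide a message from the mailbox owner.
HIDING_ACTIONS = ("DeleteMessage", "SoftDeleteMessage", "MoveToFolder")
# Rule condition parameters whose values are worth inspecting.
CONDITION_KEYS = ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                  "BodyContainsWords", "FromAddressContainsWords", "From")


def find_notification_hiding_rules(records):
    """Return (user, operation, reason) for rules that hide HR-themed mail."""
    hits = []
    for raw in records:
        rec = json.loads(raw)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        conditions = " ".join(v for k, v in params.items() if k in CONDITION_KEYS).lower()
        matched = [t for t in HR_TERMS if t in conditions]
        actions = [a for a in HIDING_ACTIONS if a in params]
        if matched and actions:  # HR-themed condition plus a hiding action = worth a look
            hits.append((rec["UserId"], rec["Operation"],
                         f"conditions {matched} with actions {actions}"))
    return hits


if __name__ == "__main__":
    for hit in find_notification_hiding_rules(SAMPLE_RECORDS):
        print(*hit)
```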
The all-new Human Risk Command Center from Mimecast empowers your team to catch, control, and contain threats the second they surface.
*Sponsored
Wiz is in with a perfect 10: RediShell (CVE-2025-49844), a CVSS 10.0 vulnerability in Redis that's been lurking for 13 years. It's a use-after-free bug that lets attackers escape the Lua sandbox and get full RCE on the host by sending malicious Lua scripts. Some stats about Redis's deployment footprint are nuts: it's looking like 330,000 internet-exposed instances, with about 60,000 running completely unauthenticated.
It gets worse. Redis powers 75% of cloud environments, and 57% deploy it as container images that often skip proper hardening. The attack chain is straightforward: malicious Lua script → sandbox escape → reverse shell → credential theft → lateral movement. Redis patched this on October 3rd, so if you're running Redis anywhere (especially internet-facing), drop everything and update. Pro tip: while you're at it, enable authentication and disable Lua scripting if you're not using it. (read more)
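An added example, not the newsletter's or Redis's own code, to make the pro tip concrete: a Python audit of a redis.conf fragment that flags an exposed, unauthenticated instance with Lua reachable, and passes a hardened fragment that uses an ACL rule to deny the scripting category. Both fragments and the placeholder secret are constructed.

```python
import shlex

# Constructed redis.conf fragments (hypothetical, not from the page or any real host):
# one internet-exposed and unauthenticated, one hardened along the lines of the tip above.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
# Default user: password required, @scripting (EVAL, EVALSHA, SCRIPT, FUNCTION) denied.
user default on >REPLACE_WITH_LONG_RANDOM_SECRET ~* &* +@all -@scripting
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*", "-0.0.0.0"}

def parse_conf(text):
    """Return (directive, args) pairs in file order; comments and blanks skipped."""
    pairs = []
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            pairs.append((parts[0].lower(), parts[1:]))
    return pairs

def scripting_denied(acl_rules):
    """ACL rules apply left to right, so the last scripting-relevant token decides."""
    relevant = [r for r in acl_rules if r in ("+@all", "+@scripting", "-@scripting", "-@all")]
    return not relevant or relevant[-1] in ("-@scripting", "-@all")

def audit_redis_conf(text):
    """Return a list of weak-setting findings for a redis.conf fragment."""
    pairs = parse_conf(text)
    conf = dict(pairs)  # last occurrence of a directive wins, as in Redis itself
    default_user = next((a[1:] for n, a in pairs if n == "user" and a[:1] == ["default"]), None)
    findings = []
    if not conf.get("bind") or WILDCARD_BINDS & set(conf["bind"]):
        findings.append("bind: unset or wildcard, so Redis listens on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode: disabled")
    has_password = bool(conf.get("requirepass", [""])[0]) or (
        default_user is not None and any(r.startswith(">") for r in default_user))
    if not has_password:
        findings.append("auth: no requirepass and no password on the default user")
    if default_user is None or not scripting_denied(default_user):
        findings.append("scripting: EVAL reachable, no -@scripting rule on the default user")
    return findings
```

The check only models the default user's ACL; if you define other users, audit their rules the same way.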
California just dropped some solid privacy legislation that actually has teeth. Governor Newsom signed a bill requiring web browsers to give Californians a simple, universal opt-out button for data sharing instead of making them play whack-a-mole on every website they visit. Until now, if you wanted universal opt-out, you had to hunt down third-party extensions or switch to privacy-focused browsers entirely.
This builds on the 2018 California Consumer Privacy Act, which gave people the right to opt out but didn't force browsers to make it user-friendly. Newsom had vetoed a broader version last year that would've included mobile operating systems too. He also signed a couple other privacy wins - one forcing social media companies to make account deletion actually delete your data (revolutionary concept), and another giving people more transparency about what data brokers are collecting and selling. Privacy advocates are pretty stoked since this is the first law of its kind in the US. (read more)
Salesforce just told some cybercriminals to pound sand after they demanded ransom for allegedly stealing nearly 1 billion customer records. The group calling itself "Scattered LAPSUS$ Hunters" has been running a social engineering campaign since May - they'd call Salesforce customers and convince them to connect malicious apps to their portals. Shockingly, it worked on a bunch of people.
The attackers set up a leak site naming Toyota, FedEx, and 37 other victims, giving Salesforce until this week to pay up or they'd dump everything. Salesforce's response was blunt: they won't engage, negotiate, or pay any extortion demand. This stance is getting more attention as security experts push back against the whole "just pay the ransom" mentality that's been fueling the $813 million ransomware industry. (read more)
Qilin ransomware just added Asahi brewery to their wall of shame after the Japanese beer giant got hit hard. They're claiming to have snatched over 9,300 files totaling 27GB of data, and posted samples showing financial docs, employee IDs, and internal contracts as proof. Asahi had to shut down six facilities back on September 29th, and now we know why.

Their flagship Super Dry production is back online using manual systems, but they're still scrambling to get full operations restored by October 15th. Qilin's claiming this whole mess will cost Asahi around $335 million in losses, and they've already had to postpone new product launches. This group's been busy lately - they've also hit Nissan, major London NHS hospitals, and others since emerging in 2023. (read more)
This feels a whole lot like the DEFCON AIxCC challenge getting people to put out tools that can use AI to find and fix vulns. Google entering the ring is interesting here too.
CodeMender is an AI agent that automatically finds and fixes code vulnerabilities. This ain’t your grand pappy’s (me) SAST. It's using their Gemini Deep Think models to actually understand code, identify root causes of bugs, and write proper patches. One cool part is it's both reactive (fixing new vulns as they're found) and proactive (rewriting existing code to use safer APIs and data structures). They've already gotten 72 security fixes upstreamed to various open source projects over the past six months.
A lot of these agents aren't just a better scanner. The secret sauce is in their validation chains. If you've been in AppSec, you know the false positive problem. So having parts of the agent chain validate its own findings is the real trick.
This DeepMind agent uses debuggers, static analysis, fuzzing, and even SMT solvers to make sure its patches actually work and don't break anything. They're being smart about the rollout too - everything still gets human review before submission. The libwebp example they show is pretty compelling, where they're adding -fbounds-safety annotations that would've prevented that CVE-2023-4863 heap overflow that got weaponized in iOS attacks. If this scales well, it could be a game-changer for maintaining security in large codebases. Color me cautiously optimistic. (read more)
DraftKings got hit with another credential stuffing attack, discovered on September 2nd. This follows their 2022 incident where 68,000 accounts were compromised (and led to some arrests). The attackers managed to access user profiles including names, addresses, transaction info, and partial payment card details - though no government IDs or full financial data were exposed. (read more)
Scattered Lapsus$ Hunters is trying something new in the ransomware game - crowdsourced extortion at bargain basement prices. They're offering $10 in Bitcoin to anyone willing to spam executives of their alleged victims, with "bonuses" for using personal email accounts. (read more)
GreyNoise just reported a massive 500% spike in reconnaissance scans targeting Palo Alto Networks portals, with over 1,285 unique IPs (mostly from the US) probing GlobalProtect and PAN-OS login pages. While this could signal preparation for exploiting a zero-day (like we saw with those Cisco ASA scans that preceded an actual vulnerability), GreyNoise thinks the correlation isn't as strong this time.
In the same report, they caught 110 malicious IPs (primarily from Bangladesh) trying to exploit an old Grafana path traversal bug (CVE-2021-43798) from 2021. The attack patterns suggest automation, targeting mainly US, Slovak, and Taiwanese systems. If you're running Grafana, double-check those patches and look for any suspicious path traversal attempts in your logs. (read more)
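As an added example (not part of GreyNoise's report or the newsletter), a Python check that pulls CVE-2021-43798-style traversal requests out of Grafana access logs, including percent-encoded variants, and notes whether the server answered 200; the log lines, IPs and hostnames are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in combined log format (hypothetical IPs and hosts, not real
# data). The first two mimic traversal probes under /public/plugins/, the rest are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Oct/2025:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1234 "-" "python-requests/2.31"
203.0.113.11 - - [08/Oct/2025:10:01:03 +0000] "GET /public/plugins/welcome/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fhostname HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.5 - - [08/Oct/2025:10:02:00 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 5120 "https://grafana.example.internal/d/abc" "Mozilla/5.0"
198.51.100.6 - - [08/Oct/2025:10:02:01 +0000] "GET /public/plugins/welcome/img/logo.svg HTTP/1.1" 304 0 "https://grafana.example.internal/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_PREFIX = "/public/plugins/"  # the path the 2021 bug lived under

def normalise(path):
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become '..'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def find_traversal_attempts(log_text):
    """Return one dict per request that walks up out of the plugin directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise(m["path"])
        if path.startswith(PLUGIN_PREFIX) and "/../" in path + "/":
            status = int(m["status"])
            # A 200 means the instance served the traversal; a patched Grafana rejects it.
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path,
                         "status": status, "served": status == 200})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```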

Unit 42 stumbled across something pretty wild - a whole phishing kit factory called "IUAM ClickFix Generator" that's been cranking out fake browser verification pages since July. This thing's got all the bells and whistles: OS detection, clipboard hijacking, customizable messaging, the works. Basically, it lets any script kiddie whip up convincing fake Cloudflare-style "verify you're human" pages that trick users into copy-pasting malicious PowerShell or terminal commands. They found it sitting wide open on an HTTP server, which is either sloppy opsec or a bold business model.
They've spotted campaigns using these generated pages to drop DeerStealer on Windows boxes and Odyssey infostealer on Macs. Some pages even had leftover Russian comments from the developers, which tells you something about the supply chain here. What's concerning is how effective this social engineering vector is - people are conditioned to trust those browser verification challenges, so when one tells them to paste a command to "prove they're human," many just do it. It's like weaponizing our collective muscle memory around web browsing. (read more)
Miscellaneous mattjay



How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay