2025-10-13

Every week, the cyber world reminds us that silence doesn't mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done.

This week's edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons. From major software bugs to AI abuse and new phishing tricks, each story shows how fast the threat landscape is shifting and why security needs to move just as quickly.

⚡ Threat of the Week

Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw — Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, according to Google Threat Intelligence Group (GTIG) and Mandiant. The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have chained together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data. The attack chains have been found to trigger two different payload chains, dropping malware families like GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. Oracle has also released updates to EBS to address another vulnerability in the same product (CVE-2025-61884) that could lead to unauthorized access to sensitive data. The company did not say whether it was being exploited in the wild.

🔔 Top News

Storm-1175 Linked to Exploitation of GoAnywhere MFT Flaw — A cybercriminal group Microsoft tracks as Storm-1175 exploited a maximum-severity vulnerability in GoAnywhere MFT (CVE-2025-10035) to launch multi-stage attacks that include the deployment of Medusa ransomware. Storm-1175's attacks are opportunistic and have affected organizations in the transportation, education, retail, insurance, and manufacturing sectors. The activity blends legitimate tools with stealthy techniques to stay under the radar and monetize access through extortion and data theft, using the access to install remote monitoring tools such as SimpleHelp and MeshAgent, drop web shells, and move laterally across networks using built-in Windows utilities. Fortra has since disclosed that it began its investigation on September 11 following a "potential vulnerability" reported by a customer, uncovering "potentially suspicious activity" related to the flaw.

🔥 Trending CVEs

Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week's most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

This week's list includes — CVE-2025-61884 (Oracle E-Business Suite), CVE-2025-11371 (Gladinet CentreStack and TrioFox), CVE-2025-5947 (Service Finder theme), CVE-2025-53967 (Framelink Figma MCP server), CVE-2025-49844 (Redis), CVE-2025-27237 (Zabbix Agent), CVE-2025-59489 (Unity for Android and Windows), CVE-2025-36604 (Dell UnityVSA), CVE-2025-37728 (Elastic Kibana Connector), CVE-2025-56383 (Notepad++), CVE-2025-11462 (AWS Client VPN for macOS), CVE-2025-42701, CVE-2025-42706 (CrowdStrike Falcon), CVE-2025-11001, CVE-2025-11002 (7-Zip), CVE-2025-59978 (Juniper Networks Junos Space), CVE-2025-11188, CVE-2025-11189, CVE-2025-11190 (SynchroWeb Kiwire Captive Portal), CVE-2025-3600 (Progress Telerik UI for ASP.NET AJAX), a cross-site scripting (XSS) vulnerability in REDCap, and unpatched security vulnerabilities in Ivanti Endpoint Manager (from ZDI-25-935 through ZDI-25-947).

📰 Around the Cyber World

TwoNet Targets Forescout Honeypot — An ICS/OT honeypot run by Forescout, designed to mimic a water treatment facility, was targeted last month by a Russia-linked group named TwoNet. The financially motivated hacktivist group subsequently attempted to deface the associated human machine interface (HMI), disrupt processes, and manipulate other ICS. Forescout's honeypots also saw attack attempts that have been linked to Russia and Iran. TwoNet first emerged in January, primarily focused on DDoS attacks using the MegaMedusa Machine malware, per Intel471. Through an affiliated group, CyberTroops, TwoNet announced it was ceasing operations on September 30, 2025. "This underscores the ephemeral nature of the ecosystem where channels and groups are short-lived, while operators typically persist by rebranding, shifting alliances, joining other groups, learning new techniques, or targeting other organizations," Forescout said. "Groups moving from DDoS/defacement to OT/ICS often misread targets, trip over honeypots, or overclaim. That doesn't make them harmless; it shows where they are headed."

Israeli spyware maker NSO Group has disclosed that a U.S. investment group has acquired the controversial company. A company spokesperson told TechCrunch that "an American investment group has invested tens of millions of dollars in the company and has acquired controlling ownership."

Apple Revises its Bug Bounty Program — Apple announced significant updates to its bug bounty program, with the company now offering up to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks. It's also rewarding one-click WebKit sandbox escapes with up to $300,000, and up to $1 million for wireless proximity exploits over any radio, broad unauthorized iCloud access, and WebKit exploit chains leading to unsigned arbitrary code execution. "Since we launched the public Apple Security Bounty program in 2020, we're proud to have awarded over $35 million to more than 800 security researchers, with multiple individual reports earning $500,000 rewards," the company said. The new payouts will go into effect in November 2025.

🎥 Cybersecurity Webinars

Drowning in Vulnerability Alerts? Here's How to Finally Regain Control - Most security teams face the same problem — too many vulnerabilities and not enough time. Dynamic Attack Surface Reduction (DASR) helps fix this by finding and closing risks automatically, before attackers can use them. Instead of chasing endless alerts, teams can focus on what really matters: keeping systems safe and running smoothly. It's a smarter, faster way to stay one step ahead.

How Leading Teams Are Using AI to Simplify Compliance and Reduce Risk - AI is changing how organizations handle Governance, Risk, and Compliance (GRC). It can make compliance faster and smarter—but it also brings new risks and rules to follow. This session will show you how to use AI safely and effectively, with real examples, lessons from early adopters, and practical tips to prepare your team for the future of compliance.

From Firefighting to Secure-by-Design: A Practical Playbook - AI is changing fast, but security can't lag behind. The smartest teams now treat security controls as launchpads, not roadblocks — enabling AI agents to move quickly and safely. By shifting from reactive firefighting to a secure-by-design mindset, organizations gain both speed and confidence. With the right framework, you can control AI risks while accelerating innovation instead of slowing it down.

🔧 Cybersecurity Tools

P0LR Espresso - A new open-source tool from Permiso that helps security teams quickly analyze multi-cloud logs during live response. It normalizes data from platforms like AWS, Azure, and GCP to deliver clear timelines, behavioral insights, and IOC analysis—making it easier to spot compromised identities and understand what really happened.

Ouroboros - A new open-source decompiler built in Rust that uses symbolic execution to recover high-level code structure from compiled binaries. Unlike traditional decompilers that rely on static assignment models, Ouroboros tracks constraints and data flow to understand how registers and memory change during execution. This approach helps it reconstruct logical code patterns such as loops, conditions, and control flow regions, making it a practical tool for reverse engineering, program analysis, and security research.

Disclaimer: These tools are for educational and research use only. They haven't been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week

Don't Leave Your Backups Unlocked — Backups are your safety net — but if they're not encrypted, they can become your biggest risk. Anyone who gets access to an unencrypted backup can read everything inside: passwords, emails, financial data, customer info — all of it.

The Simple Fix: Always encrypt your backups before saving or sending them anywhere (USB, cloud, or server). Encryption locks your data so only you can open it.

🔐 Easy, Trusted Open-Source Tools:

Restic: Fast, simple, and encrypts everything automatically. Works with many cloud services.

BorgBackup: Compresses, deduplicates, and encrypts your backups — perfect for long-term storage.

Duplicity: Uses GPG encryption and supports encrypted backups to local or remote storage.

rclone: Syncs files securely to cloud storage with built-in encryption options.

Pro Tip: Test your backup regularly — make sure you can decrypt and restore it. A locked or broken backup is as bad as no backup at all.
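The two halves of this tip, encrypt before the backup leaves your machine and prove you can restore it, fit in one small script. The following is an added example written for this recap; it is not code from the article or from any of the tools listed above. It uses only tar and the openssl command-line tool so it runs anywhere those exist, reads the passphrase from an environment variable named BACKUP_PASSPHRASE (a name chosen for this example), and the sample files in the demo are constructed. Because `openssl enc` gives confidentiality only, the script adds an HMAC over the ciphertext so a backup that was altered or truncated in storage is rejected before any decryption is attempted.

```shell
#!/bin/sh
# Encrypt-then-verify backup check. Added example, not code from the article or
# from restic/BorgBackup/Duplicity/rclone. Needs only tar and openssl.
# BACKUP_PASSPHRASE (assumed variable name) must hold the passphrase.
set -eu

require_passphrase() {
    [ -n "${BACKUP_PASSPHRASE:-}" ] || { echo "BACKUP_PASSPHRASE is not set" >&2; return 2; }
}

# manifest DIR: one "sha256 *./path" line per file under DIR, in a fixed order,
# so an identical tree always yields an identical manifest.
manifest() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        openssl dgst -sha256 -r "$f"
    done)
}

# make_backup SRC_DIR OUT_FILE
#   Archives SRC_DIR, encrypts the stream (AES-256-CBC, key derived from the
#   passphrase with PBKDF2 and a random salt), then stores an HMAC over the
#   ciphertext and a manifest of plaintext checksums beside it.
make_backup() {
    src="$1"; out="$2"
    require_passphrase
    tar -C "$src" -cf - . \
      | openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:BACKUP_PASSPHRASE -out "$out"
    # Encrypt-then-MAC: verify_backup checks this tag before decrypting, so a
    # modified ciphertext is never fed to the decryptor.
    openssl dgst -sha256 -hmac "$BACKUP_PASSPHRASE" -r "$out" | cut -d' ' -f1 > "$out.hmac"
    manifest "$src" > "$out.sums"
}

# verify_backup OUT_FILE RESTORE_DIR
#   The "can I actually restore it?" test: check the HMAC, decrypt into
#   RESTORE_DIR, re-hash the restored tree and compare it to the manifest.
#   Returns 0 only when every step succeeds.
verify_backup() {
    out="$1"; dest="$2"
    require_passphrase
    expected=$(cat "$out.hmac")
    actual=$(openssl dgst -sha256 -hmac "$BACKUP_PASSPHRASE" -r "$out" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
        echo "integrity check failed for $out: ciphertext does not match its HMAC" >&2
        return 1
    fi
    mkdir -p "$dest"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASSPHRASE -in "$out" \
      | tar -C "$dest" -xf -
    manifest "$dest" > "$dest.sums"
    if ! cmp -s "$out.sums" "$dest.sums"; then
        echo "restore check failed for $out: restored files differ from manifest" >&2
        return 1
    fi
    echo "backup $out verified: HMAC ok, decrypt ok, $(wc -l < "$out.sums" | tr -d ' ') files match"
}

# demo: constructed sample data, one good round trip, then a corrupted copy.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/sub"
    printf 'customer list (constructed sample)\n' > "$work/data/customers.txt"
    printf 'ledger (constructed sample)\n' > "$work/data/sub/ledger.csv"
    make_backup "$work/data" "$work/data.tar.enc"
    verify_backup "$work/data.tar.enc" "$work/restore-good"
    printf 'X' >> "$work/data.tar.enc"   # simulate corruption in transit or at rest
    if verify_backup "$work/data.tar.enc" "$work/restore-bad"; then
        echo "unexpected: corrupted backup passed" >&2; rm -rf "$work"; return 1
    fi
    echo "corrupted backup was rejected as expected"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `export BACKUP_PASSPHRASE='...'` followed by `sh backup_check.sh --demo`; the demo prints one successful verification and one rejection. Two things to note: `openssl dgst -hmac` puts the passphrase on the command line, where other local users can see it in the process list, which is one reason the tools above read secrets from environment variables or files instead; and a restore test belongs on a schedule, not only on the day the backup is created, because it is the only check that covers the key, the tool version, and the storage all at once.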

Conclusion

The week's stories show both sides of cybersecurity — the creativity of attackers and the resilience of defenders. Our strength lies in awareness, collaboration, and action. Let's use every lesson learned to make next week's news a little less alarming.