
Dozens of Oracle customers impacted by Clop data theft for extortion campaign

9 October 2025 at 12:02

Clop, the notorious ransomware group, began targeting Oracle E-Business Suite customers three months ago and started exploiting a zero-day affecting the enterprise platform to steal massive amounts of data from victims as early as Aug. 9, Google Threat Intelligence Group and Mandiant said in a report Thursday. 

“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic Clop data extortion campaigns have had hundreds of victims,” John Hultquist, chief analyst at GTIG, said in a statement. “Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.”

The new timeline provided by Google’s incident response firm and security researchers confirms malicious activity against Oracle E-Business Suite customers began almost three months before Clop sent extortion emails to executives of alleged victim organizations demanding payment on Sept. 29. 

Oracle disclosed the critical zero-day vulnerability — CVE-2025-61882 — Saturday, two days after it said its customers had received extortion emails following exploitation of vulnerabilities it previously identified and addressed in a July security update. 

The widespread attack spree actually involved at least five distinct defects, including the zero-day, that were chained together to achieve pre-authenticated remote code execution, watchTowr researchers said earlier this week.

Researchers at watchTowr reproduced the full exploit chain after obtaining a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“It’s currently unclear which specific vulnerabilities or exploit chains correspond to CVE-2025-61882, however, GTIG assesses that Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains,” Google said in the report.

Researchers identified suspicious traffic that may point to early attempts at exploitation prior to Oracle’s July security update, but Google has not confirmed the precise nature of that activity. 

Many customers remain exposed and potentially vulnerable to attacks. Shadowserver scans found 576 potentially vulnerable instances of Oracle E-Business Suite on Oct. 6, with the majority of those IPs based in the United States.

Clop’s ransom demands have reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

Investigations into Clop’s activity underscore the stealthy nature of the threat group’s operations, including the use of multi-stage fileless malware designed to evade file-based detection. Other critical details remain unknown, and cybercriminals from other groups have complicated analysis through unsubstantiated claims.

Mandiant said it observed artifacts on Oct. 3 that overlap with an exploit leaked in a Telegram group dubbed “Scattered LAPSUS$ Hunters.” Yet, Google hasn’t gathered enough evidence to definitively link the malicious July 2025 activity with this exploit. 

“At this time, GTIG does not assess that actors associated with UNC6240 (also known as “Shiny Hunters”) were involved in this exploitation activity,” Google said in the report. 

While multiple pieces of evidence indicate Clop is behind the attacks, Google said it’s possible other threat groups are involved.

Clop has successfully intruded into multiple technology vendors’ systems, particularly file-transfer services, allowing it to steal data on many downstream customers. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The post Dozens of Oracle customers impacted by Clop data theft for extortion campaign appeared first on CyberScoop.

Oracle zero-day defect amplifies panic over Clop’s data theft attack spree

6 October 2025 at 17:34

Federal cyber authorities and threat hunters are on edge following Oracle’s Saturday disclosure of an actively exploited zero-day vulnerability the Clop ransomware group used to initiate a widespread data theft and extortion campaign researchers initially warned about last week. 

Oracle addressed the critical vulnerability — CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Saturday and advised customers to apply the patch as soon as possible. The tech giant previously said it was aware some customers had received extortion emails and said vulnerabilities it addressed in its July security update were potentially involved. 

Rob Duhart, chief security officer at Oracle Security, updated his blog post Saturday to alert customers to the zero-day. Oracle did not say the zero-day is actively exploited but it provided indicators of compromise, which indirectly confirm the defect has been exploited in the wild. 

The Cybersecurity and Infrastructure Security Agency added CVE-2025-61882 to its known exploited vulnerabilities catalog Monday, noting that it has been used in ransomware campaigns. 

Brett Leatherman, assistant director of the FBI’s Cyber Division, described the zero-day as an emergency putting Oracle E-Business Suite environments at risk of full compromise. 

“Oracle E-Business Suite remains a backbone enterprise resource planning system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast,” he said in a LinkedIn post.

The zero-day isn’t the only problem confronting Oracle and its customers. Clop exploited multiple vulnerabilities, including the zero-day, in Oracle E-Business Suite to steal large amounts of data from several victims in August, according to Mandiant Consulting CTO Charles Carmakal. 

Researchers at watchTowr reproduced the full exploit chain after a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“The chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution,” watchTowr researchers wrote in a blog post Monday. The cybersecurity firm said there is a high probability more vulnerabilities will be found in Oracle E-Business Suite tied to this campaign. 

The zero-day vulnerability, which has a CVSS rating of 9.8, can be exploited remotely without authentication, resulting in remote code execution. 

The significant lag time between when the attacks occurred and Oracle’s zero-day vulnerability disclosure indicates Clop was breaking into and stealing data from Oracle E-Business Suite customers’ environments for months. Researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails demanding payment. 

CrowdStrike researchers said the first known exploitation occurred Aug. 9, eight weeks before Oracle disclosed and patched the zero-day defect. 

The number of organizations impacted by Clop’s attack spree remains unknown, yet researchers have identified victims across multiple sectors and geographies. Clop’s ransom demands have reached up to $50 million, according to Halcyon.

“We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

“This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations,” she said.

Clop is a ransomware group that has successfully intruded into multiple technology vendors’ systems, allowing it to steal data on many downstream customers. The threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks.

Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The group is driven by profit, as it operates within a Russia-aligned cybercrime environment, Kaiser said. “Clop’s operations can simultaneously extract financial value and produce outcomes useful to state actors, such as data collection, disruption, or pressure on targeted organizations.”

The post Oracle zero-day defect amplifies panic over Clop’s data theft attack spree appeared first on CyberScoop.

CISA says it observed nearly year-old activity tied to Cisco zero-day attacks

25 September 2025 at 19:34

The Cybersecurity and Infrastructure Security Agency acknowledged it’s yet to get a complete handle on the scope and impact of attacks involving Cisco zero-day vulnerabilities that prompted it to release an emergency directive Thursday. 

The attack timeline dates back almost a year, according to an investigation Cisco and federal authorities did behind the scenes to identify the root cause and then coordinate the issuance of patches to address software defects under active exploitation. 

“We observed initial activity that we believe was related back in November,” Chris Butera, acting deputy executive assistant director for cybersecurity at CISA, said during a media briefing Thursday. “It started off as reconnaissance activity on these types of devices, and that’s what kicked off back in November.”

That malicious activity — read-only memory modification — “began as early as November 2024, if not earlier,” he said. 

CISA said it’s aware of hundreds of Cisco firewalls in use across the federal government that are potentially susceptible to exploitation. The mandated steps outlined in the emergency directive will help the agency understand the full scope of those devices and the extent of compromise across federal agencies, Butera said.

Critical infrastructure operators are also likely affected, and CISA is asking those organizations to report incidents as they are confirmed, Butera said. 

He also addressed a considerable delay from discovery to disclosure. Cisco said it initiated an incident response investigation into the attacks on multiple federal agencies in May, but four months passed before it disclosed the malicious activity and patched the zero-day vulnerabilities. 

During that time, CISA chose to hold off on releasing the emergency directive, which requires federal agencies to take immediate action by the end of Friday. 

“With any vulnerability coordination, it takes some time to properly understand what that vulnerability is and whether that vulnerability is being exploited, and some time for the vendors to develop a patch to mitigate that,” Butera said. “So the timeline involved both investigation and patch development for that process.”

He added that CISA and Cisco collaborated to implement mitigation steps and remediate the malicious activity. The agency also worked with Cisco through the coordinated vulnerability disclosure process “so we could appropriately address the risk as fully as possible during this time,” Butera said.

Federal officials are concerned attacks may accelerate or shift in the wake of CISA’s effort to prod agencies to thwart the threat. 

“As soon as these vulnerabilities are released to the threat actor, we believe the threat actor will likely try to pivot and change tactics,” Butera said. “We think it’s really important for our organization to try to detect that threat actor activity as quickly as possible, so that is what’s driving the tight timeline.” 

Officials declined to discuss the attackers’ origins or motivations in detail. Butera said CISA is not focused on attribution at this time, and he did not confirm research from outside threat intelligence firms pinning the espionage attacks on a China state-affiliated threat group tracked as UAT4356 and Storm-1849. 

Butera said the espionage attacks linked to the Cisco zero-day vulnerabilities are separate and not connected to the widespread and ongoing China state-sponsored attack spree Mandiant and Google Threat Intelligence Group researchers warned about Wednesday. Those attacks also involve exploitation of network edge devices.

The post CISA says it observed nearly year-old activity tied to Cisco zero-day attacks appeared first on CyberScoop.

CISA alerts federal agencies of widespread attacks using Cisco zero-days

25 September 2025 at 15:05

Federal cyber authorities sounded a rare alarm Thursday, issuing an emergency directive about an ongoing and widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls. 

Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” 

Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.”

The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action. 

Federal agencies are required to hunt for evidence of compromise, report findings and disconnect compromised devices by the end of Friday. Agencies running Cisco ASA firewalls are also required to apply Cisco’s patches or permanently disconnect end-of-life devices by the end of Friday.

“CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network,” CISA Acting Director Madhu Gottumukkala said in a statement.

Cisco did not fully explain why it waited four months from its initial response to the attacks on federal agencies to disclose the malicious activity and patch the zero-day vulnerabilities. 

The attackers “employed advanced evasion techniques such as disabling logging, intercepting command-line interface commands, and intentionally crashing devices to prevent diagnostic analysis. The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” the company said. 

CISA did not immediately respond to questions about why it waited four months to issue an emergency directive.

The agency described the campaign as widespread, resulting in remote-code execution and manipulation of read-only memory that persists through reboots and system upgrades. While CISA’s emergency directive only applies to federal agencies, the private sector often follows these urgent warnings closely.

“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this emergency directive,” Gottumukkala said.

Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys previously said it found compelling evidence indicating a threat group based in China was behind the ArcaneDoor campaign last year. Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.

The latest attacks initiated by the espionage group, tracked as UAT4356 by Cisco Talos and Storm-1849 by Microsoft Threat Intelligence, are a continuation or resurgence of that previous campaign involving new zero-days. 

Cisco said remote attackers can “gain full control of an affected device” by chaining together the vulnerabilities, two of which are designated as critical. 

When Storm-1849 was first identified in early 2024, the espionage group was targeting international entities, according to Sam Rubin, senior vice president of Palo Alto Networks’ Unit 42. Unit 42 also considers Storm-1849 to be affiliated with China.

“Over the past year, Unit 42 has observed them evolve their toolkit and in recent months their focus has shifted towards entities in the United States,” he said. “As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.”

The post CISA alerts federal agencies of widespread attacks using Cisco zero-days appeared first on CyberScoop.

Cisco uncovers new SNMP vulnerability used in attacks on IOS devices

By: Greg Otto
25 September 2025 at 10:57

Cisco Systems has issued security updates to address a critical vulnerability in its widely deployed IOS and IOS XE network operating systems, after confirming the flaw is being exploited in active attacks.

Designated CVE-2025-20352, the vulnerability resides in the Simple Network Management Protocol (SNMP) subsystem of Cisco’s core network software. According to Cisco, the weakness stems from a stack-based buffer overflow and affects any device with SNMP enabled. The flaw allows authenticated, remote attackers with low privileges to force targeted systems to reload, causing denial of service. Higher-privileged attackers could execute arbitrary code with root-level permissions on affected Cisco IOS XE devices, effectively gaining complete control.

Cisco disclosed that the vulnerability has been exploited in the wild. The company became aware of active attacks after the compromise of local administrator credentials. Attackers have leveraged the flaw by sending crafted SNMP packets over either IPv4 or IPv6 networks.

“All devices that have SNMP enabled and have not explicitly excluded the affected object ID (OID) should be considered vulnerable,” Cisco wrote in a published advisory. The company noted the problem affects all versions of SNMP, including v1, v2c, and v3. Models such as the Meraki MS390 and Catalyst 9300 running Meraki CS 17 or earlier are impacted, with a fix arriving in a further IOS XE software release.

No known workarounds exist beyond software updates. While organizations unable to immediately upgrade can mitigate some risk by limiting SNMP access to trusted users and network segments, Cisco advises that these are only temporary measures. 

The company’s security bulletin further instructs administrators on verifying the presence of SNMP and potentially affected configurations through command-line tools. Devices running IOS XR and NX-OS are confirmed as unaffected.

The same update that addressed the SNMP flaw also included patches for 13 other vulnerabilities. Two of these are considered significant: a reflected cross-site scripting weakness (CVE-2025-20240) permitting attackers to potentially steal session cookies, and a denial-of-service flaw (CVE-2025-20149) that can be triggered by authenticated local users. Both have proof-of-concept exploit code available publicly.

Cisco’s IOS and IOS XE platforms are foundational to global networking infrastructure, making vulnerabilities with the potential for remote code execution and denial of service particularly significant for enterprise operations and internet service providers. SNMP’s pervasive use for network monitoring and management, coupled with default or weak credential usage in some environments, continues to place heightened importance on timely security response.

The post Cisco uncovers new SNMP vulnerability used in attacks on IOS devices appeared first on CyberScoop.

Chinese Hackers Lurked Nearly 400 Days in Networks With Stealthy BrickStorm Malware

25 September 2025 at 07:35

Google’s Threat Intelligence Group and Mandiant link the BrickStorm campaign to UNC5221, warning that hackers are analyzing stolen code to weaponize zero-day vulnerabilities.

The post Chinese Hackers Lurked Nearly 400 Days in Networks With Stealthy BrickStorm Malware appeared first on SecurityWeek.

Chrome 140 Update Patches Sixth Zero-Day of 2025

18 September 2025 at 03:54

An exploited type confusion in the V8 JavaScript engine tracked as CVE-2025-10585 was found by Google Threat Analysis Group this week.

The post Chrome 140 Update Patches Sixth Zero-Day of 2025 appeared first on SecurityWeek.

Samsung Patches Zero-Day Exploited Against Android Users

15 September 2025 at 04:08

Reported by Meta and WhatsApp, the vulnerability leads to remote code execution and was likely exploited by a spyware vendor.

The post Samsung Patches Zero-Day Exploited Against Android Users appeared first on SecurityWeek.

Sitecore zero-day vulnerability springs up from exposed machine key

4 September 2025 at 13:33

An attacker exploited a zero-day vulnerability in Sitecore stemming from a misconfiguration of public ASP.NET machine keys that customers implemented based on the vendor’s documentation, according to researchers.

The critical zero-day defect — CVE-2025-53690 — was exploited by the attacker using exposed keys to achieve remote code execution, Mandiant Threat Defense said in a report Wednesday. The sample machine keys were included in Sitecore’s deployment guides dating back to at least 2017.

The configuration vulnerability impacts customers who used the sample key provided with deployment instructions for Sitecore Experience Platform 9.0 and earlier, Sitecore said in a security bulletin Wednesday. The vendor warned that all versions of Experience Manager, Experience Platform and Experience Commerce may be impacted if deployed in a multi-instance mode with customer-managed static machine keys.

“The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones — a move we don’t recommend,” said Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to remote code execution.”

Mandiant said it disrupted the attack after engaging with Sitecore, but said that effort prevented it from observing the full attack lifecycle. The incident response firm warns that many Sitecore customers used the commonly known ASP.NET machine key. 

Upon gaining access to the affected internet-exposed Sitecore instance, the attacker deployed a ViewState payload containing malware designed for internal reconnaissance, according to Mandiant. Researchers explained that ViewStates, an ASP.NET feature, are vulnerable to deserialization attacks when validation keys are absent or compromised. 

Mandiant said the unidentified attacker, whose motivations are unknown, demonstrated a deep understanding of Sitecore’s product as it progressed from initial compromise to escalate privileges and achieve lateral movement. 

Sitecore and researchers advised customers to rotate the machine key if a commonly known one was used, and hunt for evidence of ViewState deserialization attacks. Rotating keys won’t protect organizations using systems the attacker may have already intruded. 
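The rotation advice above is straightforward to automate for the ASP.NET side of a deployment. The following is an added example, not code from Sitecore, Mandiant or the article: it parses a web.config, flags a static `<machineKey>` whose values match a denylist of known sample keys, flags a weak validation algorithm or a disabled ViewState MAC, and generates a fresh random key pair. The denylist `KNOWN_SAMPLE_KEYS` and the embedded `SAMPLE_WEB_CONFIG` are constructed placeholders for demonstration, not the documentation keys the article refers to; in practice the denylist would be populated from the vendor's bulletin.

```python
"""Audit an ASP.NET web.config for a static, publicly known <machineKey> and
generate a replacement. Added example; assumptions are labelled in comments."""
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder denylist. Replace with the sample keys named in the
# vendor bulletin; they are deliberately not reproduced here.
KNOWN_SAMPLE_KEYS = {"0" * 128, "0" * 64}

# Constructed sample web.config using the placeholder keys above.
SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{'0' * 128}"
                decryptionKey="{'0' * 64}"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Validation algorithms acceptable for ViewState MAC; MD5/SHA1 are flagged.
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def find_machine_key(config_xml: str):
    """Return the <machineKey> attributes as a dict, or None if the element is absent."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    return None if mk is None else dict(mk.attrib)


def audit_machine_key(config_xml: str) -> list:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(config_xml)
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is false; ViewState is unauthenticated")
    mk = find_machine_key(config_xml)
    if mk is None:
        return findings  # no static key configured; nothing to compare against
    for name in ("validationKey", "decryptionKey"):
        value = mk.get(name, "")
        if value.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{name} matches a known sample key; rotate it")
    if mk.get("validation", "").upper() not in STRONG_VALIDATION:
        findings.append(f"validation={mk.get('validation')!r} is weak; use HMACSHA256 or stronger")
    return findings


def generate_machine_key() -> dict:
    """Fresh random keys: 64-byte HMAC-SHA256 validation key, 32-byte AES decryption key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rewrite_machine_key(config_xml: str, attrs: dict) -> str:
    """Return config_xml with the <machineKey> element replaced by attrs (creating it if missing)."""
    root = ET.fromstring(config_xml)
    system_web = root.find("./system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(attrs)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    rotated = rewrite_machine_key(SAMPLE_WEB_CONFIG, generate_machine_key())
    print("after rotation:", audit_machine_key(rotated) or "clean")
```

Rotating the key on every instance of a multi-instance deployment must happen together, since the instances share it; and, as the article notes, rotation does not undo a compromise that has already happened, so the audit is a companion to hunting for ViewState deserialization activity, not a substitute.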

Mandiant researchers said the attacker established footholds, deployed malware and tools to maintain persistence, conducted reconnaissance, achieved lateral movement and stole sensitive data.

“It is quite common for documentation to contain placeholder keys, such as ‘PUT_YOUR_KEY_HERE,’ or other randomly generated examples,” Dewhurst said. “It is ultimately both a failure on the user’s and Sitecore’s side. The user should know not to copy and paste public machine keys, and Sitecore should adequately warn users not to.”

The number of organizations compromised or potentially exposed to attacks remains unknown. Sitecore did not immediately respond to a request for comment.

Caitlin Condon, VP of security research at VulnCheck, said the zero-day vulnerability is an insecure configuration at its core, exacerbated by the public exposure of the sample machine key. 

“It’s entirely possible that the software supplier hadn’t meant for a sample machine key to be used indefinitely for production deployments but, as we know, software is deployed and configured in unintended ways all the time,” she said. “If there’s one takeaway from this, it’s that adversaries definitely read product docs, and they’re good at finding quirks and forgotten tricks in those docs that can be used opportunistically against popular software.”

The post Sitecore zero-day vulnerability springs up from exposed machine key appeared first on CyberScoop.
