Lightning Round: Cyber Threats Galore – WhatsApp Worm, Oracle 0-Day, Ransomware Cartel, and More

Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done.

This week’s edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons. From major software bugs to AI abuse and new phishing tricks, each story shows how fast the threat landscape is shifting and why security needs to move just as quickly.

⚡ Threat of the Week

Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw — Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle’s E-Business Suite (EBS) software since August 9, 2025, according to Google Threat Intelligence Group (GTIG) and Mandiant. The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have chained together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data. The attack chains have been found to trigger two different payload sequences, dropping malware families like GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. Oracle has also released updates to EBS to address another vulnerability in the same product (CVE-2025-61884) that could lead to unauthorized access to sensitive data. The company did not say whether it was being exploited in the wild.

🔔 Top News

  • Storm-1175 Linked to Exploitation of GoAnywhere MFT Flaw — A cybercriminal group Microsoft tracks as Storm-1175 exploited a maximum-severity vulnerability in GoAnywhere MFT (CVE-2025-10035) to initiate multi-stage attacks, including Medusa ransomware. Storm-1175’s attacks are opportunistic, and have affected organizations in the transportation, education, retail, insurance, and manufacturing sectors. The activity blends legitimate tools with stealthy techniques to stay under the radar and monetize access through extortion and data theft, using the access to install remote monitoring tools such as SimpleHelp and MeshAgent, drop web shells, and move laterally across networks using built-in Windows utilities. Fortra has since disclosed that it began its investigation on September 11 following a “potential vulnerability” reported by a customer, uncovering “potentially suspicious activity” related to the flaw.
  • OpenAI Disrupted Three Clusters from China, North Korea, and Russia — OpenAI said it disrupted three activity clusters for misusing its ChatGPT artificial intelligence (AI) tool to facilitate malware development. This includes a Russian‑language threat actor who is said to have used the chatbot to help develop and refine a remote access trojan (RAT) and a credential stealer built to evade detection. The second cluster of activity originated from North Korea, which used ChatGPT for malware and command-and-control (C2) development, focusing on developing macOS Finder extensions, configuring Windows Server VPNs, or converting Chrome extensions to their Safari equivalents. The third set of banned accounts shared overlaps with a cluster tracked as UNK_DropPitch (aka UTA0388), a Chinese hacking group which employed the AI chatbot to generate content for phishing campaigns in English, Chinese, and Japanese; assist with tooling to accelerate routine tasks such as remote execution and traffic protection using HTTPS; and search for information related to installing open-source tools like nuclei and fscan.
  • Over 175 npm Packages Used for Phishing Campaign — In an unusual twist, threat actors have been observed to push throwaway npm packages that, once installed, are designed to create and publish npm packages of their own named with the pattern “redirect-xxxxxx” or “mad-xxxxxx,” which, in turn, auto-redirect victims to credential-harvesting sites when opened from crafted HTML business documents. “Unlike the more familiar tactic of simply uploading malicious packages to compromise developers during package installation, this campaign takes a different path,” Snyk said. “Instead of infecting users via npm install, the attackers leverage the browser delivery path through UNPKG, turning legitimate open source hosting infrastructure into a phishing mechanism.” It’s believed that the HTML files generated through the npm packages are distributed to victims, who are then redirected to the credential phishing sites when they attempt to open them. In the packages analyzed by Snyk, the pages masquerade as Cloudflare security checks before leading victims to an attacker-controlled URL fetched from a remote GitHub-hosted file.
  • LockBit, Qilin, and DragonForce Join Forces — Three of the most notorious ransomware-as-a-service operations, LockBit, Qilin, and DragonForce, have formed a criminal cartel aimed at coordinating attacks and sharing resources. The partnership was announced early last month, shortly following the emergence of LockBit 5.0. “Create equal competition conditions, no conflicts and no public insults,” DragonForce wrote in a post on a dark web forum. “This way, we can all increase our income and dictate market conditions. Call it whatever you like – coalition, cartel, etc. The main thing is to stay in touch, be friendly to each other, and be strong allies, not enemies.” The teaming up of the three groups comes amid mounting pressure from law enforcement disruptions, prompting them to attack sectors previously considered off-limits, such as nuclear power plants, thermal power plants, and hydroelectric power plants. It also follows a similar consolidation pattern among primarily English-speaking cybercrime collectives like Scattered Spider, ShinyHunters, and LAPSUS$, which began collaborating under the name Scattered LAPSUS$ Hunters. That said, the cartelization of ransomware also comes at a time of record fragmentation in the broader ecosystem, with the number of active data leak sites reaching an all-time high of 81 in the third quarter of 2025.
  • China-Nexus Hackers Weaponize Open-Source Nezha Tool in Attacks — Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets. The campaign is said to have likely compromised more than 100 victim machines since August 2025, with a majority of the infections reported in Taiwan, Japan, South Korea, and Hong Kong. The activity is yet another indication of how threat actors continue to twist legitimate tools for malicious purposes and blend in with normal network traffic. In one instance observed by Huntress, the attackers targeted an exposed phpMyAdmin panel to deploy a web shell by means of a log poisoning attack.

  • American Investment Group Acquires NSO Group — An American investment group has acquired controlling ownership of the controversial company, investing tens of millions of dollars in the process. The company’s spokesperson confirmed the acquisition to TechCrunch. The deal comes amid ongoing controversy surrounding NSO Group’s surveillance technology being used for malicious purposes by various governments around the world, and raises concerns about the potential impact on global security and privacy.
  • Enhancing Code Analysis with Advanced Tools — Utilizing this approach facilitates the reconstruction of logical code patterns such as loops, conditions, and control-flow regions, making it a valuable tool for reverse engineering, program analysis, and security research.

Note: These software tools are intended for educational and research purposes exclusively. They have not undergone thorough security testing and may carry risks if mishandled. Always review the code, test in secure environments, and adhere to ethical, legal, and organizational guidelines.

🔒 Safeguarding Your Data Backups

Prevent Data Breaches: Securing your backups is crucial, as they serve as your safety net. Unencrypted backups can expose sensitive information such as passwords, emails, and financial data to unauthorized access.

Simple Encryption Solution: Prioritize encrypting your backups before storing or transmitting them, whether on USB drives, cloud services, or servers. Encryption ensures that only authorized individuals can access your data.

🔐 Recommended Open-Source Backup Tools:

  • Restic: A fast and user-friendly tool that automatically encrypts data and supports various cloud services.
  • BorgBackup: Ideal for long-term storage, this tool compresses, deduplicates, and encrypts backups efficiently.
  • Duplicity: Utilizes GPG encryption and enables encrypted backups to local or remote storage locations.
  • rclone: Safely sync files to cloud storage with built-in encryption features for enhanced data security.

Pro Tip: Regularly test your backups to ensure successful decryption and restoration. A malfunctioning or inaccessible backup is as detrimental as not having one at all.
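As an added example that is not part of the original article: a small Python round-trip check in the spirit of the Pro Tip above. It archives a directory, keeps a SHA-256 manifest, restores into a scratch directory and reports anything missing or altered; encryption is left to whichever tool (restic, Borg, Duplicity) wraps the archive, and the sample files and deliberately wrong digests in `self_check` are constructed.

```python
# Added example, not from the article: backup round-trip check (archive, manifest,
# restore, compare). Run it against the decrypted restore your backup tool produces.
import hashlib, tarfile, tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(src_dir):
    """Relative path -> SHA-256 for every regular file under src_dir."""
    src = Path(src_dir)
    return {str(p.relative_to(src)): sha256_file(p) for p in sorted(src.rglob("*")) if p.is_file()}

def create_backup(src_dir, archive_path):
    """Write src_dir into a tar.gz; return the manifest to store beside it."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src_dir), arcname="data")
    return manifest

def verify_restore(archive_path, manifest):
    """Restore to a temp dir and compare with the manifest. Returns
    {path: "missing" | "corrupt"}; an empty dict means the restore is good."""
    problems = {}
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(tmp, filter="data")  # rejects path traversal (3.12+/backports)
            except TypeError:  # older Python without the filter argument
                tar.extractall(tmp)
        restored = Path(tmp) / "data"
        for rel, digest in manifest.items():
            p = restored / rel
            if not p.is_file():
                problems[rel] = "missing"
            elif sha256_file(p) != digest:
                problems[rel] = "corrupt"
    return problems

def self_check():
    """Constructed sample: clean round trip, then a manifest with a wrong digest and an extra entry."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "src"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "a.txt").write_text("alpha\n")
        (src / "secrets.env").write_text("DB_PASS=example\n")
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)
        bad = dict(manifest, **{"secrets.env": "0" * 64, "missing.txt": "1" * 64})
        return clean, verify_restore(archive, bad)
```

Store the manifest somewhere the backup job cannot overwrite, so a silently corrupted archive cannot also rewrite the record it is checked against.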

Key Takeaways

The recent stories highlight the dual aspects of cybersecurity: the ingenuity of threat actors and the resilience of defenders. Strengthening our defenses through awareness, cooperation, and proactive measures is essential. Let’s use each lesson to build a safer cybersecurity landscape in the future.
