Daily Digest

Salesforce Defies Extortionists After Customer Data Heist; Cl0p Exploits Critical Oracle Zero-Day

Salesforce Defies Extortionists After Customer Data Heist; Cl0p Exploits Critical Oracle Zero-Day

October 8, 2025
9 articles (6 new, 3 updated)
27 min read

Summary

This cybersecurity brief for October 8, 2025, covers several critical incidents. A threat actor alliance named 'Scattered LAPSUS$ Hunters' claims to have stolen data from over 40 Salesforce customers via social engineering, though Salesforce itself was not breached and refuses to pay the ransom. Concurrently, the Cl0p ransomware group is actively exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite. Other major events include a significant data breach at a Red Hat consulting GitLab instance exposing sensitive client data, a ransomware attack by the Qilin group on Japanese beverage giant Asahi, and CISA adding a Zimbra XSS flaw to its KEV catalog.

Filter by Category

New Articles (6)

Microsoft Warns of Attackers Abusing Teams for Session Hijacking

MEDIUM

Threat Actor Storm-2372 Abusing Microsoft Teams for Malware Delivery and Session Hijacking, Microsoft Warns

Microsoft has issued a warning about a threat actor group, tracked as Storm-2372, that is abusing legitimate Microsoft Teams features for cyberattacks. In a report on October 7, 2025, Microsoft detailed how the group uses social engineering within Teams chats and file sharing to deliver malware, trick users into fraudulent authentication flows, and ultimately steal access tokens to hijack user sessions. The attacks are effective because they originate from within the trusted Teams environment, making users more likely to fall for the lures.

October 8, 2025
4 min read
Session HijackingToken TheftOAuthSocial EngineeringCloud Security
Microsoft Warns of Attackers Abusing Teams for Session Hijacking
Phishing
Threat Actor
Cloud Security

Red Hat Consulting GitLab Breached; ShinyHunters Leaks Sensitive Client Data

CRITICAL

Red Hat Confirms Data Breach of Consulting GitLab Server; "Crimson Collective" and "ShinyHunters" Claim Theft of 570GB of Sensitive Client Data

Red Hat has confirmed a security breach affecting an internal GitLab server used by its consulting division. A group named 'Crimson Collective,' in collaboration with the notorious extortion group 'ShinyHunters,' claims to have stolen 570GB of data from over 28,000 repositories. The stolen data allegedly includes highly sensitive 'Customer Engagement Reports' containing network diagrams, configurations, and access details for over 800 organizations, including Bank of America, Verizon, and the U.S. National Security Agency. While Red Hat states the breach was contained and did not impact its product supply chain, the incident represents a massive supply chain risk for its clients.

October 8, 2025
5 min read
Supply Chain AttackGitLabSource Code LeakExtortionClient Data
Red Hat Consulting GitLab Breached; ShinyHunters Leaks Sensitive Client Data
Data Breach
Supply Chain Attack
Threat Actor

Methodist Homes Discloses Healthcare Data Breach Affecting Nearly 26,000

HIGH

Methodist Homes of Alabama & Northwest Florida Discloses Data Breach Exposing PHI of Nearly 26,000 Individuals

Methodist Homes of Alabama & Northwest Florida, a senior living and healthcare provider, announced on October 8, 2025, that it suffered a data breach affecting 25,579 individuals. The incident, which occurred over a 12-day period in October 2024, resulted in unauthorized access to sensitive personal and protected health information (PHI). The compromised data includes names, Social Security numbers, driver's license numbers, and detailed clinical information. The organization's disclosure comes nearly a year after the initial detection of the breach.

October 8, 2025
4 min read
PHIHIPAAHealthcareIncident ResponseDelayed Disclosure
Methodist Homes Discloses Healthcare Data Breach Affecting Nearly 26,000
Data Breach
Regulatory

Critical RCE Flaw (CVE-2025-53967) Patched in Figma AI Tool

HIGH

High-Severity Command Injection Vulnerability (CVE-2025-53967) in figma-developer-mcp Allows Remote Code Execution

A high-severity command injection vulnerability, CVE-2025-53967, has been discovered and patched in the 'figma-developer-mcp' Model Context Protocol server, a tool used with the Figma design platform. The flaw, rated with a CVSS score of 7.5, could allow an unauthenticated attacker to achieve remote code execution (RCE) on a server running the tool. The vulnerability, discovered by Imperva, stemmed from the unsanitized use of user input in command-line strings. Users are urged to update to the patched version to mitigate the risk of server compromise.

October 8, 2025
4 min read
Command InjectionRCEDevSecOpsOpen Source SecurityAI
Critical RCE Flaw (CVE-2025-53967) Patched in Figma AI Tool
Vulnerability
Patch Management

Google Rolls Out October 2025 Security Update for Pixel Devices

MEDIUM

Google Publishes October 2025 Pixel Update Bulletin, Patching Numerous Security Vulnerabilities

Google has released its scheduled October 2025 security update for all supported Pixel devices. The update, detailed in the Pixel Update Bulletin on October 8, 2025, addresses numerous security vulnerabilities. It incorporates all patches from the broader October 2025 Android Security Bulletin, along with additional fixes for flaws specific to Pixel hardware components. Google urges all Pixel users to accept the over-the-air (OTA) update to protect their devices from potential exploitation.

October 8, 2025
3 min read
Patch TuesdayAndroidMobile SecurityFirmwareVulnerability
Google Rolls Out October 2025 Security Update for Pixel Devices
Patch Management
Mobile Security

Atos Partners with Qevlar AI to Deploy "Virtual SOC Analyst"

INFORMATIONAL

Atos Announces Strategic Partnership with Qevlar AI to Integrate Agentic AI into Global SOC Network

On October 7, 2025, the global digital transformation and cybersecurity firm Atos announced a strategic partnership with Qevlar AI. The collaboration will integrate Qevlar's 'Virtual SOC Analyst,' an agentic AI technology, into Atos's global network of 17 Security Operations Centers (SOCs). The goal is to automate routine and intermediate security alert investigations, allowing Atos's human analysts to focus on more complex tasks like proactive threat hunting. The partnership aims to enhance operational efficiency for Atos's 2,000+ managed security customers.

October 8, 2025
3 min read
AIAutomationSOCMSSPThreat Detection +1 more
Atos Partners with Qevlar AI to Deploy "Virtual SOC Analyst"
Security Operations
Policy and Compliance

Updated Articles (3)

New 'Scattered Lapsus$ Hunters' Gang Extorts 39 Salesforce Customers on Leak Site

HIGH

Scattered Lapsus$ Hunters Collective Launches Leak Site, Extorting Salesforce and 39 High-Profile Customers

Update:

Salesforce has officially refused the ransom demand from 'Scattered LAPSUS$ Hunters'. New technical details reveal the attackers employed two primary methods: tricking employees via vishing into authorizing a malicious Salesforce Data Loader application, and abusing compromised OAuth tokens from the third-party Salesloft Drift integration. Salesforce has disabled the problematic Drift integration, and Salesloft has advised customers to refresh access tokens. The group continues to list over 40 high-profile victims, including Adidas and Disney/Hulu, with an October 10 deadline for data release.

October 7, 2025
Updated: October 8, 2025
5 min read
ExtortionData LeakSalesforceScattered SpiderLapsus$ +2 more
New 'Scattered Lapsus$ Hunters' Gang Extorts 39 Salesforce Customers on Leak Site
Threat Actor
Data Breach
Ransomware

CISA Adds Actively Exploited Zimbra XSS Zero-Day (CVE-2025-27915) to KEV Catalog

HIGH

Actively Exploited Zero-Day XSS Vulnerability in Zimbra Collaboration Suite (CVE-2025-27915) Added to CISA KEV

Update:

Further details on CVE-2025-27915 indicate an additional exploitation vector. While previously reported as a stored XSS via malicious iCalendar requiring only viewing, new information suggests attackers can also exploit the flaw by tricking users into clicking a specially crafted link. This interaction allows malicious scripts to execute in the user's authenticated Zimbra session, leading to session hijacking and data theft. Federal agencies are still mandated to remediate the flaw, and all organizations are urged to prioritize patching.

October 7, 2025
Updated: October 8, 2025
4 min read
Zero-DayXSSZimbraCISAKEV +1 more
CISA Adds Actively Exploited Zimbra XSS Zero-Day (CVE-2025-27915) to KEV Catalog
Vulnerability
Phishing

Clop Exploits Critical Oracle Zero-Day; CISA Issues Emergency Patch Directive

CRITICAL

Clop Ransomware Group Actively Exploiting Critical Oracle E-Business Suite Zero-Day (CVE-2025-61882)

Update:

New information confirms that Oracle E-Business Suite versions 12.2.3 through 12.2.14 are specifically affected by CVE-2025-61882. The public availability of exploit code on platforms like Telegram increases the likelihood that other threat actors, such as Scattered Spider and ShinyHunters, will adopt this TTP. Additionally, the update highlights the potential for ransomware deployment as a direct consequence of successful exploitation, leading to widespread operational disruption. New detection observables include monitoring for `cmd.exe`, `powershell.exe`, or `sh` processes spawned by Oracle services, providing more specific guidance for security teams.

October 7, 2025
Updated: October 8, 2025
5 min read
Zero-DayRCEOracleClopRansomware +2 more
Clop Exploits Critical Oracle Zero-Day; CISA Issues Emergency Patch Directive
Vulnerability
Threat Actor
Ransomware

📢 Share This Publication

Help others stay informed about cybersecurity threats