Daily Digest

Cl0p Exploits Oracle Zero-Day; Threat Actors Weaponize Legitimate Security Tools in Widespread Attacks

Cl0p Exploits Oracle Zero-Day; Threat Actors Weaponize Legitimate Security Tools in Widespread Attacks

October 9, 2025
8 articles (5 new, 3 updated)
24 min read

Summary

This cybersecurity brief for October 9, 2025, covers a surge in critical threats, led by the Cl0p ransomware gang's exploitation of a zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite. A significant trend this period is the abuse of legitimate tools, with threat actors weaponizing the Velociraptor DFIR tool and exploiting a critical flaw (CVE-2025-10035) in Fortra's GoAnywhere MFT. Other major events include the Qilin ransomware attack on Japanese beverage giant Asahi, a sophisticated phishing campaign targeting marketing professionals, and new guidance from the G7 and UK's NCSC on managing AI risks and a sharp rise in national-level cyberattacks.

Filter by Category

New Articles (5)

Living Off the Land: Hackers Abuse Velociraptor DFIR Tool to Deploy Ransomware

HIGH

China-Linked Group Storm-2603 Abuses Velociraptor DFIR Tool to Deploy LockBit, Babuk Ransomware

A suspected China-based threat group, Storm-2603, is weaponizing the legitimate open-source digital forensics and incident response (DFIR) tool, Velociraptor. According to Cisco Talos, the attackers are using an outdated and vulnerable version of the tool (exploiting CVE-2025-6264) to gain persistence, escalate privileges, and deploy multiple ransomware families, including Warlock, LockBit, and Babuk. The campaign highlights the growing trend of attackers abusing trusted security tools to evade detection while compromising VMware ESXi and Windows environments.

October 9, 2025
5 min read
Living off the LandDFIRVelociraptorStorm-2603LockBit +2 more
Living Off the Land: Hackers Abuse Velociraptor DFIR Tool to Deploy Ransomware
Threat Actor
Ransomware
Malware

Perfect 10.0 CVSS Flaw in GoAnywhere MFT Exploited by Medusa Ransomware Group

CRITICAL

Microsoft Attributes GoAnywhere MFT Zero-Day Exploitation (CVE-2025-10035) to Medusa Ransomware Operator Storm-1175

Microsoft has linked the cybercrime group Storm-1175, known for deploying Medusa ransomware, to the active exploitation of a critical vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) solution. The flaw, CVE-2025-10035, is an unauthenticated remote code execution vulnerability with a perfect 10.0 CVSS score. Storm-1175 has been exploiting this zero-day since at least September 11, 2025, to compromise organizations in finance, healthcare, and technology, deploying backdoors and RMM tools before exfiltrating data and deploying ransomware.

October 9, 2025
5 min read
DeserializationRCEMFTGoAnywhereStorm-1175 +1 more
Perfect 10.0 CVSS Flaw in GoAnywhere MFT Exploited by Medusa Ransomware Group
Vulnerability
Ransomware
Threat Actor

Phishing Campaign Lures Marketing Professionals with Fake Jobs at Tesla, Google

MEDIUM

Cofense Uncovers Phishing Campaign Targeting Marketers with Fake Job Offers from Major Brands

Security firm Cofense has detailed a sophisticated phishing campaign that targets marketing and social media professionals with fake job opportunities from high-profile brands like Tesla, Google, Ferrari, and Red Bull. The campaign uses realistic emails and multi-step credential harvesting portals to trick victims. Unlike typical phishing attacks, the primary goal is to collect detailed resumes and other personally identifiable information (PII). This data can then be used by threat actors to craft more convincing social engineering attacks, bypass security questions, or commit identity theft.

October 9, 2025
4 min read
PhishingSocial EngineeringCredential HarvestingPIICofense
Phishing Campaign Lures Marketing Professionals with Fake Jobs at Tesla, Google
Phishing
Data Breach

Financial Firms Tie CEO Pay to Cyber Performance Amid Budget Hikes, Moody's Finds

INFORMATIONAL

Moody's Report: Financial and Insurance Firms Increase Cyber Budgets and Board-Level Governance

A new report from Moody's indicates a significant shift in how financial and insurance firms are managing cyber risk. Companies are increasing cybersecurity spending, with nearly half dedicating 8% or more of their IT budget to cyber. Governance is also strengthening, as 40% of firms now link CEO compensation directly to cybersecurity performance, up from 24% in 2023. Furthermore, CISO briefings to the board are becoming more frequent, and firms are maturing their operational readiness with annual incident response tests and daily data backups.

October 9, 2025
3 min read
Cybersecurity BudgetGovernanceBoard of DirectorsFinancial ServicesInsurance +1 more
Financial Firms Tie CEO Pay to Cyber Performance Amid Budget Hikes, Moody's Finds
Policy and Compliance
Security Operations

Expert Advice on Securing Critical Infrastructure with Limited Budgets

INFORMATIONAL

Security Leaders Advised on Protecting Critical Infrastructure Amid Budget Constraints

In a recent podcast, cybersecurity expert Chetrice Romero from Ice Miller provided guidance for leaders responsible for protecting critical infrastructure, particularly those facing limited budgets. The discussion covered common cyber and physical threats to utilities, the need for scalable and resilient strategies, and practical advice for maximizing security investments. Key recommendations included embracing cloud-native platforms for efficiency and designing future-proof command centers, offering actionable insights for securing essential systems in a challenging economic environment.

October 9, 2025
3 min read
Critical InfrastructureBudgetCybersecurity StrategyResilienceICS Security +1 more
Expert Advice on Securing Critical Infrastructure with Limited Budgets
Security Operations
Industrial Control Systems
Policy and Compliance

Updated Articles (3)

UK's NCSC Warns of 'Alarming' Rise in Cyberattacks, Doubling in Past Year

INFORMATIONAL

UK's National Cyber Security Centre Reports "Nationally Significant" Cyberattacks More Than Doubled

Update:

The NCSC's 2025 Annual Review, released on October 9, confirms a 129% surge in 'nationally significant' cyber incidents, rising to 204. In response to the escalating threat, the NCSC has launched a new 'Cyber Action Toolkit' specifically designed for small businesses and sole traders to bolster their defenses. NCSC Chief Executive Dr. Richard Horne emphasized that cybersecurity is now a fundamental component of business survival and national resilience. The report also details increased scrutiny, higher cyber insurance premiums, and heightened supply chain risk as key impacts for UK organizations.

October 6, 2025
Updated: October 9, 2025
4 min read
NCSCUKThreat ReportState-Sponsored HackingRansomware +1 more
UK's NCSC Warns of 'Alarming' Rise in Cyberattacks, Doubling in Past Year
Policy and Compliance
Regulatory
Threat Intelligence

Clop Exploits Critical Oracle Zero-Day; CISA Issues Emergency Patch Directive

CRITICAL

Clop Ransomware Group Actively Exploiting Critical Oracle E-Business Suite Zero-Day (CVE-2025-61882)

Update:

Further analysis of the CVE-2025-61882 Oracle EBS zero-day reveals it is reportedly an SSRF issue escalating to RCE, affecting versions 12.2.3 through 12.2.14. The Clop group is also combining this zero-day with other previously patched vulnerabilities to maximize access. Oracle released an emergency patch on October 4, 2025, with the October 2023 Critical Patch Update as a prerequisite. New MITRE ATT&CK techniques identified include T1595.002 (Vulnerability Scanning), T1212 (Exploitation for Credential Access), T1041 (Exfiltration Over C2 Channel), and T1486 (Data Encrypted for Impact). A new observable */xmlpserver/* has also been identified for the BI Publisher component.

October 7, 2025
Updated: October 9, 2025
5 min read
Zero-DayRCEOracleClopRansomware +2 more
Clop Exploits Critical Oracle Zero-Day; CISA Issues Emergency Patch Directive
Vulnerability
Threat Actor
Ransomware

Qilin Ransomware Claims Disruptive Attack on Japanese Beverage Giant Asahi

HIGH

Qilin Ransomware Gang Takes Responsibility for Cyberattack on Asahi Group, Claims Theft of 27GB of Data

Update:

The Qilin ransomware group has escalated pressure on Asahi by posting samples of the stolen 27GB of data on their leak site, confirming the double extortion tactic. New technical details include specific cyber observables such as `powershell.exe -enc <base64_blob>` commands, `bitsadmin.exe` and `curl.exe` usage, and the `*.qilin` file extension. Enhanced detection strategies involve monitoring for data staging, analyzing PowerShell logs, and strict network egress monitoring. Mitigation advice now emphasizes offline backups, hardening public-facing services, and user training against phishing.

October 8, 2025
Updated: October 9, 2025
4 min read
Double ExtortionRaaSManufacturingSupply ChainJapan
Qilin Ransomware Claims Disruptive Attack on Japanese Beverage Giant Asahi
Ransomware
Cyberattack
Industrial Control Systems

📢 Share This Publication

Help others stay informed about cybersecurity threats