Daily Digest

Massive Supply Chain Attack Hits Salesforce Ecosystem; Critical Flaws in Oracle, Azure, and Grafana Emerge

Massive Supply Chain Attack Hits Salesforce Ecosystem; Critical Flaws in Oracle, Azure, and Grafana Emerge

November 22, 2025
6 articles (6 new)
18 min read

Summary

This cybersecurity brief for November 22, 2025, covers a series of high-impact events. A major supply chain attack attributed to 'Scattered Lapsus$ Hunters' compromised over 200 companies by abusing OAuth tokens in a Salesforce-integrated app. Concurrently, CISA issued warnings for a critical, actively exploited RCE in Oracle Identity Manager. Critical 10.0 CVSS vulnerabilities were also disclosed in Microsoft Azure Bastion and Grafana Enterprise. Other significant threats include a new Android trojan stealing encrypted messages, a sophisticated Chinese APT campaign targeting Russia, and a botnet using the Ethereum blockchain for C2.

Filter by Category

New Articles (6)

CISA KEV Alert: Actively Exploited Oracle RCE Flaw Allows Full System Takeover

CRITICAL

CISA Adds Critical Oracle Identity Manager RCE Vulnerability (CVE-2025-61757) to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in Oracle Identity Manager, CVE-2025-61757, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, with a CVSS score of 9.8, allows an unauthenticated attacker to achieve RCE by chaining an authentication bypass with a code injection flaw in a Groovy script endpoint. Evidence of in-the-wild exploitation, including scans detected weeks before a patch was available, has prompted CISA to issue a patching deadline of December 12, 2025, for federal agencies.

November 22, 2025
5 min read
CVE-2025-61757OracleRCEZero-DayCISA +3 more
CISA KEV Alert: Actively Exploited Oracle RCE Flaw Allows Full System Takeover
Vulnerability
Patch Management
Threat Intelligence

Chinese APT24 Group Uses 'BadAudio' Malware in Years-Long Espionage Campaign Targeting Taiwan

HIGH

APT24 (Pitty Tiger) Deploys Custom 'BadAudio' Malware in Sophisticated Cyberespionage Campaign

The Chinese-nexus threat group APT24, also known as Pitty Tiger, is behind a nearly three-year cyberespionage campaign utilizing a new custom malware called 'BadAudio'. According to Google's Threat Intelligence Group, the campaign, active since November 2022, has targeted organizations primarily in Taiwan. The group has evolved its tactics from broad web compromises to sophisticated supply chain attacks and spear-phishing. BadAudio is a C++ downloader that uses DLL search-order hijacking and control flow flattening to evade detection before deploying second-stage payloads like Cobalt Strike.

November 22, 2025
6 min read
APT24Pitty TigerBadAudioCyber EspionageMalware +3 more
Chinese APT24 Group Uses 'BadAudio' Malware in Years-Long Espionage Campaign Targeting Taiwan
Threat Actor
Malware
Supply Chain Attack

Major Wall Street Banks Exposed After Breach at Mortgage Vendor SitusAMC

HIGH

Mortgage Tech Vendor SitusAMC Discloses Data Breach, Impacting Clients Like JPMorgan Chase and Citi

SitusAMC, a critical technology and services provider for the real estate finance industry, has disclosed a significant data breach discovered on November 12, 2025. The cyberattack compromised corporate information and, more critically, data belonging to its clients' customers, which could include sensitive personal information from mortgage applications. Major financial institutions, including JPMorgan Chase, Citigroup, and Morgan Stanley, have reportedly been notified of their potential exposure. The FBI is investigating the incident, which highlights the systemic risk posed by third-party vendors in the financial sector.

November 22, 2025
5 min read
SitusAMCData BreachSupply Chain AttackJPMorgan ChaseCitigroup +3 more
Major Wall Street Banks Exposed After Breach at Mortgage Vendor SitusAMC
Data Breach
Supply Chain Attack
Incident Response

Grafana Enterprise Hit by Critical 10.0 CVSS Flaw Allowing Admin Impersonation

CRITICAL

Grafana Patches Critical CVSS 10.0 Vulnerability (CVE-2025-41115) Enabling Admin Impersonation

Grafana Labs has patched a critical vulnerability, CVE-2025-41115, in Grafana Enterprise that carries the maximum CVSS score of 10.0. The flaw resides in the SCIM provisioning feature and allows a malicious SCIM client to escalate privileges and impersonate any user, including the default administrator, by manipulating the 'externalId' attribute. The vulnerability affects Grafana Enterprise versions 12.0.0 through 12.2.1 and requires specific feature flags to be enabled. Grafana has released patches and confirmed its own cloud instances were not exploited.

November 22, 2025
5 min read
CVE-2025-41115GrafanaVulnerabilityPrivilege EscalationCVSS 10 +2 more
Grafana Enterprise Hit by Critical 10.0 CVSS Flaw Allowing Admin Impersonation
Vulnerability
Patch Management
Cloud Security

CrowdStrike Fires Insider for Leaking Screenshots to 'Scattered Lapsus$ Hunters' Hacking Group

MEDIUM

CrowdStrike Confirms Termination of Employee for Leaking Internal Information to Cybercrime Group

Cybersecurity giant CrowdStrike has confirmed it fired an employee last month for acting as a malicious insider. The employee leaked screenshots of internal systems, including an Okta dashboard, to the 'Scattered Lapsus$ Hunters' hacking group, who then posted them on Telegram. CrowdStrike stated that it detected and terminated the insider, that its corporate systems were not breached, and that no customer data was compromised. The hackers claimed to have offered the employee $25,000 for access, highlighting the persistent threat of malicious insiders even at top security firms.

November 22, 2025
5 min read
Insider ThreatCrowdStrikeScattered Lapsus$ HuntersOktaData Leak +1 more
CrowdStrike Fires Insider for Leaking Screenshots to 'Scattered Lapsus$ Hunters' Hacking Group
Incident Response
Threat Actor
Security Operations

Critical 10.0 CVSS Flaw in Azure Bastion Allows Full Cloud Takeover

CRITICAL

Microsoft Patches Critical Authentication Bypass Vulnerability (CVE-2025-49752) in Azure Bastion

Microsoft has patched a critical authentication bypass vulnerability, CVE-2025-49752, in its Azure Bastion service. The flaw, which scores a perfect 10.0 on the CVSS scale, could allow a remote, unauthenticated attacker to gain administrative control over all virtual machines connected via a vulnerable Bastion host. The vulnerability is a capture-replay flaw, where an attacker can intercept and reuse authentication tokens. All Azure Bastion deployments created before the patch on November 20, 2025, are considered vulnerable, and customers are urged to ensure their instances are updated.

November 22, 2025
5 min read
CVE-2025-49752AzureMicrosoftAzure BastionVulnerability +3 more
Critical 10.0 CVSS Flaw in Azure Bastion Allows Full Cloud Takeover
Vulnerability
Cloud Security
Patch Management

📢 Share This Publication

Help others stay informed about cybersecurity threats