• A novel zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) is being actively exploited in a large-scale data exfiltration campaign, with CrowdStrike Intelligence attributing primary involvement to the GRACEFUL SPIDER threat group and warning that public proof-of-concept details will spur further attacks. On August 9, 2025, the first suspected exploitation of an unauthenticated remote code execution […]

    The post CrowdStrike Alerts on Oracle E-Business Suite 0-Day Under Mass Exploitation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A sophisticated cyberattack has compromised Red Hat Consulting’s infrastructure, potentially exposing sensitive data from over 5,000 enterprise customers worldwide.

    The breach, executed by the extortion group Crimson Collective, has raised serious concerns about the security of critical business documentation and source code belonging to major corporations, including Vodafone, HSBC, American Express, and Walmart.

    Red Hat, the enterprise Linux and cloud computing giant, confirmed the security incident after Crimson Collective publicly disclosed the breach on their Telegram channel. 

    The threat actors claim to have exfiltrated an extensive trove of data containing 32 million files across 370,852 directories, including highly sensitive Consultancy Engagement Reports (CERs), proprietary source code, and private certificates.

    Red Hat Breach

    LAPSUS$ Connection Emerges

    Security researcher Kevin Beaumont has identified striking similarities between this attack and previous LAPSUS$ operations, particularly through technical artifacts and behavioral patterns.

    The breach exhibits characteristic LAPSUS$ signatures, including specific file naming conventions, HTML comment structures containing casual references, and the targeting of organizations previously victimized by the group.

    Red Hat Listed on LAPSUS$ Hunters Portal

    Most notably, investigators discovered that “Miku,” allegedly the Telegram handle used by Crimson Collective, corresponds to Thalha Jubair, a UK teenager associated with LAPSUS$ who was recently charged by the National Crime Agency for the Transport for London cyberattack. 

    The timeline indicates the Red Hat compromise occurred on September 13, 2025, prior to Jubair’s arrest, raising questions about operational security within custody arrangements.

    Technical analysis of the stolen data reveals concerns about the exposure of critical infrastructure components. 

    Kevin Beaumont stated that the breach includes .pfx certificate files from major financial institutions and airlines, which contain private keys that should never be publicly accessible. 

    These certificates, once compromised, can enable man-in-the-middle attacks, domain spoofing, and unauthorized system access across affected organizations.

    The scope of compromised organizations spans multiple critical sectors, including financial services, healthcare, telecommunications, and transportation.

    Sample data released by the attackers includes documentation from Atos Group (managing NHS Scotland systems), Bank of China, Delta Airlines, and ING Bank, highlighting the breach’s potential impact on essential services and sensitive customer data.

    Delta Airlines and ING Bank Data Released

    Red Hat Consulting’s role as a trusted systems integrator for complex enterprise environments amplifies the security implications. 

    The stolen documentation likely contains network architectures, authentication credentials, API keys, and implementation details that could facilitate secondary attacks against client organizations.

    Security experts recommend immediate remediation measures, including certificate rotation, credential updates, and comprehensive security assessments. 

    Organizations should operate under the assumption that all documented information will eventually become public, as stolen data typically circulates within cybercriminal networks before widespread disclosure.

    The incident underscores the growing sophistication of supply chain attacks targeting managed service providers and consulting firms that maintain privileged access to multiple enterprise environments simultaneously.


    The post Red Hat Breach Exposes 5000+ High Profile Enterprise Customers at Risk appeared first on Cyber Security News.


  • A critical deserialization flaw in GoAnywhere MFT’s License Servlet, tracked as CVE-2025-10035, has already been weaponized by the Storm-1175 group to execute the Medusa ransomware.

    The vulnerability affects GoAnywhere MFT versions up to 7.8.3. It resides in the License Servlet Admin Console, where a threat actor can forge a license response signature and bypass validation checks.

    By deserializing an attacker-controlled object, the actor gains the ability to inject arbitrary commands into the Java process, ultimately leading to full remote code execution on internet-exposed instances.

    Deserialization Flaw (CVE-2025-10035)

    The flaw does not require authentication once a validly signed payload is crafted or intercepted, making exploitation trivially achievable against unpatched systems. 

    Successful attacks allow system and user enumeration, long-term persistence, and deployment of additional tools to facilitate lateral movement and data exfiltration. 

    Immediate patching is paramount; administrators must upgrade to the versions specified in Fortra’s advisory to remediate the issue and audit any potentially compromised environments.

    Microsoft Threat Intelligence has attributed active exploitation to Storm-1175, a ransomware group notorious for targeting public-facing applications. 

    Initial access is gained through the newly disclosed deserialization bug in GoAnywhere MFT. 

    After seizing control, Storm-1175 drops RMM binaries, specifically MeshAgent and SimpleHelp, into the GoAnywhere service directory. Concurrently, malicious JSP web shells are created to facilitate stealthy remote access.

    Post-exploitation, the actors run PowerShell commands to enumerate local users, groups, domain trust relationships, and network interfaces. 

    Command and control channels are established via the RMM tools, often tunneled through Cloudflare to evade detection. 

    Exfiltration is executed using rclone, with stolen data transferred to attacker-controlled cloud storage. The final stage involves encrypting victim assets with Medusa ransomware, flagged by Microsoft Defender as Ransom:Win32/Medusa.

    Risk Factors: Details
    Affected Products: GoAnywhere MFT License Servlet Admin Console, versions less than 7.8.3
    Impact: Command injection leading to RCE
    Exploit Prerequisites: Validly forged or intercepted license response signature
    CVSS 3.1 Score: 10.0 (Critical)

    Mitigations

    Upgrade immediately to the patched GoAnywhere MFT release as per Fortra instructions.

    Configure perimeter firewalls and proxies to block outbound connections from GoAnywhere servers unless explicitly approved.

    Enable EDR in Block Mode to allow Microsoft Defender for Endpoint to block malicious artifacts even under passive AV conditions.

    Deploy Attack Surface Reduction Rules to prevent common ransomware TTPs, such as blocking executable files that do not meet age or prevalence criteria and disabling web shell creation.

    Monitor with External Attack Surface Management tools to identify unmanaged or unpatched GoAnywhere instances.

    Leverage Automated Investigations and remediation features in Microsoft Defender to reduce dwell time and alert fatigue.

    By adopting a defense-in-depth posture combining rapid patching, network segmentation, and advanced endpoint protection, organizations can thwart exploitation attempts and prevent Storm-1175's Medusa ransomware from taking hold.


    The post GoAnywhere 0-Day RCE Vulnerability Exploited in the Wild to Deploy Medusa Ransomware appeared first on Cyber Security News.


  • In recent years, adversaries have abandoned traditional malware in favor of “living-off-the-land” operations against cloud and SaaS environments. Rather than deploying custom ransomware binaries, many threat actors now exploit misconfigured database services—leveraging only built-in commands to steal, destroy, or encrypt data. Victims often discover their data missing or inaccessible, replaced only by ransom notes stored […]

    The post Hackers Exploit Legitimate Commands to Breach Databases appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Elastic has released a security advisory detailing a medium-severity vulnerability in the Kibana CrowdStrike Connector that could allow for the exposure of sensitive credentials.

    The flaw, tracked as CVE-2025-37728, affects multiple versions of Kibana and could allow a malicious user to access cached CrowdStrike credentials from other users within the same environment.

    The vulnerability underscores the security risks associated with interconnected platforms and the importance of timely updates.

    Vulnerability Details and Impact

    The security flaw, identified as “Insufficiently Protected Credentials in the Crowdstrike connector,” has a CVSSv3.1 score of 5.4, rating it as a medium-severity issue.

    According to Elastic’s security advisory, a malicious user with access to one space in a Kibana instance can create and run a new CrowdStrike connector.

    This action allows them to access cached credentials from an existing CrowdStrike connector operating in a different space.

    The vulnerability essentially permits unauthorized cross-workspace access to sensitive API credentials used for communication between Kibana and the CrowdStrike Management Console.

    Successful exploitation could lead to the leakage of credentials, potentially allowing an attacker to interact with the CrowdStrike platform with the privileges of the compromised account.

    The vulnerability impacts a wide range of Kibana versions across multiple release lines. This includes all versions of 7.x up to 7.17.29, versions 8.14.0 through 8.18.7, versions 8.19.0 through 8.19.4, versions 9.0.0 through 9.0.7, and versions 9.1.0 through 9.1.4.

    Any Kibana instance that utilizes the CrowdStrike connector within these version ranges is considered vulnerable. Elastic has addressed the issue in versions 8.18.8, 8.19.5, 9.0.8, and 9.1.5. The company strongly advises users to upgrade to one of these patched releases to resolve the security gap.

    Notably, Elastic has stated that there are no workarounds available for users who cannot immediately upgrade, making patching the only viable solution.

    The Kibana CrowdStrike connector is designed to facilitate the seamless integration of data between the CrowdStrike Falcon platform and Elastic, enabling automated incident correlation and telemetry onboarding.

    The credentials leaked by this vulnerability are used to authenticate with the CrowdStrike REST API, making their protection critical for maintaining security posture across both platforms.

    The advisory (ESA-2025-19) was part of a larger security update from Elastic that addressed several other vulnerabilities in Kibana and Elasticsearch.

    Given that no alternative mitigation exists, administrators of affected Kibana deployments are urged to prioritize the update to prevent potential credential theft and subsequent misuse.

    Elastic emphasizes the importance of timely updates and configuration reviews to reduce exposure to such threats.
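    Because Elastic lists no workaround, the only useful check is a version inventory. The following triage script is an added example, not Elastic's code: it encodes the affected and fixed release ranges quoted above (the 7.x line has no fixed release listed, so it is reported separately) and flags only instances that actually have the CrowdStrike connector configured, which is the advisory's condition. The inventory at the bottom is constructed sample data.

```python
# Inventory triage for CVE-2025-37728 (Kibana CrowdStrike connector credential leak).
# Added example, not Elastic's code. The version ranges are the ones quoted above;
# the inventory at the bottom is constructed sample data.
Version = tuple[int, int, int]

def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' into a comparable tuple; a '-suffix' such as '-SNAPSHOT' is ignored."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

# (first affected, last affected, fixed release) per release line, per ESA-2025-19.
# The advisory summary lists no fixed 7.x release, hence None for that line.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 17, 29), None),
    ((8, 14, 0), (8, 18, 7), (8, 18, 8)),
    ((8, 19, 0), (8, 19, 4), (8, 19, 5)),
    ((9, 0, 0), (9, 0, 7), (9, 0, 8)),
    ((9, 1, 0), (9, 1, 4), (9, 1, 5)),
]

def assess(version: str, uses_crowdstrike_connector: bool) -> dict:
    """affected_version: inside a listed range. vulnerable: affected AND the CrowdStrike
    connector is configured (the advisory's condition). There is no workaround."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return {"affected_version": True, "vulnerable": uses_crowdstrike_connector,
                    "fixed_release": ".".join(map(str, fixed)) if fixed else None}
    return {"affected_version": False, "vulnerable": False, "fixed_release": None}

def triage(inventory: list[tuple[str, str, bool]]) -> list[str]:
    """One 'host: upgrade to X' line per instance that must be patched."""
    actions = []
    for host, version, has_connector in inventory:
        r = assess(version, has_connector)
        if r["vulnerable"]:
            target = r["fixed_release"] or "a patched 8.x/9.x release (no 7.x fix listed)"
            actions.append(f"{host}: Kibana {version} -> upgrade to {target}")
    return actions

# Constructed sample inventory: (host, Kibana version, CrowdStrike connector in use).
SAMPLE_INVENTORY = [
    ("kibana-prod-1", "8.18.7", True),   # vulnerable, fixed in 8.18.8
    ("kibana-prod-2", "8.18.8", True),   # already patched
    ("kibana-lab", "9.1.4", False),      # affected build, connector not configured
    ("kibana-legacy", "7.17.29", True),  # 7.x line, no fix listed
    ("kibana-old", "8.13.4", True),      # below the 8.14.0 start of the 8.x range
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_INVENTORY)))
```

Instances on an affected build without the connector are not reported, but they should still be scheduled for the same upgrade before anyone adds a CrowdStrike connector to them.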


    The post Kibana Crowdstrike Connector Vulnerability Exposes Protected Credentials appeared first on Cyber Security News.


  • Security researchers have uncovered a critical flaw in OpenSSH’s ProxyCommand feature that can be leveraged to achieve remote code execution on client systems. Tracked as CVE-2025-61984, the vulnerability arises from inadequate filtering of control characters in usernames when expanding the ProxyCommand string. A proof-of-concept exploit demonstrating the flaw in Bash and other shells has now […]

    The post OpenSSH ProxyCommand Flaw Allows Remote Code Execution – PoC Released appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances. The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0. “An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free,


  • Microsoft on Monday attributed a threat actor it tracks as Storm-1175 to the exploitation of a critical security flaw in Fortra GoAnywhere software to facilitate the deployment of Medusa ransomware. The vulnerability is CVE-2025-10035 (CVSS score: 10.0), a critical deserialization bug that could result in command injection without authentication. It was addressed in version 7.8.4, or the Sustain


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a critical privilege escalation vulnerability in Microsoft Windows. Known as CVE-2021-43226, this flaw resides in the Common Log File System (CLFS) driver. Attackers who gain local access can bypass security controls and elevate their privileges, potentially leading to full system compromise. Background […]

    The post CISA Issues Alert on Active Exploitation of Microsoft Windows Privilege Escalation Flaw appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • CISA has issued an urgent security advisory, adding Microsoft Windows privilege escalation vulnerability CVE-2021-43226 to its Known Exploited Vulnerabilities (KEV) catalog on October 6, 2025. 

    The vulnerability affects the Microsoft Windows Common Log File System (CLFS) Driver and poses significant security risks to enterprise environments.

    The CVE-2021-43226 vulnerability resides within Microsoft’s Common Log File System Driver, a core Windows component responsible for managing transaction logging operations. 

    Microsoft Windows Privilege Escalation Flaw (CVE-2021-43226)

    This privilege escalation flaw allows local, authenticated attackers with existing system access to bypass critical security mechanisms and elevate their privileges to SYSTEM level access.

    According to Microsoft’s Security Response Center, the vulnerability stems from improper validation of user-supplied data within the CLFS driver’s memory management routines. 

    Attackers can exploit this weakness by crafting malicious CLFS log files that trigger buffer overflow conditions, leading to arbitrary code execution with elevated privileges. 

    The exploit requires local access and standard user privileges as prerequisites, making it particularly dangerous in enterprise environments where attackers have already gained an initial foothold through phishing or social engineering attacks.

    The vulnerability affects multiple Windows versions, including Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. 

    Security researchers have identified proof-of-concept exploit code circulating in underground forums, increasing the likelihood of active exploitation campaigns.

    Risk Factors: Details
    Affected Products: Microsoft Windows 10 (all versions), Microsoft Windows 11 (all versions), Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2008 R2 SP1, Windows 7 SP1
    Impact: Privilege Escalation
    Exploit Prerequisites: Local access to target system, authenticated user account, ability to execute code locally, standard user privileges minimum
    CVSS 3.1 Score: 7.8 (High)

    Mitigations 

    CISA has established a mandatory remediation deadline of October 27, 2025, requiring federal agencies and critical infrastructure organizations to implement security patches immediately. 

    The directive follows Binding Operational Directive (BOD) 22-01 guidelines, which mandate swift action against vulnerabilities with evidence of active exploitation.

    Organizations must apply Microsoft’s security updates through the standard Windows Update mechanism or Windows Server Update Services (WSUS) for enterprise deployments. 

    System administrators should prioritize patching domain controllers, file servers, and other critical infrastructure components first. 

    For systems unable to receive immediate updates, Microsoft recommends implementing Application Control policies and Windows Defender Exploit Guard as temporary mitigations.

    The vulnerability’s addition to CISA’s KEV catalog indicates confirmed exploitation in real-world attack scenarios, though specific ransomware campaign attribution remains unknown. 

    Security teams should monitor for suspicious Event ID 4656 and 4658 logs indicating unauthorized file system access attempts, particularly involving CLFS-related processes like clfs.sys and clfsw32.dll.

    Organizations should conduct immediate vulnerability assessments using tools like Microsoft Baseline Security Analyzer or third-party scanners to identify vulnerable systems across their infrastructure.


    The post CISA Warns of Windows Privilege Escalation Vulnerability Exploited in Attacks appeared first on Cyber Security News.
