CISO Talk by James Azar
CyberHub Podcast
Avnet Confirms Breach Says Stolen Data Unreadable, Salesforce Refuses to Pay Ransom Over Data Theft Attacks, North Korean Hackers Stole Over $2 Billion in Crypto, OpenAI Disrupts Influence Operations

Avnet Breach Data “Unreadable,” Salesforce Refuses to Pay Ransom, and North Korea’s $2B Crypto Heist

Good Morning Security Gang!


I was chatting with a colleague last night and we both agreed: threat actors are moving away from traditional ransomware encryption toward pure extortion. They’re stealing data, skipping the encryption part, and demanding payment anyway — because governments and companies are refusing to pay “ransoms.” So, we’re seeing cybercrime rebrand itself in real time.

On that note, let’s dig into the day’s biggest stories — Avnet’s breach, Oracle’s exploited zero-day, Salesforce’s standoff with extortionists, DraftKings’ credential-stuffing attack, and North Korea’s $2 billion crypto heist.

Espresso in hand — let’s go! ☕

🖥 Avnet Confirms Breach but Says Stolen Data Is “Unreadable”

Global electronics distributor Avnet confirmed a breach of an externally hosted sales database serving its EMEA region. The attackers claim to have exfiltrated 1.3TB of compressed data (7–12TB uncompressed) and are preparing a leak site to extort the company. Avnet says the data is "unreadable without internal tooling" because it is stored in a proprietary format. Even so, early samples reportedly contain some plain-text PII, though Avnet maintains none of it qualifies as "sensitive" data under GDPR. A proprietary format is an obstacle, not a control: anyone with enough samples, or a copy of the export tooling, can reverse it.

“Unreadable doesn’t mean harmless — attackers can find value in any dataset.” James Azar

The company has already rotated its Azure and Databricks credentials and says operations are unaffected; rotation closes the door the attackers used, but it does not recall data that has already left. For context, Avnet operates in 125 countries, with 15,000 employees and $22 billion in annual revenue. My take: "Unreadable" doesn't mean harmless — attackers can find value in any dataset if it touches customer workflows or designs.

⚙ Oracle Zero-Day Exploited Two Months Before Patch

A newly analyzed Oracle E-Business Suite (EBS) zero-day was exploited for roughly two months before Oracle released a fix, according to new reporting. The bug, now patched, sits in the BI Publisher integration and allows unauthenticated remote code execution (RCE) over the network. The earliest known exploitation dates to August 9th, and the Clop ransomware gang has claimed credit.

Competing groups have also fought over who found it first, a sign of how a decentralized cybercrime economy produces overlapping attacks on the same targets. Hundreds of vulnerable EBS instances remain reachable from the internet despite the available patch. Because exploitation predates the fix, patching alone does not clear an instance that was exposed in August; those should be reviewed for signs of compromise as well. I warned: "If you're running Oracle EBS, patch it yesterday — these zero-days don't wait for your CAB meetings."

🧾 Salesforce Refuses to Pay Ransom

Salesforce confirmed that data-theft groups are extorting dozens of its customers and has publicly stated that it will not pay. The threat actors, calling themselves "Scattered Lapsus Hunters", claim to have stolen about 1 billion customer records from 39 companies spanning retail, technology and media, and are threatening to leak them unless Salesforce or its clients pay up.

Salesforce’s stance is firm: no negotiation, no ransom. This is the right move — paying would only encourage the next wave. As I said: “Good on Salesforce. Let the data go. They’ll take a short-term hit but set a long-term precedent: no more ransom economics.”

🏈 DraftKings Faces Credential Stuffing Surge

DraftKings, one of the largest sports-betting platforms in the U.S., disclosed a credential-stuffing attack against customer accounts that began on September 2nd. The usernames and passwords were taken from breaches of other, unrelated services and replayed against DraftKings logins; where a reused password matched, the attackers could view names, the last four digits of payment cards, contact details and the date of the last password change.

DraftKings responded by enforcing multi-factor authentication (MFA) on all accounts. Because accounts hold funds and stored balances, a reused password translates directly into theft, which is what makes betting platforms such attractive targets. Credential stuffing also leaves a recognizable signature in authentication logs: one source hitting many distinct accounts in a short window with a high failure rate, where the few successes mark the accounts that need a forced reset first.
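The detection logic described above, as an added example that is not DraftKings' own tooling: it assumes a hypothetical JSON-lines login log with the fields ts, src_ip, user and result, slides a five-minute window over each source IP, and flags sources that touch at least five distinct accounts with an 80% or higher failure rate. The thresholds and the sample log lines are constructed for the example.

```python
"""Credential-stuffing detector over an authentication log.

Added example for the DraftKings item above; it is not DraftKings' code.
It assumes a hypothetical JSON-lines login log with the fields
ts, src_ip, user and result ("success" or "fail"). SAMPLE_LOG is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Thresholds (assumptions; tune to your own traffic). A single source that
# touches this many distinct accounts inside the window with this failure
# rate is replaying a credential list, not mistyping a password.
WINDOW_SECONDS = 300
MIN_DISTINCT_USERS = 5
MIN_FAIL_RATIO = 0.8

# Constructed sample: 203.0.113.7 sprays twelve accounts in 22 seconds and
# lands two of them; 198.51.100.23 is one person fumbling a password; and
# 192.0.2.9 probes three accounts, too few to trip the rule.
SAMPLE_LOG = """\
{"ts": "2025-09-02T03:00:01Z", "src_ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2025-09-02T03:00:03Z", "src_ip": "203.0.113.7", "user": "bob", "result": "success"}
{"ts": "2025-09-02T03:00:05Z", "src_ip": "203.0.113.7", "user": "chen", "result": "fail"}
{"ts": "2025-09-02T03:00:07Z", "src_ip": "203.0.113.7", "user": "dina", "result": "fail"}
{"ts": "2025-09-02T03:00:09Z", "src_ip": "203.0.113.7", "user": "eve", "result": "fail"}
{"ts": "2025-09-02T03:00:11Z", "src_ip": "203.0.113.7", "user": "frank", "result": "fail"}
{"ts": "2025-09-02T03:00:13Z", "src_ip": "203.0.113.7", "user": "gita", "result": "fail"}
{"ts": "2025-09-02T03:00:15Z", "src_ip": "203.0.113.7", "user": "hank", "result": "fail"}
{"ts": "2025-09-02T03:00:17Z", "src_ip": "203.0.113.7", "user": "ivan", "result": "fail"}
{"ts": "2025-09-02T03:00:19Z", "src_ip": "203.0.113.7", "user": "dave", "result": "success"}
{"ts": "2025-09-02T03:00:21Z", "src_ip": "203.0.113.7", "user": "jing", "result": "fail"}
{"ts": "2025-09-02T03:00:23Z", "src_ip": "203.0.113.7", "user": "kai", "result": "fail"}
{"ts": "2025-09-02T03:01:10Z", "src_ip": "198.51.100.23", "user": "maria", "result": "fail"}
{"ts": "2025-09-02T03:01:25Z", "src_ip": "198.51.100.23", "user": "maria", "result": "fail"}
{"ts": "2025-09-02T03:01:40Z", "src_ip": "198.51.100.23", "user": "maria", "result": "success"}
{"ts": "2025-09-02T03:02:05Z", "src_ip": "192.0.2.9", "user": "noah", "result": "fail"}
{"ts": "2025-09-02T03:02:06Z", "src_ip": "192.0.2.9", "user": "olga", "result": "fail"}
{"ts": "2025-09-02T03:02:07Z", "src_ip": "192.0.2.9", "user": "pete", "result": "fail"}
"""


def parse_lines(text):
    """Parse JSON lines into event dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=WINDOW_SECONDS, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Slide a time window over each source IP's attempts and report the ones
    that look like credential stuffing.

    Returns {src_ip: {"attempts", "distinct_users", "fail_ratio", "compromised"}}
    where "compromised" lists accounts that logged in successfully inside a
    flagged window: those are the accounts to force-reset first.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    findings = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the left edge until the window fits.
            while (attempts[end]["ts"] - attempts[start]["ts"]).total_seconds() > window:
                start += 1
            win = attempts[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "fail")
            ratio = fails / len(win)
            if len(users) < min_users or ratio < min_fail_ratio:
                continue
            f = findings.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                         "fail_ratio": 0.0, "compromised": set()})
            # Keep the largest qualifying window's stats, but the union of successes.
            if len(win) > f["attempts"]:
                f.update(attempts=len(win), distinct_users=len(users), fail_ratio=round(ratio, 2))
            f["compromised"].update(e["user"] for e in win if e["result"] == "success")

    for f in findings.values():
        f["compromised"] = sorted(f["compromised"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_lines(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts on {f['distinct_users']} accounts, "
              f"fail ratio {f['fail_ratio']}, likely compromised: {f['compromised']}")
```

The per-IP grouping is deliberately simple; real stuffing is usually spread over a proxy pool, so in production the same window logic is also worth running per ASN, per user-agent string and per target account. The "compromised" list is the part that matters for response: those accounts logged in successfully from inside a burst of failures and should be reset and reviewed before anything else.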

💰 North Korea Steals $2 Billion in Cryptocurrency

Blockchain-intelligence firms Elliptic and Chainalysis report that North Korean actors have stolen more than $2 billion worth of cryptocurrency so far in 2025, a record that already exceeds the whole of 2024. Most of it came from compromises of exchanges and wallet providers, attributed to the Lazarus Group and affiliated units. Analysts warn that cross-chain laundering and mixers move the funds faster than they can be traced, making recovery almost impossible.

I had a strong message for the crypto community: “If crypto wants to be mainstream, it has to clean its own house — you can’t build financial trust on infrastructure that’s funding rogue states.”

🧠 OpenAI Disrupts State-Linked Clusters Using ChatGPT

OpenAI announced that it disrupted three state-linked threat clusters that were abusing ChatGPT for malware development and phishing scaffolding. The clusters, linked to Russia, China and North Korea, used the model to refine credential stealers and automate the creation of phishing lures. The output quality was low, but it marks a new phase of AI-assisted cyber operations. This is why AI governance isn't optional; it's national security.

📵 Russia Blocks Foreign SIM Cards

Russia imposed a new policy that cuts mobile internet and SMS service for foreign SIM cards when they first register on its networks, citing "security concerns." Travelers and journalists reported losing data and SMS service for hours after connecting. Analysts believe the aim is to deny drones the cellular connectivity they gain from multi-SIM routing during Ukraine's counteroffensives, a move that blends wartime countermeasure with domestic control.

🏢 Microsoft Teams Exploited for Phishing and C2

Microsoft warned that threat actors are abusing the trust users place in Teams to run phishing and exfiltration campaigns. Attackers use Teams chats, calls and screen sharing to talk victims into running payloads such as DarkGate, and they use device-code phishing, in which the victim is tricked into completing an OAuth device-authorization prompt that signs the attacker's client in, to obtain tokens for the victim's account and move further into the tenant.

They're also using Teams protocols for command-and-control traffic, which blends in with legitimate use and makes detection harder. My message to CISOs: "Treat Teams like email — not like a safe zone. If attackers can spoof a chat invite, they can own your users."
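Device-code phishing has a useful property for defenders: the token is issued to the attacker's client, so the sign-in appears under the victim's identity but from the attacker's location and app. The check below, an added example rather than Microsoft's code, uses that. Field names follow the Microsoft Entra sign-in log schema, where authenticationProtocol equals "deviceCode" for the device-authorization grant; the sign-in records and the allowlist of apps expected to use the flow are constructed for the example.

```python
"""Flag device-code sign-ins that do not fit a user's usual sign-in pattern.

Added example for the Teams/device-code item above; it is not Microsoft's
code. Field names follow the Microsoft Entra sign-in log schema, where
authenticationProtocol == "deviceCode" marks the OAuth device-authorization
grant. SIGNINS is a constructed sample and EXPECTED_DEVICE_CODE_APPS is a
hypothetical tenant allowlist.
"""
from collections import defaultdict

# Hypothetical allowlist: tools that legitimately use the device code flow in
# this tenant. Derive the real list from your own baseline, not from this.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}

SIGNINS = [
    # alice's normal pattern: Teams from the US over the regular OAuth flow.
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.10",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    # Device-code phish: alice approved a code sent over Teams, and the token
    # was issued to a client in NL she has never signed in from.
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.50",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    # bob really does use the Azure CLI from his usual location: benign.
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
    # A failed device-code attempt (non-zero errorCode): no token was issued,
    # so it is left for a separate hunt rather than flagged here.
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.51",
     "location": {"countryOrRegion": "NL"}, "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 50126}},
    # dave: an expected app, but from a country outside his baseline.
    {"userPrincipalName": "dave@example.com", "ipAddress": "198.51.100.30",
     "location": {"countryOrRegion": "US"}, "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.52",
     "location": {"countryOrRegion": "DE"}, "appDisplayName": "Microsoft Azure CLI",
     "authenticationProtocol": "deviceCode", "status": {"errorCode": 0}},
]


def baseline_countries(signins):
    """Per user, the countries seen on successful sign-ins that did NOT use
    device code. Device-code events are excluded so an attacker's first
    success cannot seed the baseline it is compared against."""
    base = defaultdict(set)
    for s in signins:
        if s["status"]["errorCode"] == 0 and s["authenticationProtocol"] != "deviceCode":
            base[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return base


def flag_device_code_signins(signins, expected_apps=EXPECTED_DEVICE_CODE_APPS):
    """Return successful device-code sign-ins that come from a country outside
    the user's baseline or through an app not expected to use the flow."""
    base = baseline_countries(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        upn = s["userPrincipalName"]
        country = s["location"]["countryOrRegion"]
        app = s["appDisplayName"]
        reasons = []
        if country not in base.get(upn, set()):
            reasons.append(f"country {country} not in baseline {sorted(base.get(upn, set()))}")
        if app not in expected_apps:
            reasons.append(f"app {app!r} is not expected to use the device code flow")
        if reasons:
            findings.append({"user": upn, "ip": s["ipAddress"], "app": app, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_device_code_signins(SIGNINS):
        print(f"{f['user']} via {f['app']} from {f['ip']}: " + "; ".join(f["reasons"]))
```

Two findings come out: alice (new country and an unexpected app) and dave (expected app, new country). A hit with both reasons is the one to revoke sessions on immediately; a single-reason hit on an allowlisted CLI is still worth a call to the user, because that is exactly what a successful device-code phish of an administrator looks like. The fix on the prevention side is a Conditional Access policy that blocks the device code flow for everyone who has no business using it.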

🧠 James Azar’s CISO Take

The shift in attacker strategy is undeniable: ransomware is evolving into pure data extortion. Attackers have learned that encryption draws too much heat, while plain data theft is stealthier, simpler, and just as profitable. That changes incident response priorities. Data governance and containment now matter as much as system recovery, because once the data is out there is no restore-from-backup equivalent; the only levers left are limiting what could be taken in the first place and knowing exactly what was.

The other theme today is trust erosion. Whether it is Oracle's zero-day, the extortion campaign against Salesforce customers, or Microsoft Teams being turned into an attack vector, the message is the same: our most "trusted" systems are now the biggest risk surfaces. As practitioners, we can't wait for regulatory clarity or executive alignment. We need to operationalize resilience: patch faster, test failovers, and assume breach. Cyber resilience isn't a checkbox; it's a mindset.


✅ Action Items

  • 🖥 Inventory externally hosted databases and the credentials that reach them; don't assume third-party-hosted data is "safe."

  • ⚙ Patch Oracle EBS immediately; find any internet-exposed BI Publisher endpoints and review instances that were exposed before the fix for signs of compromise.

  • 🧾 Review Salesforce integrations; inventory connected apps and monitor OAuth grants.

  • 🏈 Enforce MFA and alert on credential-stuffing patterns (one source, many accounts, high failure rate).

  • 💰 Strengthen crypto exchange and wallet-provider defenses and monitor for laundering pipelines.

  • 🧠 Audit Teams and other collaboration tools for external-access and device-code abuse.

  • 📵 Prepare contingency plans for communications restrictions in conflict zones.

  • 🤖 Implement AI governance frameworks to detect misuse.


And that’s a wrap for today’s show, Security Gang — stay alert, stay resilient, and as always, stay cyber safe! ☕👊
