CISO Talk by James Azar
CyberHub Podcast
Death by a Thousand Cuts: Oracle Extortion, ParkMobile's $1 Settlement Joke, and the Dev Infrastructure Wake-Up Call

Oracle Extortion Scam, ParkMobile’s $32.8M Settlement, Red Hat Hack, Scattered Spider Salesforce Extortion, and EU OT Attack Warnings

Good Morning Security Gang!
Welcome back to the CyberHub Podcast. It’s a new week, a new quarter, and as we head deeper into budget season, cyber incidents are ramping up everywhere.

Today’s show covers Oracle’s eBusiness Suite extortion scare, ParkMobile’s $32.8M class-action settlement, Red Hat’s GitLab hack, Scattered Spider’s latest Salesforce extortion campaign, a surge in Palo Alto portal scans, Zimbra’s sneaky calendar exploit, Chrome and Firefox emergency patches, Europe’s OT attack warning, and LinkedIn’s new battle over data scraping. Espresso in hand - let’s get right into it.

☠ Oracle Extortion Emails Target eBusiness Suite Customers

Oracle confirmed that multiple eBusiness Suite (EBS) customers have received extortion emails claiming data theft. The attackers—impersonating the Clop ransomware gang—referenced vulnerabilities patched in Oracle’s July 2025 Critical Patch Update. These emails originated from hundreds of compromised legitimate accounts, bypassing most filters and adding credibility.

Oracle says it’s investigating but hasn’t verified any actual breaches. Still, customers are urged to verify patch levels, review logs for data exports, and restrict external exposure.

As I said on the show, “Cybercrime’s decentralized now—loose affiliates mean old threats never really die; they just rebrand and recycle.”

🚗 ParkMobile Settles $32.8M Breach Lawsuit

Atlanta-based ParkMobile, now owned by private equity-backed Arrive Mobility, settled a class-action lawsuit stemming from its 2021 data breach. The attack exposed emails, phone numbers, license plates, and hashed passwords of millions of users. The settlement breaks down as:

  • $9M in cash payments (up to $25 per claimant)

  • $21M in app credits (roughly $1 per user)

  • $2.5M for future security upgrades

As I said this morning, the whole thing feels symbolic: “The lawyers made millions, the users get a dollar they can’t even use all at once.”

💻 Red Hat’s Private GitLab Instance Hacked

Red Hat confirmed that attackers breached its private GitLab instance, stealing source code and data. Details remain sparse, but this breach underscores the risks facing CI/CD and source control infrastructure. Even internal “on-prem” repos aren’t immune—every developer tool is now a prime target. Red Hat is auditing commit histories to verify integrity and prevent backdoor insertions.

🕵 Scattered Spider’s Salesforce Extortion Campaign

The hacker collective Scattered Spider, working with affiliates from Lapsus$ and ShinyHunters, is demanding ransoms from companies allegedly compromised via the Salesforce ecosystem. The group claims to hold 1 billion customer records from firms like FedEx, TransUnion, and Qantas, threatening to publish if payments aren’t made.

Salesforce maintains there’s “no evidence” of a breach, but this campaign stems from a Salesloft/Drift OAuth compromise that allowed lateral movement into Salesforce environments. This attack shows how third-party tokens can become full-blown corporate compromises.

🔍 Surge in Scans Targeting Palo Alto Networks

Researchers are observing a massive spike in scans targeting Palo Alto’s GlobalProtect login portals—a likely prelude to brute-force or vulnerability testing campaigns. Attackers are scanning admin endpoints and APIs at scale, though no new exploit has been confirmed yet.

I warned practitioners: “When scanning spikes, assume recon. Don’t wait for CISA to tell you—it’s your job to close that door now.”

📅 Zimbra Zero-Day Using Calendar Invites

Attackers are actively exploiting a Zimbra zero-day through malicious iCalendar (.ics) attachments, executing code while the invite is parsed. This is a quiet, socially trusted vector—calendar invites are inherently trusted by recipients and mail clients alike. Organizations using Zimbra should patch immediately, isolate unverified calendar events, and monitor email gateways for attachments using calendar MIME types.
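The gateway check described above, as an added example that is not part of the original post or of Zimbra’s own tooling: it walks a raw message’s MIME parts and flags calendar payloads by declared type, by filename, and by content magic, so an invite disguised under another content type is still caught. The MIME type and extension lists, the sample message, and the function names are assumptions made for the example.

```python
import email
from email import policy

# MIME types and filename extensions that mark an iCalendar payload.
# The lists are assumptions based on the common iCalendar registrations.
CALENDAR_TYPES = {"text/calendar", "application/ics"}
CALENDAR_EXTS = (".ics", ".ical", ".ifb", ".icalendar")


def find_calendar_parts(raw_message: bytes):
    """Return (reason, filename) for each non-multipart MIME part that is a
    calendar payload: by declared type, by filename, or by a body that starts
    with BEGIN:VCALENDAR while claiming some other content type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        if ctype in CALENDAR_TYPES:
            hits.append(("calendar-mime-type", fname or "(inline)"))
        elif fname.endswith(CALENDAR_EXTS):
            hits.append(("calendar-extension", fname))
        elif body.lstrip()[:15].upper() == b"BEGIN:VCALENDAR":
            # Disguised invite: calendar magic under a non-calendar type.
            hits.append(("calendar-magic-under-" + ctype, fname or "(inline)"))
    return hits


# Constructed sample message: one declared invite plus one disguised as
# application/octet-stream with a non-.ics filename.
SAMPLE = (
    b"From: sender@example.test\r\nTo: user@example.test\r\n"
    b"Subject: Meeting\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--b1\r\nContent-Type: text/calendar; method=REQUEST\r\n\r\n"
    b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nEND:VCALENDAR\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="invite.dat"\r\n'
    b'Content-Disposition: attachment; filename="invite.dat"\r\n\r\n'
    b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nEND:VCALENDAR\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for reason, name in find_calendar_parts(SAMPLE):
        print(f"quarantine candidate: {name} ({reason})")
```

Any hit is a quarantine-and-review signal; the magic-byte branch is the one that catches an invite a sender has relabelled to slip past a type-only filter.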

🌐 Chrome & Firefox Emergency Patches

Both Google Chrome and Mozilla Firefox released urgent updates patching high-severity vulnerabilities:

  • Chrome: CVE-2025-11205 & CVE-2025-11206 (heap buffer overflow)

  • Firefox: CVE-2025-11152 & CVE-2025-11153 (graphics & JavaScript engine flaws)

Admins—patch browsers across endpoints today. Chrome even issued $25,000 in bug bounties to researchers who reported the flaws.

⚙ EU Warns of OT Cyberattacks

The EU Agency for Cybersecurity (ENISA) released a report warning that pro-Russian threat groups are ramping up attacks on industrial control systems (ICS) and OT infrastructure. The goal: mapping Europe’s critical manufacturing networks for future disruption campaigns. The Jaguar Land Rover ransomware crisis was specifically cited as a case study of how OT and IT convergence creates national economic risk.

🧠 LinkedIn vs ProxyCurl: The Data-Scraping Showdown

LinkedIn (owned by Microsoft) has filed a lawsuit against ProxyCurl, accusing it of operating an “industrial-scale fake account mill” to scrape member data, including posts and reactions, then resell it to clients for up to $15,000 per month. ProxyCurl allegedly accessed both public and private user information behind LinkedIn’s login wall. The case could reshape the future of data ownership on social networks—especially around how APIs are used for commercial data aggregation.

🧠 James Azar’s CISO Take

Today’s stories paint a vivid picture of a cyber ecosystem under constant recycling—old groups like Clop, Lapsus$, and Scattered Spider simply reshuffle, rebrand, and adapt. The Oracle and Salesforce stories remind us that supply-chain trust is still broken, and that third-party tokens, dev tools, and unpatched ERP systems remain the soft underbelly of modern enterprises.

The other key takeaway is the rise of OT and data integrity risk. ENISA’s warnings, the JLR fallout, and LinkedIn’s legal moves all point to one truth: cyber isn’t just about stopping breaches anymore—it’s about defending the backbone of the economy. As CISOs, we can’t treat these as technical stories; they’re business continuity crises waiting to happen. Patch faster, segment smarter, and govern better—because the attackers aren’t waiting.


✅ Action Items

  • ☠ Validate Oracle EBS patch levels; review logs for anomalies.

  • 🚗 If you’re a Salesforce user, audit OAuth tokens and connected apps.

  • 💻 Harden GitLab, GitHub, and CI/CD pipelines—no “on-prem immunity.”

  • 🔍 Monitor Palo Alto GlobalProtect and admin portal access logs.

  • 📅 Patch Zimbra immediately; block untrusted calendar attachments.

  • 🌐 Push Chrome (v129) and Firefox (143.0.1.3) patches org-wide.

  • ⚙ Reassess OT/IT segmentation and backup strategies.

  • 🧠 Track LinkedIn’s lawsuit implications for data compliance policies.


And that’s a wrap for today’s show, Security Gang — stay alert, stay resilient, and as always, stay cyber safe! ☕👊
