This Week in Cybersecurity #23
Happy Friday Security Gang,
Welcome to your weekend cybersecurity digest! Here’s everything you need to know from this week’s CyberHub shows, organized by category for easy scanning.
🚨 MAJOR BREACHES & RANSOMWARE ATTACKS
Red Hat GitLab Breach & Extortion – Red Hat confirmed attackers breached its private GitLab instance, stealing source code and data. The situation escalated when threat actors calling themselves “Crimson Collective,” working with ShinyHunters, claimed 570GB of stolen data across 28,000 repositories and 800 customer engagement reports. They launched an “extortion-as-a-service” operation with a public leak deadline of October 10th.
Discord’s 55 Million User Exposure – A third-party BPO vendor’s compromised Zendesk account led to the exfiltration of 1.6TB of support ticket data, impacting roughly 55 million Discord users. The breach exposed government ID uploads, contact details, and conversation logs. As James noted, “Okta, Uber, Discord — these breaches all start the same way: an outsourced help desk with too much access and not enough security.”
Prestigious D.C. Law Firm Breached – China-linked hackers exploited a zero-day to breach Williams & Connolly, one of Washington D.C.’s most powerful law firms representing Barack Obama, the Clinton family, and Fortune 100 clients including Intel, Google, Disney, and Samsung. The attackers accessed attorney email accounts in a targeted espionage operation focused on political and corporate intelligence.
Asahi Beer Under Attack Again – Qilin ransomware claimed responsibility for the Asahi Group Holdings attack, posting the company to its leak site and alleging theft of 27GB including financial records and employee IDs. Production has resumed under manual operations. James quipped: “Stop attacking my favorite beer — it’s personal now.”
“You can tell when a company has a mature program — they’re back up in a week while others stay down for months.”
Jaguar Land Rover Recovery Begins – JLR has started a phased restart of production facilities after being down since September 1st. The UK’s £1.5B loan guarantee is keeping suppliers afloat while operations resume, marking a potential shift in how governments treat industrial cyber incidents as economic security events.
Avnet Breach of 1.3TB – Global electronics distributor Avnet confirmed a breach of its EMEA sales database, with attackers claiming to have exfiltrated 1.3TB compressed (7-12TB raw). Avnet insists the data is “unreadable without internal tooling,” though early samples show some plain-text PII. As James warned: “Unreadable doesn’t mean harmless — attackers can find value in any dataset.”
ParkMobile $32.8M Settlement – The Atlanta-based parking app settled a class-action lawsuit from its 2021 breach. Users get up to $25 in cash or $1 in app credits, while lawyers made millions. James called it symbolic: “The lawyers made millions, the users get a dollar they can’t even use all at once.”
DraftKings Credential Stuffing – The sports betting platform faced a credential-stuffing attack on September 2nd using stolen credentials from non-DraftKings sources. The company immediately enforced MFA on all accounts due to the direct fund access risk.
💰 EXTORTION & RANSOM CAMPAIGNS
Scattered Spider’s Salesforce Extortion – The hacker collective, working with Lapsus$ and ShinyHunters affiliates, is demanding ransoms from companies allegedly compromised via the Salesforce ecosystem. They claim 1 billion customer records from firms like FedEx, TransUnion, and Qantas. The campaign stems from a Salesloft/Drift OAuth compromise enabling lateral movement.
Salesforce Takes a Stand – Salesforce publicly declared: “We will not pay” to extortion groups threatening to leak stolen customer data from 39 global brands. James applauded the move: “Good on Salesforce. Let the data go. They’ll take a short-term hit but set a long-term precedent: no more ransom economics.”
Oracle Extortion Emails – Multiple Oracle E-Business Suite customers received extortion emails from attackers impersonating the Clop ransomware gang, claiming data theft via vulnerabilities patched in July 2025. The emails came from hundreds of compromised legitimate accounts, bypassing filters. As James noted: “Cybercrime’s decentralized now—loose affiliates mean old threats never really die; they just rebrand and recycle.”
🔥 CRITICAL VULNERABILITIES & ZERO-DAYS
Oracle EBS Zero-Day Exploited Early – A newly analyzed Oracle E-Business Suite zero-day was exploited two months before Oracle released a fix, with first exploitation traced to August 9th. The bug allows unauthenticated remote code execution via BI Publisher integration. James warned: “If you’re running Oracle EBS, patch it yesterday — these zero-days don’t wait for your CAB meetings.”
Zimbra Calendar Invite Zero-Day – Attackers are actively exploiting a Zimbra zero-day through malicious iCalendar attachments, executing code when the invite is parsed. Calendar invites are implicitly trusted by users and mail filters alike, making this a quiet attack vector that raises no suspicion.
Medusa Exploits GoAnywhere – Microsoft confirmed Medusa ransomware has been exploiting a Fortra GoAnywhere MFT vulnerability (CVE-2025-10035) for nearly a month, allowing unauthenticated RCE. Over 500 vulnerable systems remain exposed despite September patches.
Redis 13-Year-Old RCE – Redis patched a vulnerability (CVE-2025-49844) in its Lua scripting subsystem that allows authenticated attackers to escape the sandbox and execute code. Over 330,000 Redis instances are exposed online, roughly 60,000 of them with no authentication at all, which turns the “authenticated” prerequisite into a formality.
SonicWall Configuration Leak – All cloud-backup firewall configuration files on MySonicWall were accessed in a breach, exposing encrypted credentials, device configurations, and policies. The company released remediation tools and mandatory resets.
Chrome & Firefox Emergency Patches – Both browsers released urgent updates for high-severity vulnerabilities including heap buffer overflows and graphics engine flaws.
GitHub Copilot Code Leak – Researchers discovered a flaw where hidden code comments and proxy bypasses enabled prompt injections that leaked secrets and zero-days from private repositories.
Palo Alto Scanning Surge – Massive spike in scans targeting GlobalProtect login portals suggests recon for brute-force or vulnerability campaigns. James warned: “When scanning spikes, assume recon. Don’t wait for CISA to tell you—it’s your job to close that door now.”
👥 THREAT ACTOR ACTIVITY & ALLIANCES
Ransomware Gang Coalition – LockBit, Qilin, and DragonForce are forming an operational coalition, sharing infrastructure, affiliates, and data leak sites. James put it bluntly: “Threat actors are consolidating faster than security vendors — that should scare everyone.”
North Korea’s $2 Billion Crypto Heist – Lazarus Group and affiliates stole $2 billion in cryptocurrency in 2025 so far—a record high. Most came from DeFi exchanges with cross-chain laundering making recovery nearly impossible. James’s message: “If crypto wants to be mainstream, it has to clean its own house — you can’t build financial trust on infrastructure that’s funding rogue states.”
State Actors Abuse ChatGPT – OpenAI disrupted three state-linked threat groups (Russia, China, North Korea) using ChatGPT for malware development and phishing scaffolding, marking a new phase of AI-assisted cyber operations.
Russian Hackers Target Decoy Water Facility – Pro-Russian group TwoNet infiltrated a decoy water treatment plant within 26 hours, creating new users and launching attacks through stored XSS vulnerabilities, demonstrating how critical infrastructure remains a soft target.
Microsoft Teams Becomes Attack Vector – Threat actors are abusing Teams for phishing, exfiltration, and C2 operations using chats, calls, and screen sharing to deliver payloads like DarkGate. James warned: “Treat Teams like email — not like a safe zone. If attackers can spoof a chat invite, they can own your users.”
🌐 REGULATORY & GEOPOLITICAL DEVELOPMENTS
EU OT Attack Warning – ENISA warned that pro-Russian groups are ramping up attacks on industrial control systems to map Europe’s critical manufacturing networks for future disruption, citing the JLR crisis as a case study.
Signal vs. EU Chat Control – Signal president Meredith Whittaker announced the company will exit the EU if forced to comply with the Chat Control bill requiring client-side scanning of encrypted messages, calling it “mass surveillance infrastructure.”
Russia Blocks Foreign SIMs – Russia imposed a policy blocking mobile internet for foreign SIM cards upon entry, likely to disrupt drone communication systems using multi-SIM routing during Ukraine’s counteroffensives.
California Browser Opt-Out Law – Governor Newsom signed legislation requiring browsers to include one-click opt-out for third-party data sales, enforcing the CCPA’s Global Privacy Control standard.
LinkedIn Sues ProxyCurl – LinkedIn filed suit accusing ProxyCurl of operating an “industrial-scale fake account mill” to scrape member data and resell it for up to $15,000/month, potentially reshaping data ownership rules for social networks.
California Fines Tractor Supply – The California Privacy Protection Agency issued a $1.4M fine for failing to honor opt-outs and sharing personal data without consent—the largest CCPA fine to date.
💻 SECURITY COMPETITIONS & INITIATIVES
$4.5M Zero-Day Bounty Event – Cloud security firm Wiz announced “ZeroDay.Cloud,” inviting live exploit attempts on AWS, Azure, Google Cloud, NVIDIA toolkits, Kubernetes, and AI frameworks this December, with prizes up to $300K for hypervisor or AI model breaches.
✅ YOUR ACTION LIST
☠️ Validate Oracle EBS patches – Review logs for BI Publisher anomalies
💻 Harden GitLab/GitHub/CI/CD – No “on-prem immunity” exists
💬 Restrict vendor access – Enforce static IPs and MFA on help desks
🧾 Audit Salesforce OAuth – Monitor connected apps and token usage
🔍 Monitor Palo Alto logs – Watch GlobalProtect admin portal access
📅 Patch Zimbra immediately – Block untrusted calendar attachments
🌐 Push browser updates – Chrome v129 and Firefox 143.0.1.3
💾 Patch GoAnywhere & Redis – Hunt for RCE activity
🧱 Reset SonicWall configs – Rotate all encrypted credentials
🏈 Enforce MFA org-wide – Monitor credential stuffing patterns
🤖 Implement AI governance – Detect misuse in development tools
🍺 Test manual continuity – Paper processes still matter in OT
💻 Audit AI dev tools – Check for prompt injection risks
💦 Segment ICS/SCADA – Prioritize access controls
🕷️ Track ransomware alliances – Monitor LockBit, Qilin, DragonForce
🌐 Prepare for CCPA enforcement – Browser compliance is coming
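Putting the “monitor credential stuffing patterns” item above into practice: a small detector, added here as an example (not from any CyberHub show or vendor), that runs over constructed authentication log lines in a made-up format. It separates stuffing (one source failing against many distinct accounts, as in the DraftKings incident) from a brute force against a single account, and reports any success from the same source during the spray.

```python
"""Credential-stuffing heuristic over constructed auth log lines (added example; the log
format is made up). Stuffing = one source failing against many DISTINCT accounts in a short
window; brute force hits one account repeatedly. A success inside the spray is a likely hit."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: "<ISO time> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-09-02T10:00:01 FAIL user=alice src=203.0.113.7
2025-09-02T10:00:02 FAIL user=bob src=203.0.113.7
2025-09-02T10:00:02 FAIL user=carol src=203.0.113.7
2025-09-02T10:00:03 FAIL user=dave src=203.0.113.7
2025-09-02T10:00:04 OK user=erin src=203.0.113.7
2025-09-02T10:00:05 FAIL user=frank src=203.0.113.7
2025-09-02T10:00:06 FAIL user=grace src=203.0.113.7
2025-09-02T10:01:00 FAIL user=alice src=198.51.100.4
2025-09-02T10:01:10 FAIL user=alice src=198.51.100.4
2025-09-02T10:01:20 FAIL user=alice src=198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src_ip); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_stuffing(log_text, window=timedelta(minutes=5), min_fails=5, min_users=5):
    """Return {src_ip: (fails, distinct_users, successes_in_window)} for every source
    with >= min_fails failures against >= min_users distinct accounts inside `window`."""
    by_src = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        by_src[src].append((ts, result, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, u) for ts, r, u in events if r == "FAIL"]
        start = 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_fails and len(users) >= min_users:
                hits = sum(1 for ts, r, _ in events if r == "OK" and span[0][0] <= ts <= span[-1][0])
                cand = (len(span), len(users), hits)
                if cand > flagged.get(src, (0, 0, 0)):  # keep the widest qualifying window
                    flagged[src] = cand
    return flagged
```

In the sample, 203.0.113.7 is flagged (six failures across six accounts with one success in between), while 198.51.100.4 hammering a single account is left for a separate brute-force or lockout rule.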
🧠 JAMES AZAR’S CISO TAKE
This week reveals an undeniable shift: ransomware is evolving from encryption-based attacks into pure data extortion. Attackers have learned that encryption draws too much heat and attention, while stealthy data theft is simpler, quieter, and just as profitable. From Oracle to Salesforce to Discord, the pattern is clear—exfiltration without disruption is the new playbook. This means CISOs must fundamentally rethink incident response priorities: data governance, containment strategies, and identity protection are now as critical as system recovery. The other critical theme is consolidation—not just in business, but in cybercrime itself. LockBit’s alliances, the Crimson Collective’s extortion-as-a-service model, and Scattered Spider’s multi-gang coordination show that ransomware is becoming a networked, multi-actor economy where syndicates share infrastructure, data, and victims.
The second major takeaway is the catastrophic failure of third-party trust models. Discord, SonicWall, Red Hat, and Williams & Connolly all demonstrate that your vendors, support desks, cloud integrators, and even law firms are part of your attack surface—whether you actively manage them or not. Asahi’s rapid recovery versus JLR’s month-long paralysis proves that cyber resilience is the real differentiator. The difference isn’t luck or budget—it’s preparation, segmentation, tested continuity plans, and manual fallback procedures. As CISOs, we can’t wait for regulatory clarity or executive alignment. We must operationalize resilience now: patch faster, enforce least privilege ruthlessly, demand transparency from every vendor, constantly audit external integrations, and assume breach at every layer. Cyber resilience isn’t a compliance checkbox; it’s a survival mindset.
Stay Cyber Safe, Security Gang!
Thanks for tuning in. We’ll be back Monday at 9 AM Eastern Live!