10 Oct 2025
Week in review
Greetings,
The hacking collective Scattered Lapsus$ Hunters has continued its campaign of cyber extortion this week, targeting major Australian organisations including Telstra and Qantas. The group, which has claimed responsibility for a string of recent Salesforce-based attacks, alleged it had stolen millions of customer records from both companies and threatened to release the data unless “a resolution” was reached.
Telstra was listed on the group’s darknet leak site overnight, with hackers claiming to hold 19 million sets of personal data including names, mobile numbers, and addresses. However, Telstra has denied the breach, confirming that the data was scraped from publicly available sources and did not come from its systems. Cyber Daily’s analysis suggests the information instead matches data from Reverse Australia, a public reverse phone lookup service.
Meanwhile, Qantas has also reappeared on Scattered Lapsus$ Hunters’ leak site following an earlier breach in June. The group claims to possess over five million records of personally identifiable information, including customer names, contact details, and Frequent Flyer numbers, with a data release deadline set for 10 October. Qantas said its systems remain secure and that the incident stemmed from a third-party contact centre platform. The airline continues to strengthen its cyber defences and support affected customers.
Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks
Date: 2025-10-06
Author: The Hacker News
[AUSCERT has published a MISP event with IOCs. Also see bulletin https://portal.auscert.org.au/bulletins/ASB-2025.0163]
Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks.
The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component.
ShinyHunters Wage Broad Corporate Extortion Spree
Date: 2025-10-07
Author: Krebs on Security
A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.
Salesforce refuses to pay a ransom in recent wave of attacks
Date: 2025-10-08
Author: SC Media
News that Salesforce has refused to negotiate or pay a ransom in the recent wave of cyberattacks experienced by at least 39 of its customers was viewed as a double-edged sword by some security professionals.
“Salesforce's public refusal to pay the ransom sets a precedent that discourages future extortion attempts,” said MacKenzie Brown, vice president, Adversary Pursuit Group at Blackpoint Cyber. “However, this strategy shifts the risk to their customers, who must now prepare for a potential data leak.”
Redis warns of critical flaw impacting thousands of instances
Date: 2025-10-06
Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.7128]
The Redis security team has released a patch for CVE-2025-49844, a vulnerability that could allow threat actors to gain remote code execution on thousands of vulnerable instances. An authenticated threat actor can exploit the 13-year-old use-after-free bug to escape the Lua sandbox, establish a reverse shell for persistent access, and achieve remote code execution on the targeted Redis host.
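Because the flaw is reachable only by an authenticated user who can run Lua, a quick defensive check is to see which Redis accounts still hold scripting commands. The following is an added example (not code from Redis or from the AUSCERT bulletin) that evaluates `ACL LIST` output lines and reports enabled users who can reach EVAL, FUNCTION and related commands; it assumes the standard `ACL LIST` line layout, handles only the @all, @scripting and @slow categories precisely, and treats any other category grant conservatively.

```python
# Added example: flag Redis users whose ACL rules still grant Lua/function scripting
# commands, the surface an authenticated attacker needs for the sandbox escape above.
# Assumes "ACL LIST" lines look like:
#   user <name> on|off <auth tokens...> ~<key pattern> &<channel pattern> <command rules...>

SCRIPTING_COMMANDS = {  # members of the @scripting ACL category (also in @slow)
    "eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro", "function", "script",
}
GRANT_ALL_SCRIPTING = {"+@all", "allcommands", "+@scripting", "+@slow"}
REVOKE_ALL_SCRIPTING = {"-@all", "nocommands", "-@scripting", "-@slow"}


def user_can_run_scripts(acl_line: str) -> bool:
    """True when an enabled user ends up with at least one scripting command allowed.

    Rules apply left to right with later rules overriding earlier ones, as Redis does.
    Unknown "+@category" grants are assumed to include scripting (over-report rather
    than miss); unknown "-@category" revokes are ignored for the same reason.
    """
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    enabled = False
    allowed: set[str] = set()
    for tok in tokens[2:]:
        low = tok.lower()
        if low == "on":
            enabled = True
        elif low == "off":
            enabled = False
        elif low in GRANT_ALL_SCRIPTING:
            allowed |= SCRIPTING_COMMANDS
        elif low in REVOKE_ALL_SCRIPTING:
            allowed.clear()  # only scripting commands are tracked, so clearing is exact
        elif low.startswith("+@"):
            allowed |= SCRIPTING_COMMANDS  # unknown category: assume it may include scripting
        elif low.startswith("+"):
            cmd = low[1:].split("|")[0]  # "+script|flush" style subcommand grants still count
            if cmd in SCRIPTING_COMMANDS:
                allowed.add(cmd)
        elif low.startswith("-") and not low.startswith("-@"):
            allowed.discard(low[1:].split("|")[0])
        # passwords (#hash, nopass), key/channel patterns and flags do not change commands
    return enabled and bool(allowed)


def scripting_users(acl_list_output: str) -> list[str]:
    """Names of enabled users that can still reach the Lua scripting surface."""
    return [line.split()[1] for line in acl_list_output.splitlines()
            if line.strip() and user_can_run_scripts(line)]


# Constructed sample output (placeholder password hashes), not from a real deployment.
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #0000000000000000000000000000000000000000000000000000000000000000 ~app:* &* +@all -@scripting
user batch on #0000000000000000000000000000000000000000000000000000000000000000 ~* &* -@all +get +set +eval
user legacy off nopass ~* &* +@all
"""

if __name__ == "__main__":
    print("users that can run Lua scripts:", scripting_users(SAMPLE_ACL_LIST))
```

Accounts reported here should have `-@scripting` appended to their ACL rules (or be disabled) until the patched Redis build is deployed.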
SonicWall Concludes Investigation Into Incident Affecting MySonicWall Configuration Backup Files
Date: 2025-10-08
Author: Arctic Wolf
On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. As of October 8, 2025, the investigation has concluded and SonicWall has updated their advisory accordingly.
While the original SonicWall advisory stated that under 5% of customers using the MySonicWall configuration file backup feature were affected by the incident, the finalized verbiage now specifies that all customers who have used SonicWall’s cloud backup service were affected.
ASB-2025.0163 – Oracle E-Business Suite: CVSS (Max): 9.8
Oracle released an emergency patch to fix CVE-2025-61882, a critical remote-code-execution flaw in its E-Business Suite that has already been exploited by the Cl0p group in data theft campaigns.
ESB-2025.7127 – Tenable Security Center: CVSS (Max): 10.0
Tenable fixed a medium-severity access control flaw (CVE-2025-36636) in Security Center ≤ 6.6.0, with the issue resolved in version 6.7.0.
ESB-2025.7128 – redis: CVSS (Max): 9.9
Redis has disclosed a maximum-severity use-after-free flaw (CVE-2025-49844) in its Lua scripting engine that enables remote code execution when exploited.
ESB-2025.7165 – IBM Db2 Data Management Console: CVSS (Max): 8.3
IBM warned of critical flaws in Db2 Data Management Console 3.1.12, including RCE via SnakeYAML, now added to CISA’s KEV catalog. Upgrading to version 3.1.13+ is strongly advised.
Stay safe, stay patched and have a good weekend!
The AUSCERT team