
Daily Security Briefing 035
- DjediTech
- Security, Newsletter
- October 9, 2025
Oracle zero-day extortion, GenAI ransomware surge, AI browser OAuth flaws…
Executive Summary
Today’s cybersecurity landscape is marked by high-profile extortion campaigns exploiting Oracle E-Business Suite zero-day vulnerabilities, highlighting the continuing risks faced by enterprise applications. While overall cyberattack volumes slightly decreased in September, ransomware activity surged by 46%, fueled in part by rising risks from generative AI technologies. Meanwhile, emerging threats target AI-powered tools, including new OAuth vulnerabilities in AI browsers and sophisticated spyware campaigns on Android platforms. Supply chain and cloud security remain concerns as SonicWall confirms a breach exposing customer firewall configurations. The evolving tactics demonstrate the increasing sophistication and diversity of cyber threats facing organizations worldwide.
Top Articles
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
Since late September, a threat actor linked to the CL0P extortion group has leveraged an Oracle E-Business Suite zero-day vulnerability in extensive data theft and extortion attempts. The group sent a wave of phishing emails to executives across multiple organizations, alleging data compromise in order to coerce ransom payments. This large-scale campaign underscores the critical need for timely patching and monitoring of enterprise systems.
GoogleCloud
Global Cyber Threats September 2025: Attack Volumes Ease Slightly, but GenAI Risks Intensify as Ransomware Surges 46%
Despite a slight 4% drop in total weekly cyberattacks per organization last month, ransomware attacks increased dramatically by 46%, driven partly by the misuse of generative AI tools to enhance attack sophistication. Organizations averaged 1,900 attacks weekly, indicating persistent threat activity. The report highlights that, although volume metrics may stabilize temporarily, the nature and impact of attacks continue to evolve rapidly.
Checkpoint
SquareX Shows AI Browsers Fall Prey to OAuth Attacks, Malware Downloads and Malicious Link Distribution
Security research published by SquareX reveals severe vulnerabilities in AI browsers, which are increasingly integrated into enterprise workflows. Attackers can abuse the OAuth authorization flows these browsers rely on to bypass access controls, exfiltrate sensitive data, distribute malware, and launch malicious link campaigns through the AI-powered platforms. The findings highlight emerging weaknesses in new AI technologies that demand urgent security attention.
GBHackers
Lightship Security and the OpenSSL Corporation Submit OpenSSL 3.5.4 for FIPS 140-3 Validation
OpenSSL version 3.5.4 has been submitted for FIPS 140-3 validation, demonstrating commitment to high-assurance cryptographic standards. This move by Lightship Security and OpenSSL Corporation aims to enable broader governmental and regulated sector adoption by ensuring the library meets strict validation and compliance requirements.
GBHackers
Weaponized QR Code Powers New Quishing Attack Targeting Microsoft Users
Researchers have uncovered a sophisticated quishing campaign leveraging manipulated QR codes to evade detection and target Microsoft users. The attack uses advanced evasion techniques to trick victims into scanning malicious codes, directing them towards phishing sites that compromise credentials. This evolution in QR code-based phishing requires renewed focus on mobile and physical security hygiene.
CyberPress
Ransomware Attacks Involve Exploitation of DFIR Tool Velociraptor by Threat Actors
Cisco Talos has observed ransomware groups abusing the Velociraptor open-source digital forensics and incident response (DFIR) tool. Likely operated by the China-based Storm-2603 threat actor, this tactic turns a legitimate forensic tool into an attacker-controlled component during intrusions, complicating incident response efforts.
CyberPress
From HealthKick to GOVERSHELL: The Evolution of UTA0388’s Espionage Malware
The China-aligned threat group UTA0388 continues to deploy sophisticated spear-phishing campaigns across multiple regions. Their malware, GOVERSHELL, a Go-based implant, exemplifies the threat actor’s adaptability and targeted espionage capabilities against government and research entities.
TheHackerNews
New ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps
The ClayRat spyware campaign is spreading rapidly among Android users in Russia, using phishing sites and Telegram channels to impersonate popular apps including WhatsApp, TikTok, YouTube, and Google Photos. Once installed, the spyware extracts sensitive data such as SMS messages, call logs, and device information, and can covertly activate the camera.
TheHackerNews | BleepingComputer
From infostealer to full RAT: dissecting the PureRAT attack chain
Huntress Labs provides detailed analysis of the PureRAT campaign, which escalates from a lightweight Python infostealer to a fully featured remote access Trojan. The attack chain includes sophisticated loaders, evasion techniques, and TLS-pinned command-and-control channels, demonstrating an advanced tiered malware deployment.
BleepingComputer
SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal
SonicWall confirmed unauthorized access to all customer firewall configurations stored on its cloud portal, gained through a brute-force attack against the portal. The exposure compounds ongoing concerns, as the vendor's products have suffered multiple exploitable defects in recent years, highlighting persistent cloud security challenges.
CyberScoop
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.