Daily Security Briefing #081


November 22, 2025

Salesforce data breach impacts 200+ companies, Oracle Identity Manager flaw actively exploited, CrowdStrike terminates employee for insider leak


Executive Summary

Cybersecurity risks continue to escalate with significant incidents reported across multiple fronts. A large-scale breach exploiting Salesforce’s Gainsight integration has exposed sensitive data from over 200 organizations, underscoring the vulnerabilities introduced by third-party platforms. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent warnings about an actively exploited critical remote code execution flaw in Oracle Identity Manager, stressing the importance of immediate patching. Insider threats remain a concern as CrowdStrike confirmed firing an employee for leaking internal system information to hackers. Additionally, sophisticated threat actors like APT31 are conducting stealthy attacks on international IT sectors using cloud services. These developments highlight the enduring challenges in defending against both external and internal threats.


Top Articles

Hackers Use Salesforce Gainsight Breach to Access Data from More Than 200 Companies
Salesforce disclosed a major security incident involving unauthorized access through compromised applications published by Gainsight, a Salesforce partner. Threat actors, linked to the ShinyHunters group, exploited OAuth tokens to gain access to customer data affecting more than 200 companies using the platform. The breach, discovered in mid-November, raises concerns about third-party dependencies and token security.
BleepingComputer

CISA Issues Warning as Hackers Target Oracle Identity Manager RCE Flaw
CISA added a critical remote code execution vulnerability (CVE-2025-61757) in Oracle Identity Manager to its Known Exploited Vulnerabilities catalog after reports of active exploitation. This flaw allows unauthenticated attackers to fully control vulnerable systems. The vulnerability impacts Oracle Fusion Middleware components and requires immediate patching to prevent takeover attempts.
GBHackers | CyberPress

CrowdStrike Terminates Staff Over Alleged Collaboration with Hackers
CrowdStrike confirmed firing an employee for sharing sensitive internal details with a hacking group called “Scattered Lapsus$ Hunters.” Screen captures of internal dashboards appeared publicly on Telegram channels run by the threat actors. This incident illustrates ongoing insider threat risks even in major cybersecurity firms.
CyberPress | GBHackers

Piecing Together the Puzzle: A Qilin Ransomware Investigation
Huntress security analysts examined a targeted Qilin ransomware attack by reconstructing the incident from limited endpoint logs. They identified unauthorized ScreenConnect access, unsuccessful info-stealing attempts, and ultimately ransomware deployment. This case study highlights the value of correlating multiple data points under restricted visibility to uncover sophisticated ransomware activity.
BleepingComputer

China-Linked APT31 Launches Stealthy Cyberattacks on Russian IT Using Cloud Services
APT31, an advanced persistent threat group connected to China, has been conducting covert cyberattacks on Russia’s IT sector since 2024. The attacks targeted contractors and integrators providing solutions to government agencies, employing cloud infrastructure to maintain stealth and persistence over extended periods.
TheHackerNews

WhatsApp API Flaw Let Researchers Scrape 3.5 Billion Accounts
A critical vulnerability in WhatsApp’s contact-discovery API, which lacked rate limiting, allowed researchers to compile an extensive database of 3.5 billion mobile phone numbers with associated personal data. The flaw underscores the risks of insufficient API security controls on popular messaging platforms.
BleepingComputer

Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks
Malicious actors have developed Matrix Push C2, a fileless command-and-control framework exploiting browser notifications to deliver phishing attacks. Using fake alerts and link redirects, it targets victims on multiple operating systems without traditional malware deployment, complicating detection and remediation efforts.
TheHackerNews

Metasploit Releases New Exploit for Fresh FortiWeb 0-Day Vulnerabilities
Rapid7’s Metasploit team has released an exploit module for critical zero-day vulnerabilities affecting Fortinet’s FortiWeb WAF. The combined flaws enable unauthenticated remote code execution with root-level privileges, allowing adversaries to bypass authentication and execute arbitrary commands.
GBHackers

Judge AI Based on Output, Not Mechanism
A conceptual discussion on evaluating artificial intelligence by assessing its output rather than the underlying mechanisms. This approach emphasizes practical results over theoretical design in determining whether technology demonstrates understanding or intelligence.
Omny.fm


AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.
