Hello and welcome to the Monday, October 6, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from Denver,
Colorado. And this episode is brought to you by the SANS.edu
Graduate Certificate Program in Cloud Security. Well, to
start out with, we have some bad news for users of Oracle's
e-business suite. Last week, I think it was Wednesday,
Thursday, there was news coming up that many companies
using Oracle's e-business suite did receive letters,
emails from the Cl0p ransomware gang stating that
their Oracle e-business suite had been compromised and,
well, that data had been stolen. Oracle shortly after,
via their chief security officer, did publish a blog
post stating that they assume that the vulnerability being
exploited here is a vulnerability patched as part
of Oracle's critical patch update in June. So as long as
you had that applied, well, you should be good and safe
from any exploitation, pretty much should disregard this
ransom note. Well, on Saturday, Oracle changed its
stance on this. Oracle did publish an additional patch
for its e-business suite. This patch fixes a vulnerability
with a CVSS score of 9.8. According to Oracle, the
vulnerability does allow the execution of arbitrary code
across the network without any authentication. So certainly
one of the sort of kind of worst case scenarios. And that
apparently is what's behind these letters, emails from the
Cl0p ransomware gang. So if you received one of those
emails stating that your data may have been compromised,
first of all, take it seriously, assume it's real, and, well,
switch to incident response mode. This should be your
highest priority on Monday. If you didn't receive one of
those letters, well, hope that it didn't just end up in your
spam folder, definitely still check and make sure that you
haven't been compromised and apply the patch that Oracle
has released this weekend. In order to apply the patch, you
must have at least applied the June 2023 update for Oracle
e-business suite. So make sure that this is applied first,
but hopefully you have applied patches within the last two
years, and then you're ready to apply this new update to
your Oracle e-business suite. Overall, this is not a pretty
situation, of course. Applying these patches isn't easy. This
is definitely a patch that you do want to rush out. So
there's definitely nothing else that you really should do
on Monday if you do run Oracle's e-business suite
other than working out how to, first of all, apply the patch
and what other mitigation controls you may want to apply
to the system, and also, well, a double, triple, quadruple
check that you are not already compromised. Oracle, as part
of the advisory, did release some indicators of compromise.
There are two IP addresses that affected systems
apparently connect to. There are a couple hashes of malware
being used, and then, well, a fairly generic backdoor,
basically just sort of piping to /dev/tcp. This is
something good to look for anyway. It's not very
specific, I think, to the Cl0p ransomware gang, but if
you have something like this running, you are compromised.
Maybe by Cl0p, maybe by someone else. Of course,
there's always a chance that others have known about this
vulnerability before, or at the same time, the Cl0p
ransomware gang learned about it, so there is a possibility
that other attacks have been launched against these systems
as well.

And security company StrikeReady did publish a blog
post with details regarding early exploitation attempts
against Zimbra abusing a vulnerability that was patched
in January. These attempts happened before a patch became
available, and the post now reveals some of the details of how
attackers are abusing this vulnerability. It's relatively
straightforward in hindsight. The attack uses calendar
files, so .ics files, that are being sent from, well, what
looks like valid government email addresses. Zimbra, the
open source webmail suite, is particularly popular with non-US
governments that don't necessarily trust US
cloud providers and as a result are not using sort of
your standard cloud-based webmail systems, but rather
set up their own. And we have seen this pattern sort of play
out repeatedly in the past, where vulnerabilities in these
open source webmail systems are being exploited against
governments.
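The Oracle segment above mentions that one of the indicators Oracle released is a generic backdoor that pipes a shell to bash's /dev/tcp pseudo-device, and that this is worth hunting for regardless of which group is behind it. The script below is an added example, not part of the podcast or of Oracle's advisory: it scans lines in the format of `ps -eo pid,user,args` output for any process whose command line references `/dev/tcp/<host>/<port>` or `/dev/udp/<host>/<port>` and reports the remote endpoint. The sample process listing, the PIDs and the 203.0.113.x / 10.0.0.x addresses are constructed for the example and are not the IoCs from Oracle's advisory.

```python
import re
from dataclasses import dataclass

# bash (and some other shells) treat /dev/tcp/HOST/PORT and /dev/udp/HOST/PORT
# as pseudo-devices that open a network socket. A command line referencing them
# is the pattern the podcast describes; capture protocol, host and port.
DEV_SOCKET_RE = re.compile(r"/dev/(tcp|udp)/([A-Za-z0-9.\-]+)/(\d{1,5})")


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    proto: str
    host: str
    port: int
    cmdline: str


def scan_process_lines(lines):
    """Scan `ps -eo pid,user,args` style lines and return one Finding per
    /dev/tcp or /dev/udp reference found in a process command line."""
    findings = []
    for line in lines:
        parts = line.strip().split(None, 2)
        # Skip the header row and any malformed or argument-less lines.
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, user, args = int(parts[0]), parts[1], parts[2]
        for m in DEV_SOCKET_RE.finditer(args):
            findings.append(
                Finding(pid, user, m.group(1), m.group(2), int(m.group(3)), args)
            )
    return findings


# Constructed sample listing (hypothetical PIDs, users and addresses):
# one Java application server, one sshd, and two shells talking to /dev/tcp.
SAMPLE_PS = """  PID USER     COMMAND
 1203 oracle   /u01/app/oracle/jdk/bin/java -server ...
 4471 oracle   bash -c exec 3<>/dev/tcp/203.0.113.10/443; ...
 4472 root     /usr/sbin/sshd -D
 5810 www      sh -c echo > /dev/tcp/10.0.0.5/8080
""".splitlines()


def main():
    for f in scan_process_lines(SAMPLE_PS):
        print(f"pid={f.pid} user={f.user} -> {f.proto}://{f.host}:{f.port}")
        print(f"    cmdline: {f.cmdline}")


if __name__ == "__main__":
    main()
```

On a live host, feed the function the output of `ps -eo pid,user,args` (or the contents of `/proc/<pid>/cmdline`) instead of `SAMPLE_PS`. Legitimate scripts occasionally use `/dev/tcp` for simple port checks, so treat a hit as a lead to confirm rather than a verdict: look at who the remote endpoint is, which account owns the process, and whether the parent is the application server user, as in the constructed `oracle` entry above.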
And Unity released a critical patch for its game editor. The
interesting part here is that it's not just the editor being
vulnerable here, but also games developed with the
editor are vulnerable and may require a re-release. The
vulnerability in particular for the games is more of a
privilege escalation vulnerability, but definitely
if you're using this editor take a quick look and make
sure that you're up to date. The patch was released late
last week. The advisory is labeled September 2025, so
don't discard it as being old. The patch actually was
released in October. The vulnerability was originally
reported to Unity in June. And this is it for today. So
thanks for listening, thanks for subscribing, liking and
recommending this podcast, and talk to you again tomorrow.
Bye.