CyberWire Daily - Oracle zero-day serves up persistent access.
Episode Date: October 6, 2025

A critical zero-day in Oracle E-Business Suite is under active exploitation. ICE plans a major expansion of its social media surveillance operations. Discord confirms a third-party data breach. A critical vulnerability in the Unity game engine could allow arbitrary code execution. New variants of the XWorm remote access trojan spread through phishing campaigns. Researchers uncover a critical command injection flaw in Dell UnityVSA storage appliances. There's been a sharp surge in reconnaissance scans targeting Palo Alto Networks login portals. A new hacking competition offers $4.5 million in prizes for exploits targeting major cloud and AI software. Monday Business Brief. On our Afternoon Cyber Tea segment with Microsoft's Ann Johnson, Ann and guest Volker Wagner, Chief Information Security Officer at BASF, share some Lessons from the Frontlines of Industrial Security. Don't spend that ParkMobile settlement all in one place.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Afternoon Cyber Tea Segment
Today we are highlighting Afternoon Cyber Tea with Ann Johnson. Ann and guest Volker Wagner, Chief Information Security Officer at BASF, share some Lessons from the Frontlines of Industrial Security. You can listen to Ann and Volker's full conversation here and catch new episodes of Afternoon Cyber Tea every other Tuesday on your favorite podcast app.
Selected Reading
PoC Exploit Released for Remotely Exploitable Oracle E-Business Suite 0-Day Vulnerability (Cyber Security News)
ICE Wants to Build Out a 24/7 Social Media Surveillance Team (WIRED)
Discord blames third-party support outfit for data breach (The Register)
Android and Windows gamers worldwide potentially affected by bug in Unity game engine (The Record)
XWorm malware resurfaces with ransomware module, over 35 plugins (Bleeping Computer)
Patch Now: Dell UnityVSA Flaw Allows Command Execution Without Login (HackRead)
Scanning of Palo Alto Portals Surges 500% (Infosecurity Magazine)
$4.5 Million Offered in New Cloud Hacking Competition (SecurityWeek)
Accenture acquires Japanese AI and DX provider, Aidemy Inc. (N2K Pro Business Briefing)
ParkMobile pays... $1 each for 2021 data breach that hit 22 million (Bleeping Computer)

Vote for Dave!

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research, and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.
A critical zero-day in Oracle E-Business Suite is under active exploitation. ICE plans a major expansion of its social media surveillance operations. Discord confirms a third-party data breach. A critical vulnerability in the Unity game engine could allow arbitrary code execution. New variants of the XWorm Remote Access Trojan spread through phishing campaigns. Researchers uncover a critical command injection flaw in Dell storage appliances. There's been a sharp surge in reconnaissance scans targeting Palo Alto Networks login portals. A new hacking competition offers $4.5 million in prizes for exploits targeting major cloud and AI software.

We've got our Monday Business Brief. On our Afternoon Cyber Tea segment with Microsoft's Ann Johnson, Ann and guest Volker Wagner, Chief Information Officer at BASF, share some lessons from the front lines of industrial security. And don't spend that ParkMobile settlement all in one place.
It's Monday, October 6th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
Happy Monday.
It is great, as always, to have you with us.
A critical zero-day vulnerability in Oracle E-Business Suite is being actively exploited after proof-of-concept code was released. The flaw, rated 9.8, enables unauthenticated remote code execution over HTTP. Attackers are using reverse shell commands to gain persistent access. Forensic evidence links the exploit toolkit to groups such as Scattered Spider, Lapsus$, and Clop. Oracle urges immediate patching, noting only supported systems will receive fixes. Organizations can detect exposure using Nuclei templates or Shodan queries. Continuous monitoring and patch validation are essential to mitigate this active threat.

U.S. Immigration and Customs Enforcement, you know them as ICE, is planning a major expansion of its social media surveillance operations, seeking to hire nearly 30 private contractors to monitor platforms such as Facebook, TikTok, and YouTube for intelligence that could inform deportation raids and arrests. According to federal contracting records reviewed by WIRED, the program would operate from ICE's targeting centers in Vermont and Southern California, running 24/7 and processing cases within hours. Contractors will use open-source intelligence and commercial databases like LexisNexis and CLEAR to assemble digital dossiers. Planning documents also invite proposals incorporating artificial intelligence and automated data collection. Privacy groups, including the ACLU and the Electronic Privacy Information Center, warned that ICE's growing use of surveillance technologies and data brokers threatens civil liberties and may blur the line between immigration enforcement and political monitoring. ICE has not yet commented on the proposal, which remains in early planning stages.

Discord has confirmed a data breach affecting users who contacted its support or trust and safety teams after a third-party customer service vendor was compromised. Exposed data includes names, emails, billing details, and in some cases government ID images. Attackers also accessed IP addresses, messages, and attachments, allegedly seeking ransom. Discord emphasized its own systems were not breached, cut off vendor access, and alerted law enforcement. The company calls the impact limited, though it hasn't disclosed how many users were affected.

A critical vulnerability in the Unity game engine could allow attackers to execute arbitrary code through compromised Unity-built apps, affecting Android, Windows, Linux, and macOS users. The flaw lets malicious files exploit app permissions to access confidential data, though Unity says any code execution remains limited to the app's privilege level. No active exploitation has been detected, and patches are now available. Microsoft urged users to keep games updated and ensure Defender protection is enabled, while Steam is blocking risky launch parameters. The bug, discovered by researcher RyotaK of GMO Flatt Security, underscores the vast risk tied to Unity's global footprint, powering major titles like Pokémon Go and the mobile version of Call of Duty.
New variants of the XWorm Remote Access Trojan are spreading through phishing campaigns, months after its creator XCoder abandoned the product. The latest versions are being adopted by multiple threat actors and now include over 35 modular plug-ins for data theft, remote control, file encryption, and ransomware. Researchers at Trellix report new infection chains combining social engineering and technical exploits, including malicious JavaScript, Excel macros, and fake executables. The ransomware module encrypts user files and demands payment via Bitcoin. XWorm's architecture supports extensive surveillance and credential theft across browsers, email clients, and crypto wallets. Despite its origins as a cracked underground tool, it remains a growing multi-purpose threat across global campaigns, emphasizing the need for layered defenses, EDR monitoring, and strict email filtering.
Researchers at watchTowr uncovered a critical command injection flaw in Dell UnityVSA storage appliances. The bug allows unauthenticated attackers to execute arbitrary commands by exploiting a flaw in the system's login redirection logic, where unsanitized URIs are passed into a Perl command string. The latest version fixes the issue. Dell rates it with a high severity of 7.3, although others call it critical with a 9.8. Organizations should upgrade immediately.

Security researchers at GreyNoise report a sharp 500% surge in reconnaissance scans targeting Palo Alto Networks login portals, with activity peaking at 1,300 IPs on October 3rd compared to a typical volume below 200. Most scanning originated in the U.S., and 93% of IPs were flagged as suspicious. GreyNoise noted that similar surges have sometimes preceded new vulnerability disclosures, though no direct link has been established here. The activity mirrors recent spikes in Cisco ASA and other remote access product scans, showing overlapping tooling and TLS fingerprints. The increase underscores continued attacker interest in security appliances, which often serve as high-value network entry points. GreyNoise is continuing to monitor whether this surge signals emerging vulnerabilities or coordinated reconnaissance efforts.
Cloud security firm Wiz has launched Zero Day Cloud, a new hacking competition offering $4.5 million in prizes for exploits targeting major cloud and AI software. Backed by AWS, Google Cloud, and Microsoft, the contest runs live at Black Hat Europe with entries due December 1st. Categories include AI, Kubernetes, containers, web servers, databases, and DevOps tools, with top rewards reaching $300,000. Despite strong industry support, Trend Micro has accused Wiz of copying Pwn2Own rules verbatim.
This week's Monday Business Brief highlights a surge of mergers, acquisitions, and investments shaping the global AI and cloud landscape. Accenture announced plans to acquire Japan's Aidemy Inc. to strengthen its LearnVantage service, while HoneyBook bought Fine.combeau to expand its AI development capabilities. Harness acquired Qwiet AI to enhance application security, and Taoping finalized a $21.3 million deal for Skylatter Group. Meanwhile, Liatrio purchased Superorbital's IP to merge consulting with advanced training. On the investment front, Cerebras Systems raised $1.1 billion to expand AI chip innovation, while Vercel secured $300 million to scale its AI cloud platform. Other notable rounds include Descope at $88 million, Zania at $18 million, Mondo with $17.5 million, Gelt with $13 million, Long Eye at $5 million, and Hupside at $1.7 million. Clearwater and In-Orbit AI also received undisclosed strategic and Series A funding, respectively.

Ethan Cook is the editor of our CyberWire Pro Business Brief newsletter. You can learn more and subscribe at thecyberwire.com.
Coming up after the break, what does it really take to defend one of the world's largest chemical companies? Guest Volker Wagner joins N2K CyberWire's Afternoon Cyber Tea podcast with Microsoft's Ann Johnson. And don't spend that ParkMobile settlement all in one place. Stick around.
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most: applications, data, and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast, which you can find right here on the N2K CyberWire Network. Ann recently got together with her guest Volker Wagner, Chief Information Security Officer at BASF, to share some lessons from the front lines of industrial security.

Today I'm excited to be joined by Volker Wagner, Chief Information Security Officer at BASF. I'm absolutely thrilled that you joined us today. What first drew you to cybersecurity, and how has your leadership philosophy evolved over time?

Like for many of us, it was an incident which brought me into the cyber arena. More than 20 years back, I worked with a German telecommunications company in internal audit. I wanted to go to the front seat and have more the steering wheel in the
And so it's a bit coming from the reactive to the proactive side, and a bit more from the, I would say, from the control perspective to a security by design perspective. And I think it reflects a bit what we all have achieved as cybersecurity experts and leaders in the past couple of years, that more and more we developed ourselves, that we are more in the front row. And so here I am now and looking very much forward to our talk today.

So if it comes to the threat situation for us, I would say a lot is related to the numbers we have in our group. So we have more than 110,000 employees, spread over 150 countries in the world, a large digital footprint, including some high-value targets. If you ask me about what are the most concerning threats, the most serious risks which I'm concerned about, for sure, number one is espionage or APT attacks on our business secrets, on our crown jewels. And secondly, more and more we see destructive attacks, ransomware attacks on our systems, on our plants, and our supply chains, but on the basic infrastructure of IT as well.
I'm curious how you think about resilience, because as you know, you and I have talked about this, it is a strategic imperative. But when you think about cyber resilience across all of your businesses, what are the key pillars of your strategy, and how are you trying to achieve it?

So we decided to change our paradigm and we introduced our so-called zero trust strategy. We deploy the three basic principles. Assume the breach: so you have to accept, and I told it to my board of directors, that we never, ever can go for 100% prevention. We have to assume that already some elements of our networks might be compromised. Never trust, always verify: have your controls in place. And provide least privilege access: try to reduce the damage potential. We try to introduce this very, very practically. And I want to elaborate it maybe in four domains. If devices are not patched on the latest operating system version, we don't grant access from remote anymore. We believe with these three elements, we prepare ourselves and make us more mature in the future.
The business you're in, though, is very innovative, right? You have to be innovative. And innovation, resilience, cyber can often seem to be friction, right? People talk about how the cyber team can also create friction in that innovation. How do you see the promise and the risk of balancing innovation across your cyber organization when you're thinking about security and trying to support the business?

I think innovation is key for every business function. We are heavily working on this to explore for sure AI tools and enabling our cybersecurity workforce. Maybe I can give you some of the examples what we are striving for. It's a journey. We embarked with some of the elements; we are a bit more ahead with others. We are in the early phase. Let's take, for example, the use case that we use AI for data labeling and classification. Incident playbooks augmented by AI solutions, AI-supported pen tests, awareness and phishing simulations, third-party risk assessment, in our SOC. The Tier 1 level is usually flooded with alerts. An AI tool is never tired, is never less concentrated, and we can eliminate the human bias as well.
I love that. I think that there will continue to be innovation in cyber, as you know, and particularly with artificial intelligence, in automation, and as leaders, we have to be prudent where we deploy it, but also leverage it for the best capabilities and also to help our staff. So can you talk about, from your point of view, what does meaningful industry collaboration look like and how can organizations better support each other?

Yeah, I would say firstly, it starts with our heads, with our own mindsets. So as security professionals, we have been educated over years that we have to keep everything strictly confidential and we have to hatch our own cartels within the companies. We have to open up. If we strive for collective defense, we have to go into partnerships. We have to share not only threats and risks, what we really have to do. We have to collaborate real time in incidents. And my learning is that you cannot say from tomorrow on, we will trust each other. Trust will increase by shared experiences and close interaction. And therefore, once again, I'm very, very super happy that you initiated this collective defense approach and that we can partner with you here in Germany and Europe to join our forces.
That's Microsoft's Ann Johnson speaking with Volker Wagner from BASF. Be sure to check out the complete Afternoon Cyber Tea podcast, wherever you get your favorite podcasts.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside. So being a fan for life turns into the trip of a lifetime. That's the powerful backing of Amex. Presale tickets for future events subject to availability and vary by race. Terms and conditions apply at mx.ca slash yNX.
This episode is brought to you by Peloton. A new era of fitness is here. Introducing the new Peloton Cross Training Tread Plus, powered by Peloton IQ. Built for breakthroughs with personalized workout plans, real-time insights, and endless ways to move. Lift with confidence, while Peloton IQ counts reps, corrects form, and tracks your progress. Let yourself run, lift, flow, and go. Explore the new Peloton Cross Training Tread Plus at one Peloton.
And finally, after nearly four years and a $32.8 million class action settlement, ParkMobile has finally compensated victims of its 2021 data breach to the tune of one whole dollar. Yes, affected users are receiving a dollar in-app credit, dispensed as four dazzling 25-cent discounts expiring in 2026, unless here in California, where small mercies never expire. The breach exposed data from 22 million accounts, including names, emails, license plates, and hashed passwords. ParkMobile denied wrongdoing, of course, while urging users to manually claim their reward via a code, because convenience apparently wasn't part of the settlement. Adding insult to micro-injury, ParkMobile also warned of fresh phishing scams targeting its customers. So if you get a text asking for payment, ignore it, unless it's your dollar credit, which, let's face it, you've already earned the hard way.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
One quick note before we wrap up: I've been nominated for the SANS Difference Makers Award in the Media Creator of the Year category.
I'm honored to be recognized and would appreciate your support.
You'll find a link to vote in our show notes,
and voting is open until Wednesday, October 8th.
Thanks for listening and for being part of the N2K Cyberwire community.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Elliott Peltzman and Tré Hester
with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
