Top stories.
- Law enforcement seizes BreachForums domains.
- Discord says third-party breach affected 70,000 users' photo IDs.
- Oracle E-Business Suite zero-day vulnerability under active exploitation.
- Russian hacktivist group targets critical infrastructure.
- Critical GoAnywhere bug exploited in ransomware campaign.
- Redis warns of a critical flaw allowing remote code execution.
- Chinese hackers infiltrated a major law firm.
Law enforcement seizes BreachForums domains.
US and French law enforcement seized all domains for the latest version of BreachForums, which was set up by the ShinyHunters gang (now part of the Scattered Lapsus$ Hunters criminal collective) as a portal for leaking data stolen in extortion attacks. ShinyHunters confirmed the takedown and said they would not be launching another BreachForums, BleepingComputer reports.
Scattered Lapsus$ Hunters had been using the site to extort companies breached in the ongoing wave of Salesforce attacks. The data were stolen via social engineering attacks targeting dozens of major companies, including FedEx, Disney/Hulu, HBO Max, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, and Adidas. The crooks set a deadline to leak one billion records last night, and said the takedown will not disrupt their plans. The Register notes that this latest threat looks "more like a desperate scramble to monetize old stolen data before law enforcement closes in."
Discord says third-party breach affected 70,000 users' photo IDs.
Discord has provided additional details on a third-party breach involving a vendor used for age verification. The company says the incident affected "approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals." The breach also involved personal and account details, limited billing information, and messages with customer service agents. Discord disputed claims that the breach exposed more than two million photo IDs, saying the extortionists have exaggerated the scope of the incident.
A Discord spokesperson told the BBC that the company will not pay a ransom, stating, "We will not reward those responsible for their illegal actions."
Oracle E-Business Suite zero-day vulnerability under active exploitation.
A new critical zero-day vulnerability, tracked as CVE-2025-61882, targeting the Oracle E-Business Suite is being actively exploited. The flaw, rated CVSS 9.8 (critical), enables attackers to perform unauthenticated remote code execution over HTTP across versions 12.2.3 through 12.2.14 within the Concurrent Processing BI Publisher Integration.
Attackers exploiting this vulnerability have been observed running reverse shell commands to gain persistent access, with malicious activity originating from the IPs 200[.]107[.]207[.]26 and 185[.]181[.]60[.]11.
Oracle strongly recommends applying the updates provided by the security alert as soon as possible. Additionally, organizations can detect exposure using Nuclei templates or Shodan queries for "OA_HTML."
Russian hacktivist group targets critical infrastructure.
BleepingComputer reports that the Russia-aligned hacktivist group "TwoNet" has shifted from launching DDoS attacks to targeting critical infrastructure. Researchers at Forescout say the threat actor breached a honeypot system designed to mimic a water treatment plant. The attackers gained access to the human-machine interface (HMI) via default administrative credentials, then created a user account to establish persistence. The hackers then disabled PLCs, logs, and alarms. Forescout notes, "The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI."
Notably, the group believed it was inside a real water treatment facility, and claimed responsibility for the attack on its Telegram channel.
Critical GoAnywhere bug exploited in ransomware campaign.
Microsoft has discovered a vulnerability, tracked as CVE-2025-10035, in Fortra's GoAnywhere Managed File Transfer (MFT) software. The vulnerability, rated a maximum CVSS score of 10.0, lets attackers bypass license signature verification and achieve remote code execution on vulnerable systems. This exploitation requires no authentication if the attacker can forge or intercept a valid license response, creating significant risk to internet-facing instances.
Microsoft linked this zero-day vulnerability to Storm-1175, which has previously used legitimate remote monitoring tools, network scanners, and Cloudflare tunnels for command-and-control before deploying Medusa ransomware. Fortra previously patched the flaw on September 18; however, hundreds of GoAnywhere servers remain exposed.
Microsoft has urged immediate patching, network perimeter reviews, and running endpoint defenses in block mode.
Redis warns of a critical flaw allowing remote code execution.
A Redis vulnerability, tracked as CVE-2025-49844, allows attackers to gain remote code execution on affected systems. The flaw, rated CVSS 10.0, stems from a bug in Redis' Lua scripting feature, which is enabled by default. Authenticated attackers can exploit the flaw to escape the Lua sandbox, trigger memory corruption, and establish a reverse shell for persistent access.
Researchers at Wiz have dubbed the vulnerability "RediShell" and warned that over 330,000 Redis instances are exposed online, with at least 60,000 requiring no authentication. Exploited systems risk data theft, ransomware, or cryptomining. Redis has issued patches for all supported versions and urges immediate updates.
Chinese hackers infiltrated a major law firm.
Williams & Connolly informed its clients that their computer systems had been infiltrated and that the attackers may have been able to access client emails. Sources believe that the attack may involve more than a dozen victims. The FBI's Washington field office is assisting in investigating the incident, and the law firm has engaged CrowdStrike and outside counsel Norton Rose Fulbright to assist with the response. Additionally, the firm stated that the intrusion has been contained. In a statement, the firm wrote, "Importantly, there is no evidence that confidential client data was extracted from any part of our IT system, including from databases where client files are stored. We have taken steps to block the threat actor, and there is now no evidence of any unauthorized traffic on our networks."
The attackers reportedly accessed email accounts through a zero-day vulnerability. According to Mandiant, the campaign aligns with a larger Chinese espionage effort seeking intelligence on US national security and trade issues.