
Critical GoAnywhere bug fuels ransomware wave.
Microsoft tags a critical vulnerability in Fortra’s GoAnywhere software. A critical Redis vulnerability could allow remote code execution. Researchers tie BIETA to China’s MSS technology enablement. Competing narratives cloud the Oracle E-Business Suite breach. An Ohio-based vision care firm will pay $5 million to settle phishing-related data breach claims. “Trinity of Chaos” claims to be a new ransomware collective. LinkedIn files a lawsuit against an alleged data scraper. This year’s Nobel Prize in Physics recognizes pioneering research into quantum mechanical tunneling. On today’s Industry Voices segment, we are joined by Alastair Paterson from Harmonic Security, discussing shadow AI and the new era of work. Australia’s AI-authored report gets a human rewrite.
Today is Tuesday October 7th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Microsoft tags a critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software.
A critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) software, CVE-2025-10035, is being exploited in ransomware attacks, Microsoft has warned. The flaw, rated a maximum CVSS score of 10.0, allows attackers to bypass license signature verification and achieve remote code execution on vulnerable systems. Exploitation requires no authentication if attackers can forge or intercept valid license responses, posing significant risk to internet-facing instances. Microsoft linked the zero-day activity to threat group Storm-1175, which used legitimate remote monitoring tools, network scanners, and Cloudflare tunnels for command-and-control before deploying Medusa ransomware. Though Fortra patched the flaw on September 18, hundreds of exposed GoAnywhere servers remain. Microsoft urged immediate patching, network perimeter reviews, and running endpoint defenses in block mode.
A critical Redis vulnerability could allow remote code execution.
A critical vulnerability in Redis, tracked as CVE-2025-49844, could allow attackers to gain remote code execution on affected systems. Redis, short for Remote Dictionary Server, is an open-source, in-memory data structure store that’s widely used as a database, cache, and message broker. The flaw, rated CVSS 10.0, stems from a 13-year-old use-after-free bug in Redis’s Lua scripting feature, which is enabled by default. Authenticated attackers can exploit it to escape the Lua sandbox, trigger memory corruption, and establish a reverse shell for persistent access. Researchers at Wiz, who discovered the issue and dubbed it “RediShell,” warned that over 330,000 Redis instances are exposed online, with at least 60,000 requiring no authentication. Exploited systems risk data theft, ransomware, or cryptomining. Redis has issued patches for all supported versions and urges immediate updates, especially for internet-facing servers.
Researchers tie BIETA to China’s MSS technology enablement.
A new report from Recorded Future’s Insikt Group says the Beijing Institute of Electronics Technology and Application, or BIETA, is almost certainly affiliated with China’s Ministry of State Security. Researchers assess BIETA is very likely MSS-led and likely a public front for the MSS First Research Institute.
Public sources indicate BIETA researches steganography, communications, and forensics, and collaborates with the MSS-run University of International Relations. Personnel histories, including links to CNITSEC, reinforce the assessment. CIII markets forensic gear, mobile jamming systems, and foreign simulation and testing tools, and claims state and military customers. Activities likely aid intelligence, counterintelligence, and military missions.
This matters because BIETA and CIII almost certainly form part of a broader MSS enablement network. Engagement with them risks technology transfer, covert communications support, and strengthened cyber-espionage tradecraft. Export controls, academia, and vendors should review ties and conduct strict due diligence.
Competing narratives cloud the Oracle E-Business Suite breach.
Reports of active exploitation targeting Oracle E-Business Suite have sparked widespread confusion and competing narratives across the cybersecurity community. Over the past week, vendors and researchers have offered conflicting explanations—ranging from password issues to credential reuse to an alleged zero-day—each claiming to have identified the “true” root cause.
Analysis by watchTowr Labs claims that the attacks involve CVE-2025-61882, a remotely exploitable flaw that allows unauthenticated code execution across multiple Oracle EBS versions. The report calls for restraint, criticizing speculation that fueled panic and misinformation before Oracle’s official advisory.
The incident highlights how rumor and premature attribution can undermine coordinated response during active exploitation. Clear communication and evidence-based reporting remain vital as security teams assess exposure and await further clarification from Oracle and trusted researchers.
An Ohio-based vision care firm will pay $5 million to settle phishing-related data breach claims.
Ohio-based EyeMed Vision Care will pay $5 million to settle a class action lawsuit over a 2020 phishing-related data breach affecting its email system. The settlement provides compensation for affected members, including up to $10,000 for documented losses and smaller payments for time and inconvenience. EyeMed will also implement new security controls, such as enhanced multifactor authentication, stricter password policies, employee training, and third-party HIPAA risk assessments. The company denies wrongdoing but agreed to improve its cybersecurity posture as part of the resolution.
“Trinity of Chaos” claims to be a new ransomware collective.
A new TOR-hosted leak site run by the “Trinity of Chaos” ransomware collective — allegedly tied to Lapsus$, Scattered Spider, and ShinyHunters — lists 39 major companies and claims more than 1.5 billion records across 760 firms, Resecurity reports. Rather than announcing fresh intrusions, the group published previously undisclosed data from past breaches and has threatened Salesforce, alleging massive corporate data holdings; Salesforce denies new vulnerabilities. Sample data reportedly contains significant personally identifiable information but few passwords, suggesting access via stolen OAuth tokens and vishing tied to third-party integrations. The FBI issued an alert to help detect similar compromises. The leak site faces DDoS attacks and set an October 10 negotiation deadline. Experts warn further releases could spur phishing, identity theft, and AI-driven abuse.
LinkedIn files a lawsuit against an alleged data scraper.
LinkedIn has filed a lawsuit against Delaware-based ProAPIs Inc. and its founder Rehmat Alam, accusing them of creating over one million fake accounts to scrape user data and sell access via a tool called iScraper API. The company seeks a permanent injunction, data deletion, and damages. LinkedIn alleges ProAPIs charged up to $15,000 per month for large-scale scraping, violating its terms of service. The suit also names a Pakistan-based partner, Netswift. LinkedIn says it will continue aggressive legal action to protect member data.
This year’s Nobel Prize in Physics recognizes pioneering research into quantum mechanical tunneling.
John Clarke, Michel H. Devoret, and John M. Martinis have been awarded the 2025 Nobel Prize in Physics for pioneering research into quantum mechanical tunneling, a phenomenon fundamental to quantum computing and modern electronics. Clarke, of UC Berkeley, said the award was “the surprise of my life,” adding that their collective work underpins technologies like smartphones. The Nobel committee praised their discoveries for advancing quantum cryptography, computing, and sensing, calling them vital to the next generation of digital innovation. This year’s physics prize marks the 119th Nobel award, carrying a cash prize of 11 million Swedish kronor (about $1.2 million). Other Nobel announcements continue throughout the week, with the award ceremony set for December 10 in Stockholm.
Sadly, there’s still no Nobel for podcasting.
Australia’s AI-authored report gets a human rewrite.
Deloitte has agreed to refund part of an AU$440,000 Australian government contract after admitting that a report it produced was, shall we say, a little too imaginative. The Department of Employment and Workplace Relations discovered that its commissioned analysis contained fake citations, phantom footnotes, and even a fabricated court judgment—courtesy of a “large language model” enlisted to tidy up the paperwork. Officials insist the “substance” remains intact, though the confession reads like a case study in modern due diligence gone missing. Increasingly, AI is slipping into serious policy work, performing “assistive” tasks that somehow leave fingerprints of fiction. The irony, of course, is that this technology is being sold as a tool for efficiency and truth—yet keeps demonstrating a flair for creative writing. The quiet weekend upload of the corrected version suggests that the machines aren’t the only ones generating artful evasions these days.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
One quick note before we wrap up: I’ve been nominated for the SANS Difference Maker Award in the Media Creator of the Year category. I’m honored to be recognized and would appreciate your support. You’ll find the link to vote in our show notes, and voting is open until Wednesday, October 8th at 11:59 p.m. Eastern. Thanks for listening, and for being part of the N2K CyberWire community.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
