The CyberWire Daily Podcast 10.28.25
Ep 2422 | 10.28.25

Windows servers under siege

Transcript

WSUS attacks escalate as emergency patch fails to fully contain exploited flaw. Schneider Electric and Emerson are listed among victims in the Oracle EBS cyberattack. Google debunks reports of a massive Gmail breach. A new banking trojan mimics human behavior for stealth. Sweden’s power grid operator confirms a cyberattack. Italian spyware targets Russian and Belarusian organizations. The U.S. declines to sign the new UN cyber treaty. Ransomware payments fall to record lows. U.S. Cyber Chief calls for a “clean American tech stack” to counter China's global surveillance push. On today's Threat Vector segment, David Moulton speaks with two cybersecurity leaders from Palo Alto Networks: Sarit Tager and Krithivasan Mecheri. AI mistakes Doritos for a deadly weapon.

Today is Tuesday, October 28th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

WSUS attacks escalate as emergency patch fails to fully contain exploited flaw. 

Researchers warn that a critical Windows Server Update Services, or WSUS, vulnerability—tracked as CVE-2025-59287—is being actively exploited, despite Microsoft’s recent emergency patch. The flaw enables unauthenticated remote code execution on Windows Server 2012 through 2025, stemming from insecure deserialization of untrusted data.

Google’s Threat Intelligence Group confirmed multiple intrusions by a threat actor it calls UNC6512, observing reconnaissance and data exfiltration from compromised hosts. Trend Micro reports roughly 100,000 exploitation attempts in a week, with nearly half a million internet-exposed WSUS servers potentially vulnerable.

Experts warn that exposed servers could allow attackers to distribute malicious updates downstream, amplifying the threat.

Schneider Electric and Emerson are listed among victims in the Oracle EBS cyberattack. 

Cybercriminals tied to the Cl0p ransomware operation have named Schneider Electric and Emerson as victims of an ongoing campaign exploiting Oracle E-Business Suite, or EBS, vulnerabilities. The attackers, believed to be associated with the financially motivated FIN11 group, claim to have stolen large volumes of corporate data, later posted on Cl0p’s leak site.

The site lists 2.7 terabytes of data allegedly from Emerson and 116 gigabytes from Schneider Electric, with file structures suggesting origin in Oracle environments. Other organizations, including Harvard University and Envoy Air, have confirmed impact from the same campaign.

Researchers say the operation mirrors prior large-scale attacks on MOVEit and Fortra systems, underscoring persistent risks in enterprise software supply chains.

Google debunks reports of a massive Gmail breach.

Widespread reports of a massive Gmail breach grabbed headlines this week, but Google says the claims are false. The confusion began after researcher Troy Hunt added 183 million credentials to his Have I Been Pwned service, sourced from old infostealer malware logs, not a new Gmail hack.

Google confirmed there’s no evidence of compromise, calling the reports a misunderstanding of recycled data. The company emphasized that Gmail’s defenses remain strong and advised users to enable two-factor authentication.

A new banking trojan mimics human behavior for stealth. 

Researchers at ThreatFabric have identified a new Android banking Trojan called “Herodotus” that uses randomized pauses to evade basic behavioral detection systems. The malware inserts delays of up to three seconds when entering stolen credentials, mimicking human typing speed to appear legitimate.

Distributed through smishing links and side-loaded apps, Herodotus abuses Android accessibility services to steal banking credentials, intercept SMS one-time passcodes, and display fake login overlays. It shares limited code overlap with the Brokewell Trojan discovered earlier this year.

Though currently active in Italy and Brazil, Herodotus includes templates for banks and crypto wallets in multiple countries, suggesting broader campaigns ahead. More advanced biometric systems may still detect its automated behavior.

Sweden’s power grid operator confirms a cyberattack. 

Sweden’s state-owned power grid operator, Svenska kraftnät, confirmed a cyberattack that led to a data breach but did not affect the country’s electricity supply. The incident, discovered Saturday, targeted an isolated external file transfer system, according to Chief Information Security Officer Cem Göcören.

Ransomware group Everest has claimed responsibility, adding Svenska kraftnät to its leak site and alleging theft of roughly 280 gigabytes of data. The company reported the attack to authorities and is investigating the breach’s scope.

While no critical systems were compromised, the attack underscores the growing threat to critical infrastructure operators from data extortion groups.

Italian spyware targets Russian and Belarusian organizations. 

Kaspersky researchers say Italian spyware from Memento Labs, formerly known as Hacking Team, was used in cyberattacks targeting organizations in Russia and Belarus. The commercial surveillance tool, called Dante, appeared in incidents linked to a threat group dubbed ForumTroll, which has previously targeted Russian institutions with phishing and Chrome zero-day exploits.

Kaspersky could not confirm who commissioned the attacks or whether Memento Labs knew of Dante’s deployment. The discovery marks the spyware’s first confirmed use since its 2023 debut for law enforcement clients.

ForumTroll’s campaigns leveraged a custom loader, LeetAgent, to deploy Dante in select cases, showing advanced espionage capabilities. Memento Labs declined comment on the findings.

The U.S. declines to sign the new UN cyber treaty. 

More than 70 countries, including the U.K., China, Russia, and the European Union, signed the new U.N. Convention against Cybercrime in Hanoi—while the United States notably withheld its signature. The treaty, adopted in December 2024, establishes the first global framework for sharing electronic evidence and coordinating cross-border cybercrime investigations.

U.N. Secretary-General António Guterres called the convention a “powerful, legally binding instrument” against crimes like ransomware, money laundering, and online trafficking. But critics warn it could enable mass surveillance and suppress digital freedoms under authoritarian regimes.

The State Department said the U.S. is still reviewing the treaty, which will take effect after 40 ratifications.

Ransomware payments fall to record lows. 

Ransomware payments have fallen to their lowest level on record, with just 23% of victimized organizations paying attackers in the third quarter of 2025, according to Coveware. The firm says the steady six-year decline reflects stronger defenses, improved incident response, and growing pressure from authorities not to pay.

Average ransom payments dropped to $377,000, with median payments at $140,000. Data theft now dominates ransomware activity, featuring in 76% of incidents, and payment rates fall to 19% when only exfiltration is involved.

Groups like Akira and Qilin increasingly target medium-sized firms, while remote access compromise and software vulnerabilities remain top entry points. Coveware says every avoided payment “constricts attackers of oxygen,” validating collective defensive progress.

U.S. Cyber Chief calls for a “clean American tech stack” to counter China's global surveillance push. 

National Cyber Director Sean Cairncross warned that China is attempting to “export a surveillance state across planet Earth” and urged the U.S. to promote a “clean American tech stack” as a democratic alternative. Speaking at the 2025 Meridian Summit, Cairncross said Washington must engage both current and emerging partners to push back against Beijing’s growing digital influence, which he described as destabilizing and aimed at undermining U.S. decision-making.

He said the upcoming U.S. cybersecurity strategy under President Trump will emphasize posture and action over length or rhetoric. Strengthening the Office of the National Cyber Director remains his top priority, following recommendations from the Cyberspace Solarium Commission.

Cairncross also urged Congress to renew the expired Cybersecurity Information Sharing Act, calling its protections essential for industry collaboration on cyber threats.

AI mistakes Doritos for a deadly weapon. 

Sixteen-year-old Taki Allen was finishing football practice and a bag of Doritos when Baltimore County police—eight cars deep—arrived with guns drawn. The culprit? Not Taki, but an AI gun detection system with a vivid imagination. It flagged the glint of his crisp packet as a firearm, prompting what one might call a highly seasoned police response.

The school’s principal quickly realized it was a false alarm, but not before the teen was handcuffed and thoroughly confused. Police insist they “responded proportionally,” though one wonders what a disproportionate response would look like—an airstrike, perhaps?

Omnilert, the AI vendor, said its system “operated as designed,” which may concern anyone who snacks in public. Taki now avoids eating chips outdoors, citing safety concerns.

Because in 2025 America, even Doritos can trigger an incident report.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.