WhatsApp Worm, Critical Vulnerabilities, Oracle Zero-Day Exploit, Ransomware Syndicates & More

The Ever-Changing Landscape of Cybersecurity: A Weekly Update

Oct 13, 2025 – By Ravie Lakshmanan

Every week in the cyber world reveals a stark reminder: silence doesn’t equal safety. Cyberattacks can begin quietly with just one unpatched vulnerability, an overlooked credential, or even an unencrypted backup. By the time the alarms sound, the damage is often irreversible. This week, we delve into how attackers are evolving their strategies: chaining different vulnerabilities, collaborating across borders, and weaponizing trusted tools. From critical software vulnerabilities to the misuse of artificial intelligence and new phishing techniques, the threat landscape is changing rapidly, underscoring the need for security to adapt equally swiftly.

⚡ Threat of the Week

Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw
According to Google Threat Intelligence Group (GTIG) and Mandiant, dozens of organizations are at risk following the exploitation of a critical zero-day flaw in Oracle’s E-Business Suite (EBS) software. This vulnerability, tracked as CVE-2025-61882, carries a CVSS score of 9.8 and is reportedly linked to the notorious Cl0p ransomware group. Observed attack chains combined multiple vulnerabilities to breach networks and exfiltrate sensitive data, deploying malware such as GOLDVEIN.JAVA and SAGEWAVE. Oracle has since released an update for another related EBS vulnerability (CVE-2025-61884), though it remains unclear whether this flaw is being actively exploited.

🔔 Top News Highlights

  1. Storm-1175 Exploits GoAnywhere MFT Vulnerability
Microsoft revealed that the cybercriminal group Storm-1175 has exploited a maximum-severity vulnerability in GoAnywhere MFT (CVE-2025-10035) in multi-stage attacks that culminate in Medusa ransomware. Their activities have impacted various sectors, including transportation and education, using stealth techniques to linger undetected before monetizing access through extortion.

  2. OpenAI Disrupts Malicious Use of ChatGPT
    In a groundbreaking move, OpenAI disrupted three clusters of activity from threat actors in Russia, North Korea, and China who misappropriated ChatGPT for malware development. This includes creating remote access trojans and phishing tools, indicating that adversaries are increasingly integrating AI into their malicious workflows.

  3. 175 Malicious npm Packages Used for Phishing
    A new approach to phishing has surfaced through npm packages, where attackers create throwaway packages designed to redirect users to credential-harvesting sites. Developers are now encouraged to scrutinize dependencies to avoid these threats.

  4. Formation of a Ransomware Cartel
    Three leading ransomware groups—LockBit, Qilin, and DragonForce—announced a partnership aimed at coordinating attacks. This coalition comes in response to increasing law enforcement pressure and appears to target previously off-limits sectors.

  5. Weaponization of the Nezha Tool by Chinese Hackers
A legitimate open-source tool named Nezha has been abused by hackers with suspected ties to China, notably impacting over 100 machines in Taiwan, Japan, South Korea, and Hong Kong. This highlights the troubling trend of threat actors repurposing legitimate tools for malicious ends.

🔥 Trending CVEs

With hackers leveraging new vulnerabilities at an alarming pace, staying updated on critical CVEs is vital. This week’s notable vulnerabilities warrant immediate attention:

Prioritizing fixes for these vulnerabilities is essential to bolster defenses and close security gaps.

📰 Around the Cyber World

  • Russia-Linked TwoNet Targets Forescout Honeypot
    An ICS/OT honeypot mimicking a water treatment facility was recently targeted by the hacktivist group TwoNet. This attack showcases the group’s focus on critical infrastructure and indicates a shifting landscape of financially motivated cyber activities.

  • Sophos Investigates WhatsApp Worm
    A newly disclosed campaign, dubbed Water Saci, involves self-propagating malware spreading via WhatsApp. Sophos is investigating its links to previously reported campaigns targeting Brazilian banking customers, revealing how attackers evolve their methodologies.

  • North Korean IT Workers Seeking Jobs in New Sectors
    According to recent reports, North Korean IT workers are branching into areas like industrial design and architecture, raising concerns about potential espionage and access to sensitive infrastructure designs.

  • FBI Seizes Extortion Site Used Against Salesforce
    The FBI recently seized a website employed by the Scattered LAPSUS$ Hunters for extorting Salesforce. Although the main domain is down, the group persists, indicating the ongoing challenges of combating cybercrime.

  • NSO Group Acquired by U.S. Investors
    NSO Group, known for its spyware, has been acquired by a U.S. investment group, highlighting the ongoing complexities surrounding the use and regulation of surveillance technologies.

🔧 Cybersecurity Tools

In an ever-evolving threat landscape, having the right tools is crucial:

  1. P0LR Espresso – Helps security teams analyze multi-cloud logs, delivering insights that make it easier to identify compromised identities and reconstruct attack timelines.

  2. Ouroboros – A Rust-based open-source decompiler using symbolic execution to reconstruct high-level code from binary files, making it an excellent resource for reverse engineering and security analysis.

🔒 Tip of the Week

Don’t Leave Your Backups Unlocked
Backups are an essential safeguard for data, but if left unencrypted they become a significant risk in their own right: an unencrypted backup is a goldmine for any attacker who gains access to it.

The Simple Fix: Always encrypt your backups before storing or sharing them, whether on USBs, cloud storage, or servers. Tools like Restic and BorgBackup can assist in ensuring that your data remains secure.
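As an added example (not code from the article or from the Restic project), a small POSIX shell wrapper that applies this tip with Restic: the repository passphrase is read from a root-only file that is checked before any backup runs, and `restic check` verifies the encrypted repository afterwards. It assumes restic is installed; the repository, source and passphrase-file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the article: an encrypted backup job built on restic.
# Assumptions: restic is installed; REPO, SRC and PWFILE are placeholder paths;
# the passphrase lives in a root-only file, never on the command line (where it
# would end up in shell history and process listings).
set -eu

REPO="${RESTIC_REPOSITORY:-/srv/backups/restic-repo}"       # placeholder path
SRC="${BACKUP_SOURCE:-/etc}"                                 # placeholder path
PWFILE="${RESTIC_PASSWORD_FILE:-/root/.restic-passphrase}"   # placeholder path

# Refuse to run unless the passphrase file exists, is non-empty and is not
# readable by other users. Returns 0 when acceptable, 1 otherwise.
check_password_file() {
  f="$1"
  if [ ! -s "$f" ]; then
    echo "passphrase file missing or empty: $f" >&2
    return 1
  fi
  # GNU stat first, BSD/macOS stat as a fallback.
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null || echo "")
  case "$perms" in
    600|400) return 0 ;;
    *) echo "passphrase file $f has mode '$perms'; expected 600 or 400" >&2; return 1 ;;
  esac
}

# Initialise the repository on first use, then take a snapshot and verify it.
# Every object restic writes is encrypted with a key derived from the passphrase,
# so the repository can sit on a USB drive, a cloud bucket or a shared server.
run_backup() {
  check_password_file "$PWFILE"
  if ! restic -r "$REPO" --password-file "$PWFILE" cat config >/dev/null 2>&1; then
    restic -r "$REPO" --password-file "$PWFILE" init
  fi
  restic -r "$REPO" --password-file "$PWFILE" backup "$SRC" --tag weekly
  # Structural integrity check of the repository (add --read-data to re-read every pack).
  restic -r "$REPO" --password-file "$PWFILE" check
}

# Only run the job when explicitly asked, so the functions can be sourced and tested.
if [ "${1:-}" = "run" ]; then
  run_backup
fi
```

Run it as `sh backup.sh run` from a root cron job; the passphrase file itself must also be included in a separate, offline secret store, since losing it makes the encrypted repository unrecoverable.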

This week’s narratives reflect the dualities of the cybersecurity realm — the ingenuity of attackers and the ongoing efforts of defenders. A proactive and aware approach remains essential in navigating this intricate landscape.

Published by
James
