Weekly Cybersecurity Threat Advisory


Threat Landscape Summary (September 29 – October 6, 2025)

I. EXECUTIVE SUMMARY

The week of September 29 to October 6, 2025, was marked by a significant escalation in global cyber threats, characterized by high-impact ransomware events, large-scale data exfiltration, and the active exploitation of a critical zero-day vulnerability in a widely used enterprise software suite. A notable incident involved a sophisticated ransomware operation against a major Japanese multinational conglomerate, leading to a complete suspension of critical business operations within Japan. Concurrently, the cybercriminal ecosystem demonstrated its reach through a significant data breach at a globally recognized luxury retailer, impacting hundreds of thousands of online customers and traced back to a compromise in its supply chain. Perhaps most alarmingly, this week witnessed the widespread exploitation of a previously unknown vulnerability in Oracle E-Business Suite (CVE-2025-61882), leveraged in an extortion campaign affecting multiple organizations across diverse sectors. This zero-day campaign, coupled with a separate massive data exfiltration event from a leading technology consulting firm’s GitLab instance, illustrates the advanced capabilities and strategic intent of modern threat actors. The sheer volume of records compromised, exceeding tens of millions, and the breadth of industries affected, from aviation and finance to technology and retail, reinforce the notion that no organization is immune.

II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW

The global cybersecurity landscape during this period was characterized by an alarming convergence of high-impact attack vectors, sophisticated adversary tactics, and a broadening scope of targeted sectors and geographies. Ransomware syndicates demonstrated a clear preference for targeting large, multinational corporations and critical service providers, as seen in the attack on Asahi Group Holdings Ltd. in Japan, which resulted in a nationwide shutdown of core operations. A particularly concerning development was the widespread exploitation of a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite, a widely deployed enterprise resource planning (ERP) system. This vulnerability, which allows for unauthenticated remote code execution, was observed being leveraged in active extortion campaigns against multiple organizations, suggesting that highly resourced threat actors are actively stockpiling and deploying such exploits. The persistent threat of supply chain compromises was also highlighted by the Harrods data breach, where a third-party vulnerability led to the exposure of personal data for 430,000 online customers. Beyond these major themes, social engineering attacks and direct third-party CRM platform compromises continued to be highly effective, impacting millions of records globally.

III. NOTABLE INCIDENTS AND DATA BREACHES

| Date | Organization | Country | Sector | Incident Type | Records Affected / Impact |
|---|---|---|---|---|---|
| 2025-09-29 | Asahi Group Holdings Ltd | Japan | Food & Beverage | Cyber Attack (Ransomware Suspected) | Complete suspension of operations in Japan, including ordering, shipping, call center, and customer service. No confirmed personal data leakage; investigation ongoing. |
| 2025-09-30 | Harrods | United Kingdom | Retail (Luxury) | Data Breach (Third-Party Supply Chain) | Personal information of approximately 430,000 online customers exposed, including names and contact details. No payment information compromised. Harrods refused to engage with attackers. |
| 2025-10-01 | WestJet | Canada | Transportation (Aviation) | Cyber Attack (Social Engineering leading to Data Breach) | Personal data of approximately 1,200,000 individuals compromised, including names, birth dates, addresses, ID details, and loyalty information. |
| 2025-10-02 | Allianz Life Insurance Company of North America | USA | Finance (Insurance) | Data Breach (Third-Party Cloud CRM) | Exposure of personal data for 1,497,036 individuals, including names, addresses, dates of birth, and Social Security numbers, due to a breach of a third-party cloud CRM platform. |
| 2025-10-02 | Motility Software Solutions | USA | Technology (Automotive SaaS) | Ransomware Attack (Data Theft & Extortion) | Data theft and encryption impacting 766,670 records, including names, contact details, dates of birth, Social Security, and driver’s license numbers. Attributed to the PEAR ransomware group. |
| 2025-10-02 | Oracle E-Business Suite (Multiple Organizations) | Global | Cross-Industry | Extortion Campaign (Zero-Day Exploit – CVE-2025-61882) | Multiple organizations targeted in extortion campaigns exploiting a critical zero-day vulnerability in Oracle E-Business Suite, allowing for unauthenticated remote code execution. Full extent of impact is still emerging. |
| 2025-10-02 | Red Hat Consulting | USA | Technology (IT Services) | Data Breach (GitLab Compromise) | Exfiltration of approximately 570 GB of compressed data from a self-managed GitLab instance, including customer engagement reports, VPN settings, infrastructure diagrams, API keys, and credentials for numerous enterprise and government clients. Claimed by Crimson Collective. |

IV. CURRENT THREAT LANDSCAPE ANALYSIS

The most prominent emerging trends include the escalating severity and operational focus of ransomware attacks, the pervasive impact of third-party and supply chain compromises, and the alarming weaponization of zero-day vulnerabilities in large-scale, financially motivated extortion campaigns. The incident involving Asahi Group Holdings Ltd. demonstrates a shift towards “operational paralysis” strategies, where attackers aim to inflict maximum business disruption. The Harrods and Allianz Life Insurance breaches highlight that an organization’s security is only as strong as that of its weakest vendor or partner. The active exploitation of CVE-2025-61882, a critical unauthenticated remote code execution vulnerability, signifies a dangerous convergence of APT-level capabilities with financially motivated criminal campaigns, blurring traditional threat actor categorizations.

V. CRITICAL VULNERABILITIES AND CVEs

| CVE ID | Description | Severity (CVSS) | Affected Product(s) | Known Exploited? | Mitigation / Remediation |
|---|---|---|---|---|---|
| CVE-2025-61882 | Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3–12.2.12. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in takeover of Oracle E-Business Suite. | Critical (9.8) | Oracle E-Business Suite 12.2.3 – 12.2.12 | Yes | Oracle has released a security update to address this vulnerability. Organizations are strongly advised to apply the necessary patches immediately. In addition to patching, implement network segmentation, restrict network access to E-Business Suite instances from untrusted networks, monitor for suspicious activity, and consider deploying virtual patching mechanisms if immediate patching is not feasible. |

VI. THREAT ACTOR ACTIVITIES

The week’s activities highlighted diverse threat actors, including financially motivated ransomware groups, sophisticated data exfiltration collectives, and actors exploiting zero-day vulnerabilities. The exploitation of CVE-2025-61882 suggests involvement of highly resourced actors, potentially APT groups or sophisticated criminal syndicates. The Crimson Collective, claiming the Red Hat Consulting GitLab breach, demonstrated an interest in high-value intellectual property. Ransomware groups like PEAR, Radiant, and INC Ransom continued their prolific “double extortion” campaigns, targeting various sectors for financial gain. These actors employ a range of TTPs, from phishing and exploiting RDP vulnerabilities to leveraging zero-day exploits and supply chain compromises.

VII. MALWARE ANALYSIS

Ransomware remained a dominant threat, with groups like PEAR, Radiant, and INC Ransom actively deploying their malware. These groups typically operate on a Ransomware-as-a-Service (RaaS) model, employing “double extortion” tactics involving data encryption and exfiltration. Their TTPs include initial access via phishing or compromised credentials, lateral movement, privilege escalation, data theft, and ransomware deployment. While new, unique malware families were not prominently featured in this specific week’s public reports, the continued evolution and widespread use of existing ransomware variants underscore their effectiveness and the need for robust behavioral-based detection and prevention strategies.

VIII. RECOMMENDATIONS

For Technical Audiences:

  • Immediate Actions (24-48 Hours): Patch critical vulnerabilities (especially CVE-2025-61882); enhance monitoring and threat hunting; review and secure third-party access; verify backup integrity and recovery procedures.
  • Strategic Improvements: Implement a Zero Trust Architecture; strengthen the vulnerability management lifecycle; enhance Incident Response (IR) and Business Continuity Planning (BCP); invest in security awareness and phishing resistance.
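As an added illustration of the "patch critical vulnerabilities within 24-48 hours" action above (example code written for this page, not tooling from the advisory's authors or from Oracle), the script below checks an asset inventory against the affected Oracle E-Business Suite range stated in Section V (12.2.3 through 12.2.12) and ranks instances reachable over HTTP from untrusted networks first. Hostnames, versions and the `Asset` record are constructed assumptions; only the CVE identifier and version range come from the advisory.

```python
"""Prioritise patching of CVE-2025-61882 across an asset inventory (added example)."""
from dataclasses import dataclass

# Affected range from the advisory's Section V, inclusive at both ends.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 12)


@dataclass
class Asset:
    host: str               # hypothetical hostname
    version: str            # Oracle EBS version string, e.g. "12.2.11"
    internet_facing: bool   # reachable over HTTP from untrusted networks


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '12.2.11' into (12, 2, 11) so comparison is numeric, not lexical.

    A plain string compare would wrongly rank '12.2.12' below '12.2.2'.
    Malformed strings raise ValueError rather than silently passing as safe.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside the affected range (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(assets: list[Asset]) -> list[tuple[str, str]]:
    """Return (host, priority) for affected hosts only, P1 before P2.

    P1 = affected and internet-facing (patch in the 24-48 hour window);
    P2 = affected but internal only (patch next, keep network access restricted).
    """
    ranked = [(a.host, "P1" if a.internet_facing else "P2")
              for a in assets if is_affected(a.version)]
    return sorted(ranked, key=lambda r: (r[1], r[0]))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_ASSETS = [
    Asset("ebs-prod-01", "12.2.12", internet_facing=True),   # in range, exposed
    Asset("ebs-prod-02", "12.2.2", internet_facing=True),    # below range
    Asset("ebs-dev-01", "12.2.5", internet_facing=False),    # in range, internal
    Asset("ebs-test-01", "12.2.13", internet_facing=True),   # above range
]

if __name__ == "__main__":
    for host, priority in triage(SAMPLE_ASSETS):
        print(priority, host)
```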

For Non-Technical Audiences:

  • Security Awareness and Vigilance: Recognize and report phishing attempts; practice good password hygiene; be mindful of information sharing.
  • Incident Response Preparedness and Personal Responsibility: Know reporting channels; understand data handling policies; keep software and devices updated; secure physical devices.

IX. ANALYST NOTES

The threat landscape is witnessing a blurring of lines between financially motivated cybercrime and APT activity, evidenced by the use of zero-days in extortion campaigns. There is an escalating focus on operational disruption over mere data theft, as seen in the Asahi attack. Supply chain compromises remain a systemic vulnerability, with potential targeting of software development lifecycle tools. The diversity of targets and the global reach of attacks underscore that no organization is immune, highlighting the need for greater international cooperation in responding to a professionalized, globalized cybercrime ecosystem.

X. CONTACT INFORMATION

Meraal Cyber Security (MCS) Threat Intelligence Team

  • Website: www.meraal.me
  • Email Contacts: Office@meraal.me, Naveed@meraal.me
  • Phone Contacts: +92 42 357 27575, +92 323 497 9477

Note on Sources and Intelligence: This report synthesizes information from various credible sources, including public advisories, internal analysis, and emerging threat intelligence from reputable cybersecurity news outlets, threat intelligence platforms, and vulnerability databases. Efforts have been made to differentiate between confirmed intelligence and speculative or unverified information.
