This reporting period saw the “Clop” syndicate’s mass-exploitation campaign reach a fever pitch, specifically targeting high-profile media and technology firms via legacy and unpatched infrastructure. Simultaneously, massive data exposures in the French public sector and the South Korean retail market have underscored the ongoing risk of session-token theft and cloud misconfigurations.
Key Highlights:
Media & Tech Under Siege: The Washington Post and GlobalLogic confirmed breaches resulting in the theft of financial and personal data for approximately 20,000 combined employees.
Public Sector Exposure: France’s Pajemploi service reported a breach affecting 1.2 million childcare workers, highlighting a pivot toward targeting social security and administrative databases.
Supply Chain & Third-Party Risks: Logitech and Checkout.com suffered significant data exfiltrations (up to 1.8TB) attributed to compromised third-party software platforms and legacy cloud storage.
II. GLOBAL CYBER THREAT LANDSCAPE OVERVIEW
The trend of “Industrialized Data Theft”—where actors skip encryption entirely to focus on rapid exfiltration—has become the standard operational procedure for top-tier groups.
Key Observations:
ERP Vulnerability Crisis: The continued exploitation of Oracle E-Business Suite has proven to be the most successful entry vector of Q4 2025, enabling unauthenticated access to the “crown jewels” of global enterprises.
Credential Saturation: The circulation of a “Gmail Aggregation” (183M records) is driving a surge in automated Account Takeover (ATO) attempts against corporate VPNs and SaaS portals.
III. NOTABLE INCIDENTS AND DATA BREACHES
GlobalLogic (Tech): On November 10, the Hitachi-owned firm admitted to a breach involving 10,000 staff records, including Social Security numbers and bank details, after Clop exploited an Oracle EBS zero-day.
The Washington Post (Media): Confirmed a data breach on November 13 impacting nearly 10,000 employees and contractors; sensitive tax IDs and routing numbers were exfiltrated.
Checkout.com (Fintech): Disclosed a breach on November 17 after the ShinyHunters group accessed a legacy cloud bucket. Approximately 25% of current merchants are potentially affected.
Asahi (Manufacturing): The Qilin group claimed a disruption at the beverage giant, allegedly exposing the PII of more than 1.5 million individuals.
IV. COMPREHENSIVE INCIDENT SUMMARY TABLE
Date | Affected Organization | Sector | Incident Type | Impact
Nov 10, 2025 | GlobalLogic | Tech | Zero-Day Exploit | 10,000 employee profiles stolen
Nov 10, 2025 | Princeton University | Education | Database Breach | Donor/Alumni contact data exposed
Nov 13, 2025 | The Washington Post | Media | Zero-Day Exploit | 9,720 staff financial records leaked
Nov 14, 2025 | Pajemploi (France) | Government | Unauthorized Access | 1.2M childcare workers’ PII exfiltrated
Nov 17, 2025 | Logitech | Tech | 3rd Party Software | 1.8TB of corporate data claimed by Clop
Nov 17, 2025 | Checkout.com | Finance | Legacy Cloud Leak | Merchant onboarding documents exposed
V. CRITICAL VULNERABILITIES AND CVEs
CVE ID | Description | Severity | Mitigation Status
CVE-2025-62215 | Windows Kernel EoP: Race condition allowing SYSTEM privilege escalation. | 7.0 (High) | Actively Exploited. Apply November Patch Tuesday updates.
CVE-2025-60724 | MS Graphics (GDI+) RCE: Buffer overflow in graphics processing. | 9.8 (Critical) | Critical for web-facing servers processing images/PDFs.
CVE-2025-41115 | Grafana Impersonation: Critical privilege escalation in SCIM provisioning. | 10.0 (Critical) | Disable SCIM or upgrade to latest version immediately.
CVE-2025-12480 | Triofox Auth Bypass: Exploited by UNC6485 to create admin accounts. | 9.1 (Critical) | Patch available; monitor for unusual RDP tunneling.
VI. THREAT ACTOR ACTIVITIES
Clop (Ransomware Syndicate)
Primary Vector: Continued dominance via Oracle EBS (CVE-2025-61882).
Activity: Successfully compromised at least 29 major organizations this month, focusing on data-theft extortion rather than system-wide encryption.
ShinyHunters
Focus: Targeting “forgotten” or legacy cloud infrastructure.
Recent Success: The Checkout.com breach, where they capitalized on a cloud bucket that was not properly decommissioned.
ByteToBreach
Focus: Large-scale corporate databases in the EU (e.g., Eurofiber, Almaviva).
Method: Selling multi-terabyte datasets on dark-web forums for high-value cryptocurrency ransoms.
VII. MALWARE ANALYSIS
“The Turkish Rat” (Evolved Adwind)
Capabilities: Multi-stage Java-based RAT with advanced persistence and webcam/keystroke logging.
Delivery: Massive phishing campaign using fake Meta “Facebook Business Suite” notifications.
Target: Small to Medium Businesses (SMBs) in advertising-reliant sectors.
LANDFALL (Mobile Spyware)
Status: Remains a high-risk threat for Samsung Galaxy devices.
Development: New variants detected this week include automated exfiltration of Signal and Telegram “Secret Chat” local databases.
VIII. RECOMMENDATIONS
For Technical Audiences:
Legacy Decommissioning: Immediately audit and shut down legacy cloud storage (S3, Azure Blobs) and old subdomains. Actors like ShinyHunters are actively scanning for “forgotten” assets.
Oracle EBS Hardening: Organizations running Oracle EBS must apply the emergency security alert patches and restrict access to the /OA_HTML/ path to internal IPs only.
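The /OA_HTML/ restriction above can also be verified from the web tier's own access logs rather than assumed from the firewall rule. The following Python script is an added example, not part of this report or of Oracle's tooling: it parses Common Log Format lines and flags every request under /OA_HTML/ whose source address is outside the permitted internal ranges. The RFC 1918 allow-list, the sample log lines and the sub-paths under /OA_HTML/ are constructed assumptions for the example.

```python
import ipaddress
import re

# Assumption for this example: RFC 1918 space plus loopback is "internal".
# Replace with the organization's real corporate and VPN ranges.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Common Log Format: ip identd user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
SENSITIVE_PREFIX = "/OA_HTML/"  # the EBS web path named in the recommendation

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, ts, method, path, int(status)

def is_internal(ip_str):
    """True if the address parses and falls inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed or spoofed field: treat as not internal
    return any(ip in net for net in ALLOWED_NETWORKS)

def find_external_ebs_hits(lines):
    """Flag each request to /OA_HTML/ whose source is outside the allowed networks."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines instead of crashing on them
        ip, ts, method, path, status = parsed
        if path.startswith(SENSITIVE_PREFIX) and not is_internal(ip):
            hits.append({"ip": ip, "time": ts, "path": path, "status": status})
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges, and the /OA_HTML/ sub-paths are placeholders.
SAMPLE_LOG = [
    '10.20.1.15 - - [18/Nov/2025:09:12:01 +0000] "GET /OA_HTML/page1 HTTP/1.1" 200 5120',
    '203.0.113.77 - - [18/Nov/2025:09:12:44 +0000] "POST /OA_HTML/page2 HTTP/1.1" 200 814',
    '203.0.113.77 - - [18/Nov/2025:09:13:02 +0000] "GET /OA_HTML/page3 HTTP/1.1" 302 0',
    '198.51.100.9 - - [18/Nov/2025:09:14:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_external_ebs_hits(SAMPLE_LOG):
        print(f"EXTERNAL /OA_HTML/ access: {hit['ip']} {hit['time']} {hit['path']} -> {hit['status']}")
```

Any hit after the IP restriction is in place means the rule is not being enforced on that path, or an address range was missed from the allow-list.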
For Non-Technical Audiences:
Identity Verification: Be wary of emails regarding “Facebook Business” violations or “Policy Changes.” These are currently the primary delivery method for the Turkish Rat.
Password Safety: If you are an employee of GlobalLogic, The Washington Post, or Logitech, immediately change your corporate and personal passwords and enable hardware-based MFA.
IX. ANALYST NOTES
The “Patch Tuesday” release for November addressed several zero-days, but the “Exploitation Gap”—the time between patch release and enterprise deployment—is being aggressively exploited by automated bots. The high-volume brute-force attacks on Palo Alto GlobalProtect (2.3M attempts this week) suggest that actors are pre-positioning for a massive wave of credential-stuffing attacks.
X. CONTACT INFORMATION
Meraal Cyber Security (MCS) Threat Intelligence Team