Cl0p ransomware extortion gang have a zero day in Oracle E-Business Suite (component: BI Publisher Integration) - which they’ve been exploiting since last month to steal data.

https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/

Oracle patches EBS zero-day exploited in Clop data theft attacks

Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.

BleepingComputer
A few days ago Oracle, via the media, blamed their own customers for not installing a July security update. Then, when the media coverage stopped, they quietly released a new security update for the actual exploited vulnerability. 🥴
Here's the original Oracle explanation - before the post mysteriously disappeared (even from Internet Archive etc.).

The craziest part of the Oracle story is they got the exploit chain via... LAPSUS$.

Before Oracle had an advisory, on Telegram LAPSUS$ posted a working zero day exploit - dated May 2025.

Yes, the teenagers at LAPSUS$ know more about Oracle's security vulnerabilities than Oracle.

-rw-r----- 1 root root 3713 Jun 15 18:19 exp.py
-rw-r--r-- 1 root root 2749 Oct 3 14:54 readme.md
-rw-r----- 1 root root 2651 May 16 10:07 server.py

Having large corporations pay hundreds of millions of US dollars in Bitcoin to teenagers to cover up their data breaches is fucking stupid by the way, as said teens then spend the bitcoin on exploits* - we're in a race to the bottom to arm teens with rocket launchers.

* one of the LAPSUS kids also allegedly ordered pizza to his nan's house with bitcoin

APTs aren't nation states anymore, they're Advanced Persistent Teenagers as covering up breaches has lowered the bar. Global gov inaction.

@GossiTheDog I'm using a screenshot of your post in a story today. Thanks!

@briankrebs @GossiTheDog omg path canonicalization is one of the first things we fixed in honey danber uucp … in 1983

@peterhoneyman @briankrebs @GossiTheDog It’s amazing how often that bug still shows up.
@SteveBellovin @peterhoneyman I wonder what would break if you just unlinked .. from the top dir of a subtree you didn't want people to get out of. And also disallowed filenames beginning with /. Poor person's chroot.
@jef @peterhoneyman The latter, I think, doesn't help—the whole point of ../ is that it lets you navigate up the tree without an explicit /.
The former—well, it would certainly break fsck and equivalent, and I suspect would have other bad side-effects—the restricted subtree has to be navigable by code that updates the legitimate content. Given that effectively all major platforms have good sandboxing today, I'm not sure that playing games with the file system is the best approach—but it doesn't hurt to think about it more!
@jef @peterhoneyman On further thought, making it appear that .. from the subtree root pointed to itself could be done by a nested file system or some such, as a way to implement part of the sandbox. That nested file system would not be in place for content updates, checking the file system, etc., so those objections wouldn't apply. This nested file system (or systems) could implement other aspects of protection—for example, chroot() is restricted to root because of the risks of, e.g., creating a bogus /etc/passwd, and you still have to worry about mknod and more.
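The replies above argue about what actually stops a path from escaping a subtree: jef's "disallow names beginning with /" idea, Bellovin's objection that ../ climbs without any leading /, and the underlying need to canonicalize. The following is an added example written for this thread (not code posted by any of the participants and unrelated to the Oracle bug itself). It puts the three checks side by side: the leading-'/' test, a string-only canonicalization, and a filesystem canonicalization with realpath() that also survives a symlink planted inside the subtree. The directory layout it builds is constructed in a temporary directory purely for demonstration.

```python
"""Three ways of deciding whether a user-supplied path stays inside a subtree,
from the broken leading-'/' check to a canonicalization that also survives
symlinks. Example code for this thread; the tree is constructed in a temp dir."""
import os
import posixpath
import shutil
import tempfile
from typing import Optional


def naive_is_safe(user_path: str) -> bool:
    """Reject only absolute paths. Included because it is the check that
    fails: '../' needs no leading '/' to climb out of the subtree."""
    return not user_path.startswith("/")


def lexical_is_safe(user_path: str) -> bool:
    """Canonicalize the string ('a/../b' -> 'b'; './' and '//' collapsed) and
    require that the result does not begin with '..'. String-only: it never
    touches the filesystem, so it cannot see symlinks."""
    if user_path.startswith("/"):
        return False
    norm = posixpath.normpath(user_path)
    return norm != ".." and not norm.startswith("../")


def resolve_inside(root: str, user_path: str) -> Optional[str]:
    """Canonicalize on the real filesystem: resolve '.', '..' and symlinks
    with realpath(), then require the result to be root or a descendant of
    root. Returns the canonical path, or None if the request escapes."""
    if "\x00" in user_path:  # embedded NUL: never a legitimate filename
        return None
    real_root = os.path.realpath(root)
    # join() discards real_root if user_path is absolute; commonpath catches that.
    candidate = os.path.realpath(os.path.join(real_root, user_path))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


def build_demo_tree() -> str:
    """Constructed demo layout (hypothetical, not from any real system):
        <tmp>/root/docs/public.txt       legitimate content
        <tmp>/outside/secret.txt         must never be reachable
        <tmp>/root/docs/link -> <tmp>/outside   symlink planted inside root
    Returns the subtree root."""
    base = tempfile.mkdtemp(prefix="canon-demo-")
    root = os.path.join(base, "root")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(base, "outside"))
    with open(os.path.join(root, "docs", "public.txt"), "w") as f:
        f.write("public\n")
    with open(os.path.join(base, "outside", "secret.txt"), "w") as f:
        f.write("secret\n")
    os.symlink(os.path.join(base, "outside"), os.path.join(root, "docs", "link"))
    return root


def run_demo() -> dict:
    """Run each request through all three checks; True means 'allowed'."""
    root = build_demo_tree()
    cases = {
        "public": "docs/public.txt",                    # legitimate
        "dotdot": "docs/../../outside/secret.txt",      # classic traversal
        "absolute": "/etc/passwd",                      # absolute path
        "symlink": "docs/link/secret.txt",              # escape via symlink
    }
    results = {}
    try:
        for name, path in cases.items():
            results[name] = {
                "naive": naive_is_safe(path),
                "lexical": lexical_is_safe(path),
                "resolved": resolve_inside(root, path) is not None,
            }
    finally:
        shutil.rmtree(os.path.dirname(root))
    return results


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:9s} {verdicts}")
```

Running it shows the progression the thread describes: the leading-'/' check allows both the "dotdot" and the "symlink" requests; the lexical canonicalization stops "dotdot" but still allows the symlink escape, because it only ever looks at the string; only the realpath()-based check rejects all three hostile requests while still allowing the legitimate one. Even that is a race against concurrent renames of the resolved path (TOCTOU), which is why Bellovin's point about using the platform sandbox rather than filesystem games still holds.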