CISA orders feds to patch OIM, Delta Dental incurs breach, Ukraine postal operator systems down

Cyber Security Headlines — November 25, 2025
Host: Sarah Lane | Podcast: CISO Series
Episode Theme:
A fast-paced rundown of the top cybersecurity stories affecting global organizations, including critical vulnerabilities, data breaches, cyberattacks, and new security initiatives.

Main Theme & Episode Overview

This episode spotlights urgent vulnerabilities exploited in the wild, notable breaches in the healthcare and financial sectors, the impact of cyber warfare on critical infrastructure, and evolving security best practices—including the use of AI for threat hunting and shifting industry advice on password management. The host, Sarah Lane, delivers concise news segments tailored for professionals seeking actionable information.

Key Discussion Points & Insights

1. CISA Orders Federal Agencies to Patch Oracle Identity Manager (OIM) Zero-Day

• Summary:
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated all federal agencies to patch a critical Oracle Identity Manager zero-day by December 12, 2025.
  • Attackers were probing this vulnerability weeks before Oracle released a fix on October 21.
  • The flaw allows unauthenticated attackers to take control of OIM with a single HTTP request.
• Details:
  • Searchlight Cyber described the exploit as "trivial".
  • Logs by Johannes Ulrich (SANS Internet Storm Center) show pre-patch exploitation attempts as early as late August.
  • The flaw is now part of CISA’s Known Exploited Vulnerabilities list.
• Quote:
  • “Researchers at Searchlight Cyber calling exploitation trivial.” (Sarah Lane, 00:39)

2. Delta Dental of Virginia Suffers Major Data Breach

• Summary:
  • Delta Dental of Virginia disclosed a breach where a compromised email account potentially exposed sensitive data of 146,000 customers.
  • Breach went undetected for over a month (March 21 to April 23, 2025).
  • Personal data, including names, Social Security numbers, government IDs, and health information, could be affected.
• Response:
  • No evidence of misuse yet.
  • Free identity protection and credit monitoring for one year is being offered.
• Quote:
  • “The company says there's no evidence of misuse, but is offering a year of free identity protection and credit monitoring to affected individuals.” (Sarah Lane, 01:21)

3. Ukrainian Cyber Alliance Hits Donbass Post in Eastern Ukraine

• Summary:
  • The hacktivist group Ukrainian Cyber Alliance (UCA) claimed credit for a cyber assault that wiped over 1,000 workstations, about 1,000 virtual machines, and wiped dozens of terabytes of data from Donbass Post, a Russian state-controlled postal service in occupied Ukraine.
  • Service disruption included suspension of physical branches and call centers.
  • Incident coincided with a drone strike on local energy infrastructure, raising questions about coordination between cyber and kinetic attacks.
• Historical Context:
  • UCA has previously targeted Russian financial, telecom, and municipal entities.
• Quote:
  • “The attack reportedly wiped out more than 1,000 workstations, around 1,000 virtual machines and several dozen terabytes of data.” (Sarah Lane, 02:01)

4. Fluent Bit Log Collector Vulnerabilities Threaten Cloud Environments

• Summary:
  • Oligo security researchers identified five longstanding vulnerabilities in Fluent Bit, a widely-used open source log collector in cloud environments.
  • Issues include authentication bypass, path traversal, remote code execution, denial of service, and tag manipulation.
  • Some bugs date back over 8 years and potentially allow full cluster compromise when chained.
• Mitigation:
  • Patches released: versions 4.1.1 and 4.0.12 fix these issues.
• Quote:
  • “Researchers from Oligo found five long standing and easy to exploit vulnerabilities in Fluent Bit…” (Sarah Lane, 02:41)

5. Hacklore Launches to Challenge Outdated Security Myths

• Summary:
  • Hacklore.org is a new initiative led by former Yahoo and DNC security chief Bob Lord, targeting persistent cybersecurity myths—such as the need for frequent password changes and total avoidance of public WiFi.
  • Advocates for practical, evidence-based advice: promoting passkeys, password managers, MFA, and timely software updates.
  • 80+ cybersecurity experts signed an open letter supporting the project.
• Quote:
  • “A new initiative called hacklore.org launched to push back against long standing cybersecurity myths like frequently changing passwords or avoiding all public wifi.” (Sarah Lane, 03:17)

6. Amazon’s AI Agents Advance Proactive Threat Detection

• Summary:
  • Amazon introduces Autonomous Threat Analysis (ATA), an internal AI-powered platform that proactively hunts for vulnerabilities, suggests remediations, and performs variant analysis to catch similar flaws across their cloud systems.
  • Developed from an internal hackathon, now central to Amazon's software security.
• Quote:
  • “ATA uses specialized AI agents to identify weaknesses, perform variant analysis to find similar flaws, and propose remediations before attackers can exploit them.” (Sarah Lane, 03:56)

7. Shadow Ray 2.0 Botnet Hijacks AI Infrastructure for Crypto Mining and Data Theft

• Summary:
  • The botnet Shadow Ray 2.0 targets exposed Ray clusters (used for distributed AI workloads), infecting up to 230,000 environments for cryptocurrency mining, model theft, and data exfiltration.
  • Operated by the Iron Earn 440 group, exploits remote code execution (RCE) flaws, especially on misconfigured GPU clusters.
  • After their previous command-and-control infrastructure was shut down, attackers pivoted to new channels and continued their campaign.
• Quote:
  • “Shadow Ray 2.0 is hijacking exposed Ray clusters to run a self propagating crypto mining and data theft botnet.” (Sarah Lane, 04:32)

8. Citus AMC Cyber Intrusion Puts Major Real Estate Data at Risk

• Summary:
  • Real estate fintech Citus AMC suffered a breach affecting confidential client data, including financial records and legal documents tied to major banks (potentially Citi, JPMorgan Chase, Morgan Stanley).
  • No ransomware detected; FBI is investigating.
  • Defensive measures enacted include password resets, firewalls updates, and restricted remote access.
• Quote:
  • “Citus AMC has since added security measures like resetting credentials, disabling remote access, updating firewalls and monitoring systems…” (Sarah Lane, 05:37)

Memorable Quotes & Moments

• "Researchers at Searchlight Cyber calling exploitation trivial." (Sarah Lane, 00:39)
• "No one claims that humans are perfect, but we keep designing security systems as if we were." (Sarah Lane, 06:29)
• On coordinated attacks:
  “The disruption coincided with a drone strike on local energy infrastructure, leaving many wondering if the incidents were perhaps coordinated.” (Sarah Lane, 02:17)

Noteworthy Timestamps for Key Segments

• OIM vulnerability & CISA directive: 00:07–01:12
• Delta Dental data breach: 01:13–01:51
• Donbass Post cyberattack: 01:52–02:41
• Fluent Bit vulnerabilities in the cloud: 02:42–03:16
• Hacklore myth-busting initiative: 03:17–03:55
• Amazon’s AI ATA platform: 03:56–04:16
• Shadow Ray 2.0 and AI botnets: 04:17–04:55
• Citus AMC breach and big banks: 04:56–05:41

Tone & Language

Sarah Lane maintains a clear, factual, and pragmatic tone—delivering each headline with brevity and focus, emphasizing actionable details and real-world impact. Expert and user-friendly language ensures the audience is informed without being overwhelmed.

For details on any specific story or further expert analysis, visit CISOseries.com.