Cybersecurity Today: Oracle Breach, CrowdStrike Report, and New iPhone Scam
Host: Jim Love
Date: November 14, 2025
Episode Overview
In this episode, Jim Love reviews major recent cybersecurity threats and breaches, with a particular focus on the Oracle E-Business Suite hack impacting thousands of employees at high-profile organizations, takeaways from CrowdStrike’s 2025 Global Threat Report, a warning about a sophisticated lost iPhone phishing scam, and a listener’s direct account and concerns regarding SonicWall security weaknesses. The episode is packed with actionable insights and real-world cautionary tales for organizations and individuals aiming to bolster their defenses against an increasingly complex cyber threat landscape.
Key Discussion Points & Insights
1. Oracle E-Business Suite Breach
[01:00 - 04:30]
- The Washington Post reported that nearly 10,000 of its current and former employees and contractors had sensitive personal information stolen following an attack on its Oracle EBS environment.
- Breach Entry:
  - An individual contacted the Post in September claiming access to its Oracle system.
  - Internal investigation confirmed the intrusion and linked it to a previously unknown Oracle EBS vulnerability.
  - The breach occurred between July 10 and August 22, resulting in theft of names, bank account numbers, routing numbers, Social Security numbers, and tax IDs.
- Scope & Scale:
  - Other organizations, like GlobalLogic (Hitachi-owned) and Alliance UK, have confirmed similar incidents, with expectations for more disclosures soon.
  - Some analysts believe “dozens” of organizations are affected; others warn the total could exceed 100 (based on EBS environments communicating with attacker infrastructure).
- Attribution & Response:
  - Attackers identified as the Clop ransomware group.
  - Oracle issued emergency patches in late October but hasn’t specified how many customers were hit or the length of exploitation.
  - The vulnerability may have been exploited at scale for months.
- Notable Quote:
  - "The filing says attackers accessed the system between July 10 and August 22, stealing data that included names, bank account numbers, routing numbers, Social Security numbers and tax identification numbers." – Jim Love [01:55]
2. CrowdStrike’s 2025 Global Threat Report
[04:40 - 09:20]
- Threat Landscape Evolution:
  - Modern attackers mirror legitimate businesses: organizing, scaling, and innovating rapidly.
  - Shift to “malware-free” intrusions (79% of detections): use of valid credentials, social engineering, and cloud misconfigurations instead of detectable malware.
- Breakout Times:
  - Average: 48 minutes; fastest: 51 seconds.
- Tactics & Tools:
  - Social Engineering:
    - Vishing attacks up 442%.
    - Attackers impersonate IT staff, use spam bombs, Microsoft Teams, Quick Assist.
    - Help Desk impersonation grows—calling support to reset multifactor authentication, take over accounts.
  - Generative AI:
    - Used to write phishing emails, influence ops, generate exploit code, create deepfakes.
    - One study: AI-generated phishing emails had a 54% click-through vs. 12% for human-written.
  - Nation-State Activity:
    - Chinese-linked intrusions up 150%. Some industries see 200-300% more activity.
    - Chinese threat actors are increasingly specialized, practice strong operational security, and use massive proxy networks.
    - North Korea expands revenue operations with fake developer identities and insider schemes.
  - Cloud and Identity Attacks:
    - Valid credential abuse: 35% of cloud incidents.
    - Attackers pivot into cloud control planes, exploit SaaS apps, and chain vulnerabilities for ransomware/lateral movement.
    - Palo Alto Networks, Cisco, Microsoft components are frequent targets, often attacked within 24 hours of new vulnerability disclosures.
- Defensive Recommendations:
  - Identity-first security
  - Cloud-native monitoring
  - Rapid patching
  - Cross-domain visibility
  - Intelligence-driven defense
- Notable Quotes:
  - "The biggest shift is in the dominance of malware free intrusions, which now account, according to the report, for 79% of all detections." – Jim Love [05:20]
  - "Breakout times—the moment an attacker pivots deeper into a network—hit a new low of 48 minutes on average, but the fastest observed was 51 seconds." – Jim Love [06:12]
  - “A single large language model generated phishing study showed a click through rate of 54% compared with 12% for those written by humans.” – Jim Love [07:05]
  - “CrowdStrike concludes that 2024 marked a turning point. Adversaries are maturing faster than defenders.” – Jim Love [08:50]
3. New iPhone Lost Device Phishing Scam
[09:30 - 11:20]
- Scam Description:
  - Cybercriminals mimic Apple’s device recovery messages to target users who have reported their iPhones lost.
  - Attackers use details displayed on the lost device’s lock screen (model, color, contact info) to craft realistic fake notifications.
  - Victims receive text or iMessage prompts with links to spoofed Apple login pages designed to harvest Apple ID credentials.
  - With credentials, attackers can attempt to bypass activation lock, resell or reuse devices.
- Official Advice:
  - Apple does not send texts for device recovery.
  - Enable “Lost Mode” via Find My app; protect SIM with PIN.
  - Ignore login prompts received after reporting a missing device.
- Notable Quote:
  - "The Swiss National Cybersecurity center says messages can look convincing, especially when they reference the correct device information." – Jim Love [10:55]
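The scam above works because the link in the text points at a page that only looks like Apple's. An added example (not code from the episode, Apple, or the Swiss NCSC) showing the check a help desk or SOC can apply to links in such messages: the allow-list of Apple domains and the sample messages are constructed for this illustration. Note that the host comparison anchors on a dot boundary, so a lookalike such as `icloud.com.example` does not pass, and it uses the parsed hostname, so a URL that puts `apple.com` in the user-info part before `@` resolves to the real host behind it.

```python
"""Classify links in 'lost device' text messages by whether the host is
really an Apple domain. Added example for this episode summary; the
domain allow-list and sample messages are constructed assumptions."""
import re
from urllib.parse import urlparse

# Assumed allow-list for the example: apex domains Apple actually uses.
APPLE_DOMAINS = ("apple.com", "icloud.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_apple_host(host: str) -> bool:
    """True only if host is an allow-listed domain or a subdomain of one.
    Matching on '.' + domain prevents 'icloud.com.example' from passing."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in APPLE_DOMAINS)


def extract_urls(text: str) -> list[str]:
    return URL_RE.findall(text)


def classify_message(text: str) -> list[tuple[str, str]]:
    """Return (url, verdict) pairs; verdict is 'apple' or 'suspicious'.
    urlparse().hostname strips any user-info before '@' and any port,
    so 'https://apple.com@203.0.113.9/' is judged by its real host."""
    results = []
    for url in extract_urls(text):
        host = urlparse(url).hostname or ""
        results.append((url, "apple" if is_apple_host(host) else "suspicious"))
    return results


# Constructed sample messages (not real scam texts).
SAMPLE_MESSAGES = [
    "Your iPhone 15 Pro (Blue) was found. Confirm ownership: "
    "https://icloud.com.device-recover.example/login",
    "Find My: https://www.icloud.com/find",
    "Apple Support: https://support.apple.com/",
    "Device located. Sign in: https://apple.com@203.0.113.9/verify",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in classify_message(msg):
            print(f"{verdict:10s} {url}")
```

In practice the verdict is only one signal; per the episode's advice, any login prompt that arrives by text after a device is reported lost should be treated as suspicious regardless of the host.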
4. Listener Story: SonicWall “Security by Default” Flaws
[11:25 - 16:50]
- Listener’s Experience:
  - After a breach that exposed all customer data at SonicWall’s MySonicWall cloud backup service, the listener’s organization moved quickly to reset credentials, rotate tokens, and deploy an on-premise private management appliance.
  - During migration, two critical design flaws were discovered:
    - Default Admin Account: All SonicWall devices must use and leave enabled a default “admin” username, which cannot be changed.
      - “All bad actors already know the highest level management account name...and simply have to work that single user’s password to gain access.”
    - MFA Must Be Disabled: Multi-Factor Authentication must be disabled for any device managed by SonicWall NSM appliance.
      - “This effectively removes the only backstop...between a bad actor successfully gaining access to the well-known admin account creds on every device and using them to take the devices over.”
  - SonicWall support reportedly acknowledged these flaws, but only committed to addressing them in the future.
- Due Diligence & Outcomes:
  - Listener provided correspondence showing SonicWall’s internal awareness.
  - SonicWall was queried for comment; no response was received by air time.
- Notable Quotes:
  - “The first was all SonicWall management devices and systems must enable and use the default user admin. You cannot change the admin login names and the account must remain enabled at all times.” [13:50]
  - “You must disable all MFA on all devices you wish to manage...In order to allow them to be managed.” [14:35]
  - “We were told that these issues have been known for a long time and are all in Sonicwall’s future development plans to remediate, but for now it’s what you need to do.” [15:10]
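When the management account name is fixed and MFA is off, the password is the only barrier, so the compensating control is to watch authentication logs for repeated failures against that one account. An added example (not SonicWall's code, nor the listener's) of that detection: the log line format, the sample events, the account name and the thresholds are all constructed assumptions for the illustration, not SonicWall's real syslog format.

```python
"""Flag password-guessing against a fixed, well-known admin account in
firewall authentication logs. Added example for this episode summary;
the log format and sample lines are constructed, not a vendor format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <result> user=<name> src=<ip>".
SAMPLE_LOGS = """\
2025-11-14T08:00:01 LOGIN_FAIL user=admin src=203.0.113.10
2025-11-14T08:00:04 LOGIN_FAIL user=admin src=203.0.113.10
2025-11-14T08:00:09 LOGIN_FAIL user=admin src=203.0.113.10
2025-11-14T08:00:15 LOGIN_FAIL user=admin src=203.0.113.10
2025-11-14T08:00:21 LOGIN_FAIL user=admin src=203.0.113.10
2025-11-14T08:00:30 LOGIN_OK   user=admin src=203.0.113.10
2025-11-14T08:05:00 LOGIN_FAIL user=admin src=198.51.100.7
2025-11-14T08:20:00 LOGIN_OK   user=admin src=192.0.2.5
"""


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict of typed fields."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def find_guessing(logs: str, account: str = "admin", threshold: int = 5,
                  window: timedelta = timedelta(minutes=1)) -> list[dict]:
    """Return one alert per source IP that produced `threshold` or more
    failed logins for `account` inside any `window`-long span. Each alert
    records whether a successful login from the same source followed the
    burst, which is the case that needs immediate response."""
    events = [parse_line(l) for l in logs.splitlines() if l.strip()]
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["user"] == account:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "LOGIN_FAIL"]
        start = 0
        for end in range(len(fails)):  # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]["ts"]
                success_after = any(
                    e["result"] == "LOGIN_OK" and e["ts"] > last_fail for e in evs
                )
                alerts.append({"src": src, "failures": end - start + 1,
                               "success_after": success_after})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in find_guessing(SAMPLE_LOGS):
        print(alert)
```

With the sample above, only 203.0.113.10 trips the rule (five failures in twenty seconds, then a success), while the single failure from 198.51.100.7 and the clean login from 192.0.2.5 do not. Because the account name is identical on every device, the same rule can be applied fleet-wide without per-device tuning.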
Memorable Moments & Quotes
- “Breakout times...hit a new low of 48 minutes on average, but the fastest observed was 51 seconds.” – Jim Love [06:12]
- “A single large language model generated phishing study showed a click through rate of 54% compared with 12% for those written by humans.” – Jim Love [07:05]
- “All bad actors already know the highest level management account name of all SonicWall devices and simply have to work that single user’s password to gain access.” – Listener email read by Jim Love [13:55]
- “Apple does not send text messages to report a recovered phone and urges users to avoid clicking links in unsolicited notifications.” – Jim Love [11:00]
Key Timestamps
- [01:00] Oracle E-Business Suite breach at Washington Post and scale of global Oracle attacks.
- [04:40] CrowdStrike’s 2025 Global Threat Report: new tactics, social engineering, and AI in attacks.
- [09:30] iPhone lost device phishing scam mechanisms and countermeasures.
- [11:25] Listener’s report on SonicWall “security by default” issues after recent breach.
Takeaways
- Adversaries act with the scale and cunning of big business—malware-free attacks, rapid lateral movement, and new-age social engineering are the new normal.
- Credential-based and cloud-centric threats demand identity-first security.
- Product security practices can lag behind attack sophistication, as shown by the SonicWall case—default admin accounts and forced MFA disabling are glaring weaknesses.
- User vigilance and skepticism of communications, especially around lost devices, are more important than ever.
- Regular patching, monitoring, and proactive configuration reviews are essential across all security domains.
For more details or to read the full CrowdStrike report, visit the links in the show notes at technewsday.com or .ca.
