Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.

The Washington Post has 10,000 affected by an Oracle breach, CrowdStrike's global threat outlook, a new lost iPhone scam, and a listener reaches out with concerns about SonicWall. This is Cybersecurity Today. I'm your host, Jim Love. Let's get into it.

The Washington Post has confirmed that nearly 10,000 current and former employees and contractors had personal information stolen after attackers breached the newspaper's Oracle E-Business Suite environment earlier this year. In a filing with Maine's attorney general, the Post said it was contacted on September 29 by an individual claiming to have accessed its Oracle system. An internal investigation later verified the intrusion and linked it to a previously unknown Oracle EBS vulnerability that has been exploited across multiple organizations worldwide. The filing says attackers accessed the system between July 10 and August 22, stealing data that included names, bank account numbers, routing numbers, Social Security numbers and tax identification numbers. The Post determined the scope of the breaches on October 27th and began notifying almost 10,000 affected individuals. Those whose Social Security numbers or tax IDs were taken have been offered identity protection services.

This incident is part of a larger campaign attributed to the Clop ransomware group, which has posted alleged victims on its leak site. Confirmed disclosures so far include GlobalLogic, a Hitachi-owned engineering firm that reported more than 10,000 of its staff impacted, and Alliance UK. Researchers also expect more announcements in the coming weeks as organizations review their Oracle logs. Estimates of the scale of the campaign vary widely. Some security analysts say dozens of companies have been affected, while others warn the total may exceed 100, based on the number of EBS environments seen communicating with attacker infrastructure. Oracle acknowledged the flaw in late October and issued emergency patches, but it has not said how many customers were affected or how long the bug had been exploited. Researchers believe the vulnerability may have been used at scale for several months.

CrowdStrike's 2025 Global Threat Report paints a clear picture of a threat landscape moving faster, operating more quietly and acting more like modern businesses than traditional hackers. The overarching theme is the rise of the "enterprising adversary": attackers who organize, scale and innovate with the efficiency of legitimate enterprises. The biggest shift is in the dominance of malware-free intrusions, which now account, according to the report, for 79% of all detections. Attackers are using valid credentials, social engineering, remote management tools and cloud misconfigurations to enter networks without triggering classic antivirus alerts. Breakout times, the moment an attacker pivots deeper into a network, hit a new low of 48 minutes on average, but the fastest observed was 51 seconds.

Social engineering has entered a new phase. Vishing attacks surged 442%, with attackers impersonating IT staff, using spam bombs to create urgency and leveraging tools like Microsoft Teams or Quick Assist to gain access. Help desk impersonations also expanded, with adversaries calling support lines to reset MFA and take over accounts. Generative AI is now a mainstream adversary capability. Threat actors are using it to craft convincing phishing emails, run influence operations, automate coding tasks, create deepfakes for fraud and even draft early-stage exploit code. A single study of large language model-generated phishing showed a click-through rate of 54%, compared with 12% for those written by humans.

Nation-state activity is also escalating. China-linked intrusions are up 150%, with some industries seeing 200 to 300% more activity than last year. China's operations show increasing specialization, stronger opsec and a heavy use of massive ORB proxy networks. Meanwhile, North Korean or DPRK actors continue to grow their revenue generation schemes, including sophisticated insider operations using fake developer identities and job interviews.

Cloud intrusions are climbing as attackers target identity systems and SaaS apps. Valid credential abuse accounts for 35% of cloud incidents, and multiple groups now pivot directly into cloud control planes to steal data or deploy ransomware. Attackers are increasingly exploiting SaaS tools such as SharePoint, communication platforms, credential managers and SMS distribution apps to conduct further phishing and lateral movement. Vulnerability exploitation remains aggressive, especially against network appliances. Threat actors are chaining multiple CVEs and abusing built-in product features to achieve remote code execution. Palo Alto Networks, Cisco infrastructure and Microsoft components were among the most targeted, with exploitation often beginning within 24 hours of disclosure.

CrowdStrike concludes that 2024 marked a turning point. Adversaries are maturing faster than defenders. The report recommends identity-first security, cloud-native monitoring, rapid patching, cross-domain visibility and intelligence-driven defense as the only sustainable countermeasures. There is a link to the report in our show notes at technewsday.com or .ca. Just go to the Podcast tab. You may have to register to get the report.

Criminals are now using a new phishing scheme to target people who've lost their iPhones, sending messages that imitate Apple's device recovery alerts to steal user credentials. The scam takes advantage of the information a user displays on a lost iPhone's lock screen. Attackers copy those details, including the phone model, color and the contact number provided by the owner, and send a text message or iMessage claiming the device has been located. The message includes a link to what appears to be an official Apple page, but instead it leads to a counterfeit login site designed to harvest Apple ID usernames and passwords. Once attackers obtain those credentials, they can attempt to remove the Activation Lock that prevents a stolen phone from being reused. The Swiss National Cybersecurity Centre says messages can look convincing, especially when they reference the correct device information. The agency noted that Apple does not send text messages to report a recovered phone and urges users to avoid clicking links in unsolicited notifications. The advisory recommends enabling Lost Mode through the Find My app, protecting the SIM card with a PIN, and ignoring any external login prompts received after reporting a device missing.

And finally, we got an email from a listener. It went like this.

"Several weeks ago you reported on a story involving SonicWall, where a breach of the MySonicWall cloud backup service exposed customer data. SonicWall originally stated a small set of customers were impacted, less than 5%, with limited data exfiltrated, but soon after were forced to publicly admit all customers and all hosted data was actually taken. As a SonicWall customer, we immediately reached out when we heard the initial 'less than 5% impacted' news reported. Thank you again to Cybersecurity Today. We were told to immediately reset all credentials, rotate all device tokens, reset all configs, and consider moving to a secure private appliance for device management until the root cause of the breach is found and fixed. We took that very seriously and immediately engaged SonicWall Enterprise support to assist with deploying SonicWall's private management appliance in a closed network configuration as directed by SonicWall, while performing all remediations as directed.

During the on-prem NSM appliance deployment with SonicWall support, we discovered several shocking issues that underscore just how poorly many traditional firewall and security product managers manage their own product safety and development. The first was that all SonicWall management devices and systems must enable and use the default user 'admin'. You cannot change the admin login name, and the account must remain enabled at all times. This obviously creates a ridiculously insecure profile, where all bad actors already know the highest-level management account name of all SonicWall devices and simply have to work that single user's password to gain access. This most likely explains why all SonicWall devices are constantly being password sprayed online. And second, you must disable all MFA on all devices you wish to manage with SonicWall's NSM appliance in order to allow them to be managed. This effectively removes the only backstop between a bad actor successfully gaining access to the well-known admin account creds on every device and using them to take the devices over. We were told that these issues have been known for a long time and are all in SonicWall's future development plans to remediate, but for now it's what you need to do if you want to manage your SonicWall estate with a SonicWall private management appliance, NSM, and we could add our voice by submitting a future product feature request."

In response to our checking with this, the same person was able to provide us confidentially with copies of the correspondence to show that SonicWall was aware of these issues. The company said it received verbal assurances that these concerns are being addressed, but nothing in writing. Doing our due diligence, we submitted these questions to SonicWall. We gave them three full days before going forward with the story. We have not yet heard anything back. We will gladly post their reply when and if we receive it.

And that's our show. If you've got a story that you think we should cover, or a concern that you have, let me know. Reach me at technewsday.com or .ca, on the Contact Us form. Catch us this weekend when we bring back researcher Tammy Harper for a conversation where she shares some of her ideas about where cybercrime is and where it is going. Spoiler alert: we won't have all the answers, but we might give you some things to think about.

And once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, they build the software, they manage deployments, and they run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses to data centers. You can book a demo at meter.com CST, that's M-E-T-E-R dot com CST. I'm your host, Jim Love. Thanks for listening.
