Cybersecurity Today: Red Hat Breach, CLOP Targets Oracle, and CISA Cuts Critical Support

Podcast: Cybersecurity Today
Host: Jim Love
Episode Date: October 3, 2025

Episode Overview

On this episode, Jim Love delivers critical updates on recent cybersecurity incidents affecting global enterprises. The discussion covers:

• The Red Hat consulting GitLab breach and its fallout
• The CLOP ransomware group’s direct extortion attempts against Oracle E Business Suite clients
• Alarming overconfidence among Canadian businesses about their cyber readiness
• The U.S. CISA’s ending of its core support relationship with the Center for Internet Security (CIS) – a move impacting state and local government cyber defenses

Throughout, Love underscores the importance of realistic threat awareness and immediate, practical defensive actions as organizations face rising cyber risk.

Key Discussion Points & Insights

1. Red Hat Consulting GitLab Breach

[00:01–04:45]

• What Happened:
  Red Hat’s consulting team’s self-managed GitLab server was breached. The company isolated the server and found no evidence of broader compromise, but a group named Crimson Collective claims to have stolen:
  • 3,570 GB of data
  • 28,000 internal repositories
  • ~800 customer engagement reports—including potential network information, config data, authentication tokens, and full database URLs.
• Exposure Risks:
  Attackers could use exposed tokens and network maps to bypass perimeters—“skipping the front door entirely” ([03:30]).
• Immediate Actions for Clients:
  • Revoke and rotate tokens and database credentials.
  • Scrutinize logs for anomalous token usage.
  • Increase monitoring for suspicious authentication and API activity.
• Clarifications:
  • This incident involved Red Hat’s GitLab, not GitHub.
  • The compromised instance was self-managed, meaning customers are responsible for patching and security.

Notable Quote:

“If those CERs and embedded secrets are real, attackers could walk in using working tokens and network maps, skipping the front door entirely.”
— Jim Love [03:30]

2. CLOP Extortion Campaign Targeting Oracle E Business Suite Clients

[04:45–09:45]

• What’s New:
  CLOP, a notorious ransomware group, is emailing Oracle E Business Suite (EBS) clients directly, threatening to leak financial, HR, customer, and supply chain data unless ransoms are paid.
• Oracle’s Position:
  Oracle asserts no breach to its networks or supply chain, though incidents point to vulnerabilities in EBS client deployments.
• Scale & Stakes:
  • E Business Suite is Oracle’s flagship ERP, used by thousands of large entities.
  • In 2024, Oracle became the top ERP vendor by revenue, surpassing SAP.
• Urgency:
  Given CLOP’s history (SolarWinds, GoAnywhere MFT, MOVEit Transfer), clients must take the group’s threats seriously and demand clear, actionable guidance from Oracle.
• Implications:
  The attack “raises the bar for Oracle; simply denying involvement isn’t going to be enough” ([09:05]).

Notable Quote:

“This gang pulled off some of the most damaging enterprise attacks of the past five years... That track record explains why this extortion should be taken seriously...”
— Jim Love [08:05]

3. Overconfidence Among Canadian Businesses

[09:45–14:00]

• Survey Findings:
  • 86% of Canadian execs feel “confident” about cyber defenses.
  • Yet, over half (55%) experienced at least one breach in the last two years.
  • Only 38% have adopted Zero Trust Security.
  • Fewer than half regularly test response plans; just over half use advanced detection tools like continuous monitoring.
• Expert Insight:
  • Small and medium-sized enterprises (SMEs) are particularly vulnerable, often serving as gateways in larger supply chains.
  • They're frequent ransomware and phishing targets due to limited defenses.
• Insurance Bureau of Canada Survey:
  • Only half of SMEs believe they're vulnerable.
  • Only 6% think a cyber incident will affect them.

Notable Quotes:

“Don’t underestimate the threat. Don’t assume that because you’re an SME that you’re not going to be a victim of a cyber incident.” — Sami Khoury (Head of the federal government’s cybersecurity program) [12:45]

“The bottom line is: whether you’re a large enterprise or an SME, confidence isn’t resilience.”
— Jim Love [13:35]

4. CISA Cuts Ties with Center for Internet Security

[14:00–17:45]

• What Changed:
  The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ended its agreement with the Center for Internet Security (CIS), which supplied:
  • ALBERT intrusion detection sensors (vital for small municipalities)
  • Threat intelligence feeds
  • Incident response resources
• Impact:
  Many small/local governments will lose their only affordable detection tool—right as threat activity is escalating.
• Timing:
  This cut is not related to the wider U.S. government shutdown but is separate—and comes at the very start of Cybersecurity Awareness Month.
• Larger Implications:
  Removing this support now “weakens the entire U.S. Security ecosystem” ([17:00]).
• Metaphor:

  “Taking away one of their most trusted sources of defense in the middle of a shutdown is like pulling firefighters off duty while the forest is already burning.”
  — Jim Love [16:23]

Timestamps for Key Segments

• Red Hat GitLab Breach: [00:01–04:45]
• CLOP Targets Oracle EBS: [04:45–09:45]
• Canadian SME Overconfidence: [09:45–14:00]
• CISA–CIS Support Termination: [14:00–17:45]

Memorable Quotes

• “If those CERs and embedded secrets are real, attackers could walk in using working tokens and network maps, skipping the front door entirely.”
  — Jim Love [03:30]

• “This gang pulled off some of the most damaging enterprise attacks of the past five years... That track record explains why this extortion should be taken seriously...”
  — Jim Love [08:05]

• “Don’t underestimate the threat. Don’t assume that because you’re an SME that you’re not going to be a victim of a cyber incident.”
  — Sami Khoury [12:45]

• “The bottom line is: whether you’re a large enterprise or an SME, confidence isn’t resilience.”
  — Jim Love [13:35]

• “Taking away one of their most trusted sources of defense in the middle of a shutdown is like pulling firefighters off duty while the forest is already burning.”
  — Jim Love [16:23]

• “Cybersecurity is only as strong as the weakest link. State and local governments are often where attackers start.”
  — Jim Love [17:00]

Summary

This episode highlights major, multifaceted cyber risks and institutional gaps—from Red Hat’s exposed credentials to the fragility of local governments’ cyber defenses in the wake of CISA’s decision. Key takeaways include:

• Don’t delay in rotating exposed credentials after consulting-related breaches.
• Take extortion threats seriously when they have credible backing.
• Overconfidence is risky—test, verify and upgrade cyber readiness continuously.
• Policy changes can have immediate real-world impacts on cyber resilience, especially for resource-strapped public sector organizations.

Love’s tone is urgent and practical, emphasizing actionable steps while calling out systemic vulnerabilities—to remind listeners that effective cybersecurity demands constant vigilance and collective responsibility.