
In this episode of Cybersecurity Today, host David Shipley discusses several major events, including the FBI's takedown of the Breach Forums portal. This site was associated with a significant Salesforce data breach and extortion campaign led by...
FBI takes down BreachForums portal used for Salesforce extortion. New critical Oracle E-Business Suite vulnerability announced this weekend. And compromised American IoT devices fueling a massive botnet. This is Cybersecurity Today and I'm your host, David Shipley. Back on the road this fall: Tuesday morning, off to the InCyber conference in the Paris of North America, also known as Montreal.

The FBI has struck a major blow against one of the Internet's most notorious hacker communities, taking down a key domain tied to the massive Salesforce data breach and extortion campaign. The domain in question, BreachForums.hn, has been a familiar name in the cybercriminal world. It's where hackers have traded stolen data, leaked credentials, and bragged about their exploits. This summer, a group known as ShinyHunters tried to bring it back to life after several of its alleged operators were arrested. But the revival didn't last long. By October, the site had been repurposed by a gang calling itself Scattered Lapsus Hunters, a mashup of members claiming ties to ShinyHunters, Scattered Spider and the Lapsus extortion crews. Their goal? To extort companies hit by the Salesforce data theft campaign this summer that had been making headlines. Last week, both the public website and its Dark Web twin suddenly went offline. The Dark Web version popped back up a few hours later, but the main domain did not. Then came the unmistakable sign: the FBI seizure banner. The Bureau, working with French authorities, confirmed they'd taken over BreachForums' infrastructure to stop hackers from leaking Salesforce data stolen from dozens of major companies. As of the weekend, the domain's name servers have been switched over to the US Government's seized network. Not long after the takedown, ShinyHunters broke their silence on Telegram in a message verified with their PGP encryption key, basically the signature that they use to prove they are who they say they are. They admitted what everyone suspected.
The FBI now controls their databases, going all the way back to 2023. In their words, quote, "the era of forums is over," end quote. They warned that any new BreachForums claiming to rise from the ashes should be considered honeypots: law enforcement traps for hackers. Interestingly, they said no core team members had been arrested, but they say they will not relaunch the forum. Scattered Lapsus Hunters said Saturday it had leaked data stolen from six victims: grocery giant Albertsons, global energy and services firm Engie Resources, Japanese camera maker Fujifilm, clothing retailer Gap, the Australian airline Qantas and Vietnam Airlines. And the list of companies potentially affected by these Salesforce breaches done by these gangs is staggering: FedEx, Disney, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France-KLM, TransUnion, HBO Max, UPS, Chanel, and even poor IKEA, just to name some. The hackers claim to have stolen over 1 billion records containing customer data. If it's true, this could be one of the largest data thefts we've seen in recent years.

Oracle's headaches continue. There's a serious new warning from Oracle out this weekend, and if your organization relies on Oracle's E-Business Suite, you want to pay attention. A newly discovered vulnerability could let hackers access your company's data without even having to log in. And it's not a theoretical risk. It's a new high severity flaw, tracked as CVE-2025-61884 with a CVSS score of 7.5. That's in the serious business category of security issues. The bug affects E-Business Suite versions 12.2.3 through 12.2.14 and specifically targets a component called Oracle Configurator, which helps manage custom product configurations and business data.
According to the National Vulnerability Database, this flaw is, quote, "easily exploitable by unauthenticated attackers," meaning anyone on the same network with HTTP access could exploit this vulnerability. Attackers leveraging this exploit gain unauthorized access to critical or complete datasets handled by the Oracle Configurator module. Oracle confirmed the bug can be exploited remotely and doesn't require authentication. That's always dangerous. That means the only layer we have is whether this thing is exposed to the Internet or not. The company urges users to apply patches immediately, though at this point there's no evidence it's being actively exploited in the wild. Whenever you hear that phrase, "there's no evidence it's being actively exploited in the wild," always add "yet," and that advice should always be cold comfort given the intense amount of unhealthy hacker attention being directed at this particular software suite and how trivial it is now to convert documented vulnerabilities into malicious POC code within minutes, thanks to AI. Oracle's Chief Security Officer Rob Duhart clarified the flaw only affects some deployments of E-Business Suite, and did warn that it could be weaponized quickly if left unpatched. Based on ESET's research this summer, I can give you right now a quick estimate of how long it likely took to start weaponizing this with POC code: about 15 minutes. And of course, this attack isn't coming out of left field. It follows a pattern in the recent wave of very highly targeted attacks on this Oracle business suite. Just last week, researchers at Google's Threat Intelligence Group and Mandiant revealed that dozens of organizations were compromised through another Oracle E-Business Suite flaw, CVE-2025-61882, a 9.8 CVSS zero day that attackers were having a field day with. While investigators haven't named the specific group, the activity shows patterns similar to those used by hackers tied to the Clop ransomware gang.
And it matches their M.O. They love finding a particular suite of software and really digging in and exploiting it for maximum pain. So what's the takeaway here? If your company runs Oracle E-Business Suite, it's beyond time to check that version number. Read Oracle's advisory, and if you're vulnerable, apply that patch. Waiting any longer is asking for trouble, particularly if this is Clop. Now, for Oracle, the timing on announcing this was awful. I get that it's a damned if you do, damned if you don't scenario, but releasing a security warning like this on a Saturday of a long weekend in Canada and the US is not great for already stressed out IT teams.

Guess who's back? Well, it's not Shady this time. It's Aisuru. And it's likely this particular bad botnet is running on your neighborhood ISP network. If you're an American, the world's largest and most dangerous botnet is now running on your, or if it's not yours, maybe your neighbor's, router or other IoT device. According to Brian Krebs at Krebs on Security, the Aisuru botnet is using hundreds of thousands of hacked Internet of Things devices, things like routers, security cameras, and DVRs, to unleash the biggest denial of service attacks the world has ever seen. Last week, Aisuru fired off a test blast that peaked at nearly 30 terabits per second. That's enough to overwhelm almost any system on earth. Aisuru has been quietly growing for more than a year, outcompeting every other IoT botnet in the wild. And what's new and troubling is that most of its firepower now seems to be coming from infected devices hosted on US Internet providers like AT&T, Comcast, Charter, T-Mobile, and Verizon. That means when the botnet launches an attack, it's not coming from some distant country. It's coming from right within the core North American networks. And the resulting flood of junk traffic can even slow down Internet service for legitimate users.
Security experts told Krebs on Security last week that these outbound DDoS blasts are becoming just as disruptive as receiving an inbound one. ISPs may be able to absorb attacks coming at them, but when their own customers' devices are unknowingly participating in the attacks, every connection suffers. Recent victims include hosting providers that support Minecraft servers. These are favorite targets for DDoS gangs, who use the attacks to knock out competitors and extort protection money. One provider in Australia saw its network flooded with 15 terabits per second of junk traffic, forcing its upstream carrier to drop it as a customer entirely. Krebs notes that many of these attacks are being traced back to consumer devices with outdated firmware and default passwords, the same weaknesses that powered the infamous Mirai botnet nearly a decade ago. And of course, that's no coincidence. Aisuru is built on Mirai's leaked source code, and just like its predecessor, it's believed to be run by a small group of operators who also sell DDoS mitigation and residential proxy services on the side, essentially making money both from defense and from offense. The big picture here: the Aisuru botnet shows that our weakest devices are still the Internet's biggest threat, and that poor patching and cheap hardware have global consequences. As one expert told Krebs on Security, the need for effective outbound DDoS suppression has never been more urgent. For now, for all of us potentially on the firing line of an Aisuru blast, the best defense is making sure that your devices are updated and properly secured and that they're not using factory default settings, so you're not part of the problem, because the next record breaking attack may be coming quite literally from our own living rooms.

Finally, on a different and more positive note, a quick shout out to the fantastic folks at the Indiana Toll Road for holding cybersecurity awareness sessions for their local community.
They did a session at their local university campus and they even had some great local TV coverage. Awesome job. And if you're listening and your organization is doing cybersecurity awareness work in the community, let me know on LinkedIn. I'd love to highlight examples like this all month long. And most importantly, for all of you listening who are out in the community making the most of Security Awareness Month, helping secure your neighbors and others: thank you for doing that.

Those are your updates for Tuesday, October 13th, and in 2025, the old horror trope of the call, or in this case the DDoS attack, really is coming from inside the house this time. And yes, for those wondering, I am thinking about going as a zombie router for Halloween. But sadly I've already been roped in to going as Uncle Fester for my wife's friend's Wednesday-themed party this year. I wonder why. We're always interested in your opinion and you can contact us at technewsday.com, or you can leave a comment under the YouTube video. Please help us spread the word about the show. Like, subscribe, think about leaving a review, and if you enjoy the show, please tell others. We'd love to grow our audience and we need your help. I've been your host, David Shipley. Jim Love will be back later this week.
Host: David Shipley (filling in for Jim Love)
Episode: "FBI Shuts Down Breach Forums and New Cyber Threats Unveiled"
Date: October 14, 2025
This episode delivers a comprehensive update on the biggest current cybersecurity threats, including the FBI's seizure of the infamous BreachForums tied to recent Salesforce-related extortion, a critical new Oracle E-Business Suite vulnerability, and the alarming expansion of the Aisuru botnet built on hacked American IoT devices. The host, David Shipley, breaks down how these incidents are shaping the risk landscape for businesses and what organizations need to prioritize to secure themselves.
Major Law Enforcement Victory:
The FBI, in collaboration with French authorities, has taken over BreachForums, a central hub for cybercriminal activity, especially related to the Salesforce data breach and subsequent extortion campaigns.
History and Evolution of Breach Forums:
BreachForums.hn had been a go-to place where hackers traded stolen data and credentials, with attempts to resurrect it by ShinyHunters and, more recently, a rebrand by "Scattered Lapsus Hunters", a group mixing elements of ShinyHunters, Scattered Spider, and Lapsus.
Seizure Details and Aftermath:
"The era of forums is over." — ShinyHunters [00:05:53]
Victim List and Potential Scope:
Scattered Lapsus Hunters claimed to have leaked data from six victims (Albertsons, Engie Resources, Fujifilm, Gap, Qantas and Vietnam Airlines); the wider list of companies potentially affected by the Salesforce campaign runs into the dozens, and the hackers claim to hold over 1 billion customer records.
Implication:
The takedown impacts global companies and signals a shift in how law enforcement is targeting illicit cyber infrastructure.
Vulnerability Breakdown:
CVE-2025-61884 (CVSS 7.5) in the Oracle Configurator component of E-Business Suite 12.2.3 through 12.2.14 is exploitable remotely over HTTP without authentication and can expose the data Configurator handles; Oracle urges immediate patching, with no in-the-wild exploitation reported at the time of the episode.
Expert Analysis:
"[This] could be weaponized quickly if left unpatched." — Rob Duhart [00:13:12]
Context and Pattern:
The advisory follows last week's disclosure by Google's Threat Intelligence Group and Mandiant that dozens of organizations were compromised through CVE-2025-61882, a CVSS 9.8 zero day in the same suite, with activity resembling that of actors tied to the Clop ransomware gang.
Actionable Recommendation:
"Waiting any longer is asking for trouble, particularly if this is Clop." — David Shipley [00:15:44]
Rise of Aisuru Botnet:
Per Krebs on Security, Aisuru has compromised hundreds of thousands of IoT devices (routers, security cameras, DVRs) and last week fired a test attack peaking at nearly 30 terabits per second.
What's Different and Why It Matters:
Most of its firepower now comes from devices on US ISPs (AT&T, Comcast, Charter, T-Mobile, Verizon), so the outbound attack traffic degrades service for those providers' own customers; one Australian Minecraft hosting provider was dropped by its upstream carrier after a 15 Tbps flood.
Technical Roots & Business Model:
Aisuru is built on Mirai's leaked source code, spreads through devices with outdated firmware and default passwords, and is believed to be run by a small group that also sells DDoS mitigation and residential proxy services on the side.
Expert Warning & Call to Action:
"The next record breaking attack may be coming quite literally from our own living rooms." — David Shipley [00:25:01]
"If you're listening and your organization is doing cybersecurity awareness work in the community, let me know on LinkedIn. I'd love to highlight examples like this all month long." — David Shipley [00:25:22]
This episode highlights evolving cyber threat tactics and the critical importance of proactive security—both for enterprise platforms and at the household device level. From major international law enforcement operations to overlooked vulnerabilities in ubiquitous business tools and home gadgets, David Shipley’s analysis equips businesses and individuals alike with the context and calls-to-action necessary in a volatile cybersecurity landscape.