A
You're listening to the Cyberwire network, powered by N2K.
B
And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.

A critical zero-day in Oracle E-Business Suite is under active exploitation. ICE plans a major expansion of its social media surveillance operations. Discord confirms a third-party data breach. A critical vulnerability in the Unity game engine could allow arbitrary code execution. New variants of the XWorm remote access Trojan spread through phishing campaigns. Researchers uncover a critical command injection flaw in Dell storage appliances. There's been a sharp surge in reconnaissance scans targeting Palo Alto Networks' login portals. A new hacking competition offers $4.5 million in prizes for exploits targeting major cloud and AI software. We've got our Monday Business Brief. On our Afternoon Cyber Tea segment with Microsoft's Ann Johnson, Ann and guest Volker Wagner, Chief Information Officer at BASF, share some lessons from the front lines of industrial security. And don't spend that ParkMobile settlement all in one place.

October 6, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. Happy Monday. It is great, as always, to have you with us.

A critical zero-day vulnerability in Oracle E-Business Suite is being actively exploited after proof-of-concept code was released. The flaw, rated 9.8, enables unauthenticated remote code execution over HTTP. Attackers are using reverse shell commands to gain persistent access. Forensic evidence links the exploit toolkit to groups such as Scattered Spider, Lapsus$ and Clop. Oracle urges immediate patching, noting only supported systems will receive fixes. Organizations can detect exposure using Nuclei templates or Shodan queries. Continuous monitoring and patch validation are essential to mitigate this active threat.

U.S. Immigration and Customs Enforcement, you know them as ICE, is planning a major expansion of its social media surveillance operations, seeking to hire nearly 30 private contractors to monitor platforms such as Facebook, TikTok and YouTube for intelligence that could inform deportation raids and arrests, according to federal contracting records reviewed by Wired. The program would operate from ICE's targeting centers in Vermont and Southern California, running 24/7 and processing cases within hours. Contractors will use open source intelligence and commercial databases like LexisNexis and CLEAR to assemble digital dossiers. Planning documents also invite proposals incorporating artificial intelligence and automated data collection. Privacy groups, including the ACLU and the Electronic Privacy Information Center, warn that ICE's growing use of surveillance technologies and data brokers threatens civil liberties and may blur the line between immigration enforcement and political monitoring. ICE has not yet commented on the proposal, which remains in early planning stages.

Discord has confirmed a data breach affecting users who contacted its support or Trust and Safety teams after a third-party customer service vendor was compromised. Exposed data includes names, emails, billing details and, in some cases, government ID images. Attackers also accessed IP addresses, messages and attachments, allegedly seeking ransom. Discord emphasized its own systems were not breached, cut off vendor access and alerted law enforcement. The company calls the impact limited, though it hasn't disclosed how many users were affected.

A critical vulnerability in the Unity game engine could allow attackers to execute arbitrary code through compromised Unity-built apps, affecting Android, Windows, Linux and macOS users. The flaw lets malicious files exploit app permissions to access confidential data, though Unity says any code execution remains limited to the app's privilege level. No active exploitation has been detected, and patches are now available. Microsoft urged users to keep games updated and ensure Defender protection is enabled, while Steam is blocking risky launch parameters. The bug, discovered by researcher RyotaK of GMO Flatt Security, underscores the vast risk tied to Unity's global footprint, powering major titles like Pokémon Go and the mobile version of Call of Duty.

New variants of the XWorm remote access Trojan are spreading through phishing campaigns months after its creator, XCoder, abandoned the product. The latest versions are being adopted by multiple threat actors and now include over 35 modular plugins for data theft, remote control, file encryption and ransomware. Researchers at Trellix report new infection chains combining social engineering and technical exploits, including malicious JavaScript, Excel macros and fake executables. The ransomware module encrypts user files and demands payment via Bitcoin. XWorm's architecture supports extensive surveillance and credential theft across browsers, email clients and crypto wallets. Despite its origins as a cracked underground tool, it remains a growing multipurpose threat across global campaigns, emphasizing the need for layered defenses, EDR monitoring and strict email filtering.

Researchers at watchTowr uncovered a critical command injection flaw in the Dell Unity VSA storage appliance. The bug allows unauthenticated attackers to execute arbitrary commands by exploiting a flaw in the system's login redirection logic, where unsanitized URIs are passed into a Perl command string. The latest version fixes the issue. Dell rates it with a high severity of 7.3, although others call it critical with a 9.8. Organizations should upgrade immediately.

Security researchers at GreyNoise report a sharp 500% surge in reconnaissance scans targeting Palo Alto Networks' login portals, with activity peaking at 1,300 IPs on October 3, compared to a typical volume below 200. Most scanning originated in the US, and 93% of IPs were flagged as suspicious. GreyNoise noted that similar surges have sometimes preceded new vulnerability disclosures, though no direct link has been established here. The activity mirrors recent spikes in Cisco ASA and other remote access product scans, showing overlapping tooling and TLS fingerprints. The increase underscores continued attacker interest in security appliances, which often serve as high-value network entry points. GreyNoise is continuing to monitor whether this surge signals emerging vulnerabilities or coordinated reconnaissance efforts.

Cloud security firm Wiz has launched Zero Day Cloud, a new hacking competition offering $4.5 million in prizes for exploits targeting major cloud and AI software, backed by AWS, Google Cloud and Microsoft. The contest runs live at Black Hat Europe, with entries due December 1st. Categories include AI, Kubernetes, containers, web servers, databases and DevOps tools, with top rewards reaching $300,000. Despite strong industry support, Trend Micro has accused Wiz of copying Pwn2Own rules verbatim.

This week's Monday Business Brief highlights a surge of mergers, acquisitions and investments shaping the global AI and cloud landscape. Accenture announced plans to acquire Japan's Idomey Inc. to strengthen its LearnVantage service, while HoneyBook bought Fine.dev to expand its AI development capabilities. Harness acquired Qwiet AI to enhance application security, and Taoping finalized a $21.3 million deal for Skyladder Group. Meanwhile, Liatrio purchased Superorbital's IP to merge consulting with advanced training. On the investment front, Cerebras Systems raised $1.1 billion to expand AI chip innovation, while Vercel secured $300 million to scale its AI cloud platform. Other notable rounds include Dscope at $88 million, Xania at $18 million, Mondu with $17.5 million, Gelt with $13 million, Long I at $5 million and Hupside at $1.7 million. Clearwater and Inorbit AI also received undisclosed strategic and Series A funding, respectively. Ethan Cook is the editor of our CyberWire Pro Business Brief newsletter. You can learn more and subscribe at.

Coming up after the break, what does it really take to defend one of the world's largest chemical companies? Guest Volker Wagner joins N2K CyberWire's Afternoon Cyber Tea podcast with Microsoft's Ann Johnson. And don't spend that ParkMobile settlement all in one place. Stick around.

At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale, with the highest ROI. That's why the most trusted brands and largest banks, retailers and health care companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

What's your 2am security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast, which you can find right here on the N2K CyberWire network. Ann recently got together with her guest Volker Wagner, Chief Information Security Officer at BASF, to share some lessons from the front lines of industrial security.
A
Today I'm excited to be joined by Volker Wagner, Chief Information Security Officer at BASF. I'm absolutely thrilled that you joined us today. What first drew you to cybersecurity, and how has your leadership philosophy evolved over time?
C
Like for many of us, it was an incident which brought me into the cyber arena. More than 20 years back I worked with a German telecommunications company in internal audit. I wanted to go to the front seat and have more the steering wheel in the hand. And so it's a bit coming from the reactive to the proactive side, and a bit more from the, I would say, from the control perspective to a security-by-design perspective. And I think it reflects a bit what we all have achieved as cybersecurity experts and leaders in the past couple of years, that more and more we developed ourselves so that we are more in the front row. And so here I am now, and looking very much forward to our talk today. So if it comes to the threat situation for us, I would say a lot is related to the numbers we have in our group. So we have more than 110,000 employees spread over 150 countries in the world, a large digital footprint, including some high-value targets. If you ask me about what are the most concerning threats, the most serious risks which I'm concerned about, for sure number one is espionage or APT attacks on our business secrets, on our ground rules. And secondly, more and more we see destructive attacks, ransomware attacks on our systems, on our plants, on our supply chains, but on the basic infrastructure of IT as well.
A
I'm curious how you think about resilience, because, as you know, you and I have talked about this, it is a strategic imperative. But when you think about cyber resilience across all of your businesses, what are the key pillars of your strategy, and how are you trying to achieve it?
C
So we decided to change our paradigm, and we introduced our so-called zero trust strategy. We deploy the three basic principles. Assume the breach: so you have to accept, and I told it to my board of directors, that we never ever can go for 100% prevention. We have to assume that already some elements of our networks might be compromised. Never trust, always verify: have your controls in place. And provide least privilege access: try to reduce the damage potential. We try to introduce this very, very practically, and I want to elaborate it maybe in four domains. If devices are not patched on the latest operating system version, we don't grant access from remote anymore. We believe with these three elements we prepare ourselves and make us more mature in the future.
A
The business you're in, though, is very innovative, right? You have to be innovative, and innovation, resilience, cyber can often seem to be friction, right? People talk about how the cyber team can also create friction in that innovation. How do you see the promise and the risk of balancing innovation across your cyber organization when you're thinking about security and trying to support the business?
C
I think innovation is key for every business function. We are heavily working on this to explore, for sure, AI tools and enabling our cybersecurity workforce. Maybe I can give you some of the examples of what we are striving for. It's a journey we embarked on; with some of the elements we are a bit more ahead, with others we are in the early phase. Let's take, for example, the use cases that we use AI for: data labeling and classification, incident playbooks augmented by AI solutions, AI-supported pen tests, awareness and phishing simulations, third-party risk assessment. In our SOC, the tier one level is usually flooded with alerts. An AI tool is never tired, is less nevertheless concentrated, and we can eliminate the human bias as well.
A
I love that. I think that there will continue to be innovation in cyber, as you know, and particularly with artificial intelligence and automation, and as leaders we have to be prudent where we deploy it, but also leverage it for the best capabilities and also to help our staff. So can you talk about, from your point of view, what does meaningful industry collaboration look like, and how can organizations better support each other?
C
Yeah, I would say firstly it starts with our heads, with our own mindsets. So as security professionals we have been educated over years that we have to keep everything strictly confidential and we have to hatch our own castles within the companies. We have to open up. If we strive for collective defense, we have to go into partnerships, we have to share not only threats and risks, but we really have to do. We have to collaborate real time in incidents. And my learning is that you cannot say from tomorrow on we will trust each other. Trust will increase by shared experiences and close interaction. And therefore, once again, I'm really, really super happy that you initiated this collective defence approach and that we can partner with you here in Germany and Europe to bring our internal forces.
B
That's Microsoft's Ann Johnson speaking with Volker Wagner from BASF. Be sure to check out the complete Afternoon Cyber Tea podcast wherever you get your favorite podcasts.
A
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone.
B
Learn more at WhatsApp.com.

This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast, and even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit at Indeed.com/podcast. Terms and conditions apply.

And finally, after nearly four years and a $32.8 million class action settlement, ParkMobile has finally compensated victims of its 2021 data breach to the tune of one whole dollar. Yes, affected users are receiving a dollar in app credit, dispensed as four dazzling 25-cent discounts expiring in 2026, unless you're in California, where small mercies never expire. The breach exposed data from 22 million accounts, including names, emails, license plates and hashed passwords. ParkMobile denied wrongdoing, of course, while urging users to manually claim their reward via a code, because convenience apparently wasn't part of the settlement. Adding insult to micro-injury, ParkMobile also warned of fresh phishing scams targeting its customers. So if you get a text asking for payment, ignore it, unless it's your dollar credit, which, let's face it, you've already earned the hard way.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. One quick note before we wrap up. I've been nominated for the SANS Difference Maker Award in the Media Creator of the Year category. I'm honored to be recognized and would appreciate your support. You'll find a link to vote in our show notes, and voting is open until Wednesday, October 8th.

Thanks for listening and for being part of the N2K CyberWire community. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 6, 2025
Host: Dave Bittner, N2K Networks
This episode centers on major cybersecurity news, with headline focus on a critical zero-day affecting Oracle E-Business Suite now under active exploitation, alongside a sweep of current cyber threats, vendor vulnerabilities, and industry trends. It features a substantive interview with Volker Wagner (Chief Information Security Officer, BASF) on industrial cyber resilience, innovation, and collaborative defense.
“Afternoon Cyber Tea” segment (begins 14:17)
"Like for many of us it was an incident which brought me into the cyber arena… More than 20 years back I worked in internal audit… I wanted to go to the front seat… from the reactive to the proactive side…"
— Volker Wagner (14:30)
"Innovation is key … We are heavily working on this to explore for sure AI tools… AI for data labeling, incident playbooks, AI-supported pen tests… Awareness and phishing simulations, third party risk assessment."
— Volker Wagner (17:38)
"Firstly it starts with our heads, our own mindsets… If we strive for collective defense, we have to go into partnerships, we have to share not only threats and risks, but we really have to do. We have to collaborate real time in incidents…"
— Volker Wagner (18:54)
On Accepting Breach Reality:
"We never ever can go for 100% prevention. We have to assume that already some elements of our networks might be compromised."
— Volker Wagner (16:15)
On the Need for Real Collaboration:
“Trust will increase by shared experiences and close interaction.”
— Volker Wagner (18:54)
On AI’s Role in Security Operations:
“An AI tool is never tired, is less nevertheless concentrated and we can eliminate the human bias as well.”
— Volker Wagner (17:38)
Humorous Wrap-up on the ParkMobile Settlement:
“After nearly four years and a $32.8 million settlement, ParkMobile has finally compensated victims… to the tune of one whole dollar. Yes, affected users are receiving a dollar in app credit dispensed as four dazzling 25 cent discounts…”
— Dave Bittner (20:44)
This episode provides actionable intelligence on active threats (Oracle, Unity, Dell, XWorm), state cyber policy trends (ICE’s surveillance), and the impact of supply chain and vendor vulnerabilities (Discord). The Volker Wagner interview delivers an authentic, candid look at enterprise security leadership—in particular, the necessity of zero trust, the balancing act of innovation and defense, and the value of industry collaboration. The show’s style—authoritative but approachable—ends with a wry take on the realities of breach settlements for everyday users.
Listeners gain both up-to-the-minute analysis and enduring lessons from leaders on the cyber front lines.