This Week's Notable Security News - Issue #244

These are notes for the podcast recording.

podcast - #セキュリティのアレ - A laid-back security podcast.



Incidents and Accidents

Data leak from a Red Hat GitLab instance following unauthorized access

(10/2) Security update: Incident related to Red Hat Consulting GitLab instance - Red Hat Customer Portal

We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.

(10/2) Red Hat confirms security incident after hackers breach GitLab instance

(10/7) Red Hat Consulting breach puts over 5000 high profile enterprise customers at risk — in detail | by Kevin Beaumont | Oct, 2025 | DoublePulsar


Discord user personal information leaked through unauthorized access at a third-party vendor

(10/3) Update on a Security Incident Involving Third-Party Customer Service

(10/4) Discord discloses data breach after hackers steal support tickets


Attacks and Threats

Scattered LAPSUS$ Hunters publishes data stolen from Salesforce customers on a leak site all at once

(10/3) Security Advisory: Ongoing Response to Social Engineering Threats

We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology. We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support. As we continue to monitor the situation, we encourage customers to remain vigilant against phishing and social engineering attempts, which remain common tactics for threat actors.

(10/3) ShinyHunters launches Salesforce data leak site to extort 39 victims

(10/7) Salesforce refuses to pay ransom over widespread data theft attacks


Extortion campaign using data stolen by exploiting an Oracle E-Business Suite vulnerability

(10/4) Apply Oracle Security Alert CVE-2025-61882 for Oracle E-Business Suite (EBS)

Updated [10/04/2025]: Oracle has issued Oracle Security Alert Advisory – CVE-2025-61882 to provide updates against additional potential exploitation that were discovered during our investigation. We strongly recommend Oracle E-Business Suite (EBS) customers apply the guidance provided by this Security Alert as soon as possible. We also reaffirm our strong recommendation that customers stay up to date with Critical Patch Updates.

(10/4) Oracle Security Alerts CVE-2025-61882

(10/6) Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882)

(10/6) CrowdStrike Identifies Campaign Targeting Oracle E-Business Suite via Zero-Day Vulnerability Tracked as CVE-2025-61882

CrowdStrike is tracking a mass exploitation campaign almost certainly leveraging a novel zero-day vulnerability — now tracked as CVE-2025-61882 — targeting Oracle E-Business Suite (EBS) applications for the purposes of data exfiltration.

CrowdStrike Intelligence assesses with moderate confidence that GRACEFUL SPIDER is likely involved in this campaign but cannot rule out the possibility that multiple threat actors have exploited CVE-2025-61882. The first known exploitation occurred on August 9, 2025; however, investigations remain ongoing, and this date is subject to change.

CrowdStrike Intelligence further assesses that the October 3, 2025 proof-of-concept (POC) disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors — particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications.

(10/10) Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign | Google Cloud Blog

Beginning Sept. 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand. The actor began sending a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims' Oracle E-Business Suite (EBS) environments. On Oct. 2, 2025, Oracle reported that the threat actors may have exploited vulnerabilities that were patched in July 2025 and recommended that customers apply the latest critical patch updates. On Oct. 4, 2025, Oracle directed customers to apply emergency patches to address this vulnerability, reiterating their standing recommendation that customers stay current on all Critical Patch Updates.

Our analysis indicates that the CL0P extortion campaign followed months of intrusion activity targeting EBS customer environments. The threat actor(s) exploited what may be CVE-2025-61882 as a zero-day vulnerability against Oracle EBS customers as early as Aug. 9, 2025, weeks before a patch was available, with additional suspicious activity dating back to July 10, 2025. In some cases, the threat actor successfully exfiltrated a significant amount of data from impacted organizations.


IIJ reports on an infostealer malware distribution campaign using emails disguised as copyright infringement notices

(10/7) Infostealer malware distribution campaign using emails disguised as copyright infringement notices – wizSafe Security Signal -安心・安全への道標- IIJ


OpenAI reports on activity abusing its own AI models

(10/7) Disrupting malicious uses of AI: October 2025 | OpenAI


Rakuten Securities issues a warning about real-time phishing scams

(10/10) Beware of real-time phishing scams | Rakuten Securities (楽天証券)


Vulnerabilities

CISA adds 7+1+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(10/6) CISA Adds Seven Known Exploited Vulnerabilities to Catalog | CISA

(10/7) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2025-27915 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

(10/9) CISA Adds One Known Exploited Vulnerability to Catalog | CISA


Other