CyberNews: 08/10/2025 Edition

Published by Dunateo on 2025-10-08

Today’s roundup

  • Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave
  • LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem
  • Severe Figma MCP Vulnerability Lets Hackers Execute Code Remotely — Patch Now
  • OpenAI Disrupts Russian, North Korean, and Chinese Hackers Misusing ChatGPT for Cyberattacks
  • BatShadow Group Uses New Go-Based 'Vampire Bot' Malware to Hunt Job Seekers
  • ShinyHunters Wage Broad Corporate Extortion Spree
  • Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution
  • U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog
  • GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns
  • Cybercrime crew claims attack on Japanese brewer as it restarts operations

Summary

    China-linked threat actors weaponized the open-source Nezha server-monitoring tool in an August 2025 campaign: they gained a foothold through log poisoning of an exposed phpMyAdmin panel, planted a web shell, installed the Nezha agent and then used Nezha's remote-command feature to push Gh0st RAT to the victim hosts.

    Prominent groups LockBit, Qilin, and DragonForce announced a strategic ransomware alliance, aiming for more effective coordinated attacks.

    A remote code execution vulnerability (CVE-2025-53967, CVSS 7.5, high severity) in the figma-developer-mcp server has been patched. The bug is a classic command injection: a fallback code path built a shell command line from unsanitized parameters supplied in the MCP tool call, so a crafted value run through an AI agent could execute arbitrary commands on the host running the server. Update the package, and treat any MCP server that shells out with request data as a risk until it passes arguments without a shell.

    OpenAI disrupted three clusters of Russian, North Korean, and Chinese state-affiliated hackers misusing ChatGPT for malware development, including RATs and credential stealers.

    Vietnamese threat actor BatShadow uses new Go-based "Vampire Bot" malware in social engineering campaigns, targeting job seekers with malicious job descriptions.

    ShinyHunters, a cybercrime group linked to Scattered Spider and Lapsus$, is running a broad corporate extortion spree touching Salesforce, Red Hat and Discord. The tactics differ per victim: voice phishing of Salesforce customers to steal CRM data (many Fortune 500 firms affected), compromise of a Red Hat consulting GitLab instance, and a Discord breach through a third-party support vendor. Separately, the Clop extortion crew exploited a critical Oracle E-Business Suite zero-day (CVE-2025-61882) in attacks dating back to August 2025. Salesforce has said it will not pay the ransom demands, and law enforcement has made arrests.

    Redis patched a 13-year-old critical RCE flaw (CVE-2025-49844, "RediShell", CVSS 10.0) in its embedded Lua scripting engine; fixes shipped in Redis 8.2.2, 8.0.4, 7.4.6, 7.2.11 and 6.2.20. Discovered by Wiz, the use-after-free bug lets any client that can submit a Lua script escape the sandbox and run arbitrary code on the host. "Authenticated" is a weak barrier here: Redis ships without a password, so any instance exposed to the network with no requirepass or ACL users is attackable by anyone who can reach it. Wiz estimates that roughly 75% of cloud environments run Redis. Until patched, deny the @scripting category to application ACL users and keep instances off the public network.

    CISA added a Synacor Zimbra Collaboration Suite (ZCS) flaw (CVE-2025-27915) to its KEV catalog. The bug is a stored XSS in the Classic Web Client triggered by a crafted iCalendar (ICS) attachment; the injected script runs inside the victim's mailbox session and can hijack it and exfiltrate mail. Zimbra fixed it in ZCS 9.0.0 Patch 44, 10.0.13 and 10.1.5, and exploitation was observed earlier in 2025 before the KEV listing. Federal agencies must patch by October 28, 2025.

    Storm-1175, a Medusa ransomware affiliate, has been exploiting a maximum-severity GoAnywhere MFT zero-day (CVE-2025-10035, CVSS 10.0) since at least September 10, 2025, about a week before Fortra published its advisory. The flaw is a deserialization bug in the product's License Servlet that gives pre-authentication remote code execution; observed intrusions dropped RMM tools for persistence, used Rclone for exfiltration and finished with Medusa ransomware. Fortra fixed it in GoAnywhere MFT 7.8.4 and Sustain release 7.6.3, and the admin console should not be reachable from the internet.

    The Qilin ransomware gang claimed responsibility for the late-September cyberattack on Japanese brewer Asahi that halted its ordering and shipping systems. Asahi has since restarted production, initially with manual order processing.


    Vulnerabilities

    CVE-2025-61882 Critical
    CVE-2025-49844 Critical
    CVE-2025-27915 Medium
    CVE-2025-10035 Critical
    CVE-2025-53967 High