Midweek Patch Panic: Oracle’s Zero‑Day, Red Hat’s Repo Raid, and BRICKSTORM in the Walls
This week showed up with a zero‑day, a repo rummage, and an appliance backdoor that thrives where your EDR can’t follow. Oracle shipped an emergency patch, Red Hat is untangling a Consulting GitLab breach, IBM rushed fixes for identity appliances, and Talos reminded everyone not to feed untrusted files to privileged tools. Meanwhile, ransomware crews keep riding legit RMM agents, and NCSC’s guidance boils down to: log it, keep it, hunt it.
Actively Exploited: Oracle E‑Business Suite zero‑day (CVE-2025-61882)
UncleSp1d3r: Oracle dropped a security alert for CVE-2025-61882, an unauthenticated RCE in E‑Business Suite’s Concurrent Processing/BI Publisher integration, with exploitation already in the wild and linked to Cl0p/Graceful Spider. The bug lets attackers run commands over HTTP; observed outcomes include JSP web shells, data staging, and big, ugly database exports. If your EBS (12.2.3–12.2.14) is internet‑exposed, assume hostile hands have touched it; patch now, pull it off the public internet if you can’t, and start hunting for servlet filter tampering, odd cron jobs, new local accounts, and oversized exports. Oracle’s advisory has the fixes, and multiple vendors confirm active exploitation: Oracle Security Alert, CrowdStrike, Rapid7, Tenable, NVD, Dark Reading.
Plain‑English takeaway: it’s a no‑auth door into your ERP. Patch immediately; restrict external access; place EBS behind a WAF that can block known exploit traffic; and comb the app server for post‑compromise artifacts. Treat all adjacent credentials as suspect and rotate them after you validate the host. If your EBS was on the internet this week, it was basically a honeypot—act accordingly.
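The “servlet filter tampering” hunt above is easy to start from the app server’s deployment descriptors. This added example (not from the newsletter, Oracle, or any of the cited vendors) parses a web.xml and flags every filter or servlet whose implementation class sits outside an expected package prefix, together with the URL patterns a flagged filter is mapped to. The package prefixes and the sample descriptor are assumptions; on a real EBS host you would seed the allow-list from a known-good deployment and run the check against every descriptor under the application server.

```python
"""Audit a Java web.xml for filters/servlets whose classes fall outside the
expected vendor packages (added example; prefixes and sample are assumed)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumed: legitimate filters/servlets in this deployment live under these
# package prefixes. Build the real list from a known-good host.
EXPECTED_PREFIXES = ("oracle.", "weblogic.", "javax.", "com.sun.")

# Constructed sample descriptor: one vendor filter, one unexpected filter
# mapped to every URL, and one vendor servlet.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>oracle.apps.fnd.sso.SessionFilter</filter-class>
  </filter>
  <filter>
    <filter-name>HealthCheck</filter-name>
    <filter-class>org.apache.monitor.HealthCheckFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>HealthCheck</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <servlet>
    <servlet-name>OAServlet</servlet-name>
    <servlet-class>oracle.apps.fnd.framework.webui.OAServlet</servlet-class>
  </servlet>
</web-app>
"""


def audit_web_xml(xml_text, expected_prefixes=EXPECTED_PREFIXES):
    """Return (kind, name, class, url-patterns) for each filter/servlet whose
    class does not start with an expected prefix. {*} ignores the namespace."""
    root = ET.fromstring(xml_text)

    # filter-name -> list of url-patterns, so a flagged filter shows its reach.
    mappings = defaultdict(list)
    for m in root.iterfind(".//{*}filter-mapping"):
        name = m.findtext("{*}filter-name", default="")
        for p in m.iterfind("{*}url-pattern"):
            mappings[name].append((p.text or "").strip())

    findings = []
    for kind in ("filter", "servlet"):
        for node in root.iterfind(f".//{{*}}{kind}"):
            name = node.findtext(f"{{*}}{kind}-name", default="?")
            cls = (node.findtext(f"{{*}}{kind}-class", default="") or "").strip()
            if cls and not cls.startswith(expected_prefixes):
                findings.append((kind, name, cls, ",".join(mappings.get(name, []))))
    return findings


if __name__ == "__main__":
    for kind, name, cls, urls in audit_web_xml(SAMPLE_WEB_XML):
        print(f"[unexpected {kind}] {name}: {cls} mapped to {urls or '(no mapping)'}")
```

A filter mapped to `/*` with a class nobody can account for is exactly the kind of artifact to pull the host for; pair the descriptor check with a file-modification-time sweep of the same directory so a filter that was edited rather than added also stands out.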
Breach Desk: Red Hat Consulting’s GitLab got raided
KryptoKat: Red Hat confirmed unauthorized access to a self‑hosted GitLab used by its Consulting org, while an actor calling itself “Crimson Collective” claims ~570 GB of compressed data exfiltrated from roughly 28,000 private repos. That’s a lot of potential secrets: API keys, DB URIs, CI/CD tokens, runner creds, and Customer Engagement Reports—exactly the stuff attackers turn into lateral movement, extortion, and laser‑targeted phishing. Red Hat says it’s notifying impacted customers and investigating; customers should assume anything stored in those repos or CI variables might be exposed and rotate credentials now. Details: Red Hat’s incident update, plus coverage from BleepingComputer, SecurityWeek, The Register, and Check Point.
Immediate priorities: run secret scans across repos and CI variables, revoke and rotate tokens, force password resets and MFA for admins, developers, and service accounts, and audit GitLab access logs, export/download events, runner logs, and personal access token usage. Keep forensics quality logs and snapshots; you’ll want them when legal asks “what exactly left?” And yes, monitor extortion forums—because of course that’s next.
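To make “run secret scans across repos and CI variables” concrete, here is an added example (not Red Hat’s or GitLab’s tooling) that sweeps a set of repository files and a CI variable map for a handful of common credential shapes and reports redacted hits. The pattern set, the sample files, and the CI variables are constructed for illustration; in production you would run a maintained ruleset and treat every hit as a token to revoke, not just a line to delete.

```python
"""Scan repository text and CI variables for common secret shapes
(added example; patterns and sample data are constructed)."""
import re

# Assumed detector set; a maintained ruleset will be far broader.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20,}\b"),
    "db_uri_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s/]+@"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|secret|token|api[_-]?key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed sample repo contents and CI variables.
SAMPLE_FILES = {
    "deploy/config.yml": "db_url: postgres://svc_user:Hunter2Hunter2@db.internal:5432/app\n",
    ".gitlab-ci.yml": 'variables:\n  TOKEN: "glpat-abcdefghijklmnopqrstuv"\n',
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; do not commit it.\n",
}
CI_VARIABLES = {
    "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",  # AWS's documented example id
    "DEPLOY_ENV": "prod",
}


def scan_text(source, text):
    """Return one finding per (line, pattern) hit; the match is redacted to
    its first six characters so the report itself does not leak the secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                hit = m.group(0)
                findings.append({
                    "source": source, "line": line_no, "kind": kind,
                    "redacted": f"{hit[:6]}...({len(hit)} chars)",
                })
    return findings


def scan_repo(files):
    """files: mapping of path -> text content."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_ci_variables(variables):
    """CI variables are scanned by value; the source is tagged 'ci:<name>'."""
    return [f for name, value in variables.items()
            for f in scan_text(f"ci:{name}", value)]


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES) + scan_ci_variables(CI_VARIABLES):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['redacted']}")
```

Two design points worth keeping: the report never echoes the full match, because scan output tends to end up in tickets and chat; and CI variables are scanned by value, since a variable named DEPLOY_ENV can hold a key just as easily as one named AWS_SECRET.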
Edge and Virtualization: BRICKSTORM lurks where EDR doesn’t
KryptoKat: BRICKSTORM is a stealthy, Go‑based backdoor used by UNC5221 to live for months on network/edge appliances and virtualization management servers (vCenter/ESXi), with variants for Linux/BSD and Windows. Operators favor web protocols for C2 and wildcard/cloudy infra—think sslip.io, nip.io, Cloudflare Workers (*.workers.dev), and Heroku (*.herokuapp.com)—while harvesting credentials, proxying traffic (SOCKS), cloning VMs for offline analysis, and staging quiet exfiltration. Appliances are a perfect hide because they’re under‑instrumented and often can’t run your EDR; reported dwell is measured in many, many months. Readups and tooling: Google Cloud GTIG, NVISO technical report, AlienVault OTX pulse, and Mandiant’s brickstorm‑scanner.
Defensive work: forward appliance logs to your SIEM (web, system, auth), run GTIG/Mandiant YARA against appliance filesystems and backups, and audit vCenter/ESXi for oddities—SSH suddenly enabled, new local accounts, servlet/filter tampering in management UIs, unexpected VM clone/export operations, and suspicious scheduler tasks. Segment and egress‑restrict management networks; long‑lived HTTPS/DoH beacons to the hosts above deserve a hard look. Appliances aren’t “set‑and‑forget.” They’re Tier‑0 adjacent—treat them that way.
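The “long‑lived HTTPS/DoH beacons to the hosts above deserve a hard look” advice turns into a small hunt once appliance flow logs reach the SIEM. This added example (not GTIG’s, NVISO’s, or Mandiant’s tooling) reads connection records from a management network, flags destinations under the wildcard‑DNS and cloud suffixes named above, and separately flags source/destination pairs that reconnect on a near‑constant interval. The log format, the sample flows, and the thresholds are assumptions; the suffix list comes from the write‑up above.

```python
"""Flag connections to wildcard-DNS/cloud hosts and low-jitter periodic
reconnects in appliance flow logs (added example; sample data constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Suffixes named in the BRICKSTORM reporting above.
WILDCARD_SUFFIXES = (".sslip.io", ".nip.io", ".workers.dev", ".herokuapp.com")

# Constructed flow log: timestamp,src,dst_host,dst_port,duration_s.
# 10.10.5.20 is an assumed management appliance beaconing hourly.
SAMPLE_FLOWS = """\
2025-09-01T00:00:00Z,10.10.5.20,203-0-113-10.sslip.io,443,58
2025-09-01T01:00:03Z,10.10.5.20,203-0-113-10.sslip.io,443,61
2025-09-01T02:00:01Z,10.10.5.20,203-0-113-10.sslip.io,443,57
2025-09-01T03:00:02Z,10.10.5.20,203-0-113-10.sslip.io,443,60
2025-09-01T04:00:00Z,10.10.5.20,203-0-113-10.sslip.io,443,59
2025-09-01T00:12:41Z,10.10.5.21,updates.vendor.example,443,3
2025-09-01T09:47:10Z,10.10.5.21,updates.vendor.example,443,2
"""


def parse_flows(text):
    """Yield (timestamp, src, host, port, duration) tuples from the CSV text."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, dur = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, host.lower(), int(port), int(dur)))
    return flows


def find_beacons(flows, min_hits=4, max_cv=0.2):
    """Group by (src, host); report suffix matches and periodic reconnects.
    Periodicity = at least min_hits connections whose inter-arrival gaps have
    a coefficient of variation (stdev/mean) below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, host, _port, _dur in flows:
        by_pair[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in by_pair.items():
        stamps.sort()
        reasons = []
        if host.endswith(WILDCARD_SUFFIXES):
            reasons.append("wildcard-dns/cloud host")
        if len(stamps) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg < max_cv:
                reasons.append(f"periodic every ~{round(avg)}s")
        if reasons:
            findings.append({"src": src, "host": host,
                             "hits": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['src']} -> {f['host']} ({f['hits']} hits): {', '.join(f['reasons'])}")
```

The two signals are deliberately independent: an appliance that reconnects every hour to an ordinary-looking host still merits a look, and a one‑off connection to a sslip.io name still merits a look; both together on a vCenter management interface is a drop‑everything finding.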
Vendor Patch Roundup
KryptoKat: IBM shipped fixes for multiple issues in identity infrastructure—CVE-2025-36354 (unauthenticated command injection) plus CVE-2025-36355/36356 (local script execution/priv‑esc) affecting IBM Security Verify Access (10.0.0.0–10.0.9.0) and Verify Identity Access (11.0.0.0–11.0.1.0). If exploited, you’re handing over your SSO/proxy—i.e., the keys to everything behind it. Apply Fixpack 10.0.9.0‑IF3 (Verify Access) and 11.0.1.0‑IF1 (Verify Identity), restrict management interfaces to known admin networks, enforce MFA on admin consoles, and monitor for odd process launches or new accounts. Advisories: IBM Support, Tenable CVE entry, GHSA reference.
UncleSp1d3r: Cisco Talos highlighted parser bugs where you least want them: tools you point at untrusted files. CVE-2025-23340 hits NVIDIA’s CUDA toolkit (nvdisasm/cuobjdump) with an out‑of‑bounds read on malformed ELF; Adobe’s CVE-2025-54257 is a use‑after‑free in Acrobat/Reader. Patch both, stop running analysis tooling with elevated privileges on production hosts, and shove untrusted ELF/PDFs into a sandboxed VM or container with no secrets and limited egress. Details and patches: Talos blog, NVIDIA advisory, NVD 23340, NVD 54257, Adobe APSB25‑85.
TTP Watch: Ransomware crews love your RMM
KryptoKat: Human‑operated ransomware operators are increasingly abusing legitimate RMM/remote‑access tools—AnyDesk, Splashtop, ScreenConnect/ConnectWise, TeamViewer, Atera—because signed agents blend into the wallpaper. Once they get console access or agent creds, it’s stealthy lateral movement, mass software pushes, scripted payload deployment, and data theft, all under the guise of “IT doing IT things.” Countermeasures: inventory and authorize agents, kill unknown/unused installs, clamp consoles to allow‑listed admin networks with MFA, forward detailed session logs/recordings to your SIEM, and alert on RMM‑spawned scripting interpreters and unusual file transfer volumes. References: CISA/NSA/MS‑ISAC guidance, Microsoft on RMM‑enabled intrusions, plus recent community discussion on r/blueteamsec.
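The two detections named above, unauthorized RMM installs and RMM‑spawned scripting interpreters, fit in a few lines once process‑creation events are in the SIEM. This added example (not vendor or CISA code) runs both rules over a handful of constructed Windows process events. The agent executable names, the interpreter list, the authorised‑agent inventory, and the events themselves are assumptions; substitute the names your EDR actually reports and the inventory your IT team actually maintains.

```python
"""Detect unauthorised RMM agents and RMM-spawned scripting interpreters in
process-creation events (added example; names, inventory and events assumed)."""
import ntpath

# Assumed agent executable names (lower-cased) -> product label.
RMM_AGENTS = {
    "anydesk.exe": "anydesk",
    "screenconnect.clientservice.exe": "screenconnect",
    "teamviewer.exe": "teamviewer",
    "teamviewer_service.exe": "teamviewer",
    "srserver.exe": "splashtop",
    "ateraagent.exe": "atera",
}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed authorised inventory: host -> products allowed to run there.
AUTHORIZED = {"WS-014": {"screenconnect"}, "WS-020": {"teamviewer"}}

# Constructed process-creation events.
SAMPLE_EVENTS = [
    {"host": "SRV-DB01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},
    {"host": "WS-014",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\deploy.ps1"},
    {"host": "SRV-DB01", "parent_image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "WS-014", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "WS-020", "parent_image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def detect(events, authorized=AUTHORIZED):
    """Return (host, rule, detail) tuples.
    Rule 1: an RMM agent starting on a host not inventoried for that product.
    Rule 2: a scripting interpreter whose parent is an RMM agent."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev["parent_image"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        allowed = authorized.get(ev["host"], set())

        started_agent = RMM_AGENTS.get(child)
        if started_agent and started_agent not in allowed:
            findings.append((ev["host"], "unauthorized_rmm_agent", started_agent))

        parent_agent = RMM_AGENTS.get(parent)
        if parent_agent and child in INTERPRETERS:
            findings.append((ev["host"], "rmm_spawned_interpreter",
                             f"{parent_agent} -> {child}"))
    return findings


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({detail})")
```

Rule 2 will fire on legitimate help‑desk activity; the point is to route it to a queue that IT can clear quickly, so that the same rule firing on a database server nobody inventoried for AnyDesk stands out immediately rather than drowning in noise.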
Guidance to Bank: Observability beats vibes
KryptoKat: The NCSC’s recent note—boosted this week in r/blueteamsec—says the quiet part out loud: if you can’t see it, you can’t hunt it. Prioritize process command‑lines, DNS, TLS metadata, network flows, and cloud audit logs; keep them longer (30–90 days baseline, more for Tier‑0); and pull CI/CD runners and appliances into your telemetry plan. Then actually hunt—purple‑team with MTTD/MTTR goals and fix what the exercises reveal. Start here: NCSC blog and the community thread. As Captain Sisko might put it: vigilance isn’t a setting, it’s a posture.
Closing thoughts: If you do nothing else before Friday, patch Oracle EBS, rotate anything that ever touched your GitLab CI/CD, and pull appliance management into your logging orbit. The common theme this week isn’t sophistication—it’s visibility and velocity. Detect early, patch quickly, rotate often.
See you on Sunday. In the meantime, go check your CI variables before your weekend becomes someone else’s data room.