
Cybersecurity Update 4-17 October 2025

  • Writer: Melissa Hathaway

United States of America


JPMorganChase Announces $1.5 Trillion Investment in National Security. On 13 October 2025, JPMorganChase announced the Security and Resiliency Initiative, a $1.5 trillion, 10-year plan to facilitate, finance and invest in industries critical to national economic security and resiliency. The company will focus on four key areas, supporting companies of all sizes and development stages by offering advice, providing financing and, in some cases, investing capital: (1) Supply Chain and Advanced Manufacturing, including critical minerals, pharmaceutical precursors and robotics; (2) Defense and Aerospace, including defense technology, autonomous systems, drones, next-generation connectivity and secure communications; (3) Energy Independence and Resilience, including battery storage, grid resilience and distributed energy; and (4) Frontier and Strategic Technologies, including AI, cybersecurity and quantum computing. The firm has currently divided these four areas into 27 sub-areas, ranging from shipbuilding and nuclear energy to nanomaterials and critical defense components. The initiative will cover both middle-market companies and large corporate clients. (JPM Announcement, SecurityWeek)


Oracle E-Business Suite Under Active Exploitation. On 4 October 2025, security researchers identified an actively exploited zero-day flaw in Oracle’s E-Business Suite (EBS) that allows unauthenticated remote attackers to execute arbitrary code on vulnerable systems over the network with low attack complexity. On 5 October 2025, Google stated that the vulnerabilities in Oracle’s E-Business software were being used in a “mass exploitation” campaign for data theft and extortion. The malicious actors are targeting the UiServlet component on Oracle EBS servers. On 6 October 2025, Oracle released a critical patch and stated that the flaw can be “exploited over a network without the need for a username and password.” NIST's National Vulnerability Database (NVD) description states that the vulnerability is easy to exploit and “allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator.” NIST goes on to state: “successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.” Oracle’s advisory provided several indicators of compromise to help customers identify evidence of malicious activity on their systems. Google stated that the Cl0p ransomware syndicate was exploiting multiple vulnerabilities, including those patched in Oracle's July 2025 update as well as the one patched on 6 October, CVE-2025-61882. (Cybersecurity News, Oracle, TechCrunch, Google LinkedIn, Reuters, Google/Mandiant, The Register, HackerNews)


1B Salesforce Customer Records Posted on Leak Site. On 3 October 2025, a group of malicious actors (Scattered Spider, ShinyHunters and LAPSUS$ — aka the Trinity of Chaos) published a dedicated data leak site on the dark web, called Scattered LAPSUS$ Hunters. The sample data are excerpts from at least 1B records belonging to 39 victim organizations. In total, the group claims to possess over 1.5 billion records across 760 companies, including 254,127,054 accounts, 579,042,146 contacts and 171,625,743 opportunities. In early September 2025, the ShinyHunters extortion group claimed to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. Now the group is posting samples on its leak site and demanding payment to prevent public disclosure of the corporate data. Allianz Life, Google, Kering, Qantas Airlines, Stellantis, TransUnion and Workday have all confirmed their data was stolen. Other victims include Adidas, Air France, Albertsons, Cartier, Cisco, Chanel, FedEx, Gap, Google, HBO MAX, Home Depot, Hulu, IKEA, Instacart, KLM, KFC, Marriott, McDonald's, Saks Fifth Avenue, Toyota Motors, UPS and Walgreens. The group gave Salesforce until 10 October 2025 to respond. On 7 October 2025, Salesforce said it would not pay the ransom and posted the following statement: “We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology. We understand how concerning these situations can be. Protecting customer environments and data remains our top priority, and our security teams are fully engaged to provide guidance and support.” On 9 October 2025, the FBI, working with law enforcement in France, seized the portal for the BreachForums web infrastructure. However, the group’s Tor dark web site is still accessible, and the group states that it will begin leaking data. On 11 October 2025, the group began to leak the data stolen from six victims: grocery giant Albertsons, global energy and services firm Engie Resources, Japanese camera maker Fujifilm, clothing retailer Gap, the Australian airline Qantas and Vietnam Airlines. (TechCrunch, DarkReading, Salesforce, InfoSecurity, ArsTechnica, BleepingComputer, Rapid7, DataBreach Today)


F5 Breach - Source Code Accessed. On 15 October 2025, F5 filed an 8-K with the Securities and Exchange Commission (SEC) regarding a breach that occurred on 9 August 2025; the U.S. Department of Justice had authorized a delay in public disclosure. According to F5, the malicious actor “maintained long-term, persistent access to, and downloaded files from, certain F5 systems. These systems included our BIG-IP product development environment and engineering knowledge management platforms. We have taken extensive actions to contain the threat actor. Since beginning these activities, we have not seen any new unauthorized activity, and we believe our containment efforts have been successful.” F5 also stated that some of the files taken were “configuration or implementation information for a small percentage of customers.” F5 released software updates for several products, including BIG-IP, F5OS and BIG-IP Next; customers should patch immediately. F5's BIG-IP product line is used across the US government and by most of the largest companies in the world. Separately, on 9 October 2025, Michael Montoya resigned from the company’s board and became its chief technology operations officer. (Geekwire, F5 Customer Notification, SEC 8-K, CyberScoop, UK NCSC Alert, CISA Alert, ArsTechnica)


California’s Consumer Privacy Act Gets Teeth. On 8 October 2025, Governor Newsom signed a bill into law that requires web browsers to make it easier for Californians to opt out (with the push of a button) through easy-to-use opt-out preference signals (OOPS), which let users automatically communicate their privacy preferences to websites and ensure that third parties cannot sell their data. The California Opt Me Out Act, sponsored by the California Privacy Protection Agency, closes a major gap in privacy protections. That same day, other laws were passed that give Californians important data privacy rights. One requires social media companies to make it easy to cancel accounts and mandates that cancellation lead to full deletion of consumers’ data. A second bolsters the state’s Data Broker Registration Law by giving consumers more information about what personal data is collected by data brokers and who can obtain it. (CPPA Blog, TheRecord)


California Passes a Law on AI Chatbot Companions. On 13 October 2025, California became the first state in the nation to require AI chatbot operators to implement safety protocols for AI companions. The law, SB 243, is designed to protect children and vulnerable users from some of the harms associated with AI companions. It goes into effect on 1 January 2026 and requires companies to implement features such as age verification and warnings regarding social media and companion chatbots. The law also imposes stronger penalties on those who profit from illegal deepfakes, including up to $250,000 per offense. Companies must also establish protocols to address suicide and self-harm; these protocols, along with statistics on how often the service provided users with crisis-center prevention notifications, must be shared with the state’s Office of Suicide Prevention at the Department of Public Health, which would post the data on its website. (California Press Release, TechCrunch, Axios, Politico, The Verge)


Microsoft Highlights Payroll Pirates Targeting Workday. On 9 October 2025, Microsoft Threat Intelligence published a blog on a financially motivated actor (Payroll Pirates, or Storm-2657) that compromises employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. The actor is actively targeting a range of US-based organizations, particularly employees in sectors such as higher education, to gain access to third-party human resources (HR) software-as-a-service (SaaS) platforms like Workday. The malicious actors do not exploit any security flaw in Workday’s service or product. Rather, they rely on social engineering and the absence of multi-factor authentication (MFA) to seize control of employee accounts and then modify payment information so that salaries are routed to accounts the threat actors manage. To mitigate these risks, Microsoft recommends adopting passwordless, phishing-resistant MFA methods such as FIDO2 security keys and reviewing accounts for signs of suspicious activity, such as unknown MFA devices and malicious inbox rules. (Microsoft, HackerNews)


Apple Increases Bug Bounty Payouts. On 10 October 2025, Apple stated that it is increasing the payouts for several categories of security vulnerabilities, including zero-click vulnerabilities and attacks that work in close proximity to an iOS or macOS device. The new bounties go into effect in November 2025. Apple vice president of security engineering and architecture Ivan Krstić announced a new payout of $2 million for a chain of software exploits that could be abused for spyware. On its website, Apple stated “this is an unprecedented amount in the industry and the largest payout offered by any bounty program we’re aware of — and our bonus system, providing additional rewards for Lockdown Mode bypasses and vulnerabilities discovered in beta software, can more than double this reward, with a maximum payout in excess of $5 million. We’re also doubling or significantly increasing rewards in many other categories to encourage more intensive research. This includes $100,000 for a complete Gatekeeper bypass, and $1 million for broad unauthorized iCloud access, as no successful exploit has been demonstrated to date in either category.” In addition, Apple is “introducing Target Flags, a new way for researchers to objectively demonstrate exploitability for some of our top bounty categories, including remote code execution and Transparency, Consent, and Control (TCC) bypasses — and to help determine eligibility for a specific award. Researchers who submit reports with Target Flags will qualify for accelerated awards, which are processed immediately after the research is received and verified, even before a fix becomes available.” (Apple Announcement, Axios, Wired, Security Week)


Red Hat Customer Data Posted on Dark Web. On 2 October 2025, Red Hat confirmed that it “recently detected unauthorized access” to one of its self-hosted GitLab instances “used for internal Red Hat Consulting collaboration in select engagements.” The Crimson Collective is now working with Lapsus$ and has given Red Hat until 10 October to pay the ransom. Stolen customer data began appearing online on 6 October 2025. (CybersecurityDive, Red Hat, CyberPlace, DarkReading)


The Epochalypse Project: The 32-bit Timestamp Vulnerability (Y2K38). Researchers warn that the Year 2038 problem (the Y2K38 bug) is a security vulnerability, not just a date problem. A 32-bit signed integer has a maximum value of 2,147,483,647; a counter of seconds since the Unix epoch (1 January 1970) reaches that value on 19 January 2038. When the count exceeds the limit and overflows, systems interpret the time as a negative number, resetting the date to 13 December 1901. Y2K38 could cause computers to malfunction and affects every system that stores time as a 32-bit integer count of seconds since the epoch. In industrial control systems (ICS) and other operational technology (OT) used in critical infrastructure, a time-stamping error could set off a chain reaction of failures: crashed systems, corrupted data or failed safety protocols, potentially leading to physical damage or risk to human life. Many cybersecurity controls also depend on accurate time, including SSL/TLS certificate validation, logging and forensics solutions, and time-based authentication and access systems. In many cases malicious actors could manipulate time synchronization protocols to trigger the overflow at a time of their choosing, which is particularly concerning given how little attention many networks pay to Network Time Protocol (NTP) security. Malicious actors could exploit the Y2K38 bug to bypass security controls, cause system outages, cover their tracks or gain unauthorized access to systems. (Security Week, The Epochalypse Project)
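The 32-bit wrap described above, as an added example that is not from the original post or from The Epochalypse Project: it emulates storing a seconds-since-epoch count in a signed 32-bit integer, shows the 2038 boundary and the 1901 wrap, and runs a simple audit over constructed timestamps (the certificate expiry and NTP-supplied time are assumed sample values, not real systems) to flag those a 32-bit time_t cannot hold.

```python
from datetime import datetime, timedelta, timezone

# Limits of a signed 32-bit integer (two's complement), the classic time_t width.
INT32_MAX = 2**31 - 1   # 2,147,483,647  -> 2038-01-19 03:14:07 UTC
INT32_MIN = -2**31      # -2,147,483,648 -> 1901-12-13 20:45:52 UTC
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def wrap_int32(seconds: int) -> int:
    """Emulate what happens when `seconds` is stored in a signed 32-bit
    integer: bits above 31 are discarded and bit 31 becomes the sign bit."""
    return ((seconds + 2**31) % 2**32) - 2**31


def epoch_to_utc(seconds: int) -> datetime:
    """Seconds since the Unix epoch -> aware UTC datetime with no 32-bit limit.
    Using timedelta avoids platform quirks of fromtimestamp() with negatives."""
    return EPOCH + timedelta(seconds=seconds)


def utc_to_epoch(dt: datetime) -> int:
    """Aware datetime -> whole seconds since the Unix epoch."""
    return int((dt - EPOCH).total_seconds())


def as_seen_by_32bit(seconds: int) -> datetime:
    """The date a system with a 32-bit time_t would report for this timestamp."""
    return epoch_to_utc(wrap_int32(seconds))


def fits_int32(seconds: int) -> bool:
    """True if the value is representable without wrapping."""
    return INT32_MIN <= seconds <= INT32_MAX


def audit_timestamps(records):
    """Given (label, seconds) pairs, return (label, wrapped_iso_date) for every
    value that would wrap on a 32-bit time_t. Intended for inventories of
    certificate expiries, scheduled jobs and time received from NTP peers."""
    findings = []
    for label, seconds in records:
        if not fits_int32(seconds):
            findings.append((label, as_seen_by_32bit(seconds).isoformat()))
    return findings


# Constructed sample records (labels and values are illustrative only).
SAMPLE_RECORDS = [
    ("syslog-entry", utc_to_epoch(datetime(2025, 10, 10, 12, 0, tzinfo=timezone.utc))),
    ("tls-cert-notAfter", utc_to_epoch(datetime(2040, 6, 1, tzinfo=timezone.utc))),
    ("ntp-supplied-time", INT32_MAX + 1),   # one second past the boundary
]

if __name__ == "__main__":
    print("last valid 32-bit time:", epoch_to_utc(INT32_MAX))
    print("one second later wraps to:", as_seen_by_32bit(INT32_MAX + 1))
    for label, shown in audit_timestamps(SAMPLE_RECORDS):
        print(f"{label}: read as {shown} on a 32-bit time_t")
```

A certificate expiring in 2040 is read by a 32-bit system as a date in 1904, i.e. already expired, which is the kind of silent validation failure the researchers warn about.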


Hathaway Global Strategies LLC Cybersecurity Update Page 4 of 8

OpenAI Disrupts Malicious Actors Abusing ChatGPT. On 7 October 2025, OpenAI stated that it disrupted three different malicious actors that were misusing its ChatGPT artificial intelligence (AI) tool to facilitate malware development. It also blocked accounts linked to scam and influence operations across various countries. The malicious actors were:

• Chinese Malicious Actors: Targeted investment firms with phishing campaigns, using ChatGPT to generate multilingual content for routine tasks. In addition, entities linked to the Chinese government used ChatGPT for monitoring individuals and generating promotional materials.

• Russian Malicious Actors: Utilized ChatGPT to develop a remote access trojan (RAT) and prototype technical components for credential theft. In addition, platforms tied to a Russian marketing firm used AI to spread anti-Ukraine content and criticize Western roles in Africa.

• North Korean Malicious Actors: Engaged in malware and command-and-control (C2) development, exploiting ChatGPT for converting Chrome extensions and drafting phishing emails. (CybersecurityNews, E-Security, HackerNews)


Nearly 8 in 10 Workers Expose Secrets Through ChatGPT. In October 2025, LayerX published a report showing that 77% of employees unintentionally expose company data through ChatGPT and other AI tools. “Employees are increasingly accessing critical apps through unmanaged accounts, uploading sensitive files into GenAI, and moving data via invisible copy/paste channels. Traditional DLP solutions, designed for file-based and sanctioned environments, cannot keep pace with this shift.” The report shows that 71.6% of access to generative AI occurs via non-corporate accounts, bypassing corporate security controls; 67% of ChatGPT access happens through unmanaged accounts, and even where corporate logins are used, SSO adoption is effectively zero. The result is an enterprise ecosystem where AI drives productivity, but every session, upload or paste exposes sensitive data to uncontrolled environments. CISOs must extend audits beyond sanctioned apps to include shadow SaaS and AI-enabled platforms such as ChatGPT, Claude, LinkedIn and Databricks, which employees often access through unmanaged personal accounts. Blocking personal-account usage and enforcing SSO across all corporate logins is the only way to ensure that employees access business-critical apps in a secure, visible and controlled manner. (LayerX Report)


Forrester: Agentic AI-powered breach will happen in 2026. On 1 October 2025, Forrester put forward some of its 2026 predictions. One of its predictions asserts that agentic AI deployment will cause a publicly disclosed data breach. “As companies begin building agentic AI workflows, these issues will only become more prevalent.” “Without the right guardrails, systems of autonomous AI agents may sacrifice accuracy for speed of delivery, especially when interacting directly with customers.” “To prevent these failures, and scapegoating, security organizations must enable the business to develop agentic applications with minimum viable security.” Forrester recommends that companies follow its AEGIS framework: securing intent, ensuring appropriate identity and access management controls to track agent activity, and implementing data security controls to track data provenance. Forrester’s Agentic AI Enterprise Guardrails for Information Security (AEGIS) framework focuses on six core elements: (1) Governance, risk, and compliance (GRC); (2) Identity and access management (IAM); (3) Data security and privacy; (4) Application security; (5) Threat management; and (6) Zero Trust architecture. (Forrester, InfoSecMag)


Discord Third-Party Breach Exposes 70K Individuals’ Personally Identifiable Information. On 3 October 2025, Discord provided details on a breach of one of its third-party vendors (5CA), which Discord used for age verification. Discord states that the incident impacted “a limited number of users who had communicated with our Customer Support or Trust & Safety teams.” “Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals." The breach also involved personal and account details, limited billing information, and messages with customer service agents. Discord said it has revoked the customer support provider's access to the system that was targeted in the breach. (Discord Blog, BBC)


American Investors Buy a Majority Stake in NSO Group, Israel’s Top Spyware Company. On 10 October 2025, a U.S. investment group led by Hollywood producer Robert Simonds agreed to acquire the controversial spyware developer NSO Group. The transaction is expected to be signed in the coming days, though its completion will require approval from Israel’s Defense Export Control Agency (DECA) at the Ministry of Defense. In 2021, the U.S. added NSO Group to its Entity List of banned organizations amid accusations that the company targeted American officials with spyware. Following completion, the involvement of founder Omri Lavie will end, marking the complete departure of NSO’s founding team. (TechCrunch, CalcalisTech)


Critical Redis Bug Threatens Cloud Environments. On 6 October 2025, Wiz researchers published a critical vulnerability (CVSS score 10.0) in Redis, dubbed RediShell (CVE-2025-49844), that affects 75% of cloud environments. Redis is a cornerstone technology for caching, session management and messaging across modern applications; its lightweight performance and ease of deployment have made it a default choice in cloud-native architectures. More than 330,000 Redis instances are publicly exposed to the internet, and 60,000 of them lack any form of authentication, creating ideal conditions for mass exploitation. The vulnerability is a use-after-free (UAF) memory corruption bug that has existed in the Redis source code for approximately 13 years. Redis published the patch on 3 October 2025 as part of a coordinated disclosure. (E-Security Planet, Wiz Research, Redis IO)


Regulators Approve a New Bank to Fill the Void Left by Silicon Valley Bank. On 15 October 2025, the Office of the Comptroller of the Currency (OCC) granted “preliminary and conditional” approval for the launch of a new bank — Erebor — backed by Palmer Luckey, co-founder of military contractor Anduril, and Joe Lonsdale, head of venture capital firm 8VC and a co-founder of data analytics firm Palantir. Erebor’s target market will be businesses that are part of the US “innovation economy” — particularly tech companies focused on cryptocurrencies, artificial intelligence, defense and manufacturing. Erebor is backed by $275 million of capital, the bulk of which is regulatory capital held in an account and will not be used for its operations. Stablecoins are expected to be a significant part of the bank’s operations. Comptroller of the Currency Jonathan V. Gould stated, “Today’s decision is also proof that the OCC under my leadership does not impose blanket barriers to banks that want to engage in digital asset activities. Permissible digital asset activities, like any other legally permissible banking activity, have a place in the federal banking system if conducted in a safe and sound manner. The OCC will continue to provide a path for innovative approaches to financial services to ensure a strong, diverse financial system that remains relevant over time.” (OCC Announcement, FT)


DOJ Seizes $15B in Bitcoin from Multinational Operating Out of Cambodia. On 14 October 2025, an indictment was unsealed in federal court in Brooklyn, New York, charging Cambodian national Chen Zhi, also known as Vincent, 37, the founder and chairman of Prince Holding Group (Prince Group), a multinational business conglomerate based in Cambodia, with wire fraud conspiracy and money laundering conspiracy for directing Prince Group’s operation of forced-labor scam compounds across Cambodia. The same day, the U.S. Attorney’s Office for the Eastern District of New York and the Justice Department’s National Security Division also filed a civil forfeiture complaint against approximately 127,271 Bitcoin, currently worth approximately $15 billion, that are proceeds and instrumentalities of the defendant’s fraud and money laundering schemes and were previously stored in unhosted cryptocurrency wallets whose private keys the defendant had in his possession. Those funds (the Defendant Cryptocurrency) are presently in the custody of the U.S. government. U.S. Attorney Joseph Nocella Jr. for the Eastern District of New York stated that the “Prince Group’s investment scams have caused billions of dollars in losses and untold misery to victims around the world, including here in New York, on the backs of individuals who have been trafficked and forced to work against their will.” The complaint is the largest forfeiture action in the history of the Department of Justice. (DOJ Announcement, CNBC, OFAC Analysis, Treasury Statement, Wired)


NY Imposes $33M in Penalties against Eight Insurance Companies for Poor Cybersecurity. On 14 October 2025, following a joint investigation, the New York State Department of Financial Services (NY-DFS) and New York Attorney General Letitia James imposed more than $33 million in penalties on eight auto insurers. They found that the insurers failed to comply with the state’s cybersecurity regulations, allowing hackers to access nonpublic consumer information, including driver’s license numbers and dates of birth. The companies involved are Farmers Insurance Exchange, Hagerty Insurance Agency LLC, Hartford Fire Insurance Co., Infinity Insurance Co., Liberty Mutual Insurance Co., Metromile Insurance Co., Midvale Indemnity Co., and State Automobile Mutual Insurance Co. The companies must also improve their cyber protections under separate settlements with the agencies. (NY State Case, Bloomberg Law)


International Items of Interest


Asahi Brewing Offline in Japan. On 30 September 2025, Japanese brewing company Asahi Group Holdings announced that its operations in the country had been disrupted by a cyberattack. On 3 October 2025, Asahi confirmed it was a ransomware event. On 7 October 2025, the ransomware group Qilin claimed credit and stated that it stole roughly 27 gigabytes of data from Asahi Group, including financial documents, budgets, contracts, employee information, plans and development forecasts. Asahi was able to resume partial manual order processing and shipment at 6 of its 30 plants on 2 October 2025. Asahi stated, “While we are unable to provide a clear timeline for recovery at this time, our Emergency Response Headquarters is working in collaboration with external cybersecurity experts to restore the system as quickly as possible.” (Bloomberg, Bloomberg, InfoSecurity)


The Netherlands Takes Control of China’s Nexperia. On 30 September 2025, the Dutch Minister of Economic Affairs invoked the Goods Availability Act (Wet beschikbaarheid goederen) due to serious governance shortcomings at semiconductor manufacturer Nexperia, the European semiconductor unit of China’s Wingtech Technology. The measure is intended to mitigate risks to Europe’s economy by ensuring the continuity, and safeguarding on Dutch and European soil, of crucial technological knowledge and capabilities. Nexperia produces, among other things, chips used in the European automotive industry and in consumer electronics. (CNBC, Netherlands Blog, WSJ, The Record)


North Korea Steps Up Its Attacks Against the Supply Chain. On 10 October 2025, Socket Research updated and published its analysis of North Korean state-backed malicious operations. "North Korean state-sponsored threat actors have intensified their supply chain attacks against software developers through a sophisticated campaign dubbed “Contagious Interview,” deploying 338 malicious npm packages that have accumulated over 50,000 downloads." The malicious actors used more than 180 fake personas tied to new npm aliases and registration emails, and ran over a dozen command and control (C2) endpoints. Targets include Web3, cryptocurrency and blockchain developers, as well as technical job seekers approached with recruiting lures, leading to multi-stage compromise and financial loss. The latest wave of attacks introduces encrypted loaders that demonstrate a significant evolution in the malicious actors’ technical capabilities. (Socket Research, Cybersecurity News)


Malicious Actors Claim Breach of Huawei Technologies Source Code and Internal Tools. A post that appeared in early October 2025 asserts that a breach of Huawei Technologies resulted in the exfiltration of sensitive intellectual property. The stolen data package allegedly includes a wide range of internal assets, specifically source code, development tools, build files, scripts and technical manuals. (CybersecurityNews)


German State — Schleswig-Holstein — Replaces Microsoft Exchange and Outlook with Open-Source Email. On 6 October 2025, the German state of Schleswig-Holstein announced that it had completed its six-month migration from Microsoft Exchange and Outlook to Open-Xchange and Thunderbird for e-mail. The transfer covered more than 40,000 mailboxes and over 100 million messages and calendar entries. Many other European government agencies (in Austria, Denmark, the EU institutions and France) have already dropped Microsoft software from their computers. (ZDNet, Schleswig-Holstein Blog)

