Oracle Says Data Was Stolen From "Obsolete" Servers; US OCC Experienced Major Cybersecurity Incident; CIS Will Provide Gap Funding for MS-ISAC

After denying that a reported March 20, 2025 breach of Oracle Cloud took place, Oracle has now sent emails to customers informing them that "a hacker did access and publish user names" and encrypted or hashed passwords, specifying that the credentials were on "obsolete servers that were never a part of OCI," and therefore that "the Oracle Cloud -- also known as Oracle Cloud Infrastructure or OCI -- has NOT experienced a security breach." Oracle's notification email states that in the specific context of OCI, customer environments, customer data, and cloud service have not been compromised. Multiple news sources have received confirmation of the leaked data's authenticity from Oracle customers. Kevin Beaumont characterized Oracle's response as "wordplay," and asked, "How long was the attacker in the SaaS solution (that Oracle manage)? What did they do with the access? How long were they in for? Why were 'legacy' systems containing customer info left unmanaged and insecure?" Oracle is currently facing a class-action lawsuit over a separate breach of Oracle Health servers, also not publicly acknowledged by the company.

The US Office of the Comptroller of the Currency (OCC) told Congress that a February email system breach is considered a major cybersecurity incident. The breach was initially disclosed on February 26. The updated information provided to Congress says the OCC became aware of the incident on February 11. The breach led to the theft of "highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes." The intruders had access to the email system for more than a year; in all, the incident compromised more than 150,000 emails from bank regulators dating back to 2023.

In the wake of funding cuts affecting the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Center for Internet Security (CIS) has said they will provide temporary gap funding so MS-ISAC can continue providing services to state and local governments. MS-ISAC has more than 18,000 members, who receive services that include "network intrusion detection, a malicious domain blocking and reporting service, endpoint detection and response, a cybersecurity self-assessment program and a 24/7 security operations center."

Meta has published a security advisory disclosing a "spoofing issue" in WhatsApp Desktop for Windows, fixed as of version 2.2450.6. CVE-2025-30401, CVSS score not yet provided, would allow an attacker to use a maliciously crafted "mismatch" attachment to cause the recipient to "inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp," because the software would display the attachment according to its MIME type, but would select the file opening handler based on the filename extension. The flaw was reported through Meta Bug Bounty Submission by an external researcher. BleepingComputer notes that a similar flaw resulting in unwanted execution of Python and PHP attachments was patched by WhatsApp in July 2024.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added five CVEs to their Known Exploited Vulnerabilities (KEV) catalog this week. The vulnerabilities include a use of hard-coded cryptographic key vulnerability in Gladinet CentreStack (CVE-2025-30406); a use-after-free vulnerability in Microsoft Windows Common Log File System (CLFS) Driver (CVE-2025-29824); an authentication bypass vulnerability in CrushFTP (CVE-2025-31161); and two vulnerabilities in Linux kernel: an out-of-bounds read issue (CVE-2024-53150) and an out-of-bounds access issue (CVE-2024-53197). The vulnerabilities have mitigation due dates between April 28 and April 30.

Fortinet has released FortiSwitch updates to address "an unverified password change vulnerability [CWE-620] in FortiSwitch GUI [that] may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request." The issue was discovered internally. The flaw affects multiple versions of FortiSwitch; users are urged to update to versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, or 7.6.1. For users unable to update immediately, Fortinet suggests a workaround that involves "disable[ing] HTTP/HTTPS access from administrative interfaces [and] configure[ing] trusted hosts to limit the hosts that can connect to the system."

On Tuesday, April 8, Microsoft released fixes for more than 120 security issues across their product line. Eleven of the vulnerabilities included in the April release are rated critical. Among the issues addressed this month is a zero-day vulnerability: a high-severity use-after-free issue in Windows Common Log File System (CLFS) Driver that can lead to local privilege elevation (CVE-2025-29824).

Tuesday, April 8 also saw security updates from many other vendors, including Adobe, which patched 30 vulnerabilities in ColdFusion, 11 critical, as well as multiple vulnerabilities in a variety of products; Ivanti, which addressed six vulnerabilities in Endpoint Manager; VMware, which addressed vulnerabilities in Tanzu Greenplum and Tanzu Greenplum Backup; Zoom; Google Chrome; Siemens; Schneider Electric; Rockwell Automation, and ABB.

Researchers at SentinelOne's SentinelLABS have observed a spam campaign targeting small and medium-size business websites' contact forms and chat widgets, using the chat API for OpenAI's gpt-4o-mini model to generate customized text, then automating sending large quantities of messages using the AkiraBot framework. The researchers note that "the use of LLM-generated content likely helps these messages bypass spam filters, as the spam content is different each time a message is generated. The framework also rotates which attacker-controlled domain is supplied in the messages, further complicating spam filtering efforts." OpenAI has disabled the API key involved and is continuing to investigate; SentinelLABS recommends using the set of rotating attacker-controlled domains as indicators of compromise and blocking them, as the content of the messages is not consistent.

Europol has published a report that "identifies potential ways of exploiting vulnerabilities, thus enabling law enforcement agencies to update their systems and detect such incidents during investigations." In addition to describing attack scenarios for a variety of biometric protections, the report offers mitigation suggestions, including raising awareness within law enforcement, adopting advanced evasion detection techniques, ensuring that biometric systems have security baked in from the beginning, collaborating with experts, establishing standardized reporting and data aggregation, and ensuring that data are processed securely. The report was created as a collaborative effort by Europol's Operational and Analysis Centre and the Europol Innovation Lab.

Major industrial sensor manufacturer Sensata Technologies has filed an 8-K form with the US Securities and Exchange Commission (SEC) disclosing a "ransomware incident" involving encryption of company devices and theft of files, that took place on April 6, 2025, impacting "operations, including shipping, receiving, manufacturing production," and support functions, with no timeline given for full restoration of services. Interim measures are in place to maintain certain functions, and on learning of the attack Sensata proactively took its network offline, implementing response protocols and containment measures; third-party cybersecurity professionals are assisting with ongoing investigation. The company will notify individuals and regulatory authorities after reviewing the files that were accessed and stolen. The company does not currently expect the incident to have a material financial and operational impact between now and June 30, 2025.