Oracle Says Data Was Stolen From "Obsolete" Servers; US OCC Experienced Major Cybersecurity Incident; CIS Will Provide Gap Funding for MS-ISAC

"No, it was an OLD plane that went down. It doesn't count as a crash!" The fastest way to lose trust is half-truths and evasiveness. I'm sure there are some great people doing great work there, but they're not putting their best foot forward.

Christopher Elgee

Clarification of the scope of the breach is helpful. The identities were stolen from the Oracle Cloud Classic (OCC) Oracle Identity Manager (IDM) database which included usernames, emails and hashed passwords. It is positioned as a legacy service, so you should be moving away from it if you are using it, disabling any remaining OCC IDM accounts. If you have an OCI account, which should have a different password from OCC, make sure that you're enforcing MFA.

Lee Neely

It would appear that Oracle is 'doubling-down' on their denial of a security breach of their network. If the servers were obsolete, then why not expunge all user data and take them off-line. It speaks to Oracle processes, or lack thereof. Honestly, it's not a good look for Oracle for being a responsible company.

Curtis Dukes

There is an ongoing lawsuit about this. I'm unsure I want to weigh in because I would prefer to look at the court documents to determine what is provided to the judge. Here is what I can tell you: this level of uncertainty may not be good for Oracle overall as it is trying to attract more customers onto its platform.

Moses Frost

As we noted last week, both orphan servers and data leak. Whether one calls this risk a "breach" is a matter of semantics. However, by whatever name, the risk must be identified and managed.

William Hugh Murray

The attackers had access to OCC email accounts, via compromised administrator accounts, for about 20 months, and the compromise was detected because of unusual interaction between administrator accounts and their mailboxes, which hints that behavior detection capabilities were recently enabled. The takeaway is to both enable behavior detection capabilities, and validate administrator accounts, to include enforcing MFA. Don't forget to not only monitor creation, but also reactivation of accounts.

Lee Neely

What's embarrassing is that the evildoer maintained persistence for over a year. It makes one wonder about the security controls in place, and oversight provided by the security staff. Let's worry less about who the threat actor is, and more on overhauling the security staff and monitoring of critical cybersecurity controls so that it 'happen again.

Curtis Dukes

While often beneath our notice, for most organizations, e-mail is a mission critical application. It is valuable resource requiring necessary protection and an attack vector and amplifier. Let this report be a warning.

William Hugh Murray

The MS-ISAC does wonderful work helping defend SLTTs who simply don't have the bench to do it all themselves. I sincerely hope they're able to continue their important work indefinitely!

Christopher Elgee

Along with the FS-ISAC, the MS-ISAC has been a leader, effective and useful. A new funding model should be found. My understanding is that the FS-ISAC is funded by subscription by its members.

William Hugh Murray

The core argument was the MS-ISAC functions were overlapping other CISA provided services, and CISA is facing cuts of their own. CIS's funding should last through the end of the fiscal year, allowing time to determine the long-term solution.

Lee Neely

CVE-2025-30401 is still getting updates, and currently has a CVSS score of 6.7. Regardless, if you're using the Windows Desktop WhatsApp, update it. While there are not reports of active exploits, WhatsApp has been actively, successfully targeted in the past, as such, you want to review having it on desktops.

Lee Neely

Bug bounty programs have been available for well over a decade. They continue to prove their worth in finding critical vulnerabilities in both vendor and government programs. Product owners should not only focus on the immediate vulnerability but take the time to understand the root-cause for the vulnerability and fix it correctly.

Curtis Dukes

The CentreStack flaw, CVE-2025-30406, CVSS score 9.0, hinges on a hardcoded cryptographic key (machineKey) and is fixed in version 16.4.10315.56368, released April 3 - which generates a new unique mackineKey during installation. CentreStack has also published additional server-side fixes and enhancements you'll want to make sure are in place.

Lee Neely

As government agencies go, CISA continues to be efficient and its services essential. Its funding is under pressure as much political as economic. It deserves our support.

William Hugh Murray

CVE-2024-48887, unauthorized password change, CVSS score 9.8, doesn't need authentication and the exploit has a low degree of complexity, meaning expedite the fix. Beyond applying the update, make sure you're limiting access to the administrative web interface to trusted systems.

Lee Neely

A reminder that vulnerabilities classified as critical means malware or threat actors can exploit them with little to no interaction from Windows users. The fixes include not only another CLFS fix but also fixes three RDP (CVE-2025-26671, CVE-2025-28480 and CVE-2025-27482) flaws, last two are critical, marked as exploitation likely.

Lee Neely

This number of flaws patched in one month suggests that there is a huge reservoir of both known and unknown flaws in the code base on which we rely. In the time that it takes the vendors to find and fix these flaws at least some of them may well be found and exploited by those that have come to be known as "Advanced Persistent Threat (sources)." It also demonstrates the huge cost of late quality. For some organizations the cost of late repair may exceed the price paid for the software in the first place. Tolerance of this strategy is costing us a lot of money.

William Hugh Murray

In case you were distracted by the Microsoft patch set, don't overlook all your browsers (Edge, Chrome, Firefox, etc.) and Adobe products, which addresses 54 flaws. Don't forget to review Apple's updates March 31 and April 1st. With spring break, make sure things didn't (or don't) get missed or postponed.

Lee Neely

This Patch Tuesday may well be a stress test for your organization. Use it to re-allocate resources.

William Hugh Murray

his bot uses several CAPTCHA bypass services, particularly targeting hCAPTCHA and reCAPTCHA using a fingerprint service to mimic legitimate user behavior as well as an inject.js script to alter the document object model, to manipulate the session with a headless chrome browser. In short, this can bypass existing non-human attack protections. Give the IOC's from the SentinelOne site to your threat hunters to see if you've been targeted. If you're using services (WAF, etc.) or plugins designed to stop bad bots/crawlers/etc. make sure they are enabled and prepared for this new form of attack. Consider blocking the IOC domains.

Lee Neely

I don't think a marketing campaign exists without ChatGPT involvement. Legit or not.

Johannes Ullrich

Evildoers will always use the tools available to them to carry out their crime. GenAI simply automates the process and expertly gets around the capabilities of spam filters. Those evildoers innovate just like defenders; some would say, even more quickly. The best defense remains implementation of a cybersecurity framework, like IG1 of the CIS Critical Security Controls.

Curtis Dukes

Tools are neutral; most are subject to abuse and misuse. My Dad had a high speed grinder mounted on his work bench. When I was six or seven, I used it to sharpen one of his screw drivers to a sharp edge. Now ninety, I still remember his craftsman's respect for his tools.

William Hugh Murray

When was the last time you reviewed the risks around biometric authentication, particularly factoring in masks, deep fakes, voice replay, and artificial fingerprints? This report goes into great depth on how the biometrics are faked, and while directed towards law enforcement, includes risks and mitigations you may not have considered. Consider leveraging ISO/IEC 30107-3 when evaluating biometric systems with presentation attack detection capabilities.

Lee Neely

These are not so much vulnerabilities as they are fundamental limitations of the technologies. Biometrics are much more about convenience than security but may be useful as evidence in systems of strong authentication. Even here they must be implemented in such a way as to compensate for these fundamental limitations such as counterfeiting or capture and replay.

William Hugh Murray

Sensata is based in Massachusetts, has operations in about a dozen countries, producing sensors, electrical protection and other tools for vehicle, offroad and aerospace markets, and is known for their work on components for the Apollo 11 Moon mission and Hubble space telescope upgrade. They haven't determined what data has been lost, and is already restoring services. If you are a current or past Sensata employee, you want to make sure you already have ID restoration/credit monitoring rather than wait for bad news.

Lee Neely

Even large, well-resourced companies fall victim to ransomware attacks. In this case, a classic double-extortion ransom play. Once the investigation is complete it would be helpful to understand what security controls were in place and what was the root-cause of the successful attack. However, given the legalese in their 8-K filing, it's doubtful the company will be as forthcoming on those type of details. I do give them some props, however, for at least mentioning 'ransomware' in the filing.

Curtis Dukes