March 24, 2025 10 mins

In this episode of 'Cybersecurity Today,' host Jim Love covers several major cybersecurity events. A devastating breach at Oracle Cloud Infrastructure has exposed 6 million records affecting 140,000 businesses, linked to a threat actor known as Rose87168. The attack exploited vulnerabilities in Oracle Fusion Middleware 11G. New browser-in-the-middle attack techniques are discussed, which can steal data by bypassing multi-factor authentication. The episode also highlights a severe vulnerability in Synology's DiskStation Manager software that could allow remote attackers to take full control of affected systems. Lastly, significant budget cuts in the Cybersecurity and Infrastructure Security Agency’s (CISA) Red Team might weaken US government cyber defenses. Critical insights and mitigation strategies for these emerging threats are provided.

00:00 Massive Oracle Supply Chain Attack
03:08 Browser in the Middle Attack Explained
06:03 Synology's Major Security Flaw
08:08 US Government Red Team Disruptions
10:31 Conclusion and Final Thoughts


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Oracle is hit with what some are calling one of the largest supply chain attacks ever. A browser-in-the-middle attack can steal everything in seconds. Synology, a large storage company, has a major vulnerability. And have the DOGE terminations hurt US government red teams? This is Cybersecurity Today. I'm your host, Jim Love.

(00:22):
A significant security breach has compromised Oracle Cloud's infrastructure, exposing approximately 6 million records and placing over 140,000 businesses at risk. Cybersecurity firm CloudSEK identified the breach on March 21st, 2025, attributing it to a threat actor known as Rose87168.

(00:44):
The attacker is not well known in cybersecurity circles, but has demonstrated what experts are calling a high level of technical sophistication. The compromised data includes sensitive authentication files such as Java KeyStore, or JKS, files, encrypted single sign-on, or SSO, passwords, key files, and Enterprise Manager Java Platform Security, or JPS, keys.

(01:08):
These elements are crucial for maintaining secure access within enterprise environments. The attacker reportedly exploited a vulnerability in Oracle Cloud's login interface, specifically targeting the subdomain login.us2.oraclecloud.com. This subdomain was associated with Oracle Fusion Middleware 11G,

(01:29):
which has known vulnerabilities including CVE-2021-35587. This particular flaw allows unauthenticated attackers to compromise Oracle Access Manager, potentially leading to a complete system takeover. The threat actor has been active since January 2025 and is demanding payments

(01:50):
from affected companies to remove their data from the compromised set. They have also offered incentives to individuals who can assist in decrypting the stolen SSO passwords or cracking the Lightweight Directory Access Protocol, or LDAP, passwords. The breach poses several risks. There's data exposure: sensitive authentication data could be

(02:12):
used for unauthorized access or corporate espionage. There's credential compromise: if decrypted, the stolen passwords could facilitate further breaches within Oracle Cloud environments. And there's extortion: the attacker's ransom demands will place additional financial and reputational pressures on the affected businesses.

(02:33):
CloudSEK advises organizations using Oracle Cloud services to take immediate actions, including resetting passwords, updating security protocols, and monitoring for any unusual activities. Businesses can verify their exposure to this breach using CloudSEK's dedicated portal. There's a link in our show notes. Oracle is yet to release an official statement regarding the breach.

(02:56):
Organizations are urged to remain vigilant and implement recommended security measures to mitigate the potential threats arising from this severe incident. A sophisticated cyber attack technique known as browser-in-the-middle has emerged, enabling hackers to bypass multifactor authentication, or MFA, and

(03:18):
hijack user sessions within seconds. This method exploits web browser functionalities to intercept authenticated sessions, posing a significant threat to organizations relying on traditional security measures. In a browser-in-the-middle attack, victims are directed through an attacker-controlled browser

(03:38):
that mirrors a legitimate website. When a user visits a malicious site or clicks on a phishing link, their interactions are funneled through this proxy, tricking them into entering credentials and completing MFA challenges. Once authenticated, the attacker captures the session token stored in the browser, effectively stealing the user's authenticated state.

(04:02):
Some of the key components of this are the transparent proxies, and there are tools like Evilginx2 or Delusion. They act as intermediaries between the victim and the target service, modifying HTTP responses to replace legitimate domains with phishing domains and enabling session token extraction.

(04:22):
There's rapid deployment with these browser-in-the-middle frameworks, allowing operators to target any website quickly. Features such as Firefox's profile storage and automatic load balancing simplify large-scale phishing campaigns. And finally, there's real-time monitoring. Attackers could observe victim interactions in real time, enabling immediate session theft upon successful authentication.

(04:47):
So browser-in-the-middle attacks are particularly dangerous because they bypass multifactor authentication, which many organizations consider their last line of defense. By capturing session tokens, attackers gain persistent access to accounts without needing the victim's credentials again. Some of the mitigation strategies: you can use hardware-based multifactor

(05:09):
authentication using security keys like YubiKey to enforce cryptographic challenges tied to specific domains, preventing attackers from replaying responses across different websites. You can use client certificates; binding authentication to device-specific certificates could prevent session reuse on unauthorized devices.

(05:30):
You can use behavioral monitoring; detecting unusual login patterns or browser fingerprint discrepancies could flag some of these browser-in-the-middle compromises. And finally, there's security awareness training; educating users to recognize phishing attempts remains critical. The emergence of browser-in-the-middle attacks signifies a major shift in cyber threats.

(05:51):
Utilizing browser functionalities to evade traditional security measures, security teams globally have to urgently address this evolving threat landscape. A major security flaw in Synology DiskStation Manager, or DSM, software could allow remote attackers to take full control of affected systems

(06:13):
with no user interaction required. Synology, a leading provider of network-attached storage, or NAS, systems used by businesses and individuals for secure file storage and backup, confirmed the vulnerability after it was publicly demonstrated at the Pwn2Own hacking contest. Early this year, the flaw, identified as CVE-2024-10441,

(06:37):
has been given a near-maximum severity score of 9.8 out of 10 by the Common Vulnerability Scoring System, or CVSS, indicating it could have devastating effects if left unpatched. The vulnerability lies in the system plugin daemon, which fails to properly handle output encoding. This allows attackers to run arbitrary commands on vulnerable systems

(07:01):
from anywhere on the internet. Synology has also disclosed two additional vulnerabilities: one that could allow attackers to read limited files, CVE-2024-50629, and another that could let nearby attackers write files due to poor certificate validation, CVE-2024-10445.

(07:23):
Security researchers from DEVCORE, Team Smoking Barrels and independent expert Ryan Emmonds were among those who discovered the flaws. Synology has released security updates to fix the issues in all affected versions of DSM, including version 6.2 through 7.2.2. Users are urged to upgrade immediately as there are no

(07:46):
temporary workarounds available. Synology's full security advisory is available on their website. There's a link in our show notes. With Synology NAS devices so widely used in corporate environments and small offices for sensitive data storage, the risk of compromise is high if patches are not applied immediately.

(08:08):
Recent operational upheavals within the Cybersecurity and Infrastructure Security Agency's, or CISA's, Red Team are prompting serious concerns about the robustness of US cyber defenses. The Red Team, tasked with simulating cyber attacks to identify vulnerabilities in federal systems, has experienced significant disruptions due to budgetary

(08:31):
measures implemented by the Department of Government Efficiency, or DOGE. In late February, DOGE terminated contracts affecting over 100 CISA Red Team members as part of a broader initiative to reduce government spending. Christopher Chenoweth, a senior penetration tester at the Department of Homeland Security, or DHS, highlighted the impact of these

(08:54):
cuts, stating: "As a result, I and many other experienced red team operators are now seeking new opportunities." The abrupt termination of these contracts has raised alarms about the potential gaps in the nation's cybersecurity posture. Red teams play a critical role in proactively identifying and assessing security weaknesses before malicious actors can exploit them.

(09:19):
Their work informs defensive strategies across various government agencies and critical infrastructure sectors. CISA acknowledged the staffing changes, but assured that efforts are underway to maintain essential cybersecurity functions. In a recent statement, the agency emphasized its commitment to collaborating with network defenders, system administrators, and technical

(09:39):
staff to bolster the nation's critical infrastructure against diverse threats. If that sounds like corporate blah, blah, blah, it's because it is. You don't lose a hundred experienced red team members in any organization without taking an incredible hit. And that's why cybersecurity experts are cautioning that the loss of

(09:59):
experienced red team personnel could hinder the government's ability to anticipate and defend against sophisticated cyber threats. The timing of these disruptions is also particularly concerning given the escalating frequency and complexity of cyber attacks that are targeting both public and private sector organizations. As the digital landscape continues to evolve, ensuring the stability and

(10:23):
effectiveness of cybersecurity operations like those conducted by CISA's Red Team should remain a national priority. And that's our show. What a past couple of days it's been, between high-severity issues and the loss of these key resources. Hey, take a deep breath.

(10:45):
We'll get back to another week of the battle. We're all in this together. I am your host, Jim Love. Thanks for listening.