Oracle Cloud Breach: A Strategic Response to an Identity-Layer Threat
On March 21, 2025, security researchers identified a threat actor, operating under the alias rose87168, attempting to sell over six million records allegedly exfiltrated from Oracle Cloud’s Single Sign-On (SSO) and LDAP services. This breach is suspected to stem from a vulnerability within the login infrastructure of login.(region-name).oraclecloud.com.
Threat Hunt of the Month: Rhysida Ransomware Group Targeting VPNs and Search Engine Poisoning
In February 2025, GoSecure Threat Hunters identified Rhysida, a ransomware group actively exploiting stolen VPN credentials and search engine poisoning to infiltrate corporate networks. Rhysida’s double-extortion tactics involve encrypting files while threatening to leak stolen sensitive data. The group has been observed delivering malware disguised as legitimate software, such as Microsoft Teams or Google Chrome, via poisoned search results. Once installed, the malware establishes persistence through scheduled tasks and executes via rundll32.exe, providing long-term access to compromised systems.
Threat Hunt of the Month: Browser Session Hijacking via Malvertising
In January 2025, GoSecure Threat Hunters identified a new browser hijacking campaign leveraging malware dubbed MEDIAARENA, which is being actively distributed via malvertising. This Windows-based malware uses valid code-signing certificates, time-based defense evasion, and persistence techniques to manipulate browser settings and steal sensitive session data. Once installed, it establishes persistence through scheduled tasks and exploits Chromium’s remote debugging feature to hijack an infected device’s browser, ultimately modifying search engine settings and redirecting user searches to attacker-controlled domains.
Ransomware Groups Exploiting Microsoft Teams
Recent findings reveal that ransomware groups, including the notorious Black Basta, have begun leveraging Microsoft Teams as a vector to infiltrate corporate networks. These attackers employ advanced social engineering tactics to compromise systems, exfiltrate sensitive data, and deploy ransomware.
Fortinet Data Leak and Mitigation Recommendations
Recent events have highlighted a critical security disclosure involving Fortinet devices. A hacker group known as “Belsen Group” has leaked sensitive data allegedly associated with approximately 15,000 Fortinet firewalls. The leaked information includes highly sensitive details such as plaintext credentials, firewall configurations, and management certificates, raising significant concerns about the potential for unauthorized access and exploitation.
